Future of Bravura Security: How to Deliver Password Governance

WEBINAR ON-DEMAND

Watch an insightful on-demand webinar on the future of password management where we demonstrate how to deliver password governance with Bravura Security. This demonstration showcases how to store, rotate and adhere to policy with ease.  

Key Takeaways

  • Learn how the Bravura Security Fabric (Pass and Safe) and Bravura Cloud – Security Data Engine can automate and transform your password management experience.
  • Ransomware Recovery: Understand how Bravura Security can drastically reduce the costs of ransomware recovery when the keys to the castle are compromised.
  • Live Demonstrations: Watch how Bravura Security can automate your password management process with practical demonstrations and use cases.

Simplify the digital lives of your employees and organization, enhance your online security, and free your team from the hassle of managing passwords manually. Join us for the webinar and embark on a journey towards a more secure and convenient digital future.

Presenters

 

Bryan Christ

Bravura Security

Sales Engineer

Bryan specializes in security and access governance. For more than twenty years, he has focused on open-source and software development opportunities with an emphasis on project management, team leadership, and executive oversight, including experience as a vCIO in the Greater Houston area. He was recently published in Cyber Security: A Peer-Reviewed Journal.

 

Ian Reay

Bravura Security

Chief Technology Officer

Ian specializes in providing identity and privileged access management solutions to Fortune 500 enterprises, financial, government, and higher education institutions. With decades of experience, Ian is keenly focused on software development and customer relationship management to meet the challenges organizations face today and in the changing future of cybersecurity. 

Review the Full Session Transcript

No time to watch the session? No problem. Take a read through the transcript.

Carolyn Evans (00:00:00):

Thank you for joining our webinar today with Bravura Security, titled The Future of Bravura Security: How to Deliver Password Governance. My name is Carolyn Evans. I am the director of marketing here at Bravura Security and I am today's moderator. Today you'll hear from two of Bravura Security's own: CTO Ian Reay and Bryan Christ, who is a senior solution engineer. So Ian and Bryan will both review the current landscape of passwords. They'll then dive into what's involved in transforming your password management strategy to actually minimize risk for your organization, and then walk you through some key password use cases in a live demo at the end of our session. They will also be available to answer any kind of questions that you have, and please feel free to pop them in the Q&A function in this tool and also in the chat. Over to you, Bryan.

Bryan Christ (00:00:57):

Hey, thank you, Carolyn. Appreciate the introduction, and a welcome to everybody on the line that's joined us today. So as Carolyn mentioned, we are going to start off just sort of introducing folks to the current landscape regarding passwords, regarding the challenges and some of the things that we're seeing out there. So the first thing that I think is really interesting is to kind of bring forward what we all know to be true, but maybe the data behind it. So back in January of this year, we did commission a survey to a hundred respondents and we asked them this question, and this was a director level and above. We asked them, how are you managing passwords today? So again, anecdotally, we know this to be true, that people are doing bad things with passwords, but here's the data supporting it. So what you see here up on the screen represented graphically is that 75% are using spreadsheets. Probably not just spreadsheets; the question was centered around spreadsheets, but probably something like a sticky note or Notepad or whatever. But the idea being some sort of insecure medium, like a spreadsheet, to store application passwords. The part that was so surprising about this was when we narrowed that question down and we asked something that was way more sensitive in nature, in this case cloud infrastructure, nearly half admitted to using spreadsheets for cloud infrastructure. Ian, your thoughts on that? How does that play with SOC 2 compliance? Does it? I mean, I think I'm baiting the question here, but

Ian Reay (00:02:53):

Too, when I saw that number, I was a little shocked. Also, people are willing to admit that frequently to this being done, especially in light of modern-day attacks that are out there, and that realistically there are so many options that are available, but that unfortunately convenience is often dominating decision making, especially when people are time pressured and when they're trying to hit their deadlines. And so that's where many of us say, well, we'll come back and we'll clean it up. At least they're honest that they're not.

Bryan Christ (00:03:35):

Yeah, and they never do. Right. I'll share one more story and then we'll move on. So, probably not unusual. I mean, most people on the line would probably relate to this, but I do spend some amount of time on Facebook, and our family is, we're in the education world, and so I'm kind of plugged into some groups in education. And so right about the time the school year started, and I saw this last year, this teacher goes on there and she complains, oh, they're making us change our passwords again at the school. And then another lady chimed in, and you can't make this stuff up because it's so stereotypical, but it's also so true. And the lady literally said, oh, don't worry, I have a great way around that. I just change my password, I write it down on a sticky note and I tack it to my monitor. We've all joked about that, but the reality is that this really bad stuff is happening, and of course the data here bears that out.

Ian Reay (00:04:38):

Again, when talking about family related, I've talked to my family members and they admit to doing the same thing here, especially since, again, we're all human, and when it took me 10 years to learn my wife's phone number, realistically the chances of me remembering a 15-character strong password are pretty slim.

Bryan Christ (00:04:57):

Yeah, absolutely. Absolutely. So that's sort of the user side of the equation. So users are doing bad things with passwords, and we know that now objectively. But organizations on the other side of the equation, Ian just sort of alluded to this or kind of brought that to bear in his last comment, which we know this from Gartner, we know this from Forrester, but organizations are struggling with this. You can see the statistics here on the screen. When you think about the average cost that's being displayed here and the volume, it is a significant burden on most organizations. We not too long ago commissioned a case study with Blue Cross Blue Shield of North Carolina, and this is exactly what Ian was saying, that complexity of the password is driving up calls to the service desk. Ian, you want to say anything about that? Something that's on your mind here?

Ian Reay (00:06:02):

So we've been talking to a few of our customers, and some of them that are in the financial services area are pushing really forward with passwordless-based approaches, and they've actually encountered some very curious results, where as they go passwordless, they're actually seeing an uptick in their help desk calls, because people are using their passwords less day-to-day and are more likely to forget them. And then also because they're moving to the stronger password policies, as directed too by standards authorities and even the US government, people are just, they're really, really struggling to remember them and to type them in effectively. And as a result, people are calling the help desks more because as they're forgetting them, they then lock themselves out. And it's not just the help desk costs, it's also lost productivity as people are not able to get their job done day on day when they're having to call into the help desk more often for this. So again, there's many points of friction and cost here. That too, there's good ways through this and we're going to present some of them. And it's just that that's the important thing to think about here: there's these hidden, unexpected costs when people are trying to improve their security here, and they amount to a fair bit, as per those stats you have on the screen here.

Bryan Christ (00:07:23):

Yeah, I think that's one of the interesting ones that, as we were going through and preparing this presentation, on the one side you've got the organizations that are making the password complex. They're doing the right thing, they're upping the ante on what a complex password looks like, and we're going to talk about that here in a little bit. But then they're recognizing, well, this is causing problems, so we need to reduce the footprint or the exposure or the need to use that password. And again, we'll also talk about that. But then the reciprocal is, okay, well, I've used it so infrequently that now I can't remember it. So there are these interwoven dynamics that are really making passwords quite a challenge for organizations.

Ian Reay (00:08:16):

Yep. Couldn't agree more.

Bryan Christ (00:08:20):

We had a lot of fun with this one. Just a quick aside here: all the artwork you see was either created by Midjourney or DALL·E, so we had some fun with that, telling the AI what kinds of pictures to create here. But the idea that we wanted to convey in talking to this slide is there are a number of reasons that passwords aren't going to go away anytime soon. I mean, Ian, you've been around a long time. I think the idea of getting away from the password, you can probably peg it back at least a decade and a half, maybe two decades, this idea of getting away from passwords. But the reality is that we really do have organizations where they have mainframes and AS/400s and systems that have no modern authentication; a password is really the only thing that you can do there. You want to talk maybe, Ian, about the password as a fallback challenge? I'll throw that one over to you.

Ian Reay (00:09:24):

Well too, even with things such as classic Active Directory, it's pretty rare that people actually turn off password-based authentication into their directories. They'll turn on passwordless authentication, they'll turn on federated authentication. Those are great options, but they still leave password-based authentication on, and that's often for many of these integrations, many scenarios where you have a system that's authenticating to Active Directory through the LDAP protocol. And so the passwords are still often being used under the covers, and that's where it's really important that they're not forgotten about. People can sometimes get a false sense of security when they're adopting some of these new modern authentication approaches without really considering that the passwords are still there and can absolutely be used. And so that's a key thing just to think about here. And one of the things we're talking to people about and thinking about is all the different types of accounts too that are in your environment, and making sure that you have a plan for each one of them or at least know where your pain points are. You want to be able to surface that so that you can make these informed decisions. So too, yeah, it's definitely the legacy systems that aren't going away, but even the modern systems too usually still have password-based authentication on, and you just have to make sure you don't have that false sense of security, because that'll hurt you.

Bryan Christ (00:10:53):

Yeah. Ian, I want to drill down. I want to kind of pick your brain on this one just a little bit. If you could for a minute, just unpack for us why passwords are still relevant in something like a Windows Hello situation. We get asked about Windows Hello as an authentication mechanism, but talk to us a little bit about passwords and how they still are relevant in a Windows Hello type environment.

Ian Reay (00:11:18):

Biometrics are great. They are phishing resistant. You want to make sure that you have a good, solid, phishing-resistant authentication approach being the default, the thing that your employees go to. But there are life events that happen. Say, for example, people can get sick, they can get injured. For example, with Windows Hello with my laptop, I recently had an injury to my finger, and as a result it swelled up, and then as a result my fingerprint wasn't recognized, and so then I had to fall back. I had to fall back to some of the approaches that we use internally here so that I could gain access to the fallback passwords that I have, so I can still get onto my laptop and then, by extension, everywhere else. And it's those kinds of edge events. So again, personal health sometimes comes into play. Accidents can of course come into play, but also too legal and technology restrictions.

(00:12:15):

Many devices now have the capability of authenticating people with strong biometric approaches, but not all. There are certain costs associated with that. And then also too, with certain legal jurisdictions, when people are using bring-your-own-device scenarios, there are a lot of hidden costs sometimes there, and that can cause friction, but also too people with disabilities as well. Again, you have to think about every different angle. It can be quite easy to get 90, 95% of your user population in, but that last five to 10% can have a fairly long tail, especially in large, complex and diverse organizations. So definitely we're seeing that across the board from the different customers and the different verticals that they have. Each one of them tends to have some unique challenges. Higher education, of course, is a very unique example of that in terms of the diversity of the scenarios that they need to support.

Bryan Christ (00:13:22):

And I'll just throw kind of an anecdote out here, or maybe a cautionary tale as well, because Windows Hello comes in two variations. So a lot of people are familiar with Windows Hello on their home computer, and that is kind of a softer, gentler version of Windows Hello, if I can say it that way. And it is still very much things like PIN, like PIN and password. I mean, those are practically interchangeable. And so in those cases you have the password lurking around. And with Windows Hello for Business, some people know this, so sorry for sharing something you already know with you, but some folks don't know that there is basically, it's a PKI mechanism that leverages the TPM on that system. And so if that system becomes broken, it gets damaged. I know that when I was serving as a CIO, one of the things that we did was we were on call when executives' laptops would go out.

(00:14:34):

There's always this delay in terms of getting a new PC provisioned and permanently assigned to them. So we would have to assign them a temporary laptop or workstation. And so what are you going to do in that situation when your identity and your credentials are tied to the machine itself, right? So that's why even in Windows Hello for Business, you've got this fallback mechanism, which ends up being the password, because you've got to accommodate that. So passwords, they're just not going away. I mean, I don't have a crystal ball, but as I look at the landscape and I look at the technologies out there, I still see passwords being necessary for at least the next five or 10 years. Ian, do you object? Do you see the same thing?

Ian Reay (00:15:18):

It is just one where they are the universal base level that everyone and everything can depend on. It's just that when they're like that, it's best to start treating them almost like an encryption key. Make sure that they're long, make sure they're strong, make sure you store them somewhere. Don't try to remember them, because if you can remember them, then they are weak. And that's where, just start. In some ways it can be very freeing to adopt some of the things we'll be covering here, where you can truly start forgetting your passwords, and just leverage the tools that are in the market well so that you can always get back in. And that's where you should be encouraged to use phishing-resistant MFA whenever possible. But again, when these events happen, when these systems don't support it, passwords are on that universal baseline, and that's where that universal baseline, I don't see changing anytime soon except in specific scenarios.

Bryan Christ (00:16:21):

Yeah, thanks, Ian. We've got a couple of other items up here. Legislative mandates, I'll just talk about this really briefly. This has actually come up, I don't know if, Ian, you've seen this, but I've certainly heard it from at least two customers of ours over the last nine months, which is in certain states you can't necessarily ask an employee to use a personal device as an authentication mechanism. So you have to make some really challenging decisions about how you are going to authenticate. And a lot of organizations, given the options set before them, some of which include cost, it means the password's going to live longer because they're trying to navigate this landscape and do so where their bottom line is not impacted. So I think that this, maybe not as a top driver, is going to have an impact in certain parts of, at least in the United States, certain parts of the country. Have you heard anything on this front, Ian, or

Ian Reay (00:17:27):

Certainly it is a top-of-mind element for many of our customers as they're working out this journey, especially when they cross legal jurisdictions, because you do have to do these reviews in each one, making sure that when they do require you to give compensation to your user population, you do that. And again, depending on who the users are, sometimes that is simply cost prohibitive. It's just not realistic to do. So that's where most companies have to have a hybrid strategy here, where they're trying to get something that can cover the significant majority of their population, but then they still generally have to fall back and have these plans in place for the people who are on those fringes, making sure that they can do what their role in the organization requires of them. And that's where it's important to reduce your threat scope, encourage people to use the strong authentication whenever possible, but it's a challenge. There is no, that's why passwords are the universal standard, and everything else is really, really good in certain domains, but unfortunately none of them are universal yet. It's a tough nut.

Bryan Christ (00:18:44):

It really is. Priority and business disruption. We'll just wrap this slide up with this point here, which is as folks look to do something different, they begin to think about things like, how will whatever strategy we go down impact the organization? Am I going to do something that's going to drive help desk call volume up? And then when they start thinking about all the different systems that they have to deal with and the integrations, a lot of times, and I hate to say it this way, but it's true, a lot of times they say, well, you know what, I don't really want to deal with that right now. And so that means it's the status quo, just because making some of these changes can be difficult. Ian, any thoughts on that?

Ian Reay (00:19:36):

Yeah, no, those too. Business disruption can take many forms here, because we tend to think of it, at least some people think of it, from an IT business disruption perspective in terms of needing to have passwords to the accounts so you can get back in. But you have other forms of disruption too, such as getting locked out and not being able to make that critical customer call, getting locked out and not being able to do that really important presentation, getting locked out and not being able to give a remote course to a number of people who have been paying for it. Those kinds of things are important to many companies, and it's important that people have confidence in what they should be doing day on day, getting in with strong, good, easy-to-use approaches. But if something happens, if a life event happens, they should also know still how to get in from the fallback path. And that should be well known. It shouldn't be hidden, because if it's hidden, then it might not be meeting your needs in terms of strength and security. Your fallback path could become a weak back door, and then you have a real, real problem. That is the source of so much ransomware these days, where people don't break in. They're just logging in these days into so many people's environments, and it's finding these weak spots. And that's where it's really important that the passwords aren't forgotten about with all these strategies.

Bryan Christ (00:21:11):

Absolutely. Yeah, good way to wrap that up, Ian, by mentioning ransomware, because that's exactly what we wanted to look at here on the next slide. So I've thrown some statistics up here. I'm not going to read this off verbatim. I just want to hit a couple of the big ones and then we're going to move on to the next set of content in the deck. But breaches that involve passwords are still, some of this is based on the Verizon report, tend to be a very high-ranking attack vector. So stolen passwords and credentials being near 50% these days. The cost of a ransomware attack, IBM says, is 4.5 million. What I wanted to share with the group is that we were recently at EDUCAUSE, and I couldn't tell you, and I wouldn't tell you even if I could remember, but there was an organization that stopped by our booth and we started talking about the fact that they had been hit with a ransomware attack, and brace yourself for this number, but it cost them 20 million to recover from that ransomware attack.

(00:22:32):

I mean, 4.5 in light of something like that. And I'm sure 20 million is an outlier, but that's crippling. Most organizations can't endure that. And I used to do a webinar specific to the health industry, but I remember not too long ago there was a medical organization, because they never got their patient data back, they were just gone. They were out of business because of that. So the cost, there's always this dynamic where you're evaluating the cost of doing something versus the cost of doing nothing. And I think the numbers bear out eventually that the cost of doing nothing is far more risky and far more costly, and most people don't have the ability to sustain something like a 20 million impact. That's doors shuttering at that point. Ian, any thoughts on this before we move on?

Ian Reay (00:23:34):

That's also where it's no longer the case that the ones that hit the news tend to be for the big companies; this is hitting every organization of any size, and that's where cybersecurity insurance is critical, because again, you need to take steps to be prepared, but also you still need, every organization of every size needs to be robust against these kinds of attacks. And again, even just the latest one, the Okta breach going around here, where again, it's important to really think about the attack vectors here, because even when you're using some of the federated authentication, you have those access tokens, and those access tokens never really expire. They basically start looking like a password that just never expired. And so again, it's really important to think through that. What's important is get the fundamentals right, to make sure that this is stuff that is resistant to social engineering, resistant to brute force attacks and other kinds of guessing scenarios.

(00:24:42):

But also too, make sure that you have a strategy in place to rotate these effectively with minimal business disruption when something like ransomware hits, because some of our customers have been telling us that it can take them easily two to three months to do the necessary rotations, and that some have a few accounts that just simply can't be, for historical or operational reasons; it's not really viable for them to change their passwords due to the outage that would be triggered from that. And that's where it's really important to know which ones those are, because you don't want to be doing this when you're in the heat of the moment under this kind of stress of a ransomware attack. You want this planned out ahead of time. You want to know where your weak points are, where you have an easy button you can just press in this event, but know the areas where you're going to have to circle the wagons, so to speak, if something like this happens, because at least then you know the scope of what you're in for if you get hit by this.

Bryan Christ (00:25:41):

And I think that's a very good point. I'll wrap up with this, which is it's not necessarily that the ransomware itself is 4 million or whatever; it's what's often called the long-tail cost. It's the cost of the cleanup, it's the training, it's the business impact. That's what costs so much.

Ian Reay (00:26:02):

It can certainly hurt your brand quite a bit too. Again,

Bryan Christ (00:26:05):

Absolutely. The MGM attack

Ian Reay (00:26:07):

And everything, that certainly did have an effect on their brand. And again, there are many intangible costs to this. I completely concur, Bryan.

Bryan Christ (00:26:17):

So now that I think we've conveyed the idea that passwords are going to be around for a while, what do you do to accommodate 'em? What does a good password strategy look like? I'll talk to a few of these and then I'll pass the baton to Ian to talk to a few of 'em, but change frequently. Why? Just because if you're changing 'em frequently, you're narrowing the attack vector. It just makes good common sense to make sure they're long. I've tried to illustrate on the graphic here what a long and complex password looks like. This is, again, this is kind of a double-edged sword here, because the long and complex comes with the same challenges that we mentioned earlier. And then passphrases. Ian, I'll pass this over to you. You can talk about passphrases and what makes them a good part of a strategy as well.

Ian Reay (00:27:14):

Too, passphrases are kind of a mixed bag. They can be really good, but they can also be disturbingly poor. And it's one where passphrases, many people think of them as, oh, it's three words long, it's 20 characters, that means it's strong. And it's not strong. If you're using common words like "old blue truck" as a passphrase, that is not strong, because it has so little, it's easily guessable and it's in common vernacular. Whereas if you're using words that are less commonly used, ones that are from a broader dictionary, that's when you can get a lot more strength into the passphrases. That's when passphrases can become very strong. And also too, say for example for laptops, it can be very difficult for many people to type truly random character strings. They end up hitting the shift key wrong, they accidentally use the wrong symbol, they don't realize that they mistyped it.

(00:28:22):

And that can lead to significant frustration and immediate calls to the help desk for doing a password change, where all it really was was just that they were typing one of the characters wrong. And that's where with passphrases, because they're using the language that people are used to, it's often a little easier to type. You can kind of focus on a couple of special characters that you need to have to get this in, but it's more common to how you type. So people are more likely to get it right. But again, it still needs to be strong, and you still need to use a random passphrase generator like what Bravura Safe offers, because that helps expand the vocabulary. It's not "old blue truck," it's "joyful dancing orangutan" or something like that. It's something that is not in common vocabulary, and that then makes it a lot stronger. You can still realistically type it out, and that's where you store those in platforms such as Bravura Safe, and then again, use your biometrics to log in, but you still have this password if you need to get in. And it's something that can be typed easily. And so that's where passphrases can be good if they're randomly generated, just like passwords can be good if they're randomly generated.

Bryan Christ (00:29:43):

And that's the thing. So whether it's a passphrase or a complex password, the reason I called attention on the slide to the "not easily memorized" is because even a good passphrase, I'll make one up here, "hairy onion sunset flamingo," is easily typed, but am I going to, in a week, come back and remember, okay, does the word onion come before sunset, or what order is it? So if I've done it right, it's still complex. It's not guessable. But again, it's also not going to be easily memorized, which is again part of the problem that we're dealing with when it comes to good password strategy.

Ian Reay (00:30:26):

Because also too, if you memorize it, if you focus on memorizing, then you just fall into the thing of using the same passphrase and just counting up and counting down a number, those kinds of things that people would use to keep their passwords going. You fall back into that same trap where, as soon as one of them is compromised, like "old blue truck five," you can probably make a pretty good guess at the other variants of it, where they're counting up or counting down that number. So again, it's really important to stop trying to remember these things, because then you fall into the traps that all humans make of choosing convenience over security sometimes.

Bryan Christ (00:31:04):

So then the question becomes, okay, so if we're going to demand this of our users, if we're going to demand they create complex passwords or non-guessable ones, how do we deal with that artifact of, well, now that I need it, I can't remember it? So this slide here is intended to kind of spell out that multifaceted approach, and then we're going to ultimately transition into a demo here in a minute and show you how we can do this with our tool set. Something you know, something you have, something you are. I think we all get that. So the punchline here is whatever password management strategy you employ, you need to bring this good practice to bear. And I'll just make one cautionary, say something cautionary here. One of the reasons that we did our slide presentation with the graphics and AI is because there was a conversation about AI that came up, and for example, the something you are, some of those something-you-are factors are not necessarily as strong as they used to be.

(00:32:18):

So we were talking about voice biometrics. Facebook hasn't released Meta Voice yet, but we're told that when it is released it'll be able to clone your voice with a two-second sample. And whereas the cloning accuracy is about 93% today, it's going to be upwards of 7% accurate. And we've seen, according to the Wall Street Journal, how that gal that did the experiment was able to bypass her bank authentication with an AI-generated voice, right? So as you think about, so you've got the something you know, which is your password, but the something you have and something you are, you consider, are they all equally as strong? Any additional thoughts here, Ian, on that, or is that pretty fair?

Ian Reay (00:33:06):

I think it's very fair, and also too it opens up such a scope of social engineering attacks here, because when somebody is calling into a help desk using your voice, maybe even if the help desk gets onto a Teams session and looks at you, and it looks like you on the Teams session. So again, they think it's who you are, especially if you're well known in an organization, if you're a person of influence, and then you add that social pressure that people are really good at, that "I need in now, the deal's on the line, I have to do this." That element of pressure can then help coerce the help desk staff into making a poor choice and letting somebody in. And that's where making sure that the help desk has approaches to authenticate people using a form of authentication that isn't just voice and an image, and how do you really know who you're talking to on the other end?

(00:34:05):

And that's a key point of a number of conversations in many companies these days, in many organizations. And it also fits into the day one onboarding when somebody calls into the help desk. In some ways it requires the same kind of checks as bringing an employee in for the first time, because the same risks are there when you're bringing them in for that first day. Is the person who you're talking to actually who they say they are, or are they using a stolen identity and, to your point, minutes or a couple of seconds of Facebook video that was publicized? That is really opening up a lot of challenges to companies these days because these attacks aren't hypothetical anymore. They are becoming very, very realistic.

Bryan Christ (00:34:51):

I think we're running slightly behind on time, so I'm trying to be conscientious of that. I want to walk through some of these, but you're actually going to see them in action here in a minute. In terms of password generation, I think you heard Ian say earlier that really, just make it automatic. Rely on a tool to do that, and you're going to see that here in a minute with Bravura Pass, and then taking that password and dealing with this idea that, hey, I might not remember it or might forget it because it's complex, it's long, and then taking that secret and storing it in a zero-knowledge vault, and all of that culminates in what we call passwordless. A little bit of a play on words here, but it's the idea that we're acknowledging that passwords aren't going away, but we want to reduce the exposure of the end user population to the password. Not that they can't get it when they need it, but it's simply that it's largely not there. And also federation plays a part of that, right? If you have the infrastructure to do it and you can get them to authenticate with that password at some point, then you can use things like federation to get 'em into the various systems that they need, at least on the modern systems you can do that. Any last minute comments here, Ian, on passwordless? Otherwise we'll take folks on a little tour.

Ian Reay (00:36:23):

Yeah, I think in the tour here, if anything, that's when we're just showing people that you don't have to remember these. You can choose good strong ones and you can actually have a very pleasant experience, and what some of the future can hold here. So

Bryan Christ (00:36:39):

Alright, very good. So with about 22 minutes remaining, what we're going to do is I'm going to take you on a tour of what we provide today with Pass, Safe and OneAuth, and then Ian is going to take you on a tour of some new technology that we are introducing into the market. So my screensaver has kicked in here and I am entering chakra password. So what you see here is the login screen to Bravura Pass, and I'm going to grab my phone here. We'll be using that for authentication here in just a second. So what I'm going to do is I'm going to authenticate into Bravura Pass. And Bravura Pass is our solution that focuses on self-service password reset and unlock, and in this case I'm going to log in as Fred J. Fred is a good steward, let's just call him that.

(00:37:43):

And he knows that he's received a notification that one of his passwords is about to expire and he needs to change that. So on our adaptive authentication screen here, you see I have the option to authenticate with Bravura OneAuth in a passwordless experience. So I'm going to go ahead and do that, and we'll get my phone here handy. There's a notification that pops up, says, hey, do you want to authenticate? I say log in, I'm going to try to do this here so y'all can see, I'll use some biometrics to authenticate and that gets me logged in. And then here in a second I'm going to get into Bravura Pass, give it just a second, and this is a pretty richly provisioned environment, but what he wants to do is change his password, so I click on change my passwords, see all the different systems that we're going to change the password on, and I'll call special attention to RAAF because that will be an interesting target here in a minute.

(00:38:45):

But we're also going to be changing this password on on-prem Active Directory. We're going to change the password on Azure AD and so on. And so I'm going to go ahead and hit next. And on the next screen what you're going to see is a list of criteria that Fred is going to be required to meet. So in this case it's pretty strong. We've demanded that it be 12 characters, uppercase, lowercase, not be compromised. So this particular tool has the ability to check the Have I Been Pwned database and make sure that Fred is not choosing a password that's already known to be compromised in the wild. But as we said in the presentation, the best strategy would just be to let the tool generate the password. So I'm just going to go ahead and pick some random password that the tool has proposed for me.

(00:39:36):

So I'm going to say change my password, and then what's going to happen is Bravura Pass is going to go out and it's going to touch all of these systems and update the password. Now I have no idea what the password is, but I don't need to concern myself with what that password is because I have a way to access it. So what I'm going to do is, you see here on the desktop is the fat client for Bravura Safe. We also have a mobile application. And so if Fred, now having been a good steward, changes his password to something that's complex, has no idea what it actually is, needs to use that password for some reason. Well, I can log in here as Fred Johnson, so you're seeing me enter our master password. This is going away in future versions, and as the mobile app exists today, it's completely unnecessary.

(00:40:30):

So I don't actually have this actor tied to my phone for this demonstration. So I'm trying to convey the same idea here with the fat client. So what I'm going to do is I'm going to grab the master password out of our safe that I use daily. So I don't even know Fred Johnson's master password, but you can see the next thing I'm going to get is I'm going to get prompted to authenticate with OneAuth. So I'm going to go ahead and do that again. Oops, with my biometrics, and off we go and we're in. And then this is my safe. So again, we have the mobile version of this, so I could do that on my phone if I was so wired, but here's that Active Directory entry and I can reveal that massively long, complex password that I wouldn't otherwise know. So you can see here that we can provide a really fluid experience for the user, and we can make sure that even though they don't know that password or that passphrase, they can have access to it at all times, because we have a fat client for Mac, we have a fat client for Windows, we have the Android app, the iPhone app, we have a web browser UI, we have extensions for all the major browsers.

(00:41:47):

So we've really eliminated this idea that I won't be able to get to my password under certain contexts. What I want to do really quickly is jump back to the presentation, because I think Ian had a couple of slides as he takes us now through Bravura Cloud, which is our early access, new introduction to the market. And I think he had a couple of slides he wants to review before he goes into that demo. So I'm going to do that really quick here. You'll just bear with me. I'll get that slide deck going. Oops. And it jumped all the way to the beginning on me. There we go. Is this where you want to start, Ian?

Ian Reay (00:42:35):

So just again, we have, actually it's okay. How about we can just talk to this one here right now.

Bryan Christ (00:42:42):

Okay,

Ian Reay (00:42:42):

So if you aren't familiar with Bravura Cloud, I would strongly suggest reviewing the keynote address where we introduced Bravura Cloud about a month ago in our Power of One Summit. And what Bravura Cloud is, is it's a SaaS-native platform that allows us to start to really bring some innovation into this ecosystem. And we're starting off with allowing us to surface a lot of value with people's existing investments in Bravura Pass, Safe and OneAuth. And what the strategy is here is that we have implemented some discovery approaches that can pull data out of Bravura Pass and bring that into Bravura Cloud. That then allows us to start to bring some new user experiences, some new compelling dashboards, some very powerful APIs, and really allow you to surface some of the value that is within a Pass instance. And so it's meant to be very complementary.

(00:43:53):

It's meant to be an extension on capabilities and a place where, using these new APIs, we can start building out new user experiences. I'm going to show you some dashboarding ones, but also too similar ones for, say, AI assistants, chatbot assistants, bring your own reporting layers, a number of things. Those things have been covered in the Power of One Summit. And so I'll just be showing you a flavor of this here right now. But also, as we're working through the EA program here, the early access program here, getting certain customers in and building out some of these capabilities very collaboratively about which areas of value we can surface quickest and fastest here. So I'm just going to switch over and share my screen right now to one of the environments that we're using as we're coordinating with some customers here on some of the next steps here. Just finding my screen here. One second. Okay, and so I'm just confirming, Bryan, you can see the dashboards page here right now.

Bryan Christ (00:45:03):

All good.

Ian Reay (00:45:05):

Great. So what we're doing here is Bravura Cloud is built on a few principles around being able to discover your state, be able to surface details about what we discovered, give you approaches to cleanse your state, be able to do cleanup, be able to, say, remove accounts and group memberships that may not be appropriate or reasonable. Be able to have an inventory of these and be able to govern that long term. Being able to make sure that you can see risks as they're occurring in near real time in your environment. And then allowing you to take action either through automated tools or even just submitting tickets and making sure that people are informed so they can take action on this. And the key underlying layer of this is what we're calling compliance rules. Compliance rules allow us to define policies using these APIs, using open platforms such as Open Policy Agent, and to be able to flag items that are potential points of concern.

(00:46:07):

And so this is a dashboard that we're coordinating with our customers on building out to help give them an overall lay of the land of the kinds of accounts that are in their ecosystem, which ones they're doing well on and ensuring strong password support, as well as ones that might not necessarily be as strong as they think they are. So say, for example, in many companies you have four types of accounts. Often you have personal administrative accounts, you have shared administrative accounts, service accounts, and then of course employee accounts. And that's where often each one of these has different policies in place. Bravura Pass is being used by many of our customers for many of these. Of course, Bravura Privilege also has some very unique and compelling capabilities around personal administrative accounts and shared administrative accounts. But a number of our customers are using Bravura Pass for these scenarios as well, where people can log in and reset the passwords on these administrative accounts.

(00:47:12):

And so that's all fine if it's adding value; that's the important thing. But again, they have different password policies. Service accounts often have a very different password policy, and also accounts can go dormant. And so if the accounts go dormant, it's important to understand that they're still there but they're no longer meeting your policy. And so our demo environment is actually a really good one to show this example, because this information has come from the demo environment that Bryan was just showing you, because we integrated it, and that way we can surface the insights about what's doing good and what's doing bad. And for the employee accounts in this demo environment, we have about 1100 of them. And because it's a demo environment, we don't tend to log in as all of these accounts and do password changes on them. So many of them have gone dormant, and then as a result they're not meeting the password policies anymore.

(00:48:06):

And that's where this can be a real indicator of a thing where, if this is in a real environment, you'd want to clean that up or find out what that gap is in your processes. And this is where in the analysis here, we're breaking these out, and I just have this one expanded out here for visibility, is that that way people can see the users in violation of your employee password policy, be able to get a quick and easy list of all of this data that you can download as a CSV, as a helper. We've also provided the manager information of these accounts if we know what they are. And that way too, basically asking people to review with their support, why is this gap here and how can it be fixed? That might be a process problem, that might be a coaching problem, or it certainly could be an automation problem, those kinds of things.

(00:48:57):

At least now we can surface them and then action can be taken. And that's where again, if we take this back to the ransomware scenario here, where you can get a ransomware attack, it's really, really important to know what is your profile of accounts that are easy to change the passwords on. The ones that are adhering to the password policy are probably quite easy to change, especially with what Bryan did, because again, you can just issue a mass password randomization and then people can go into Bravura Safe and get those passwords, log in, and it's relatively happy days, so to speak. But also it's important to understand the breakdown of these wedges that are a challenge, because those are the ones that are going to cause you some sleepless nights if you get compromised with a ransomware attack. And so that's where, as we're coordinating with people in the early access program, we're building out these capabilities based on their feedback, based on the insights we get.

(00:50:03):

And too, it is quite thought provoking about how Pass gets used for managing these kinds of administrative accounts. But it also gives us a chance to talk about, should Privilege be using it instead? So you don't have to deal with that. So you're not susceptible to the orphan account scenario where people just don't go in there and do it, because Privilege will do it for you behind the scenes and then make them available. It's an opportunity to find the right tool for the job, so to speak. And then similarly, another thing, as we're building out and making sure that we're getting people the information that they need to prove audit, prove operational details as effectively as possible, we're building out some new user experiences around surfacing data about the audit histories that are in your existing investments in Pass, Privilege and Identity.

(00:50:56):

This is, again, real event data from the demo environment that Bryan demoed. And in here we can start to surface information about what kind of audit events are firing. These are things that are commonly done through our event log report in Pass. All of this stuff is available to people, but now we can start surfacing this in some new ways that can be really compelling and also give people some really nice searchability here, such as if you want to find the events related to your Active Directory environment here, we can filter on that. We can filter on certain people and give people the ability to kind of drill into this data in ways that hopefully can really simplify some of your existing auditing and reporting needs. And so again, we're building this out in coordination with members of the early access program and certainly excited to continue to recruit more into this here as we're building up some of these layers.

(00:51:53):

And then also too, under here, and we're going to have a follow-up webinar on this, is how, using the new APIs that are underpinning Bravura Cloud, we can bring some new user experiences such as modern password reset experiences, modern chat-assisted scenarios here. We're building those out here right now, and we're building them up in coordination with the people who are in the early access program here and taking their feedback and their insights about what they would need to carry this forward. And so it's a pretty exciting time here, and certainly looking forward to follow-up webinars on some of these new capabilities in the December timeframe here. So maybe we'll open it up for a few questions here.

Carolyn Evans (00:52:46):

Absolutely. So we have a few minutes left. If anybody has a question, please pop it in the chat or the Q&A function, and it looks like we have one question so far. Ian and Bryan, I'm not sure who wants to take this one. Every time we have changed password strategies, it's caused problems for our end users. What can we do to avoid that?

Bryan Christ (00:53:13):

Yeah, precisely. I mean, I think that hits the nail on the head about what we've been talking about. It's actually one of the reasons that organizations are very hesitant to do things, because they've maybe attempted this in the past and it's not gone well. And so hopefully by seeing the demo today, in terms of what you can accomplish with the right tooling, you can make that sort of out of sight, out of mind. I think the other thing that is important here, and we can do this in a tool like Bravura Pass, is that we can target certain user populations. So you can roll this thing out incrementally throughout your organization, so don't go for the big bang approach, but identify key users, maybe those that are in a certain department, or maybe those that are more kind of do-it-yourself, like your technical folks tend to be very good at that do-it-yourself approach. And so you might try rolling it out to them first and then seeing if there are any challenges that come out of that. And so that would be my recommendation: the right tooling, and then not shooting for that big bang approach. Any additional thoughts on that?

Ian Reay (00:54:35):

I think also one thing I might just add here is thinking about, if you were to actually randomize most people's passwords, that can sound a little scary until you start thinking through what Bryan has just presented here, where Bryan chose a random password. He doesn't remember what that password is, I don't remember what that password is, there's no hope of me remembering it. And so he chose a random password, it was put into Bravura Safe, and now Bryan can confidently go in there at any point in time, grab that password out and use it. And as we're introducing and continuing to build on the various different authentication approaches to Safe, that can be used in two of the different modes. People can have it on their laptops, they can have it on their phones, they can gain access to their passwords through many different approaches.

(00:55:29):

If people are getting comfortable using a random password, why not just randomize it under the covers periodically for them? That I think is going to be a key topic that I'd like to talk to a few people about here, is how good is that experience if you just randomize it once a month, once a quarter, and they don't actually need to know that it was changed. They just go into Safe and get the latest password out, and they're logging in often with things like Windows Hello, OneAuth, other approaches. And again, it actually becomes quite a seamless and freeing experience, because that way if you change the password policy, if you need to increase its length, you just increase its length and issue a new set of randomizations for a user. The difference between a 12 and a 15 and an 18 character random is nothing, because all of them are completely impossible to remember.

(00:56:27):

So that I think is a key thing just to think about, is what would that future look like if you can just change it, and that's when else you can get really resistant to ransomware, because when it hits, you can press those randomization buttons with confidence, and then your staff would get their new randomized password through Bravura Safe, can log in and restore business operations. That's where there's a certain degree of freedom when you kind of have an easy button in the form of the APIs that are in Pass, Privilege and Identity starting in 12.3 and newer, because they all have the ability to do these kinds of actions.

Carolyn Evans (00:57:10):

We have two more questions that just popped up. I'll go with this one here. Thanks for the webinar. How do we enforce guidelines and standards for passphrases? In my mind it's wide open and can't completely rely on the user's creativity.

Bryan Christ (00:57:27):

Yeah, absolutely. I mean, I think Ian touched on this earlier when he was talking about people that will just tack on a number, a sequence, and they'll either increment that number or decrement that number, and that is, I mean, just guilty as charged, right? I've done it. I'd venture to say that most of the folks on the line have done that, and that's really why we're driving home this idea of making it completely randomized: set the policy. So for example, when you saw me use Bravura Pass, the criteria that we're enforcing in terms of minimum requirements, that's flexible. So we chose 12 characters, but I could have made it 16 or 18 or 20. And the same thing with passphrases. Let tooling create the passphrase. Don't rely, we hope we drove this home, which is whether it's a complex password or a complex passphrase, the artifact of doing that correctly is going to be difficult to remember. So if it's difficult to remember, you need a tool anyway, so go ahead and let that tool do it for you. I think the only challenge on the passphrases is that passphrases tend to be really, really long and some systems may not be able to accommodate that, but ultimately let the tooling do that for you. You really can't leave it up to the users to come up with that. Ian, any closing thoughts on that?

Ian Reay (00:58:59):

Yeah, that's where, say, Bravura Safe has random generators for passphrases, and I would certainly encourage those to be used, as well as also we have plugin points in Bravura Pass that can be used to generate these random passphrases and go consult good strong dictionaries of words in the act of doing that. Because again, yeah, if you leave it up to employees to do it, employees, we're all human, they're going to choose something like Old Blue Truck, and it's just, again, it's who we are, and that's where we just need to implement these policies that can handle these cases where we just have other things on our mind at the time, we have other priorities, and no amount of training can solve the problem of you're under pressure and you just need to get back onto your system, so you're going to use that old password, put a one on the end or a two on the end. We all do that. So just take it out, make it random, and then really encourage people, just again, go into Bravura Safe and use it, and encourage them to use biometric authentication whenever possible to just lessen the burden.

(01:00:15):

Exactly. Passwordless, they're still there. Just try to remember them less and try to use them a little less. And again, it's freeing.

Carolyn Evans (01:00:24):

Good play. We have one more question and we are two minutes over. So a few people are joining in thanking you for the webinar. How can we prove that using a system to manage passwords and storing things in Bravura Cloud will really provide value?

Bryan Christ (01:00:41):

Yeah, good question. So that comes down to, in my opinion, metrics, right? So this is maybe the other side of the coin to the question that was asked earlier, where we talked about rolling this out to small user populations. When I earlier brought up Blue Cross Blue Shield of North Carolina and their case study, they measured the impact. When I say impact, I mean that in a positive way. So roll it out to your small communities of users as a way to start, and then expand into your organization. But as you're doing so, Bravura Pass has metrics on how the tool's being used, but Bravura Cloud is going to greatly expand those metrics. You get really good insight into whether or not it's being effective, and so it really becomes a question of measurement. You're going to have to do something initially to get that data, but we are confident that when these tools are put into the user's hands, they do bear fruit. And so it will just be a matter of periodically getting the data and then presenting that to stakeholders. Ian, closing comments on that one?

Ian Reay (01:02:04):

Could not agree more. Data speaks louder than any kind of case we can make, and so we want to make that as easy as possible to surface with Bravura Cloud going forward here, just to make everybody's lives easier. There's value, here it is, and then it's indisputable.

Carolyn Evans (01:02:21):

Okay, we're over a couple of minutes. Thank you everyone for joining today. We're going to send out a recording. We'll also send out links to all of the resources that we mentioned so you have access to them, including that keynote that Ian mentioned where we introduced Bravura Cloud, and the case study and the survey. And if you need anything, please don't hesitate to reach out. We look forward to hearing from you soon.