A MASSIVE RETHINK OF SECURITY

Today we are going to talk about security. Security is broken and requires a massive rethink.
RECENT SECURITY UPDATES

Shareholders Are Not Safe: 5%+ average stock price drop after a breach; 30% of consumers discontinue the relationship; $400M loss to shareholders.
Consumers Are Not Safe: 1B+ user accounts compromised; $350M impact to the offer price by Verizon (7%+ of the offer).
Governments Are Not Safe: lack of strong authentication and privileged account theft result in 25M OPM records stolen.
Companies Are Not Safe: DNS provider knocked offline by a botnet of hundreds of thousands of IoT devices compromised through factory-default passwords.

Why do we need a massive rethink of security? Simple:

Shareholders are not safe. A recent Ponemon study shows that stocks drop 5% after a breach is announced, and worse, 30% of impacted consumers discontinue their relationship with the breached company. A recent example of shareholder impact is Chipotle, which saw its stock drop by $400M after announcing a breach.

Consumers are not safe. Over one billion Yahoo user accounts were compromised for years before users were notified. Note: this cut Verizon's takeover offer by $350M, or about 7% of the offer price.

Governments are not safe. Poor authentication and misused privileged accounts resulted in 25M stolen personnel records. Note: the OPM breach involved the compromise of a "jump box", giving the attackers control of every machine on the network.

Companies are not safe. DNS provider Dyn was knocked offline by the Mirai botnet of IoT devices, compromised because they were still using factory-default credentials.

Source: The Impact of Data Breaches on Reputation & Share Value, Ponemon Institute, May 2017
TODAY'S SECURITY IS NOT SECURE

$80B spent on security in 2016, yet 66% of companies are still breached, and worse, they are breached on average five or more times.

Let's look at this another way: last year we spent over $80B on cyber security, yet a stunning two-thirds of companies were still breached. And worse, those that were breached averaged five or more separate breaches.

Bottom line: something has to change. Today's security is not secure.

Sources: Gartner press release, Aug 2016; Stop the Breach, Forrester, January 2017
THE ENTERPRISE PERIMETER NO LONGER EXISTS, AND IDENTITY IS THE TOP ATTACK VECTOR

90% of enterprises using cloud; 150,000 enterprise cloud apps; 8B mobile devices; 50B IoT devices forecast by 2020.
81% of hacking-related breaches involve weak, default or stolen passwords; 80% of breaches involve privileged credential misuse.

For years we have relied on a well-defined boundary to protect our assets. We knew where the perimeters of our networks and endpoints were, and we kept our important assets on the safe side. But the world as we know it is an increasingly complex digital canvas of connections and identities that live in and out of the enterprise. This has changed the perimeter to no perimeter at all.

At the same time, identity has become, by far, the top attack vector. According to Verizon, 81% of hacking-related breaches last year leveraged weak, default or stolen passwords. Forrester estimates that 80% of breaches involve privileged credential misuse.

Sources: Private vs. Public vs. Hybrid Cloud, Logicworks, March 2015; The Explosion of Apps: 27% are Risky, CloudLock, December 2016; Mobile Visual Networking Index (VNI) Forecast, Cisco, February 2017; 50 Billion Things Will Be Connected to the Internet by 2020, Cisco, 2013; Verizon 2017 Data Breach Investigations Report; Forrester Wave™: Privileged Identity Management, Q3 2016
THIS NEW THREATSCAPE REQUIRES A PARADIGM SHIFT

This new threatscape requires a complete paradigm shift:
one that rethinks and challenges the network perimeter-based approach;
one that puts identity at the foundation of the massive security rethink;
one that redefines security to follow identity and access (rather than the app, infrastructure or device);
a new paradigm that invests in and improves your identity and access maturity to stop breaches, reduce risk and improve business value.
PARADIGM SHIFT #1: NEED TO SECURE ACCESS FOR ALL ENTERPRISE IDENTITIES

[Chart: risk per user versus number of users, across Privilege, Workforce, Partners and Customers.]

The first paradigm shift is to secure access for all enterprise identities. At one end of the spectrum we have a small number of highly privileged users, such as IT admins, who represent a massive risk to the enterprise. At the other end we have customers, who individually present less risk, but there are many more of them and collectively they represent a large risk. All users need secure access to their data and resources, and all of them represent substantial risk to the enterprise.
PARADIGM SHIFT #2: NEED TO SECURE IDENTITIES EVERYWHERE

Stop breaches that target applications: so many apps and too many accounts; increasingly in the cloud; self-managed passwords; password reuse and unsafe practices; provisioning/de-provisioning and orphaned accounts; time to productivity; remote access.
Stop breaches that start on endpoints: BYOD; remote workers; too many apps; local administrators; weak authentication; access context and trust.
Stop breaches that abuse privileged access to infrastructure: too many accounts; too much privilege; stolen credentials; heterogeneous infrastructure; remote IT admins; IaaS adoption; regulatory compliance.

The second paradigm shift is that we need to secure identities everywhere they exist. As we meet with thousands of companies, just like yours, we hear common challenges to stopping breaches that target apps, start on endpoints or abuse privileged access to infrastructure. This slide is self-explanatory; just read it.
PARADIGM SHIFT #3: NEED TO IMPLEMENT BEST PRACTICES FOR IDENTITY

Maturity model (risk decreases from left to right):
DANGER: Too Many Passwords, Too Much Privilege
GOOD, Establish Identity Assurance: Consolidate Identities; MFA Everywhere; Risk-based Access; SSO Everywhere
BETTER, Limit Lateral Movement: Establish Access Zones; Require Access Approvals; Automate Provisioning; Minimize VPN Access
GREAT, Enforce Least Privilege: Just-in-Time Privilege; Just Enough Privilege; Don't Break Glass
OPTIMAL, Audit Everything: Analyze Risk; Monitor Sessions; Integrate with SIEM

The third paradigm shift, after securing all users wherever they exist, is to implement best practices for identity. So how do we move from the danger zone of too many passwords and too much privilege towards an IAM maturity level that can greatly reduce the risk of breaches?

Best practice number one: establish identity assurance. The Verizon report has a great quote: "Don't get us wrong—passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn't consume it on its own." The fact is that passwords on their own are no longer effective as a means to secure anything of importance.
Consolidate identities: reduce disparate identity silos and leverage the technologies and skill sets you already have in-house, like Active Directory.
Use multi-factor authentication everywhere: this limits the damage that can be done with lost or stolen credentials.
Improve the MFA experience with risk-aware access: MFA technology has really improved in the past 18 months. Advances like push authentication to mobile devices and machine learning that decides when an MFA prompt is needed, based on behaviour and risk score, have vastly improved the user experience.
Get SSO everywhere: give secure access across apps and devices, based on a single identity for each user and a centralized policy from IT.

Best practice number two: limit lateral movement.
Establish access zones: all too often we grant broad access rights to admins out of convenience; access zones restrict access to just the systems and resources associated with a user's specific job.
Automate access approval and move toward JIT access: automate the request/approval cycle to speed provisioning and de-provisioning. This closes the loop and lets you move toward a state where no user has access until they need it, and only for as long as they need it.
Automate app provisioning: automate provisioning and de-provisioning for as many apps and systems as you can, to ensure that no one has more access than they need to do their job, thus reducing the potential impact of a breach.
Mitigate VPN risk: look for solutions that allow VPN-less access to individual apps and systems instead of granting broad access to the corporate network, and enforce strict MFA for any VPN user.

Best practice number three: enforce least privilege.
Grant just enough privilege and move toward JIT privilege: in the same way as controlling broad access, automate the request/approval cycle for privilege elevation, moving toward a state of zero standing privilege, granted only as needed and in a time-bound manner.
Don't "break glass": users log in as themselves and raise their privilege level only for individual tasks when required. Never allow the use of a shared account unless absolutely necessary.

Best practice number four: audit, analyze and monitor everything.
Risk analytics: automatically profile user behaviour, flag potentially compromised accounts and raise them to IT's attention.
Record privileged user sessions: capture everything a user did with privileged access and make it searchable and replayable. This helps not only with forensics but also with documentation and training.
Integrate with SIEM and related systems: leverage existing systems for trouble-ticket automation, security event alerting and threat analytics.
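The four practices above lend themselves to a small worked example. What follows is an added illustration written for this page, not Centrify product code: a toy policy engine that computes a risk score to choose between a silent SSO login, an MFA step-up and a denial; issues just-in-time privilege grants that are scoped to an access zone, time-bound, and refused for shared accounts or self-approval; and writes one JSON audit record per decision in the shape a SIEM would ingest. The signal weights, thresholds, the account names in SHARED_ACCOUNTS, the role and zone names and the scenario in demo() are all assumptions.

```python
"""Toy identity policy engine (added example, not Centrify code): risk-scored
access that steps up to MFA, access zones, time-bound just-in-time (JIT)
privilege approved by someone else, no shared break-glass accounts, and one
JSON audit record per decision.  Weights, thresholds, account, role and zone
names are assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


@dataclass
class LoginContext:
    user: str
    known_device: bool           # enrolled/managed device
    country: str
    usual_countries: frozenset   # behaviour baseline for this user
    failed_attempts_last_hour: int
    hour_utc: int


def risk_score(ctx: LoginContext) -> int:
    """Additive score; 0 means no anomalies against the baseline."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.country not in ctx.usual_countries:
        score += 40
    score += 10 * min(ctx.failed_attempts_last_hour, 5)
    if ctx.hour_utc < 6 or ctx.hour_utc >= 22:  # outside the assumed working window
        score += 10
    return score


def access_decision(ctx: LoginContext) -> str:
    """Low risk: SSO without a prompt. Medium: step up to MFA. High: deny."""
    s = risk_score(ctx)
    return "allow" if s < 30 else "mfa_required" if s < 80 else "deny"


SHARED_ACCOUNTS = {"root", "Administrator", "admin", "break-glass"}  # assumed names


@dataclass
class Grant:
    user: str
    role: str             # just enough privilege, e.g. "restart-webserver", never "root"
    zone: str             # access zone the grant is scoped to
    approver: str
    expires_at: datetime


class PrivilegeBroker:
    """Issues JIT grants and answers elevation checks; every decision is audited."""

    def __init__(self, max_duration: timedelta = timedelta(hours=2)):
        self.max_duration = max_duration
        self.grants: list[Grant] = []
        self.audit: list[str] = []  # JSON lines, ready to forward to a SIEM

    def _log(self, now: datetime, event: str, **fields) -> None:
        self.audit.append(json.dumps({"ts": now.isoformat(), "event": event, **fields}))

    def request(self, user, role, zone, approver, duration, now) -> Grant | None:
        """Request/approval cycle. Shared accounts never elevate and nobody
        approves their own request; the grant is always time-bound."""
        if user in SHARED_ACCOUNTS:
            self._log(now, "elevation_denied", user=user, reason="shared_account")
            return None
        if approver == user:
            self._log(now, "elevation_denied", user=user, reason="self_approval")
            return None
        grant = Grant(user, role, zone, approver, now + min(duration, self.max_duration))
        self.grants.append(grant)
        self._log(now, "elevation_granted", user=user, role=role, zone=zone,
                  approver=approver, expires_at=grant.expires_at.isoformat())
        return grant

    def can_elevate(self, user, role, zone, now) -> bool:
        """True only for an unexpired grant matching user, role and zone:
        a grant in the web zone does not open the database zone."""
        ok = any(g.user == user and g.role == role and g.zone == zone
                 and now < g.expires_at for g in self.grants)
        self._log(now, "elevation_check", user=user, role=role, zone=zone, allowed=ok)
        return ok


def demo() -> dict:
    """Constructed scenario: alice asks for a 5h grant in web-prod, approved by bob."""
    t0 = datetime(2017, 6, 1, 14, 0, tzinfo=timezone.utc)
    pb, out = PrivilegeBroker(), {}
    out["shared_account"] = pb.request("root", "restart-webserver", "web-prod", "bob", timedelta(minutes=30), t0)
    out["self_approval"] = pb.request("alice", "restart-webserver", "web-prod", "alice", timedelta(minutes=30), t0)
    grant = pb.request("alice", "restart-webserver", "web-prod", "bob", timedelta(hours=5), t0)
    out["granted_hours"] = (grant.expires_at - t0) / timedelta(hours=1)   # capped to 2.0
    out["in_zone_in_time"] = pb.can_elevate("alice", "restart-webserver", "web-prod", t0 + timedelta(minutes=10))
    out["other_zone"] = pb.can_elevate("alice", "restart-webserver", "db-prod", t0 + timedelta(minutes=10))
    out["after_expiry"] = pb.can_elevate("alice", "restart-webserver", "web-prod", t0 + timedelta(hours=3))
    out["audit"] = [json.loads(line) for line in pb.audit]
    return out


if __name__ == "__main__":
    print(access_decision(LoginContext("alice", True, "US", frozenset({"US"}), 0, 14)))   # allow
    print(access_decision(LoginContext("alice", False, "BR", frozenset({"US"}), 0, 14)))  # mfa_required
    print(json.dumps(demo(), indent=2))
```

Three design points carry the weight of the slide: the approver must be a different principal than the requester (a standing admin approving their own elevation is just standing privilege with extra steps); the elevation check matches user, role and zone, so a compromised account with a grant in one zone cannot move laterally into another; and the grant duration is capped by the broker rather than trusted from the request, so "give me five hours" silently becomes two. Every branch, including denials, emits an audit line, which is what lets a SIEM rule such as "elevation_denied with reason shared_account" fire at all.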
FORRESTER FINDS IMPLEMENTING IDENTITY BEST PRACTICES RESULTS IN 50% FEWER BREACHES, $5 MIL IN COST SAVINGS AND 40% LESS ON TECHNOLOGY COSTS

If you do these things, what are the benefits of achieving IAM maturity? According to a brand new study from Forrester, entitled "Stop the Breach", there are massive benefits to improving IAM maturity, including a 50% reduction in the number of reported breaches and an average of $5M in cost savings related to breaches.

Interestingly, the most mature organizations preferred an integrated platform approach over point and custom one-off solutions. This strategic approach led to a 40% reduction in IAM technology costs as a percentage of IT budget. Massive savings.

Source: Stop the Breach, Forrester, January 2017
HOW CENTRIFY STOPS THE BREACH So how does Centrify help stop breaches?
CENTRIFY STOPS THE BREACH: SECURE ACCESS FOR ALL ENTERPRISE IDENTITIES

For all users: End User, Privileged User, Outsourced IT, Customer or Partner.
Secures access to apps.
Secures access to infrastructure: Cloud (IaaS & PaaS), Data Center Servers, Network Devices, Big Data.
From any endpoint.

Centrify's vision from the start has been to secure access to infrastructure and apps, from any endpoint, for all users, through the power of Identity Services.
CENTRIFY STOPS THE BREACH: SECURES IDENTITIES EVERYWHERE

Analytics: Risk-based User Scoring; Behavior Analysis and Reporting
Applications: Single Sign-on; Adaptive MFA for App Access; Workflow & Lifecycle Management; Mobility Management; App Gateway
Endpoints: Device Management; Adaptive MFA for Endpoints; App Management; Endpoint Privilege Management; Smartcard & Derived Credentials
Infrastructure: Identity Broker; Adaptive MFA for Privileged Access; Privilege Elevation; Shared Password Management; Privileged Access Request; Secure Remote Access; Auditing & Monitoring
Core Services: Directory + Policy + Federation + Workflow + Reporting

Centrify delivers Identity Services that enable you to secure identities everywhere they exist: in apps, on endpoints or in your infrastructure, with common risk analytics across all three. Built on a common architecture, Centrify Identity Services provides common administration without sacrificing best-of-breed features.
CENTRIFY STOPS THE BREACH: ENABLES END-TO-END IDENTITY MATURITY

[Chart: maturity from GOOD to OPTIMAL, with risk decreasing, across Application Services (secures access to apps), Endpoint Services (from any endpoint) and Infrastructure Services (secures access to infrastructure). Services plotted: Single Sign-on, Adaptive MFA, Risk-Based Access, Device Management, App Management, Mobility Management, App Gateway, Identity Broker, Privilege Elevation, Endpoint Privilege, Shared Password Management, Smartcard & Derived Creds, Audit & Report.]

Centrify enables end-to-end identity maturity across your apps, endpoints and infrastructure through best-of-breed and unique features. For example, the first step toward maturity is to implement identity assurance through SSO, MFA, identity consolidation, etc.

<This is a good slide to show how our individual services allow you to achieve identity maturity across apps, endpoints and infrastructure.>
WHY CENTRIFY So what makes Centrify different or better than alternatives?
CENTRIFY STOPS THE BREACH: END-TO-END IDENTITY SERVICES

[Chart: Application Services (secures access to apps), Endpoint Services (from any endpoint) and Infrastructure Services (secures access to infrastructure: Data Center Servers, Network Devices, Big Data, Cloud (IaaS & PaaS)), with risk decreasing as coverage grows.]

Centrify is the only end-to-end solution that provides identity services across apps, endpoints and infrastructure, for all users. The alternative is to tactically piece together multiple identity solutions that solve point problems for specific resources, at greater cost, with greater gaps, while managing a greater number of point products. These gaps and inefficiencies pose massive threats.
A RECOGNIZED LEADER

Leader, Forrester PIM Wave. The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Leader, Gartner IDaaS MQ. Gartner, "Magic Quadrant for Identity and Access Management as a Service" by Gregg Kreizman, June 2016.

Top Vendor, Gartner Critical Capabilities.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Leader, KuppingerCole Leadership Compass. Network World Clear Choice Winner. PC Magazine Editor's Choice: Best Identity Management Solution of 2017.

Centrify stops breaches with a unified identity platform that delivers a seamless defense, effortlessly securing every user's access to apps and infrastructure in today's boundaryless hybrid enterprise through the power of identity services. And Centrify is the only industry-recognized leader in both Privileged Identity Management and Identity-as-a-Service.
Trusted by over 5,000 customers; 95% retention.
5 of top 10 U.S. Financial Services Companies; 7 of top 10 Pharma Companies; 85+ Federal Agencies; 6 of top 10 Worldwide Telcos; 5 of top 10 Energy & Transportation; 6 of top 10 U.S. Retailers.
CENTRIFY EXECUTIVE SUMMARY

Addresses the top attack vector, compromised credentials, targeting both end users and privileged accounts.
Only end-to-end platform that addresses identity for apps, endpoints and infrastructure.
Supports on-premises, cloud and hybrid environments.
Trusted by over 5,000 customers, including more than half the Fortune 50.
Recognized as a market leader by leading analysts.
THANK YOU
APPENDIX
WHY CENTRIFY IDENTITY SERVICES

Analytics: Common Risk Analytics Across Apps, Endpoints and Infrastructure
Applications: On-Prem, Cloud and Mobile Apps; Identity Where You Want It; Infinite Apps Included; Mobility Management; App Gateway
Endpoints: Deep Mobile, Mac and Windows; AD or Cloud-based Management; App Management for Mac & Mobile; Endpoint Privilege Management; Smartcard & Derived Credentials
Infrastructure: Identity Broker for IaaS; Both Privilege Elevation & Shared Password Management; Both Windows & *NIX; Secure Remote Access; Session Recording & Audit
Core Services: Best of Breed Features + MFA Everywhere + Common Admin + Integrated Platform
POINT SOLUTIONS INCREASE RISK OF BREACH

Applications, endpoints and infrastructure each covered by a separate point product: no centralized admin, no risk analytics, no shared services, no integrated platform.
SECURE ALL USERS

[Chart: risk per user versus number of users, across Privilege, Workforce, Partners and Customers.]
TODAY'S SECURITY IS NOT SECURE: $80B SPENT ON SECURITY IN 2016, YET 66% OF COMPANIES ARE STILL BREACHED

Endpoint Protection: Symantec, Intel Security, Kaspersky, Trend
Firewall: Palo Alto Networks, Check Point, Cisco, Juniper, McAfee
Identity & Access Management: RSA, IBM, Oracle
Vulnerability Management: IBM, HP, Veracode, Qualys, WhiteHat Security
SIEM: IBM, HP, Splunk, Intel Security, EMC (RSA), LogRhythm