Selecting the Right IDaaS for Zero Trust Security
Watch the on-demand webinar to hear Centrify and Forrester Research discuss key capabilities and differentiators that will impact your decision when selecting the right IDaaS vendor to help you achieve Zero Trust.
I wanna really thank the attendees for taking the time to join today's webinar. I'm really excited to have our guest speaker today, Andras. As Beth mentioned, he's got a ton of experience in cloud security and specifically in the identity management space. Today, Andras is gonna really share his insights regarding what we're really hearing a lot of, this zero trust security approach, and specifically, how identity has really become this core pillar around this zero trust approach. Also, really looking at ways in terms of when we're evaluating identity solution offerings, what types of criteria we should really be looking at. So without any further ado, I'd like to kick it off to Andras.
Thank you. Can you guys hear me okay?
Excellent. Thank you. This is Andras Cser, I'm the VP Principal Analyst here at Forrester, looking at identity and access management. Today, really I wanna expand on, explain why we see identity and access management being the central hub of the zero trust ecosystem. I will talk about some of our key drivers in this space that make identity management one of the key center points and focal points of zero trust. We're gonna also assess the impact of cyber attacks, talk about understanding why they're important. Then look at how identity can be shifted to the center of a threat detection ecosystem. How identity can be set up as a new perimeter, what are some of the areas to pay attention to, and really talk a little bit about some of the processes that identity management actually encapsulates.
Then I will spend some time on describing our wave in the identity and access management as a service space, or IDaaS space. Talk about some of the results, some of the understandings of basically what we saw as differentiating criteria, what we saw as new requirements, and surprises in the space. Then I'm going to close my presentation today with some future trends on identity as a service, where we see this market going, how we see it integrating into the broader threat response and threat mitigation landscape. I'm really gonna end on some trends and analysis around machine learning and device IoT. With that in mind, let's dive in.
Let's talk about some of the drivers, why we see people turning towards identity access management. I think we can all agree that digital approach is really everywhere, from employees working at an organization, all the way to the business partner hub. For example, an insurance agency onboards independent insurance agents, an insurance carrier, an insurance company onboards independent agents, or how, for example, a financial services or investment firm works with independent financial advisors, all the way to customer facing identity and access management. Clearly, customers have a lot of say, have a lot of impact as to what they want to see on a website. They wanna see customization, they want to see a good user experience, they want to be able to interact with the site quickly. They want the site to serve them well. All the same is true for employees and business partners.
For this, you have to manage profiles and you have to manage customizations of those profiles. How do you do that? You have to actually have some level of an understanding as to who is interacting with that application, what the profile is, how the user can manipulate the profile, be able to reset passwords, reset forgotten user IDs, recover forgotten user IDs, etc. This is all basically around the human interaction with applications, it's just much more elaborate, much more customized than where it was maybe five, 10 years ago.
If you look at the security aspect of all this, I think it's fair to say that you don't want to be looking at your enterprise after a data breach as this burning house on the right hand side. You definitely do not want to be seen on CNN Headline News after a big breach. Really, as a result of past breaches, starting from Target and all the way through the past three, four years of breaches that we've seen, I think it's safe to conclude that security has shifted from a purely IT Director level, VP level, or even CISO, Chief Information Security Officer, or CIO, Chief Information Officer, IT Officer level problem to a CEO, Chief Executive Officer kind of problem. Heads have rolled in the past. We've seen a lot of organizations basically paying a pretty hefty price for not managing security well. Not paying attention to identities, who can access what and how you enforce that access type of story, and really CEO heads have rolled in the past because of this.
Obviously at the pinnacle of this security drive and security data is really the data protection. How you protect personally identifiable information of your customers, of your employees, of your business partners. How you protect your intellectual property that in this age really starts to play the role of the true differentiator in service delivery and product delivery. How do you deal with mobile devices? A great variety of devices for a lot of different people and increasingly, how you handle IoT or Internet of Things, connected gadgets or connected devices challenges which are on the internet. A lot of times they may be on your own network. Operational Technology, OT network, or IT, Information Technology network. A lot of times these devices actually are fairly dumb, they are not able to actually be upgraded from a security perspective, but they maintain a lot of data and that data can be stolen or they can be used as a DDoS conduit. Basically attack yourself, almost like an autoimmune kind of fashion. And again, obviously BYOD and use your own devices are definitely here to stay, so we kind of have to do something about those.
So obviously, with the perimeter being long gone, we can no longer count on any kind of network perimeter. This was all true even before enterprises started adopting the cloud, but it's even more true today. Network based perimeters are largely gone and also device based, company issued and managed device based security postures are also gone. You're not going to be able to get a laptop with the VP and not every single contractor that you're going to hire. A lot of times people use their own devices, even employees, so again, this is not a realistic expectation. There's a lot of drive towards understanding how you could handle business and admin user rights, access requests and their approval from one single perspective. A lot of times admin users have been, privileged users have been treated as a separate group of identities. Increasingly, organizations are trying to figure out how you can actually allow your admin users to use their normal day to day credentials, even for admin tasks, because it provides much better traceability and really capability to actually correlate people to administrative actions.
Password replacements are mandatory. We're seeing a lot of issues and questions around the password strength being diminished. Basically every day, all these cracks and all these hacks that we've seen around passwords are largely due to short passwords that can be really easily cracked. Even if you look at an eight character long password that has one upper case, one numerical character, one special character, you're really looking at still minutes, maybe a few hours, to crack those passwords on basically general purpose equipment without using any kind of special computing power, GPUs, etc. So it's clearly ... Passwords are at the end of their useful lifespan. And again, understanding application, data, endpoint and network access controls and treating those under the same umbrella is very important.
You have to have a unified treatment of apps, data and endpoints, networks, to be able to clearly protect your data and be able to defend against threats. Identity has emerged as a new perimeter, so identity is really the source of the truth in a lot of instances that drives who can access what. It's no longer the case that within an enterprise, everything is visible. Everything should be visible because we only let good guys come into the enterprise and we should have a firewall towards the external world and everything should be wide open on the inside. That is really the core of zero trust, which really means that even on the inside, you act as if no users are trusted, no applications, no devices are trusted, and you basically apply a default deny policy in terms of access, data access, application access, network access, and you only allow entities, people, machines to access your data and networks only if they are authorized to do so.
Identity and access management is the core foundation for ensuring that this happens and enforcing policies around this. So identity and access management, again, has been the perimeter for on-prem equipment, servers, IoT devices and mobile devices, but if you are extending your IT services and workloads to cloud platforms, infrastructure as a service such as AWS or Azure or Google Cloud, or platform as a service such as Bluemix and others, or software as a service such as Salesforce, Workday and others, it is clear that those environments have minimal to zero network perimeter. So identity maintenance, understanding the identity entitlements and access rights, what they can access and what they can actually do in the various cloud platforms, is absolutely very important. This is true for business users as well as for administrative or privileged users as well.
However, identity and access management is really a fairly difficult and complex set of processes and tools, so I think it's also important to understand that identity and access management, to a lot greater degree than other security principles, is about processes and not only tools. So, processes meaning on-boarding/joiner, mover/leaver processes, attestation, access re-certification, access requests, submission and approval processes, and also about tools. So you have to have your tools that map to these business requirements that you have. So, what are some of these tools that we have to look at? Definitely directories which store user information, usernames and passwords or other credentials for users. Entitlements of users, what the user can have access to, what they don't have access to, groups, security groups, or other types of groups. And increasingly in the IoT world, information about these connected devices. Where they are, how they are grouped, what their entitlements are, etc. So directories are not only user stores but general repositories of entity information and credentials.
Then there's access management, which is really all about understanding who can get access to what, and how do you actually enforce that access. This is about authenticating users to a resource, may be a web application, data files, data file shares, etc., and really how you log this, how do you manage these policies centrally. And then two factor authentication systems, which really augment and strengthen passwords in many cases, using tokens, push notification, biometrics, fingerprint, facial, voice, risk based authentication, understanding network context such as geolocation, device identity, device reputation, and really using all these to apply more logic and more hurdles to bad guys trying to get into your environment, and really asking them and forcing them to prove their identities using exquisite authentication if it's a risky access. And identity as a service definitely belongs to these tools. These are tools that are cloud based applications that typically provide enterprise mobility management as well as access controls, federated access controls, two factor authentication in a lot of cases, even access request submission approvals, user account provisioning and de-provisioning to cloud based and even on-prem applications based on HR sources of truth.
And lastly, privileged day to day management. Really managing who can get access to which server, how they check out a password or set of credentials to a server, may be a human being or an application. How do you actually manage that access, how do you monitor what the admin user does on that session. Looking for bad activities, looking for unusual activities, looking for data that may be actually something that they should not be doing, or even data transfer anomalies. Again, this is identity, looking at the data movement, looking at the access actions of users, looking at access re-certification, looking at access request submissions and approvals. So, clearly a lot of areas, a lot of protection layers in a zero trust ecosystem.
Obviously, just to kind of reiterate, the password problem. We see that passwords and privileged credentials are responsible or play some kind of a role in 80% of data breaches out there. So, 80% of all data breaches involve some kind of misuse of administrative privileges that you can steal from an endpoint. And a lot of times these are all stolen endpoints, and a lot of times you have to have network analysis and behavioral analytics, which may or may not be good enough or fast enough to really be able to understand as to what's going on. So, having talked about the zero trust support with identity and access management, and having concluded that in the large family of these identity access management systems, identity as a service, or cloud provided identity, provides basically one of the broadest sets of capabilities in the identity and access management arena.
Let's talk a bit about some of our key takeaways from our identity and access management wave that we have conducted. So, this is the wave graphic. I don't really think I need to talk to you much about this, but in the leader segment, we had Okta, Centrify, Microsoft, and in the strong performer segment we had OneLogin and Ping, and in the contenders part we had Oracle, whilst in the challengers segment we had Gemalto. I don't want to necessarily get into the how's and why's of this, basically why a certain vendor places higher than others. I encourage you to actually look at this wave, get the spreadsheet and understand some of these comparison capabilities. Instead, what I'd like to do today is talk a bit about some of our really new found requirements. Some of the requirements that we included in this wave. Criteria that we included in this wave that we took away from end user inquiries as being more important than others.
One thing in the IDaaS wave that we looked at was user directory support. So this is a very important aspect as to what degree does the identity as a service tool in the cloud support your user directories, may these directories be on premises or in the cloud. So this is the alpha of good identity and access management, that you have to have a strong support for user directories, user stores. Be able to draw information from these user stores, manage the contents of these user stores, create, modify, delete users, or deactivate users in these user stores, and do it really at scale and in a highly available fashion. Next thing is access management policies. So this is all about, okay, once a user is authenticated, how do you actually apply finer controls for what the user can or cannot do. So how do you tailor what application a user should or should not be able to get in terms of applications. Or how is the user able to actually customize their portal, their service portal. What kind of self service type of capabilities the user has. So this is access management policies, really all about protocol support and other areas.
The next related criterion is protocol support. To what degree you're able to support SAML or OAuth, OpenID Connect and other WS-* protocols and standards in the tool. Obviously these standards and protocols have become the foundation or building blocks of any decent identity access management system, so you kind of have to have support for these. Step up authentication is really an important aspect as well. How a user is able to be challenged to provide additional authentication in the case of a risky or high value transaction. So if you're trying to, for example, transfer a large amount of money or, for example, change a certain attribute of your employee profile in the corporate directory, you may have to do step up authentication. The question is, how you are able to do this and how easy it is to design, enforce and audit policies that then drive these step up authentication capabilities.
Then we also looked at the SAML and non-SAML application ecosystems. So really understanding how broad a set of on premises as well as cloud applications the identity as a service provider actually integrates with, cloud apps such as Salesforce (SFDC) and all the thousands, literally thousands of applications that an IDaaS service should integrate with. It's safe to say that a SAML integration is out of the box. SAML integrations are typically under a few hundred, and the non-SAML application integrations, which are typically form posted using a plug-in in the browser, go to a thousand. I think you want to look at this and match what the vendor actually supports and then provides a certified and product-type support for, and how those applications actually match your own application portfolio.
Next thing is provisioning support. So this is all about if there is a change, for example, in a connected application such as an HR source, maybe on-prem or cloud based HR source. Like a Workday, or an on-prem Oracle or SAP HR system. If there's a new employee being added to that system, how can that employee actually get access to security groups and how that membership in those security groups actually drives application accounts being created in the cloud. So if a new user is on-boarded, the IDaaS platform should actually, if the user is authorized, create the access to Salesforce or Office 365 or whatever platform you have if the user actually requires it. So again, feed based provisioning is something that we see as being a core building block of IDaaS platforms these days.
In relationship to this, how easy or difficult it is to actually set up connectors to these SaaS applications. Again, fairly ... A lot of differences between tools in this space in terms of how you're able to connect to new applications. There should be a lot of ease of use and really kind of administrative ability to add new SaaS applications in the cloud as well as on-prem applications. Again, this is another area where we usually encourage customers to do a deep dive and get a good understanding of what the product and solution does. Continuing on to the further differentiating criteria that we saw on the wave. ID analytics and threat feeds are starting to make their way into IDaaS products. So this is all about understanding and using third party or vendor provided information around things like risky IP addresses. So if you have a log in activity from a risky IP address, that may be problematic, and you may have to crank up your security posture on these aspects.
To what degree does the solution provide on-prem application single sign on. This is the ability to work with on-prem applications, on-prem legacy systems. It's not all cloud for a lot of organizations, so you want to use one identity system that can cover both your cloud but also your on premises applications and provide single sign on. Then you have end user self service, so these are things like forgotten username and forgotten password recovery, password reset, setting up a two factor authentication token in the solution, how easy or difficult that is. And then we've also seen mobile application support being a very differentiating capability across the vendors. To what degree, A, can an IDaaS solution provide functionality for managing mobile devices in terms of authorizing them, and B, to what degree does the IDaaS solution actually provide its own portal, provide its own two factor authentication to the app, but also a portal that can represent and show enterprise approved cloud or on-prem applications to the user. How can you use that portal, how can you rearrange icons on that portal, how that portal actually provides password reset, forgotten user ID recovery and other types of experiences. Again, very, very important aspect here.
Next thing is enterprise mobility management, which is really about managing mobile devices, putting a secure container or certificate on these devices. Really being able to remotely wipe these devices or trust these devices or enroll these devices. This is very much about protecting data that is saved onto these mobile devices. Even if you're able to log onto Office 365 on your mobile device, if you lose your device and somebody unlocks it, they shouldn't be able to look at your corporate presentations, Excel spreadsheets, in many cases revealing important intellectual property or personally identifiable information. The remaining aspects that we looked at were API security, to what degree can the IDaaS tool provide non-human interaction identity management, access controls. So typically app to app, application to application, calls, identity management, authentication and authorization support. Reporting, the depth and breadth of what you're able to get out of these platforms. Obviously one of the key drivers that we see in adoption of identity as a service platforms is really to what degree can you squeeze out reports, graphical or textual, on the platform. To what degree can you customize these reports.
And lastly, scalability. So these tools really play a central role in ensuring a zero trust ecosystem and really, if these IDaaS solutions fail, nobody's going to be able to really do anything in your environment, so they have to be rock solid and scale to thousands, tens of thousands, or even hundreds of thousands of users and user requests for authentication and authorization as well. So, these were the differentiating criteria on our Forrester identity as a service wave. But let's talk a bit about some of the future trends that we see in this area.
One of the biggest and most important benefits of identity as a service out there that we see is not only the ability to reduce your on-prem labor cost and really be able to use templatized policies and reduce the customization need, but it's also the network effect, the fix once, fix for all kind of aspect. So, in an Identity as a Service environment, the vendors are increasingly pushing templates, pushing policies essentially, and if you see, for example, a problem with an SSO library or see an exploit on some buffer overflow, the IDaaS vendor and solution provider can roll out a fix to all its clients really at the same time, and the customers don't have to actually do anything much actively to get that fix, versus in the old world, you have to apply that fix manually, make sure, test it out and then roll it out into production. That takes time and a lot of human labor. Again, the network effect, the fix once, fix for all, is very important. Then reducing the cost of rule management is also an important aspect here. Using machine learning, other behavioral tools is just going to take over this manual rule management of basically specifying bad IP address ranges, good IP address ranges and maintaining those lists. And again, reducing false positives is an important aspect here as well.
We see machine learning hype being largely over. Customers are getting smarter about machine learning, artificial intelligence, algorithms. They're asking questions about how you actually operationalize these technologies, how you provide better accuracy in terms of false accept and false reject rates. Self checking algorithms are more common than they were two, three years ago. These algorithms are able to report deficiencies and even deteriorations in efficiencies. And again, scalability of these algorithms is getting better and better, so you require less and less computing power to basically perform the same level or more computationally intensive machine learning algorithms. In the past some of these algorithms have been outright impossible, not practically feasible on platforms. Again, machine learning for access controls, understanding and building normalcy baselines of what users are accessing and then detecting any kind of anomalies from that baseline is absolutely important.
Risk based methods, going beyond simple risk based authentication. So this is what we have today in terms of if the user is coming in from a bad IP address, or if the user is coming in from a device which has a bad reputation, may have been used for hacking into other accounts or may have been used for committing fraud on other websites, then you basically apply a score, a risk score, to the transaction, higher in the request, that the user provide maybe a CAPTCHA or even a two factor authenticator, a token, a push notification, biometrics, etc. We're finding that these risk based methods are actually extending beyond just authentication. So they are more and more adopted in places like identity governance, so understanding who requested access to what application, who approved it, whether these requests are actually more than what the peer group of a user might have, is the user actually using these entitlements they got, are they maybe not using them at all, etc.
In addition to this, threat response is definitely something where we're going to see risk based methods. Understanding how risky an action is, in what environment that action happens, and then basically determining the risk response to that, to really alleviate some of the long found management fatigue that we've been experiencing, so too many things to investigate out there. And then finally, access management and automatic policy management, we're going to be seeing a lot more advances there as well.
Last two things here. One is identity analytics, basically using new threat signals, using machine learning, so really understanding who has requested what, who has logged in from where, based on things like log files, access request activities and logs, DNS information, device fingerprint, network forensics, so correlating network activity, packet level information, packet logs to directory information. Who logged in when, and correlating that information with what happened on the network. And really, ultimately marketing information, so B.I. (business intelligence), how users have migrated and manipulated and navigated through a website. How that actually ties to your device logs, how that ties to your network activity or access logs.
And lastly, device IoT, internet of things. Evolving beyond just identity access management. Again, these devices require a massive scale of identity management capabilities. You know, you have to manage identities, registration, de-registration, provisioning, user identity provisioning of multiple thousands of these devices out there. And again, the life cycle management, biometric authentication, voice based authentication to these IoT devices is absolutely going to be very important here. And again, they have to ... Identity access management will have to handle not only people, apps, but also systems and devices, so we're expecting a huge shift and a huge additional set of requirements that IoT will bring to these identity as a service access systems. Authorization is specifically an area where we're going to see a lot of changes, but also data protection, how you protect the information that's stored on a device, how you do real time detection to mitigate or prevent denial of service kind of attacks. Maintaining the integrity of network access controls is very important. So all these aspects are key building blocks of a zero trust identity supported ecosystem that expands not only to the network but also to data, so data protection, as well as to application access rights.
So with that, I'd like to conclude my part of today's presentation and hand it over to Teresa.
Thanks so much, Andras. You know, again, this is just great information that you provided. I really appreciate your perspective on how identity ... I really love that first slide that you showed, that identity is really becoming that central hub of this zero trust ecosystem, and then taking the audience through the different building blocks and criteria that are really what's important today, as well as looking at what's important tomorrow. So, expanding on some of the insight that you brought today, I wanted to take the last moment of this webinar to really address how Centrify is really taking this zero trust security approach, and how identity, and just really how the zero trust model, is really the foundation of what our solutions and what our offerings really bring.
So in order to do that, the next slide, I think, to kind of have some context of going and pivoting towards what that foundation is being created from, I really would like to share with you and take a look and spend some time just to see what's not working today. What's broken? As you can see from this stat, if you guys just take a pause and just look, for the past year or so as an industry, globally, we've spent over 80 billion dollars in security, yet two thirds of companies are still being breached, and of those that are breached, they've been breached at least five or more times. So when you look at this, this stat is alarming and compelling at the same time, because at the end of the day, when we continually spend billions of dollars in security but we are seeing so many hacks and breaches still occur, in fact even outpacing the investment that we put in, I think we all need to ask ourselves: is it realistic that we're expecting a different result if we're doing the same thing? Maybe it's time to, again, rethink what we do and revisit our priorities.
And this is a lot of what you, Andras, touched on earlier in your slides when you said the perimeter is really long gone, and you talked about factors like digital transformation, including cloud adoption, including mobility and IoT devices, and also talked about identity really being that top attack vector. I think you mentioned earlier that 80% of breaches involve privileged credential misuse. Again, alarming: over 81%, this is from the Verizon DBIR earlier this past year, of breaches involved weak or stolen passwords. And I think the reality is, one, there's obviously no longer a perimeter, but two is that hackers know that the lowest common denominator is really to steal that username and password. And so we really have to shift to just a different way, a fundamental mind shift into a zero trust approach, and Andras had earlier mentioned what that approach is. Well, really the concept is flipping the fundamentals: before, you had this strong perimeter and you trusted everything inside it. Well now, let's not trust anything. Verify everything first and don't trust anything. Assume that the bad guys are already within your, quote unquote, perimeter.
This concept is just elaborating on this zero trust principle. It isn't something that was invented last month or this past year; in fact, it's been discussed for quite some time. Forrester were actually the ones that developed and coined this zero trust term, and even folks like Google actually implemented this zero trust security framework within their corporation and rebranded it as BeyondCorp. So at Centrify, we fundamentally believe, we've really embraced this security model where everything, from users to endpoints to devices, everything is assumed untrusted and really needs to be verified first. And I really want to take the audience through what the core tenets are that Centrify really believes in when it comes to zero trust security, and specifically how identity plays the core pillar part in this fundamental mind shift.
So one, it's first about verifying the user. Making sure that someone is who they say they are. I'll take Andras for example: making sure that Andras is who he says he is. The second step is really verifying the device. Ensuring that Andras is coming from a verified or known endpoint. Making sure that it's validated before we grant him access to resources. Once these two conditions are met, we're able to give Andras some sort of access, but we're always performing some level of control so that he always has the least amount of access. And then finally, through learning analytics and machine learning and data, we're continuously leveraging this information to learn and adapt. To set these preventative controls, to constantly learn and adapt, and to give Andras only the access that he needs to do the task at hand.
This next slide really kind of breaks it down: okay, when we talk about verifying the user, what does Centrify mean? What are the tenets that make up and constitute verifying the user? So we all have unique identities, right? I am Teresa because I have distinct qualities that make Teresa, and Andras is Andras the same way; he has very distinct qualities that make him up. So I think through capabilities such as multi-factor authentication, this really gives you the ability to demonstrate that unique ID. At Centrify, we firmly believe that MFA should be implemented everywhere. We have this tag line of saying "MFA everywhere." It's really not just about a subset of your users; it should be implemented for all your users and for all types of access. Whether it's application access, whether it's server access, privileged access, all access has to be protected by MFA.
The next step is to improve upon that MFA: we firmly believe that you really need to implement behavior-based access. Today, for example, I'm calling in remotely, actually from San Francisco; I've been in this all-hands meeting up in the city. Normally I don't live in San Francisco, our headquarters are not located in San Francisco, I normally don't ever log in from here, and so this morning I had to re-authenticate myself. So this is just an example of how this increases security. But also think of it from the perspective that, at the end of the day, it's also about creating greater user experiences for the end user. MFA should never be burdensome for you or me or anybody; we should always incorporate it and make it more personalized with behavior-based analytics. If we know, essentially, more about the user, then we can make better choices of when to prompt them and when not to in terms of authentication.
And finally, once a person is authenticated, how do they get access to that application? There really should not be any password. That's where standards such as SAML, which removes passwords from applications, come in; these types of best practices should really be implemented. So these are the core fundamental tenets that really make up how one verifies the user. Now the next step is essential: verifying the device as well. This is the second core tenet of the zero trust approach. A lot of you guys are probably evaluating some sort of next-generation endpoint security solution, right? These types of solutions can definitely be complemented with identity-centric preventative controls on the endpoint. So what do I mean specifically by that? Well, one, we already talked about MFA; definitely implement MFA on endpoints, right? So again, when I'm using, for example, my Windows laptop, I need to MFA from that laptop to ensure that it's me accessing that laptop. Number two, it's all about implementing device identity as well. Think about your organization. If everybody in your organization and company registers their personal device, whether it's a mobile phone or an iPad, at least you know they're coming from a registered device. So you can also complement that with policies that, for example, only allow devices access if they meet certain security standards or settings.
And the third and final kind of pointer on here is you want to ensure you implement controls for privileged commands as well. Too much privilege essentially means that ransomware can be installed on that endpoint. So the takeaway here is really: grant privileges only when required. And all of these controls really complement, again, and accentuate that next-generation endpoint security that you either already have or are evaluating. And holistically, the combination of these two will really give you a verified and secured posture for that endpoint, and we really think that that's crucial. And finally, I wanted to talk to you guys about limiting access and privilege. So when we bring the two concepts together of verifying the user and verifying the endpoint, we're able to create and give users access and policies that are based on this access decision.
So again, going back to the example: I've been authenticated, let's say, by MFA, I'm already at this known location, I'm already using a registered device, and now, yes, I have access to the Salesforce (SFDC) application. Let's say I'm a salesperson; what can I do inside of Salesforce? Well, that's where least privilege comes in, because if I'm a salesperson, I should only be able to look at my territory. But then if I'm VP of sales, I should be able to look across all territories for my entire company, right? So this same example can be applied to the data center. Many times, system admins have full access to root accounts. That's really risky, so we at Centrify firmly believe that every person should really have zero access at any point in time and only have access when they need it. If you implement least privilege, you have controls such as MFA that help you control your environments and limit that movement within the environment. At the end of the day, when we talk about enforcing least privilege, it's really a principle of saying that at any given point in time a user is assigned the minimal amount of access that they need to do the task at hand.
The fourth pillar when it comes to zero trust, and one of the core beliefs that we have, is really about learning and adapting through machine learning. Andras had mentioned this before: machine learning is no longer just hype. It's reality. And so why is this so topical today? I think there are so many smart things that we can do with machine learning. In fact, I just read a report, it was a survey from Deloitte, around machine learning being one of the top investments across all companies, and specifically those companies that are resource-constrained, because it enables productivity. And what do I mean by that? We already talked about, let's say, verifying the user, the device, and all of these components are generating data. We can kind of compile this data so it enables us to make decisions around allowing or blocking access. Automatically making decisions around stepping up authentication, right? And then I think what's also probably the most important, and the crux of what machine learning brings, is that it's able to provide and enable changing roles and changing policies when we need to. We're able to have sort of a system to kind of self-regulate and tell us when policies need to be changed, and I think that's really a key part in assisting and moving towards this zero trust model approach.
And so, this is probably one of my last slides here. I want to say that at Centrify we fundamentally believe that you need a platform to be able to provide secure access across all these different types of resources, across all your users. And I want to really emphasize the word platform. Some of you might automatically think, "Okay, she's pivoting to platform, but I want to stick with my point product solution, I want to stick with best in breed," and what I'll say to that is, I think there's always a time and place for buying different tools and different products. But you gotta also look at times when you want to choose a single provider as well. And in this case you really should be able to look at the convergence of these tools, because at the end of the day there's a lot of commonality between them. If you think of, just looking at this diagram, securing access to apps, is that really that much different from securing access to a server?
In reality, the concept is really the same. It's all about securing access, right? So why should we really introduce different gaps in security by introducing different tools? And it's the same with users as well. Is there really any difference between me trying to access Salesforce and an admin requesting access to a server? In both cases I'll need to MFA; in both cases I probably need to go through some sort of approval policy. So the point that I'm trying to make is, let's not introduce gaps by introducing different tools and products when we don't really need to. I think there's definitely a convergence in this area, and at the end of the day you can still pick best-of-breed tools. You don't have to forsake best of breed by going to a platform. And I obviously work at Centrify; I am so proud of our technology and of our products. This pride is backed by proof points: don't just listen to me, listen to third-party analysts and other resources. We are the only vendor that plays and has clear market leadership not only in the Privileged Identity Management (PIM/PAM) market but in IDaaS as well as enterprise mobility management.
You don't have to give up best of breed is basically the point that I'm trying to make, and I think there are advantages to going to this unified platform approach. And from Centrify's perspective, we always had this vision from the start, and again, it's really to secure that access, whether it's to applications or infrastructure, from any endpoint, for all users. I just, again, I think this is my last slide before we move to Q and A, but hopefully, you know, this information that we provided today really gives you some sort of more ammo or more data points to look at pivoting to a zero trust mindset, and how identity is really just this fundamental pillar that is really driving this and really, like Andras mentioned, this hub and core of ecosystems. So when you're evaluating IDaaS tools or PIM tools, just think about how this zero trust approach really layers in when you're looking at criteria for all these tools. So thank you again, and I think right now we have about five minutes to go through some Q and A. So let me just pull this up right now.
Okay, I've got one for Andras. Andras, when you talk about some of the trends, can you kind of elaborate on that and discuss what you think the top two or three within the next coming year will really be that are impactful in the IDaaS space?
Sure, sure. So obviously, better use of threat information, public or proprietary, corporate-sourced information. Understanding the context and being able to pull it into policy management. Things like user IDs or IP addresses that have been compromised. So that's one thing. The second biggest trend that I would say will happen is, again, understanding the analytics and AI of identities. How various identities are accessing the system and environment, building better models around that, anomaly detection. Lastly, I should say we're going to see a lot more improvements around the whole access governance and management of identity, identity management and governance aspects for access request submission, approvals, and re-certifications, periodic certification of users.
Right, thank you. All right. Let's look at some other questions here. Okay, so this one's: "Teresa, you ... On the last slide there was a mention of enterprise mobility management. Do you see mobility also converging with identity? What is Centrify's take?"
So, absolutely, we've always known that these two markets were going to converge. We strategically built a mobile solution from the ground up, and we place it as part of our IDaaS offering. So we firmly believe that EMM without identity is just really an incomplete solution, because the two of them go together hand in hand and provide greater security and a greater end user experience. The chart that I showed on the last slide, it's basically ... We were stack ranked head to head against standalone EMM vendors like MobileIron or BlackBerry, and we scored a perfect score in product vision and in the areas of mobility, identity and access in the latest Forrester EMM rating. So in our opinion, we really believe that this is just another proof point of the validation of the convergence of mobility and identity. So hopefully that answers that question.
I don't see any other questions here. Again, this PowerPoint will be available to those that registered, and I really just want to thank everybody for attending today's webinar, and specifically thank Andras for being our guest speaker today. So, thank you, everybody.