CarahCast: Podcasts on Technology in the Public Sector

FCW ICAM Workshop ft. Keeper Security: Securing Every User and Every Application, on Every Device

Episode Summary

Listen to FCW, Keeper Security, and Carahsoft’s latest podcast on the topic of "Securing every user, every application on every device." This episode is an extension of Keeper Security’s presentation at FCW’s recent ICAM Workshop.

Episode Transcription

Corey Baumgartner 

On behalf of FCW, Keeper Security, and Carahsoft, we would like to welcome you to today's podcast on the topic of securing every user, every application on every device, which is an extension of Keeper Security's presentation at FCW's recent ICAM workshop. In this episode, Mark Cravotta, Chief Revenue Officer at Keeper Security, will discuss how stolen and weak passwords and secrets are the leading cause of data breaches for most organizations, as a result of their lack of visibility, security or control over their users' passwords, credentials and secrets on every device, application and system. He will then dive deeper and explain how your organization's largest security gap can be closed quickly and cost-effectively by implementing comprehensive password security policies.


Mark Cravotta 

My chat here today is about the concept of every user, every application and every device, and just how that's relevant not only to government solutions, but to, you know, IT systems worldwide. So, here's a reality right now. And this is from the Verizon data report: over 80% of the security breaches out there today are due to weak password security related controls. And that's essentially everything from Dark Web compromised passwords, with north of 20 billion of them out there, to phishing attacks, you name it. It's still the easiest way into an organization. And when you look at some of these widespread breaches, even the ones of the past month, credentials are usually at the root of this. And, you know, some of the things that both gentlemen talked about earlier are fantastic, but we're still missing the average user who is getting breached. And, you know, the positive side of the government is that, you know, we are implementing controls like physical cards, like CAC cards or YubiKey devices, and strong multi-factor authentication, which are essential. But still, these users are getting breached every single day. And it's not just the commercial sector. It's not just small businesses, the government as well. So, this is a problem we're trying to tackle. The net of it is password management is the world's most pervasive security issue. And I would go so far as to say the credentials are the new endpoint. And what do I mean by that? If you reverse 10 years, we spent tens of thousands of millions of dollars on endpoint security, predominantly focused on virus and malware. Organizations like Symantec and McAfee rose to the point where every single one of those endpoints had some kind of anti-malware, anti-virus. We've solved for a lot of that today, in that those tools are pervasive, they're delivered with firewalls and things like that now, but we haven't necessarily solved the password management issue.
And I fully agree with what Kenny had to say about that. Yes, we support the idea that one day passwords will go away, but today, they haven't. And it's not going to be anytime soon. And you know, if you look at my bio, I ran cyber for CA Technologies, and a lot of us would say that the mainframe would go away. And it hasn't. It's still very prevalent, very prominent in a lot of organizations. And so, while that may very well happen, we have to solve for it as well. The reality of that pervasive problem is that it impacts every single user, every application, and every device, and all of them must be secured. And, you know, until that happens, the threat surface continues to multiply exponentially. If you think about, you know, just us as individuals today, how many devices we own versus five years ago, it is just growing, and how many we might own. You know, it started with a telephone, and now it's tablets, it's IoT devices, you name it, and they continue to proliferate. So, you know, this is kind of what that looks like: you have exponential proliferation of IoT, you know, exponential proliferation of cloud computing, and therefore, your threat surface and your risk of cyber-attack is also growing exponentially. You know, what's causing this? I mean, if you look at three years ago, you look at our perimeter. It was very different, and especially in the government. Clearly, most things were on prem, there was some form of maybe hybrid, BYOD was tightly managed, and, you know, the enterprise governed all the devices. COVID caused a lot of this, even in the government. It pushed us off prem, it pushed us outside of our firewall. It caused us to quickly adopt cloud technologies or multi-cloud technologies or hybrid technologies that we may not have researched as well but had a need for immediately, and required us to bring your own device in certain organizations.
And then, you know, you think about enterprise-governed devices, but operating on millions of different networks and cloud apps. So, you know, when people went home, they were working on their local network. And with them, they took credentials and secrets. So, you know, this is the landscape today, one of the biggest problems out there, and this problem is pervasive. There is no visibility, security or control over employee passwords, credentials and secrets. And what I mean by that is, you know, I kind of stated that stolen and weak passwords are the leading cause of data breaches. But if you look at the enterprise's ability to govern that, as an IT professional, I do not know what an employee's password is, and I'm even in my SSO system. So, you know, I very well may be able to enforce complexity. But what I can't enforce is the idea that that credential may very well be compromised and present on the dark web. That is the first issue. The second issue, what we call the security adoption paradox, and Hansel spoke about it: you know, the more security we provide, the fewer the employees who want to use it. They want frictionless. I agree with Kenny. I mean, the idea of, you know, keeping and storing and entering passwords is archaic. People want biometrics, they want dynamic logins, they want to be identified seamlessly. And, you know, this is a problem that we're all trying to solve for. The reality of it is, and what I like about this workshop, is there is no silver bullet, and there is no one answer. So, you know, I talked a little bit about endpoint security. That's a requirement. So, we still have to secure the network and the perimeter, and the idea of password security has to be addressed. And, you know, this is one of those things that, I think, is low-hanging fruit, but it's also less sophisticated than maybe the SSO solution provided by the identity provider. I mean, I am a huge fan.
And you know, if you ask me, that's one of the primary things that you should implement, and Hansel pointed it out. A lot of us have adopted training, things like phishing training and how to avoid malicious links and how to stop from getting hacked through phishing attacks. We talked a lot about two-factor authentication or multi-factor authentication; Kenny spoke of it. Yes, I mean, and you know, not only the soft tokens, but hard tokens, CAC cards, etc. I think the BeyondTrust team is doing a little bit of this presentation today. So, you know, we're firm believers in Privileged Access Management. And then a lot of us don't really think about secrets. And just, you know, for those that, you know, are maybe new to that, secrets are machine-to-machine credentials. So, human secrets are passwords. Machine credentials are secrets. And so, they have to be covered as well. And we believe that this is what represents a comprehensive strategy around identity. And you know that point was well taken; I believe that identity is one of the primary issues out there that we have to solve for. Realistically, a little bit about that. So, Hansel spoke about SSO. And yes, by all means, that is one of the best ways to provide seamless authentication. But when married up with password management, we can not only have SSO and single sign-on and some of that seamless integration, but we can also provide visibility and control in that, not in a native way, but in comparing a hashed password in a password management database and a hashed password on the dark web, and comparing them to see if that credential is present, and then flagging it if it is. The concept of non-SAML compliant applications: you know, less an issue in some organizations, a big issue in others. Now, not everything is SAML compliant. Not everything is ready for SSO. And so, we have credentials that we have to manage, they need to be complex, and they need to be accessed throughout the enterprise.
Same for native apps, for older apps, AS/400, mainframe, etc. The concept of encryption for storing credentials, and not only credentials: metadata, documents, media files. So you know, a lot of us will go to the doctor's office and fill out these forms in plain text that have PII, and oftentimes PHI. It's absurd. So, the idea that a platform exists where you can share those types of things in an encrypted, Zero Trust format is essential. And, you know, by us transmitting by email or through insecure forms and storing things unencrypted at doctor's offices, we're improving the risk of our credentials being breached every day. There's a concept of smaller businesses, and even within a government, smaller agencies, smaller departments that have limited staff, limited budget. And, you know, password management can help with that. And this isn't really a knock on SSO; there's a lot of work that's being done with any SSO to provide rapid deployment, rapid rollout, and kind of templated provisioning of SSO. And we believe in it; if an organization can have it, we think it's fantastic. We do have to talk about the cost and time to integrate and provision. Standing up an enterprise password management stack, fully integrated to the SSO stack, takes about an hour. And this is, you know, a critical thing, because organizations are tapped, you know, they've just gotten done with an SSO implementation, they've got done with a modern directory, they've implemented, you know, sophisticated Privileged Access Management, and their money, time and energy to do more to get all the way down that identity stack. And so, it's important that there are tools out there that are quick and easy to implement, that can help reduce that threat surface. Client-side encryption is a big one, and we're going to talk about that.
And I'm going to talk a little bit about the concept of zero knowledge. I think you've heard an excellent, you know, depiction of Zero Trust from Hansel, and I'll capitalize on that here in a second. A couple of things about privileged access, because it is an important part of our identity stack. Traditional PAM, you know, focuses on, you know, very sophisticated IT users with comprehensive secrets. But it's also very much built for the IT user; it's sophisticated. It's not, you know, intuitive. We believe that the future of privileged access, and we know the folks at BeyondTrust and the others are working on this, is it's not just writing anymore; at some point, everybody's a privileged user, everybody has some kind of a secret, or credential or knowledge, that has information that is sensitive to the organization. You know, one of the things we want to point out is that, you know, we looked at the identity stack. The challenge with the stack is it's not ubiquitous, and it's not unified. So, we all have different solutions, and we're doing our best to seamlessly integrate with one another, but it still needs to be moved further. So, a few points or takeaways. Organizations' infrastructure has both humans and machines; both need to be protected. We can agree that the traditional IT perimeter is vaporized, we can believe that cloud computing or hybrid computing is coming even in the government. And you see some of that, you know, kind of this multi-faceted cloud, hybrid, on-prem solution. Our attack surface is as large as it's ever been, you know, CISOs are grappling with the idea of separate isolated software products to gain complete visibility, seamless access, control, authentication, and the security necessary to prevent a cyber-attack. For those of you that have been breached, and I'm a former incident responder, you know, it's devastating, and most of us never saw it coming.
You know, I can tell you stories of it. I worked over 2000 breaches two years ago, in a single year, and, you know, organizations thought that they had the right infrastructure, and were still penetrated and breached.



And then, you know, the idea of this heterogeneous, you know, operating environment, it's just really hard, because every time you pull two things together, you leave a small gap. And inside of that gap is a vulnerability. I want to talk a little bit about zero knowledge. So, Zero Trust, I think we can understand. I always, you know, depict Zero Trust as your front door. The reason there's a keyhole in there is because you don't trust anybody coming to your door. You verify them for who they are, why they're there, and what their purpose is. And you let them through based on knowledge. That's Zero Trust; zero knowledge takes it a step further. And this happens with a lot of the data breaches. It's awesome. Zero Trust organizations have been breached. But the question is, what are they getting? And zero knowledge is the idea that there's nothing on the server in the cloud that can be readily decrypted or stolen, because it has a tie back to the client side. So, you know, what is zero knowledge? First off, device-level encryption, and not only that, record-level encryption. So, the thing that we deployed to solve for this is the idea that every record, every file, everything has its own independent encryption key, and it's a 256-bit key. It also is FIPS 140-2 compliant. Nothing is ever stored in plain text, it's all ciphertext, the server never receives plain text, no third party can view unencrypted data. And the keys to decrypt and encrypt data are derived. So even on the client side, the decryption keys don't exist. They're derived based on authentication. So, the idea of what Hansel talked about, SSO authentication, or a master password, you know, allows us to, you know, leverage that, derive a decryption key and unwrap a vault; it requires all of that in order for the vault to be exposed to the end user.
But none of that's on the server. The idea of multi-layer encryption, and access control, and then, you know, again, he also covered the public key cryptography. But you know, the distribution of that, and the client-side portion of that, is so critical. So, you know, I think the concept of zero knowledge will continue to evolve. And it will work right along Zero Trust. But cloud providers have to protect data. If you store metadata, if you store data in plain text, if you store encryption keys, you're increasing your threat surface, even though you're secure, for a breach to occur, and for somebody with malicious intent to decrypt a client's data or PII. Towards the end of this, just a few use cases that we're solving for. One is obviously password management. A lot of the players in the stack are working on this. So, the idea of protecting passwords, rotating passwords, metadata, files, etc. One of the big use cases is sharing. And, you know, hey, that's a no, sharing passwords, but the reality of it is in an IT department, an SSH key, you'll have to share that, and creating a way to share that password where it can be done with zero knowledge to the user. So, it is fully masked, that it can be rotated, and without the user having to know that it was rotated, it's just available in real time. And that you can share files associated with it that might actually have, you know, scripts or, you know, SSH keys, things like that, that are part of that, to be able to share that and to embed the multi-factor authentication piece, so that, you know, the person who has that tied to their device doesn't have to be woken up in the middle of the night. It's embedded in the record, it still queries the multi-factor in real time, and enters it into the record. So that use case is really important.
It's huge, one of our biggest use cases for sophisticated IT staffs is the idea of secrets management, integrated into the password management. I mean, a machine should be treated no differently than a human. Privileged session management, which a lot of us are covering: the idea of, you know, getting beyond tools and getting up to native tools like RDP, things like that. Just basic remote infrastructure access. Single sign-on, strengthening single sign-on: I have it, but what about the rest of it? And how do I leverage it? Passwordless and seamless authentication, absolutely, 100%. Credential governance, really deep role policies that leverage what's built in the SSO. Key management. Remote database access: a lot of tools don't address databases, and databases store some of the most critical secrets, so to be able to create policies and ways to quickly authenticate into a database and to not, you know, sacrifice any security to do it. And then the idea of compliance reporting and some integration is important. And really, that's it for me. I'd say, you know, it's a quick overview on some of the things that we're doing. I think the takeaway I'd like you all to have is that none of this supplants any of the other things that are being discussed today. It's complementary. It's designed to leverage the, you know, Okta is one of our biggest partners in the world. And, you know, I'd say 80% of our deployments have some form of SSO, a lot of them have, you know, a solid Privileged Access tool. Most people are using MFA, and then some are using none of it. And, you know, we're here to solve for the things that you don't have, and to leverage the things that you do have to make your security better and stronger. So, I'll certainly take any questions you might have.


Moderator

Insightful and engaging. You know, you just sort of hit on it. Across the landscape, there's organizations that are at all different points along the path here. We have a question from the audience about whether you think the issue is more password management and credentials, or with individuals. I guess, thinking, you know, is the problem writ large here that folks just aren't on top of password management and credentials the way that they should be, and perhaps the way that they should be using Keeper and other things, or is it really that individuals just aren't up to speed here yet?


Mark Cravotta 

I think it's both, but I mean, if you look at it, I mean, I'm a pretty sophisticated IT user, right? I work in things like incident response. And, you know, breach management. And, you know, I'm guilty of it with certain passwords that I have in my personal life, where I'm reusing a password or doing things that, you know, I know not to be secure. I don't react to a dark web notice, you know, from the Marriott or something like that. We're all guilty of it. So, to some extent, we're all a little bit lazy when it comes to passwords. And why? Because it's a pain. And so, the idea of Keeper, or any of the password tools, I don't make this a Keeper thing. The idea of it is that, you know, in a seamless way, using technologies like autofill and auto-detect, I can navigate to a site and hover over the Change Password feature. And in an automated fashion, it'll walk me through the changing of the password, store any complexity that I want, I can do 60 characters, you know, you name it, match it up to the policy of the site, save it and never have to think about it again. Now, when it comes time to launch that site, when I navigate onto a page like Amazon, and I hover over the login, it's going to bring up and prompt me: do you want to autofill your credentials? Absolutely. The reason why people don't is that they don't have these tools, and they're not readily available. You know, our biggest challenge is that people don't know who we are. And people don't know that there is an answer. IT departments know, they know how to use this. And their use case was the shared password that causes them to go to this. But, you know, this is why the name of my presentation is all users, every device, because everybody needs it. And, you know, we go so far as to give free family licenses away with our software, because we want to practice good password hygiene and security at home.
We just don't want those credentials embedded into the enterprise. And so, yes, I think the problem is people, but I think the problem is definitely passwords, and we're all in the same boat: we want to get away from them, and do away with them, but we can't. And so, the answer is coming up with tools that are user friendly, frictionless, seamless, and, you know, that are easy to deploy, without a lot of cost. And people will deploy them. And they will, as long as they operate in that fashion, you'll see adoption. But it's not an easy curve. And most of our organizations that purchase this type of platform, you know, go through an evolution on it. So, they'll start with certain departments, and they'll roll out more broadly as they go, as they build, you know, kind of confidence in the solution.


Moderator

Yeah, yeah, that makes sense. I completely agree. As someone who covers this space and cybersecurity, I'll get an email, and, you know, my password has just been involved in, you know, a hack, and I can't remember the last time I changed that password. So.


Mark Cravotta 

Yeah, we're just getting numb to it. And then the problem is when you use that password when you join a new company, and you brought it to your organization, and I'll go so far as to say that I am pretty sure that's happening. So, you know, and without visibility... So, you know, our admin console allows the IT staff to know that that credential is breached; they can't see it. It's zero knowledge. None of us know what it is. But we can determine, based on that hash comparison, that it is a compromised password, and then they can't change it themselves. They can't prompt the user to do it. So, there's a little bit of visibility and control over that.


Corey Baumgartner 

Thanks for listening. If you'd like more information on how Carahsoft or Keeper Security can assist your organization, please visit www.carahsoft.com or email us at keepersecurity@carahsoft.com. Thanks again for listening and have a great day.