Beyond Identity and the Zero Trust Security Ecosystem

Enterprise security requires a labyrinth of technologies to protect users, networks and assets, both on premise and in the cloud. By tying together leaders in identity, single sign-on and orchestration tools as well as virtual private networks, secure access service edge (frequently called zero trust network access), endpoint detection and response tools and code repositories, Beyond Identity enables enterprises to deliver the highest level of secure authentication for their extended workforce, customers and developers and advance the move to zero trust security.


Hello everybody. I'm Kurt Johnson, Vice President of Strategy and Business Development here at Beyond Identity, and want to share with you today a little bit about Beyond Identity and our technology partner ecosystem, really to help our customers on their journey to Zero Trust, creating this zero trust ecosystem to tie beyond identity into some of the most critical technologies, organizations are investing in today to really complete their entire security architecture.

First and foremost, you should be familiar with Beyond Identity by now and understand our passwordless, unphishable, multi-factor, authentication platform. And we serve at the center here, really to provide the basis and component for our customers to understand who and what is gaining access to our critical company resources regardless of device, regardless of platform. We do this by cryptographically binding the identity and device together to provide the most secure form of authentication possible. And tying that into the ecosystem, first and foremost, for employees to get access to the resources and applications they use every day, we tie into leading identity providers, such as Ping, Okta, Microsoft, ForgeRock, and others, working as a delegated identity provider into these platforms.

So there is no disruption to your underlying identity ecosystem and foundation tying directly into that to redirect to us to authenticate those users securely without passwords and pulling the device information to make policy decisions for employees accessing those applications and resources they do every day, whether that's the primary form of authentication or even as step-up authentication for multi-factor authentication. We do that for employees, but we also do that for customers, so employees and customers alike, whether you're using that IDP to tie-in to those applications or even platforms such as Auth0, and ForgeRock, and Ping, SIAM-focused solutions. Enabling that strongest form of authentication, bringing who and what for all the resources your customers are accessing as well as your employees. But let's think about some of those most privileged accounts and resources out there.

Understanding the privileged access management solutions from vendors, like CyberArk and Beyond Trust, and others who've created this ability of bringing a vault into their organization, which store these most critical resources and credentials. But to provide strong authentication into that, Beyond Identity is integrated into these PAM platforms to provide the strongest form of authentication. Again, identifying that user and identity and the device that they're coming in on in the security posture of that device prior to accessing any of those privileged credentials.

We also do this with the Endpoint Protection products. So as privileges on an endpoint are escalated, it can immediately trigger a signal to Beyond Identity to authenticate that user securely. So again, protecting your employees, protecting your customers, protecting your administrators accessing these privileged credentials, but also your developers.

And we have our DevOps, secure DevOps solution that is tied into leading git repository such as GitLab, GitHub, Atlassian Bitbucket, to provide the highest level of assurance on the identity of the developer and the device that they're accessing at the point of code commit. Not only securely authenticating that user, but also identifying that they are a corporate developer within policy to access or to commit code to that repo. And then also, what that device is, with a private key that resides on that device that can't be moved, can't be exported, providing customers the highest level of assurance and cutting down on the CI/CD pipeline attacks. All of the different things I've been talking about right now have really been focused again, on the primary form of authentication and the step-up authentication into the widest variety of resources to protect your employees, customers, administrators, as well as developers.

But the Zero Trust journey goes beyond that as well. We're also looking at various risk signals that could also help identify and provide higher level of assurance around who and what. And one aspect of that are the MDM vendors. Folks like VMware AirWatch, Intune for Microsoft, Mobile Iron, Jamf, products organizations are using to protect the mobile devices in their organization. Beyond Identity can increase the policy of these organizations by ensuring that those solutions and tools are in place, present on those devices and configured properly prior to providing access to any of these resources.

Similarly, when we're talking about risk signals on device, we can't help but talk about Endpoint Detection and Response Solutions. Increasingly popular within our customers from vendors like CrowdStrike, Sentinel One, and others. These solutions are critically important at looking at that device. Again, looking back at the what here, analyzing that device, understanding the risks, the vulnerabilities on that device, even the presence of malware and viruses. So as important as these tools are in our environments to protect those devices, again, Beyond Identity can check for the presence of those solutions, but also even get deeper in looking at some of those risk signals.

Adding to the array and variety of information that we capture ourselves regarding those vice security posture from solutions that even provide a deeper analysis. In the case of CrowdStrike, they've actually gone so far as to assemble this and calculate a zero-trust assessment score. And in this case, again, Beyond Identity can actually configure our policy engine to read that score at the point of authentication, so you can at the highest level of assurance, that the devices gaining access, meet the requirements for higher-level, higher-risk solutions within your organization. The other interesting aspect about endpoint detection and response is we've taken this a step further to actually create an API connection that can quarantine a device that comes out of policy for the notion of continuous authentication.

When Beyond Identity is first launched via an application access from a user, we look at that who and what, assemble that policy and either accept and give them access or deny access, but we are running on a continuous basis. So if anything happened on that device that now takes it out of policy, we can trigger an API call to CrowdStrike for example, to actually quarantine that device and require it to re-authenticate, which means it has to come back into policy before we allow access to whatever resource is being accessed.

Similarly, we are doing a same thing with Zero Trust network access vendors, Zscaler, Netskope, Palo Alto, and others, with a strong connection to bring zero or network-centric zero trust and identity-centric zero trust together. We can authenticate into these solutions with or without an identity provider, IDP platform underneath, but additionally, provide that level of quarantine capability as well. So if anything does change on that device, we can terminate the session within the Zero Trust network access solution requiring it to come back to us to re-authenticate prior to enabling access to that user and the device that they're on.

One of the other strong benefits of the Beyond Identity platform is our ability to create an immutable audit record that captures every identity, device, and resource being accessed. We capture that in this audit record that can then feed solutions such as identity governance and administration from vendors like Sailpoint or Saviynt, and others, so they can actually see when they're doing attestation reviews who and what device access those resources. Do we have devices that are being used that shouldn't be used? Do we have devices that we've given people that they're not using and have we given privileges and resources to users that they're never logging into, which can provide ability to provide greater attestation and compliance, but also even to refine the access policies or the provisioning policies moving forward to not over-provision people or under-provision people. Similarly, this makes sense into areas for fraud analysis or insider risk.

If we detect suspicious activity from a user leveraging a solution such as Code 42, Beyond Identity can help provide the forensics that there's an immutable audit record that proves it was that individual, or even maybe to stop that. So if they detect some insider risk activity, they can send a signal to Beyond Identity to require that user to authenticate, which is basically telling them that user that we know that we're gonna make sure we are proving it's you again, at the point of doing some level of activity that we feel may or may not be suspicious. And then finally, into SIEM solutions and SOC solutions, such as Splunk, IBM Qradar to provide these deep, rich information around who and what is gaining access into these solutions for log analysis and to provide analytics around looking at patterns of behavior and detecting anomalies, which really get to the point that this rich data can help organizations really provide richer analytics.

And in the future, we actually expect to take signals from these solutions as well to feed into us to provide deeper, richer risk-based analytics. So hopefully, what you see here is that we've invested a lot of our time and resources integrating into the solutions you are using on your Zero Trust journey. We recognize Zero Trust as a journey. We recognize Zero Trust isn't a product you buy and implement and all of a sudden, check the box that you're doing Zero Trust. Really, what we're hoping to do is to provide you with the basis, the building blocks of which you can start that journey and the confidence that we can tie and protect the investments you're making across the board to provide the highest level of assurance for you as an organization, at the end of the day, know who and what is gaining access and assess that risk and prevent access that you don't want. Thank you very much.