Hello and good afternoon, good evening, good morning. Welcome to this webinar from KuppingerCole and our sponsor today OneIdentity. We're talking foundational security, the critical cyber security infrastructure, the stuff that we've probably forgotten about perhaps or have not, but we're here to remind you of the importance of foundational security and the basics. And I'm joined today by Brian Chappell who is VP Product Manager at OneIdentity. Hello Brian.
Hi Paul, great to be here with you today. Looking forward to a great presentation.

All right, and we'll be hearing from you in a bit. Let me just make sure that we're moving this on. So there are some housekeeping notes for you all. You don't need to control the volume or anything else. Just sit back and listen. We have a poll, one poll, which we'll do in a minute. There is Q&A at the end and you can enter questions anytime using the control panel that you'll see on your screen.
Finally we are recording this as usual and everything will be available on the KuppingerCole website in a few days after today. So that's that out the way. Here's my very in-depth agenda. So first I speak, then Brian will speak, and then we'll have questions and wrap up. But obviously the key theme is foundational security.
So let's, before we get into that, you should now see a poll on your screen and the question is, do you have any of the following foundational security items in place right now? So we're talking anti-malware tools, privilege access management, data encryption, some form of identity governance, and perhaps some form of DR, ITDR, threat detection, those sort of things. Obviously that's not the whole gamut of foundational security, but we just thought we'd see if any of those tickle your fancy. So what is foundational security?
Let's start off with a foundational question, often overlooked or rushed, but the basics of IT security are something that we should revisit. It is possible that a business or organization company has actually no foundational security or at least no real plan for it, but it's unlikely that any business today would have no foundational security. It's unlikely that any business would have, for example, some basic form of firewalls or anti-malware tools or web application firewalls, those sort of things.
But they are indeed a set of core practices and principles for IT security that should underpin, hence the word foundational, everything else that we do. So the basic or general business computing and the frameworks and the benchmarks for foundational security can be applied to ensure that all IT is compliant. So it's a mixture really of, although it doesn't say here, it is a mixture of services or products or solutions in association with frameworks and how to make these elements of foundational security work together.
And as I said, quite often there are bits of foundational security in place, but they haven't necessarily been put in in accordance with a plan or a framework, etc. So that's kind of what we're going to be talking today about. So a bit further into the detail of foundational security, and this is where we get into the sort of product side of things. So we're talking about access controls, where we need to control who or what has access to resources. So access controls must come before the access itself.
So we need to put in place some kind of control so that we know who's accessing what and what they're accessing. And also, quite often overlooked these days, or taken for granted, perhaps is a better phrase, is authentication.
We have, and for good reason, focused very much on verifying identities and verification, which is less important than authentication and data protection. Data protection is also at the heart of foundational security, because that's precisely what we're trying to do, what we're trying to secure. If we don't secure the data, if we don't secure everything that's in our business that's valuable, in today's world, we're running huge risks. And of course, as I say, most companies realize it, which is why they have some form of foundational security in place.
We also have network protection, which, as it suggests, is protecting everything that networks us to that data. And that today will, of course, include not just the conventional, the historic version of networking, but obviously, cloud computing, stuff in the cloud, and stuff that's based remotely in edge computing and all that stuff. And then we need to think about how users and identities are accessing data. You've probably heard this a hundred times, a thousand times.
We all know that we no longer work for organizations that are kind of centralized and have a perimeter around them, but it's still worth pointing out. Whilst we've all moved to enjoying endpoints, remote working, endpoints, remote working, et cetera, we haven't actually, in many cases, thought about how we're really securing that endpoint and how we're allowing users to get access from that endpoint. So we need to think, factor that into foundation. And then there are some more general or more less technological aspects of foundational security.
And that, of course, is training and awareness. Now, again, training and awareness has its fans. It also has its detractors. Some people say, endlessly telling users not to do stuff is counterproductive because every time you tell them, they remember, and then they forget a few days later.
However, security training, or at least awareness, is important so that your employees, end users, your partners, et cetera, do have some awareness of why we need to secure stuff. And that's because of the next item there, which is governance. And governance feeds into foundational security. If we start building our foundation of security for our business, it will help us keep governance at bay. It will help us actually be compliant and help us not fall foul of things like GDPR, et cetera, and the other myriad pieces of legislation that companies have to adhere to.
So can a framework and a model help us in achieving foundational security? Well, yes, it can, if you choose correctly. What I was talking about just now was very much how a lot of businesses approach security and identity security right now. They tend to buy or they tend to evaluate point solutions, i.e., a solution for one thing. So they might look at, for example, a privilege access management solution because they have some users that need privilege access. So they'll look and find that and install it, et cetera, and seemingly, it will do the job.
But without a plan or an understanding of how that privilege access will fit into a holistic foundation of security, it's not necessarily going to be a long-term solution, which is why we now have companies that have many different types of point solutions on top of all the many different types of cloud solutions, which they're also using. And that quote there on the right is very indicative. And it's true that he said that he asks vendors how, obviously, how long does it take to deploy? But more importantly, how long does it take to undeploy?
Because he expects to use any product for only about two years, which is a bit of an indictment for us all, not just for end users, but also the vendor community and everyone else, the analyst community, in that you guys are struggling to find the right solutions if you don't use or don't start from with a framework or a foundation. So like I said, imagine if you designed a building or built a skyscraper, but you didn't actually think about the foundation's setup. So it'll fall down most likely.
Well, that analogy isn't quite the same. That PAM solution you installed will do the job, that identity and access manager or the IGA solution will do the job. Your anti-malware stuff will do the job, but it's not necessarily doing the right job in the right places. It's not necessarily giving you feedback on exactly what's happening in your organization all the time in terms of attempted access points and things like that. So what is framework and which ones would we recommend?
You know, there is a number of organizations out there that can deliver sort of off-the-shelf security frameworks. One of the best that I know of anyway is by the American NIST organization, which has established for itself a reputation for providing really excellent frameworks for cybersecurity. But they're not the only ones. There are plenty of other organizations around that can help you, and not least there are consultancies and research companies that also can help you build a framework.
The important thing is that you do choose a good one probably in association with advisors, and NIST is a good one. Its core functions are written down there for, so the core functions are identity, protect, detect, respond, and recover, which again we hear about these words so often that they can just sort of go in and out because, yeah, identity, protect, detect, respond, recover, whatever.
Yeah, I've heard that. I know all about that. But actually people don't really think about it. And I've highlighted the word identity, which actually is spelt wrong. I apologize. It should be identity, not identify. But identity is core and increasingly core to any security framework.
And again, key components of that framework in this case are its core implementation tiers and profiles. And you can find an awful lot more about that if you go to NIST's website. But the point is that a framework, whether it's designed by an organization as large and important as NIST or whether it's designed in association with a consultancy, has to be used and reflect your own business model and the way that you work.
And again, as I said, here are some other well-known frameworks or standards that you can look up. The famous one is the ISO 27001 and so on, but there are plenty others. You can see there are some which, for example, if you're in the payment industry, PCI DSS is something that is highly relevant to the needs of the payment industry or the financial services industry and so on.
So again, you can look up these later at your leisure. On the left, just an important point, these are not regulatory standards. They are frameworks. They are blueprints of how to work. They will help you become compliant, but they are not a list of things that you need to pass in order to be compliant. That's a complete difference.
Now, you can't do a presentation these days without mentioning AI. And of course, AI, the question I'm asking here is, can AI assist with foundational security?
Well, the answer is probably yes. And AI is already and has been making a difference in security products for some time. Long before everyone started talking about it last year with ChatGPT, et cetera. But what we have now, we used to call it machine learning. So we have something a little bit more advanced than machine learning. But what AI can do right now is help parts of your foundational security with the kind of things that humans have done in the past, which are very boring and a bit of a chore, such as patch management and analytics and threat detection.
They can also, I said here, they can also help with policy creation and identity management. But there, I think the key word is help. I wouldn't right now trust AI to come up with policies on its own. You need to have guardrails. You need to have humans still at the end of that to make sure that any identity policies or policy-based access control is actually based on human experience, human knowledge of your organization, not just what an AI thinks.
As I said, I say it must be taught the right stuff by the right people. And just some of the things there also, which are from an article in HBR, that it can actually achieve 99.9% accuracy in spotting, spotting, sorry, classifying malignant email attacks, etc. But we also need to be careful. Overtrust in AI right now can lead to AI making mistakes, which is why the AI needs to be trained by the right people. So I have no doubt that AI in future will be a huge part of not just identity security, identity management, but cybersecurity in every way.
But we need to make sure that we know that it can make mistakes. We already know that if you ask ChatGPT a question, you can't actually rely on the answer unless you kind of know something about the subject in the first place.
So yeah, AI will assist. So let's now drill this a bit further down in where identity sits, which is where Brian will carry on in a minute. The stuff that I put up earlier, access controls, authentication, data protection, network protection, all of this is really the most important things that we need to think about are access controls, authentication, authorization. Identity is now so important to cyber that it must be thought of at the core of foundational security, which it hasn't necessarily been in the past. So we need to think a lot more about access controls.
We need to think about how we authenticate and how, probably even more importantly, how we authorize someone to be allowed into a resource and so on. So this final slide is something that I now like to talk about, which is identity-first access for data in business. So we are taking all our identities and thinking about how they access data in business.
Basically, this schematic here is really a simplified version of the way that I see access for data in business right now. We have all our key types of identities. We have our identity zoo of Privileged Access Management, Cloud Infrastructure Entitlement Management, IAM. We can probably add ITDR to that at some point as well. And then where they're going and the kind of stuff they need. But underneath all that is still aspects of the foundational elements of computing.
So we can then, stuff that I haven't even begun to talk about, but like Zero Trust to Die and Zero Standing Privilege and data governance, importantly. If we don't govern our data, if we don't, and I can't say this enough, but data, if we don't know what people are trying to access or what non-human identities are trying to access, then everything else is kind of backwards. So identity is crucial, but you also need, as part of your foundational security, you need to think about the data, the governance. When I say data, I mean everything. I don't just mean pure data. I'm talking about servers.
I'm talking about databases. I'm talking about edge computing, everything, an application, an app, a SaaS service, everything that we use for business now. That is data. It's all just classified to me as data. So that's where we are. Identity-first access for data and business.
ITDR, as I said, might come in at some point. So I've called it IAD, but you can call it what you like. But I think the message I'm trying to get across is you need to think about how your business is structured, what is where, before you then start applying a framework. So take that, then the framework, then think about identities and how they access all that. And with that, I think I will hand over to Brian, who is still there. Good. Yes.
Hello, Brian. I shall stop sharing my screen and let you carry on.

Thank you for that, Paul. I'm going to take it, probably repeat a few things because I think they're important to be repeated, but hopefully add a few new bits and a few new thoughts for people to take away within this.
So for me, foundational cybersecurity is largely comprised of many of the things that have been a challenge for securing from the beginning of computing to today. You know, that very first login-created identity was at the forefront of what we did. We didn't really notice it in many ways. And for me, some of the realization of the importance of foundational security came when I was actually at a CISO conference in Dubai. This was around 10 years ago now. And I always book a nice high floor in a hotel, if I possibly can, because I love the views.
And when you're on the edge of Dubai, you get to look out across the desert and, you know, you wake up the first morning, you open those curtains and you look out and you just marvel at just the sheer expanse of the desert and the complexity of it. And second morning, you get up and you open the curtains, you kind of, wow, desert. And then by the third morning, you open the curtains and walk away because you're kind of thinking it's the same desert that you've seen for two mornings already. But when you look at the desert and actually really look at it, it's in constant motion.
Every grain of sand there is moving over time. Those dunes drift along from the smallest ones in front to the very largest at the back. And it got me thinking about the attack surface and the threat surface that we're trying to defend against when we're building our security strategies. And what I've seen a lot of organizations doing over the years was running out into this environment and erecting these incredibly pretty and sophisticated cybersecurity edifices, which is the only way to describe them.
You know, big towering blocks of really beautiful dashboards and new latest technologies, lots of AI mentioned in some of the ones today. And it would be great until the landscape under it shifts slightly and then the whole thing topples, collapses, and we have a breach situation. And this is because those things often distract us away from those foundational pieces. If we actually take them as foundational pieces and think of them as piles that we sink into the ground.
If any of you have followed the construction of the Shard in London, that is held in place by something like 150 individual, just meter wide concrete piles that are sunk down into the clay that act like a comb and just secure the whole thing in place. A technology that's enabled most of the larger buildings we see in London now to actually exist.
So, you know, fundamental piece when you've got 18,000 tons and thousands of people are really putting their lives on that foundation being solid, you begin to really grasp how important the foundations are in anything that people and, you know, people are the basis of business that they rely on to actually be safe in what they do on a day-to-day basis. So, I think about cybersecurity as being more like business resilience in this regard and that it's there to help us provide a safe environment in which to do business.
So, if we think about sinking foundational piles out there in a landscape like this, it anchors the whole thing in place. You can still have the shiny new stuff on top of it. You've got to get those basics right first.
Otherwise, you begin to lose the stability of that platform and they're not always the most exciting things to be dealing with. They're often things that you've probably been struggling with for years. A bit like Paul, I have five examples here. This is not a comprehensive set. Paul had some more that I don't have. There are some more that neither of us have within this regard. But these are some of the key areas based on what is a typical attack chain that I see as fundamentally important when we're working forwards.
Now, vulnerability management is critical from my perspective because for me that's the doors and windows of your office building, for example. You don't leave them open and unlocked. Those are the ways that people make their initial ingress into your environment.
So, you have to put the defenses in place for those. Most organizations will at least have locks on the doors and most of the downstairs windows may not even open, which can be annoying in the weather we're having here in the UK at the moment. But fundamentally, it's about that first layer of security. Once we actually get through that, then access to privilege becomes a big key element for the attacker in question. And we'll go through this a little bit in an attack chain in a moment.
But, you know, it's how they then move on from there. It's very unlikely and very unusual for them to find themselves where they actually want to be in your infrastructure when they make their initial entry. Same with somebody attacking a physical building. I do find the parallels between physical and cyber security are very, very strong.
You know, the control over identity and what you can do with identity. And I agree with Paul, you know, as we're moving forward, identity, while it's always been there in the forefront, we had a lot of weak technologies around it. Those are all beginning to come up to a state where we can rely on them.
So, now identity really does become the main focus. And you mentioned there of zero trust. And in fact, most of the frameworks that were given there, if you can't identify the individual who is coming forward asking for access to something, you cannot authorize them to have access into it.
So, it really does become the core of everything we do. So, having a really solid understanding of who's being, who the people are, having multiple factors that help us or ensure they're authenticated correctly, and keeping our arms around things like who has access to what. That comes through, you know, IGA and also through CIEM.
You know, knowing what they should have access to, being able to compare that to what they actually have access to, and making sure the two match, because the moment they don't, there's a good chance something untoward is happening within your environment and you need to pay attention to it. But I'll layer things like configuration management and patch management on top of those things as well.
You know, configuration management, just so there are great frameworks out there, there are great libraries of how to secure just about every operating system out there, and a vast proportion of the most common business critical applications. Also, there are configurations out there from organizations like Microsoft, like governments, you know, and individual groups who specialize in the security of your systems. They're there, you can take them, you can adapt them, you can use them, and then you should monitor them for drift to make sure they're not changing.
Again, when things are changing outside of your access controls, what events happen outside your access controls, it's a very clear signal that something bad is happening in your environment. And finally, patch management for me is, I had a conversation with somebody just this weekend, I'd seen them a couple of weekends ago, their laptop was just refusing to start up, they figured it was broken, they took it into one of those help bars in one of the stores, who took one look at it and went, you haven't actually installed any updates for two and a half years.
He'd always just pushed them off and pushed them off, and lots of orgs don't think about the upgrades, you know, upgrading to the latest version of software I consider to be low resolution patch management. It helps you ensure you're getting those security updates in there, you're not opening the doors at the other end of this list of piles in terms of the vulnerabilities in the system. It's important that we keep them up to date.
It's also, if you can correlate the two and make sure that you're patching things that have the most vulnerabilities with the most known exploits, you gain yourself an awful lot of ground. This is almost certainly all stuff that you guys are well aware of, and you have to tackle on a daily basis, but the scale is huge, which can make it seem unassailable, but just take simple views, use the resources around you, and do your best to move forwards to the things that are the biggest threats within your organisation.
It's not always the thing that's being shouted loudest about, or the thing that's the shiniest. These things will underpin those environments in ways that will become a little bit more apparent as we go through.
Thinking about the attack chain, now the DBIR report, the Data Breach Investigations Report from Verizon, is a great resource, and they publish every year the number of different attack vectors there are, and it's normally a core nine, and then there are some others, but when we boil that down even further, we get to an attack chain which is very, very simple, and this is based a little bit on the MITRE ATT&CK framework as well, which is another great reference. You generally get an initial entry into the environment.
They'll land on a laptop generally, or a workstation, and they're almost certainly going to find themselves in these days a relatively constrained environment, so they're going to look for some privilege so that they can gain access to things like the stored credentials on your Windows system, or particular services and environments on your Unix and Linux systems that will allow them to move away from the system so they can start to move laterally, so they're looking for privilege. They can do further target evaluation to see where they are, see what's out there in the environment.
If they find themselves on the system they actually need to be on, you will realize your impact. That's why there's a question mark there. Is it time for the impact? If there is, that's generally exfiltration time of your data, damaging of your data, and they're gone. If they don't find what they're looking for, we go lateral movement, initial entry into the next machine, look for privilege, target evaluation.
This goes round and round and round until they finish on that impact thing, and from that you're probably already gathering just how vitally important access control and identity is within this, because even within the standard user environment, ensuring that they have access to the things they need without giving them too much access into the environment, but keeping the friction down as far as possible, is vitally important. We've all done the thing, probably historically, where the security team added a capability to their defenses. It impacted your ability to do your job.
You yelled loudly and it got taken off for a while at least, but in today's environment we can't afford to do those sorts of things. We need to make sure that the tools we put in place don't adversely impact our users, and ideally they can help make them more productive within that, and privilege elevation on workstations, or endpoint privilege management as it is often referred to, is incredibly powerful for that as well.
So that can help give you more capabilities, and equally when we're doing changes or making changes to our cyber security strategy, we should always be looking to add things that simplify the security model, lower the noise in our environment, and if those two things are not being satisfied in the tool you're looking at, and you can't directly point at how that's happening, it's probably not the right tool for right now. So you need probably to go back to some of the foundations that are out there. I mentioned a little bit about signal to noise.
So this is just an entirely randomly generated graph here on the left, but it gives an impression on what we see on a daily basis when we come into our offices to look at what's going on within our infrastructure. There are events happening of different severities.
There's often a lot of very high severity events in reality across our environment, you know, that gives us an immense amount of background noise, and trying to filter out the legitimate uses of identity and privilege in the space or accesses within the space is really, really hard because people have direct access to privilege, they have direct access to a lot of systems, and we are trying to find the good from the bad in that.
When we do the basics well, the picture looks far more like this, in that there's a low level of events, because we're probably not actually logging a lot of things because they're within our control environment. We might log that somebody accessed the system, but we know that this is through an entirely controlled space we have, so we will not log every command they execute or everything they do within that space because we know the limits of what they can do very effectively, and we know there's no way around those controls.
So when something unusual happens, say Brian logs into a server using an administrator account that doesn't have a correlating release from our access management environment, there's a red signal, it's immediately there, it's visible, you can see what's going on, you can take your human attention to it and actually take some action. And even for the AI or machine learning systems that are running, they benefit from stronger systems as well, and all the pretty stuff on the top of your foundational cyber security all benefits from having stronger signals to work from from the off, and it makes more value out of those as well. And that's where, you know, both Paul and I say it's so important to get those basics right because they really do add massive value to your defense of your environment, and it's, you know, really it's about taking control in the foundational piece.
It's not about impacting users, it's not about necessarily stopping them from doing things, it's just being in control of what they're doing so that you can have visibility, so that you can respond, and so you can react accordingly. So I said, you know, these things should reduce complexity in your environment. If you looked at an Active Directory bridging product to bring your Unix and Linux systems into your AD, that reduces the number of accounts you have in the environment. I used to work for a big company and I had seven privileged accounts, six of them were non-Windows based accounts.
I left for a while, I came back, and five of them were still active when I came back because they weren't part of the normal identity life cycle. Now it wasn't necessarily a problem, but that's seven times the complexity you really need to have in that environment.
Similarly, when you're looking at things like endpoint privilege management, those can allow users to do more on the system than they can currently, while you actually gain more control on the back end because they're only the things that you allow them to do. It's about explicit security rather than implicit security and trying to manage down.
Eliminating direct access to privilege is a massive gain for you when you're working in this space, and having that direct privileged access often means you can't tell who was using it at what time, but by having the control we can then begin to understand who's using it. And for the accounts that we're not even using, we should actively manage the credentials so they're not open to brute force attacks in the background.
And providing simple access into privileged sessions through the environment as a fundamental, as one of the key golden eggs for a hacker is to get privileged account access into another system. Having that strongly controlled just buys you so much benefit in how you move forwards. And as I say, address the critical vulnerabilities.
For me, those are not necessarily the ones with the highest CVSS scores. They are the ones with the highest number of known exploits because even an informational only severity exploit can provide a lovely beachhead for an attacker in your environment if it can be exploited.
So, you know, not always the most important according to some of the measures, but getting control over what you do is so vitally important because, you know, there are those regulatory compliances out there and it doesn't matter what size and all you are now, you will be in the sights of the various regulatory agencies and they will be looking to ensure that you are compliant. And it's about knowing what's going on in your environment.
PCI DSS, ISO 27001, HIPAA, all those kind of regulations are all about knowing who has access, what they have, why they have access, how they have access, when they access it and what they access within your environment. It's all about knowing if you're in control, you know these things before they even use them for the majority. And that then leads you on to control over those things. And this is the essentials of that foundational security. That's what it provides to you. And it's not just a thin layer. This is the deep part of your cyber security because it's anchoring everything in place.
And one last piece about compliance is, you know, increasingly we see the need for cyber insurance in our organizations to help offset some of the damage that can come from a breach. Because, you know, it's not always just the physical impact, the reputational damage can be huge. But when we don't have compliance, we'll increasingly see no insurance in this space. The insurance companies are not going to provide you with any kind of cover if you're not meeting the basic compliances that they will start to require in the space. So it becomes even more important.
You can't even offset your risk if you're not managing to get those basic controls in place. So it's about layered security. It's about simplification of your security. You want to try and simplify your security model as much as possible. And foundational security is definitely one of the areas, if not the fundamental area, where that comes in. AI is going to help you.
I see it very much more as an augmentation of what we do in our day-to-day basis, much like the spreadsheet when that first came out in probably the late 80s, you know, allowed us to process huge financial sheets and, you know, huge amounts of data and boil it down so that we could actually manage to interact with it. AI does this just on a much broader data set. So I see real value in AI in helping us deal with just the tsunami of data we face every day that we walk through the door of our offices.
To help you, you know, One Identity, we are an identity and access management company in the first and foremost way in which we operate. We have a broad collection of tools.
In fact, we have probably the broadest suite that's available in the market from a single vendor. And every one of those, we have at least 20 years of experience in each market space. We launched a new product earlier this year in March, which is called One Identity Cloud PAM Essentials, which is a big name. But that's because the first three words there are actually a big product which is going to grow out of what is this first piece, which is the PAM Essentials piece. So you can think of this as a foundational privileged access management system that's going to allow you to grow on.
It's been built in the cloud from the ground up. It is entirely architected to be part of a much bigger product while also being entirely fully functional in itself. But it was an opportunity to reinvestigate the problem that we're trying to solve in this, which is how do we control privileged access into our systems? And I went back to the question of why do we need this access in the first place? I need to do a piece of work on that machine there. I probably don't care about which account I'm using as long as it allows me to do my work.
So let's take one step back from all of the password controls and everything else. Still does all that goodness in the background to make sure that you are safe from brute force attacks. But we get to an interface a little bit like the top one on the right there, where we're more into that iDesk kind of approach. You just click on the button, be connected to the system, do your work, get off the system, recording the sessions in the background if it's appropriate, and giving you visibility about who's doing what, when, where, and how, bringing you that compliance piece at the end of it.
Lots of great things coming to this space. Other areas of our portfolio, including IGA and also Active Roles, which is now being referred to as Active Directory Defense, which is a great way of providing the granularity of control that the MMC doesn't, as well as other areas, including the OneLogin you see mentioned there, which is an access management platform on which PAM Essentials is loosely built. So lots of great stuff there. We can do lots to help you in establishing a lot of that foundational cybersecurity.
And with that, I'm going to say thank you, and I think we're going to go on to some questions. Great, thank you, Brian. Let's move on to the poll. If we could get the poll results up on screen, please, and then we can talk about it.
Okay, here we are. Okay, so good news there, Brian. 50% have privileged access management, or maybe not good news, but maybe if you want to sell them some more, data encryption, identity governance. It's a bit surprising that 0% have anti-malware tools and 0% have threat detection tools, but maybe they really don't. I don't know if that's... I can't believe that. Maybe it's just this particular cross-section, but there you go. It's possible.
I mean, not everyone considers antivirus to be part of their anti-malware. It's often now wrapped into your endpoint protection system, so it may not be seen as an entirely separate thing, but it's difficult to say.
But yeah, I mean, in terms of the privileged access management piece, I'm gratified that 50% of the people have PAM. I hope that it's all One Identity's, but honestly, I'm just pleased that they've got it, because that shows that they're thinking the right way and starting to move in the right directions. And of course, you know, it does mean that there's still 50% at least of this part of the market that haven't got it, so there's plenty of room for growth there.
For you, Brian, anyway. There is a question that came in, which is actually an excellent question. I really want to talk about it, because it brings front and center everything we've been talking about in conferences recently about decentralized identity wallets and everything else. And Michael Sutherland says, when we think about managing identity, we sometimes automatically think centralized authentication. True. But does this make us more or less secure?
So yeah, this comes at a time when everyone is starting to say decentralized identity or self-sovereign identity is the way of the future. I don't know if that's really the way that many organizations feel. Do they prefer to have security or identity management centralized still? What's your experience, Brian? I think in the vast majority of organizations, we do still see that centralized directory. Active Directory is so ubiquitous. We might see some orgs that are large enough to have a few forests or even multiple domains. It's difficult always to see exactly what's going on.
But there generally is that core forest where you've got maybe a domain for identities that may be separated. But if you're in a particularly acquisitive company, you may well still have multiple directories of different types out there with different identities. But I generally see a drive to move towards a singular, let's call it a singular directory, but not a singular instance of it. The domain structure in Windows server has been distributed for so many years now, it's easy to forget that it is highly diverse in that way.
Yeah, but do you think taking that a bit further with the emergence of wallets and people bringing their own identity and using that to authenticate, that's a bit that I worry or wonder whether certainly enterprises would say, actually, that's fine, but we'll give you an identity. You're still going to have your identity, which belongs to this organization. And that's our rules. That's still, yeah, still probably true for a good while. I think we might see the emergence of what might be called meta directories where, you know, we'll still take your external directory, your external identity.
And let's face it, at some point, that could well be your government issued identity, which you then would have controls over to say which aspects of it your employer had access to, and then take that identity and then put the authorization around that identity within your infrastructure. You'd still have all of the auditing you need.
You'd also still have all of the controls you need, but potentially, you know, you'd just be adding that to your environment and basically losing the access to that identity when the person leaves beyond the call that you'd need for certainly auditing and regulatory compliance. But, you know, I kind of think there is a drive towards more of that singular identity, and certainly IDaaS for me has been something that kind of sent up a signal flare and said that, yeah, there is an appetite just to have one identity you log in with and then access everything in the environment using that identity.
I think you're probably right. Most are going to want to hang on to the control over that identity for the foreseeable. Okay. Another important question, with the advent of public clouds, AWS, GCP, etc., configuration management and patch management should be relics of the past. This questioner says the major items in IGA, IDM, IEM are who, what, and when.
So, interesting idea for patch management. I don't know about that. I think it's going to be a while. I think that would really need software engineering to get to the point where bugs were able to be entirely eliminated from the environment. Okay.
Sorry, Bella. What are some, regarding core principles, sorry, I'm reading these questions off the screen here. How can organizations balance maintaining these principles while adapting to new and evolving cyber threats? I'm sorry. There's a distraction here at this end. Not animal related for a change.
Sorry, can you repeat? Yeah, sure. Regarding core principles, how can organizations balance maintaining these principles, which we've been talking about, as at the same time adapting to new and evolving cyber threats?
That's, yeah, that's a good one. I think I'm going to probably be very contentious here and say, I think the core of the things that we're trying to defend against are actually still the same things. They're the things that are actually delivered by the foundational security in the first place. If you have good control over the vulnerabilities, the identities, the privileged access, the patch management, the configuration management, the data security, all of those kind of things, then most of the attack vectors are somewhat eliminated.
Just a good handle over your vulnerabilities will eliminate on average, I think 80% of the Microsoft vulnerabilities that exist out there. And so you then are able to focus more of your attention on the actual critical stuff that could be significantly damaging in the environment because you're spending less time firefighting the rest of the infrastructure. But it is a challenge, you know. I've been lambasted in the past for saying that cybersecurity was easy in units, in individual systems and individual people. It actually isn't that complicated.
But when it goes up into scale and you have all of the other complexities of operating within the business, then it does get very, very difficult to balance those things. But I think it's about having the right discussions with the management, being able to reflect them in terms of things like risk, which is something they understand a lot better than the number of privileged users or the number of vulnerabilities that you have in your environment. And then they can get on board and actually realize that if this stuff isn't done right, then the business just doesn't do business. Yeah.
And I think that comes back to what I was talking about, which is, you know, data governance. You know, you could waste an awful lot of time building security controls onto stuff that doesn't need it. And at the same time, you also, like we know all about overprivilege and entitlements that people, I can't remember the exact statistic, but each user now has something like, you know, 100 entitlements they don't use, something like that.
Anyway, but it's a problem. And if you don't do that data governance in the first place, and entitlement management and access management, then everything else doesn't really follow. So I think we do tend to talk about new threats all the time, threat landscape changing, but you're right, it doesn't change that much.
But, you know, we do know that identity is now targeted, or at least identity takeover or identity based attacks. So but fundamentally, in the end, what they're all looking for is data, isn't it?
You know, usernames, passwords, data, they can sell data, they can lock down for ransomware. Yeah, absolutely.
I mean, it is the thing, you know, that I don't think there is in all reality anything other than your IT companies out there, because even if you make something physical, the making of the physical thing is less important than how you do that better than everyone else. And that's your intellectual property. And that's what makes you better, or makes the product better. So having access to that data on the back end, even in manufacturing is a huge risk.
Yeah, well, let's stay on that theme, because we have a question. So what tactics do hackers commonly use to exploit human vulnerabilities? And I mentioned training in my presentation. What are some strategies that could be used to build a culture of cybersecurity awareness, bearing in mind that human tendency to forget everything they're told quite quickly?
Yeah, it's people, you know, don't want to necessarily be too harsh on people, because we're human at the end of the day. And we're emotional individuals. And we have our responses to things that are caring and entirely legitimate approaches. But a lot of the routes into organizations now are through phishing, through spear phishing, through, you know, human engineering, as it's sometimes called.
And really, I think it's about helping our users, not just pushing them through what can sometimes be quite dull, you know, our half hour, hour training they have to do every year about these and the importance of, you know, cybersecurity and not clicking on things, but giving them better ways to report these things and not feeling embarrassed when they might misreport something, you know, it's better to be cautious than to be blasé in these situations. And just giving them little notes and updates throughout the year.
So even if it's just like having a monthly newsletter from your cybersecurity team, just to talk about some of the things they're seeing some of the ways things are shifting, and just reminding them that, you know, just the same as we're told, when we get our passes, when we join the building, it's your responsibility to challenge anyone in the building who doesn't have a pass or doesn't look like they should be there.
It's your responsibility to challenge any piece of data coming in or an email or any attachment to make sure that the organization remains secure and don't just respond to what you're presented, the SMS from the CEO that says, hey, you're in finance, please, I need this money transferred to this account. Now, pick up the phone, call the CEO, verify it before you make those actions. So it's just about being a little bit more mindful and finding a way of just very lightly, I think, just keep reminding people that the company is relying on them. And if everyone does it, well, yeah.
And very good point there. They're only human, we're all vulnerable to it.
I mean, even they would say that, you know, people that supposedly work in cyber or are aware of cyber, I've fallen for scams, tax based scams. Because they preyed on what I was expecting, you know, the parcel scams, and now that, you know, you get UPS or FedEx saying there's a parcel, you need to pay money on it. And you think, oh, yeah, I am expecting a parcel. And then you blindly follow the link. So it's so easy for anyone to be fooled.
So absolutely, it shouldn't be a case of blame, which is why we need all this foundational security to help people in the first place. So yeah, Brian, one last comment before we close: what would be the first thing that you would say to a business that perhaps hasn't really got to grips with this?
Well, where would they start? Well, that's, that is actually a difficult one. And there are so many places you can start in this. It's not like there's a mass of dependencies that mean you have to do them in a certain order.
Generally, the thing that an attacker looks for first, when they get into your environment, is some kind of privileged access. So getting control over privileged access into systems in your environment, making sure that it's controlled, using multiple factors to ensure that people who have access to that are the right people at the right times. I think those are all very valuable and important things. And they can do the most important thing that we can target in terms of protecting our environment, which is contain the breach.
We've all been going to conferences long enough now, and we've all seen the big sign outside that says it's not if it's when it's probably not when it's probably already happened. And the majority of us got lucky. But you know, that if and when piece, it's like, we really are never, I don't think anytime soon, we're going to be able to stop the breach. So aim for containment, assume breach, zero trust says. So work on that basis to start with, and look at the key routes and privilege will be the first one out of every system. Fantastic.
Okay, well, big thanks, especially to you, Brian, for being my guest today. And it's nice to see you again. Thanks also for listening back at home. Thanks to my producers back in the studio in Germany, and for putting this together. And as I said, right at the top, this will be available for download quite soon after this. So with that, goodbye for now.