Hello, good afternoon or good evening, depending on where you're listening in from, and welcome to this webinar today. It's supported by Broadcom, and we'll be talking about Zero Trust, in particular with reference to privileged access management. I'm delighted to be joined in this webinar by Joe Burke, who is the Chief Architect for PAM at the Symantec Identity Security Group, which is part of Broadcom. Before we get into the actual content, just some notes: you don't need to do anything about muting or unmuting yourself, as that's all done automatically.
We're doing a couple of polls during the webinar, just to get some feedback on where you are when it comes to things like Zero Trust, and there will of course be an opportunity at the end of both of our presentations to ask questions. For those of you who have colleagues or partners who wish to see this but couldn't make the live session, it will be recorded and downloadable, I believe, from tomorrow.
So, a quick agenda. As I said, I will talk a little bit about the background to Zero Trust, what Zero Trust is, what it isn't, and the theories behind it.
Then secondly, Joe will come in with a more focused look at Zero Trust and technology and how it can help. Then we'll have the Q&A session, the wrap-up and thank you. So, without further ado, let's get into the first poll, which is very simple: have you considered Zero Trust for your organization? It's a yes/no. So vote away; the poll should be on your screen now.
I mean, really you should be able to vote now.
Normally I read out all the questions just to give you some time to vote, but there are only two, and one word each, yes or no, so let's just see.
Okay, I think we've done enough on that. Let's move into the presentation. So, Zero Trust: what is it?
Well, Zero Trust really concerns networks, and I often say this: the internet is a zero trust network. In fact, it's probably the biggest zero trust network anyone can find. The fact is, nearly all of us, nearly all of our organizations, nearly all of our devices are connected at some point to the internet to make everything work. So would you trust everything that you see on the internet? Would you trust everything that you can download from the internet? Probably not, which is why we call it the biggest zero trust network. But Zero Trust as a concept, and this is from the US institute NIST:
it's not an architecture, it's not something that is the same for everyone. It's a set of guiding principles for workflows, for system designs and operations that can improve the security posture of any classification or sensitivity level. So that's the official line from NIST, and it's worth looking at their reference publications on Zero Trust and many other things. I think they are actually the best organization in the world when it comes to defining standards and best practices for cybersecurity. So if it's not a single architecture, what is it?
It's not new, and it's not a miracle cure. It's not something that you can add to your wash, as it were, add it to your infrastructure and make everything Zero Trust compatible. It has been around in different forms. The PCI standard, the payment card standard, used the ideas of Zero Trust quite some years ago, in that you never trust the user of a credit card, to put it basically.
So it's a theoretical approach, as will become clear as this webinar goes on. It's a theoretical approach to cybersecurity hygiene, and it's not a pre-packaged solution, despite what some vendors or analysts or some resellers or consultancies might say. This is an interesting prediction here from Bloomberg; well, it's not actually from Bloomberg, they're reporting someone else's prediction. But to say the Zero Trust security market will be worth 59-odd billion kind of suggests that there is a group of products that can be lumped together as Zero Trust.
That's not true.
Zero Trust applies to, or can be used... let me put that another way. Zero Trust can be made up of many products, many software solutions.
Therefore, privileged access management is a great example of one type of platform that can assist in creating a Zero Trust architecture. Identity and access management is another, and we have what has become known as Zero Trust network access, which now envelops all the things like firewalls, perimeter safety, et cetera. So to actually put a value on the market kind of suggests that it is a product sector, and it isn't.
And I would also suggest that to say it's worth any particular size is very difficult to calculate, because it involves so many different types of products and different types of applications.
So what it should be: the guy that is quoted on the right there, John Kindervag, who at one time was a Forrester analyst, is often credited with inventing the term Zero Trust. That's not actually true; I think, as I said, Zero Trust as a concept has been around for a lot longer, but he was good at popularizing it around about 10 years or so ago.
And also he was good at encapsulating how Zero Trust could work in wider architectures and networks. So it can be applied to any architecture and enforce strict identity verification and access controls.
He came up with the term "never trust, always verify", and that's kind of at the heart of Zero Trust. It goes against the grain, really, of pretty much how we've been doing computing for the last 30 or 40 years: we give people an identity, or we give people access to parts of the network or software, or other parts of people's computers, as in the administrative case.
And then, once that was established, we tended to leave it there. "Never trust, always verify" is much more in the modern paradigm of always-on, dynamic access requests, just-in-time requests, and also the move towards dynamic environments such as DevOps. All of these, if they're left with the previous paradigm, become risk centers, in that we don't know who is accessing the network or accessing particular tools or workflows at the time.
So Zero Trust, just to emphasize it once more, can't be baked into a product, but certain products can be used to help create a Zero Trust architecture. And I think that's important to emphasize.
So these are the seven tenets of Zero Trust as defined by NIST, and there is a lot more, as I said, in those reference pieces about Zero Trust. First of all, it says all data sources and computing services are considered resources. So that means you now have to think of a holistic approach to your environment, and that includes everything that's in the cloud, everything that may be connected to the cloud.
And that can include things like third parties or supply chain partners that are also potentially connected to you via the internet. So everything that you would consider a data source or a computing resource within your environment can be, or should be, subject to Zero Trust. All communication must be secured regardless of network location.
Number three is important: access to individual enterprise resources is granted on a per-session basis, and that's where we'll get into zero standing privileges and just-in-time access, or one-time-only access, which is time limited.
And these kinds of features are now being seen in privileged access management. In particular, access to resources is determined by policy. We are starting to move away from role-based access into much more policy-based access. So we must verify the identity first, then the role, not the other way around. The enterprise must monitor and measure the integrity and security posture of all owned and associated assets. That's a very small sentence for a very large task.
I mean, what it actually means is you have to audit the entire network, and you need to know exactly, or as far as possible exactly, what nodes are connected, what endpoints are connected, who's using what machine. Is a laptop being used in someone's kitchen a resource that is registered, or are they using some kind of virtual machine to access you? You still have to register that and know that an identity, in this case probably an end user, is using it for access to your network. You've got to apply Zero Trust to that as well.
You have no idea whether that identity is the correct one. Resource authentication and authorization should be dynamic and strictly enforced. That's again a small sentence but a big task, and tools like those that Joe will be talking about can help in making authorization dynamic.
And finally, the enterprise needs to collect as much information as possible about the current state of its assets, network infrastructure, et cetera.
Not just pertaining to point 5, but obviously Zero Trust also plays a huge role now in compliance and GRC, and in helping organizations reduce the risk of data loss or other breaches, or exposing personally identifiable information to an audience to which it should not be exposed. So those are the seven key tenets. I urge you to have a look at this here, SP 800-207, to find out more. Now, it's very easy to talk about Zero Trust and all the good things and what to do about applying it to your organization.
But again, it's not an easy thing. There are some things that will challenge organizations. Technical debt is the first one.
Updating old applications or legacy applications, or legacy security applications, so that they can be considered compatible with Zero Trust and can actually operate Zero Trust is going to be costly. It might even be impossible, which means you'll have to replace rather than upgrade. Excuse me. The same goes for your infrastructure: legacy application infrastructure and OSes.
The longer they've been there, the bigger the business, the wider the network, the less likely they are going to be Zero Trust in operation. So that's a huge undertaking, an audit task that you have to do. I've mentioned privileged access; privileged access is needed to control lateral movement. That is one of the key ways that attackers get inside your network.
If you don't have privileged access management of any kind right now, and you'd be surprised how many organizations do not have a dedicated privileged access management platform, you're going to find that it's one very important tool to create the beginnings of a Zero Trust network. Not the only one, but certainly a very important one. Can you digitally transform at the same time as embracing Zero Trust?
Well, the answer to that is yes you can, and yes you should. Digital transformation is a great opportunity to introduce Zero Trust computing. I mentioned DevOps briefly earlier, and other highly dynamic, fast-moving environments such as DevOps, where it's even harder to keep tabs on who's doing what, what access they have, what privileged access they have. So you need to apply Zero Trust to any agile teams that you may have within the organization. And of course multi-cloud and shadow IT.
Multi-cloud is a reality, even for those organizations that might think they don't have that many clouds. They'd be surprised, because lines of business are able to buy and run cloud from the three main providers, AWS, Amazon and Google, et cetera, and people buy or download things like monday.com on a kind of departmental basis rather than a wider organizational basis. These aren't necessarily always vetted and approved and installed by traditional IT teams, but that still means they form another conduit into the network. So you need to think about all of those things.
The real message here is that your stuff is old, you don't know half of what you've got, and it's going to take a while to actually audit that and get some kind of handle on what your network looks like before you can then start thinking about applying Zero Trust.
So the model should be... this is a highly simplified diagram of how Zero Trust really is. You could put your organization in the middle of that as well.
Or actually the organization could be all around it as well, but it's got to be holistic. If Zero Trust is to work, it can't be in one area only and not in another, although it has to be said that any kind of Zero Trust environment that was created in one part of the organization is better than none. And it must be applied to almost every entity that comes into contact with your architecture, with your organization, wherever that is. So you need Zero Trust devices, Zero Trust data, networks, workloads and people.
And you can also add to that things like IoT, et cetera, machines, applications. You must verify all of those and not trust them.
And like many things in modern cybersecurity, we at KuppingerCole believe that it always starts with identity. Identity is really the key, or the building block, or the starting point of any workflow, of any activity within your organization. So you need to verify the identity: is that the right identity that is claiming that it needs access to do that job or that role at this particular time? You have to say no at that point.
Ask it the question and ask the identity to be verified, so they can then move on to the device, the network, the system, the application, et cetera. So it all starts with identity, which is pretty much, as I said, where we think nearly everything now in cybersecurity and access management begins and ends: with an identity. It's just how you process that identity, how you deal with it, whether you trust it or not, that is key.
So before we move into Joe's part, another poll, which kind of alludes to some of the stuff I've been talking about, and of course clouds. You know, multi-cloud is here.
So how many cloud service providers do you use? Do you know? Is it one, maybe only one of the three main providers, that's Amazon, Microsoft or Google? More than three, but not including the big three? More than three, but also including AWS, Azure and GCP? Or do you actually not know? And that's not something to be ashamed of; that's not a trick answer. It's actually quite possible that many people in IT management and IT security don't know specifically how many clouds they use. So that's running now. I'll just let that run a little bit.
And while that's running: when you get the download for this webinar, I've included a number of resources from KuppingerCole which give you even more information about Zero Trust, what our best practice advice is, some of the products that can be used to enable some parts of Zero Trust, et cetera. So I think we'll close that poll now.
Yeah, and we now welcome Joe, Joe Burke, as I said, who is the Chief Architect, PAM, at the Symantec Identity Security Group. So welcome to Joe.
Thanks, Paul. I appreciate KuppingerCole hosting this today, and thank you for having us. Happy holidays to folks on the call. What I would like to do is actually walk through what we're seeing with our customer base as well as the trends in the market, but more importantly, how to take that theory that Paul was talking about and what we're seeing as practice using the PAM tool, right?
So we're going to cover a couple of those things today. Hopefully some of this sounds familiar to your own organization, and hopefully some of the practical aspects of this can be taken away as part of a PAM solution, so that we can see the value in a PAM solution going forward.
So with that, a little bit of history here. I won't spend too much time on the slide, but really what it came down to is the history of how Zero Trust is being implemented over our legacy data centers. A lot of our customers are going through massive transformation.
They are looking at not only on-premise but hybrid and multi-cloud, and that whole idea and concept of having the moat and tower of the perimeter as a security layer, that's gone now at this point, right?
We would qualify that as sort of coarse-grained authorization, right? You're protecting the outer shell. And then as things started to break down and move through it, they realized that, okay, maybe it's the data center, maybe it's a cage, maybe it's a PCI or an enclave type of environment. But as things started to move into a more granular set of requirements, Zero Trust is prevalent across each one of them, right?
So Paul referenced that the network is the key aspect here, and that certainly is the case.
You know, what if your environment was just the public internet, how would you secure it, right?
And if you assume that a breach is already there, or there's an actor inside of your network, be it an employee, an authorized employee, a contractor or a hacker, a bot, a scanner, what have you, how do you limit their lateral movement? How do you limit their exposure to where things are going, right? And how do you want to look at that?
We certainly see a lot of our customers moving into that type of model, and being able to verify every transaction is certainly the best practice, right? And so one of the things that we look at as we start to move down into this granular level of viewing things: yes, it breaks down beyond even just the network layer and into the individual applications and access to those applications, whether that's a database or an API, or whether that's a third-party SaaS provider or a cloud provider.
We see that privilege still has to exist everywhere, right?
We still need the ability to have an identity, which could be an account, a person, a process, what have you, be able to reach out and do something that will change the environment, or gain access to the environment, or use the data from that environment. And as we go down even further beyond that, we're seeing it not only down to the individual server level, but down into the kernel level.
And so PAM solutions provide that control point through policy-based access, as Paul mentioned, to be able to handle every layer of this type of journey. And of course, as we go down further and get more fine-grained access, the challenge we see a lot of security teams and a lot of our customers come to us with is that the operational burden sort of explodes, right?
It's an inverse effect: as you get more fine-grained, the operational burden gets higher and higher.
Zero Trust sounds like a magic bullet, and in a lot of cases it does work really, really well. But that burden is still there, because you have to get to that fine level of access on whatever the so-called kernel, the server, the accounts, the person, what have you. And so as we move forward, going into lower and lower granularity, how do we as a PAM provider, or how does any PAM provider, provide sort of that easy button on the operational burden side, right? We have to balance both of those as we get through this.
This is the practical side of moving to Zero Trust. And I would even qualify the operational side in two different veins.
The first vein being: what is the operational burden on the security team to make sure everything is covered? Because that's their role.
They're the control point, they're the policy makers, they're the policy implementers, and ultimately they're the ones who get audited as well. But then there's also the operational burden on the folks that are using these tools, right? So it's the support staff or the DevOps team or the processes that need to get into those environments, and how do we provide them the speed that they want while it's still controlled, right? So we see this as a dynamic balance between the two.
Every organization is different in its control objectives, but what we do see is that there's always a balance, and the long pole of any kind of PAM implementation is figuring out the right business model that matches the control environment for your company, right?
So I would say any PAM solution that you want to use, or are going to use, has to have that flexibility to be able to support both the level of granularity but also the challenges around operational burden, making it as easy and seamless and in the background as possible.
Privilege does still have to exist; there's no way we can get around that. But how do we control it, and how do we provide the least, the minimal, the policy-based, the revocable, auditable aspects of all of this? This is really where the sweet spot lies. So that's taking the theory and moving it more into the practicality side of things. But what does that mean for a true implementation, right? When we get to Zero Trust and using PAM, we look at really three principles here.
When you evaluate a PAM solution: data control. And this goes beyond just data at rest or data in transit; this really goes into your identities, your credentials, your secrets, your ability to store anything that you don't want to have readily available. It's PII data, it's possibly a combination to a physical safe, right? Things that are key to your business that you really want to have vaulted and controlled, right? And that's really where that data control comes in.
It's not necessarily a database or a DLP; it is more a matter of the way you would get to that information rather than the information itself. Of course, policy enforcement and decision points: as Paul mentioned, policy-based access, dynamic policy-based access, to work within your organization, and of course having that be real-time enabled and justifiable for that authorization is always key.
We see a lot of customers that do a lot of things by AD or LDAP groups, right?
And your membership in that group will grant you access to certain things, and a robust PAM solution should be able to provide that kind of flexibility. Of course, auditable, recordable access, whether it's SSH or other mediums to be able to connect off to it, right? That is your Zero Trust over the wire. Not only is it connected and secured over the wire, but it's also now authorized and viewed and recorded so that it can be understood what the activity was.
And of course we see a lot of our customers have multi-step workflow, whether that's with a service desk implementation and/or within our tool itself, having approvers and managers understand and grant the access that's being requested.
We see that a lot across our customer base, right? So that's data control and sort of control around the policy and access to certain things. Beyond that, we get into more of the Zero Trust aspects of it, right?
So those are the core tenets of a PAM: the data control side of it, the authorization point and whatnot. But when we get into Zero Trust on PAM, we start to look at and expand those use cases a bit more, right? Just-in-time provisioning and entitling. This includes, and I would stress this, identity creation and deletion, when done right.
And PAM solutions should be able to inject a credential, or identity and credential, onto a target system that would then be able to be used, audited, managed, and then removed once the activity was complete.
That is one of the least privileges and sort of what I would call a very strong Zero Trust posture, because you're not having any kind of long-standing access out there, or even temporary access beyond the time when it actually needs to be used.
SSH keys and X.509 certs are certainly a new change that has come in more recently, maybe not that recently, but implementing that and having no standing privileges on target systems is a key thing, right? So that is another Zero Trust posture. We have the ability to grant those as short-lived certificates.
So it's only good for a short period of time, so that if the data or the information around that certificate is compromised or obtained, the access is dead because the certificate is no longer valid.
So that is another really good Zero Trust posture there. Secrets management. And really, you can't talk about secrets management unless you talk about DevOps, right?
DevOps, and while I love DevOps, don't get me wrong, has its fingers in all the pies, so to speak, right? It has the access and the keys to everywhere in your environment to do things that need to happen at very high and very broad access levels, whether it be deploying a Kubernetes workload or deploying a VM to a cloud provider or VMware or what have you. These processes really do need to be looked at very, very carefully, right? And secrets management.
While there's a ton of different secrets management providers out there, we would strongly suggest that you look at PAM vendors from this lens, in the sense: is it a single control plane that works over multiple cloud vendors and multiple technology sets? Can it provide those short-lived tokens and short-lived information to get out to those target endpoints, be it cloud native or out to cloud providers, or using things like Artifactory or GitHub or what have you to pull your code to build it? Take a look at that holistically from top to bottom.
And PAM solutions should be the place where you hold onto the sensitive data that it needs to be able to do its job. And then certainly key management is always a main tenet here. Being able to manage keys and dole them out as necessary, and use those in a fast-changing, fast-paced environment, is an operational challenge, but it can be secured and managed centrally through a PAM solution. And then finally, cost containment, right? So we talked about the operational burden for both the security team as well as the operations team, right?
And so the other key tenets of a PAM solution, I would argue, need to be the way to set it up and easily deploy it, right? Does it need a massive footprint, or can it be done in a small footprint and still work globally across your hybrid enterprise?
Is it easy to integrate and use? So if you have upstream processes or downstream processes, having APIs and CLIs to be able to connect to all those things, those are really key sort of table stakes for getting here. But more importantly, does it scale?
And what does the scale factor look like to meet the demand of your organization, right? Are you DevOps-centric and need to have thousands of secrets at any given moment, or do you have a lot of operational staff that have to log onto machines and get in and do something on a host that is part of their day-to-day job?
And what does that recording look like? Do you need to have an army of machines to be able to support this type of load?
Or does the solution provide a lot of capability and capacity out of the box, from the get-go? And then, most importantly, I would want to stress that, for flexible environments and being able to support different business models, we've been through a lot of different implementations with some very, very large customers.
And undoubtedly the longest pole of any implementation of a PAM solution is supporting the control objectives while supporting the operations directives and objectives. And by doing that, what we end up with is a business model on how to use PAM. And of course that is unique to every customer. So any PAM solution has to be flexible enough to be able to meet the demands and the requirements of your specific organization.
It's the longest pole, not from a PAM implementation standpoint, at least from our perspective, but it's really the longest pole of getting the necessary teams involved to make sure that it's the right experience for the end users.
It's the right experience for the security folks, but then it's also working in a way that meets all the control objectives, right?
And so we would look at these three tenets here as the core foundation of what to look for in a PAM solution, but more importantly, when it comes to Zero Trust, does the PAM solution enable you to get to this level of not only least privilege but zero standing privilege, I would say, in order to work and operate inside of your environment? Paul, if you wouldn't mind, can you go back to your slide there about the challenges? I do want to walk through those.
Yeah. Okay.
Let's see if I can show my screen.
Sure. Excellent. Thank you. Yep.
Sorry, I can see it. Yep, thank you. So as we walk through these, these are great challenges about Zero Trust, and PAM can help in a lot of these different areas in a variety of different ways, right? If we talk about technical debt, old applications aren't going to want to change. Maybe they're from a vendor, maybe they can't change, right? So how are you going to deal with that when it comes to Zero Trust?
Well, while yes, you can't change the technology and you can't change how they're going to be worked on, you can change how they're operated, right? Because you do have the ability to control that. And so PAM publishing changes out to that environment or out to that solution, and then having to recycle the application, is probably your best bet.
Unfortunately, we call that marrying the security operations with some layer of DevOps.
And that's a practice we actually talk to our customers about trying to avoid, right? But I get it, there's technical debt out there, folks aren't going to rewrite applications to do that, but we can work around that with some operational changes. Legacy infrastructure, right? We can't expect every customer to move to every new fancy shiny object that comes out, be it Kubernetes, not that that's fancy or shiny anymore, it's certainly robust, but things change and infrastructure shifts all the time.
And oftentimes the older infrastructure has to stay around for a variety of reasons, right? Maybe you have a P C I environment that only requires, you know, physical, physical machines as opposed to virtual machines, right?
And those things kind of become, you know, the key tenants here. So making these things trust aware, you know, robust PAM solutions can still work with the old legacy in infrastructure as well as the new modern ones as well.
Again, PAM is your control and audit point more than anything else, or it's, it's your point of policy and it's your point of access. And so bringing those on board, you know, and, and bringing them into a a PAM solution is the first step in getting your hands around that and making it more least privileged and then zero trust aware. And actually, I would say this, this actually applies to even beyond the legacy stuff, right?
It's, it's also SaaS apps, it's databases, you know, windows, Linux, mainframe, you name it, routers, cloud providers, right? It's, it's all the above. Getting your hands around that and using a PAM solution to be able to A, inventory it, but then b, control it and manage it and be aware of it, is the start of making sure that you're in that robust zero trust mode.
It's the first step along that journey. It's certainly not the end state you want to be in, but it's the first big step forward. Talking about privileged access and lateral movement, that is certainly a key issue. Part of what we see in a lot of our customers is that there are a lot of SSH keys lying around, right?
So the ability to discover and bring those under management: as PAM gets into and controls an environment, a network site or a VPC or what have you, the PAM solution should be able to scan that environment, understand what's inside of it, bring it in, and let security personnel decide whether or not they want to bring it under management. This is your first step towards making sure that you can lock lateral movement.
I would actually argue that as you go a little bit deeper into this, you should also think about things like processes and kernel-level threats that can happen, right? Open source supply chain hacks that happened recently.
A kernel-level policy from a PAM solution could prevent an outside phoning home, or could prevent a trigger within an environment enabling, let's say, malware or ransomware, right? And so those are the kinds of things that having that fine-grained access, which we're starting to see with our customers, can give them control over.
These threats are everywhere, but if you go in with the assumption that you trust nobody, even your employees, I know that's kind of an oxymoron, but if you come in with that approach, you can certainly start to see where and how these things get placed in.
And then finally, on privileged access as well: robust PAM solutions have real-time behavioral analytics, right? They can see what's going on inside of the user access session. They can see what they're in and observe what they're doing on the network and in the sessions.
And if they start doing something that's out of their comfort zone or out of their normal day-to-day operations, we can raise flags and then provide responses to those things, right? We can start recording them or whatnot. Behavioral analytics is a growing key part of this and certainly something that provides that extra layer of observability during privileged access. On the digital transformation side, to echo Paul's answer: yes, you have to do it at the same time.
There's no choice, but I see it as a fantastic opportunity for security teams to get in there and be able to say, hey, let's start building in security from day one of design as well as day one of implementation.
Because when you do that, the friction and resistance at the end of the process is a lot less, right?
So security teams getting involved with the new and emerging groups or the new products that are coming out internally, baking that zero trust principle in upfront, will save you a lot of time and headaches as you get down the road here. I think I beat DevOps to a pulp here, but certainly short-lived tokens, keys and certificates, and removing any kind of longstanding access or credentials or identities, is key there. And then multi-cloud and shadow IT.
So that is actually one thing I do want to double click on, right? So having a hybrid solution for a PAM, meaning that you can run in the cloud and on-premises at the same time, or in multi-cloud at the same time, is certainly a key thing.
Again, mature PAM implementations will be able to do that, but teams want to deliver quickly, right? And so shadow IT comes into play because they just want to get the job done. They, being the engineering team and the product team, want to get the job done. And so they do this other work to try to satisfy the boxes, but you really don't have visibility into it.
As those things are discovered, there's really no way to stop them, well, there probably is a way to stop them, but most of the time they aren't stopped. They're always found after the fact. One of the things that we can look at doing is, a good PAM solution should be able to discover that, or start to take over and onboard that very quickly, right?
And so having the ability for a PAM solution to go into a VPC or a cloud account, understand the environment, and then present everything that's in that environment and let the administrator, the security admin, decide what goes under management and what doesn't, is a key capability. We are seeing multi-cloud, even by regulation, in some of our industry verticals here.
This is something that's not going to go away.
And as we see companies' strategies emerge, it's oftentimes multi-cloud with on-premises all combined together as one thing. And so the internet, as Paul had mentioned, is starting to become your network environment.
Again, the thing I would stress is that any time you have that type of mindset, that I'm in a breach already, even though you're not, if you assume it, you can then put controls in place and use PAM to help put those controls in place to provide that kind of security. I went through that kind of quickly. I apologize if I was going too fast there, but hopefully there are some good questions and answers we can drive towards, and I guess I would turn it back to you, Paul, for those questions. Great.
Thanks Joe, and I really appreciate you looking at those challenges there. So I'm going to quickly look at the polls. The first one, hopefully these should be seen now, well, no surprise, 94% of people said they've considered zero trust. Only 6% said no. I know that seems like a rather simplistic poll, but there's no doubt the interest in zero trust is huge right now, and I think that reflects that. Let's just look at the second poll result when I can, oh, okay. Hide that one.
Sorry, how many different cloud providers? I said don't be ashamed if you have no idea. And 12% have no idea. And I think that goes to exactly what Joe's just been saying about managing the clouds.
It's inevitable that there's going to be stuff that you just don't know about. 32% have more than three clouds, including natives, Azure and GCP. That increasingly seems to be the norm now, that it's not just the big three as it were, but people are buying specific clouds for specific purposes.
They have private clouds as well. So it's multi-cloud, it's here to stay. Multi-access is also here to stay. We do have a question for you, Joe, which is, can you provide an example where zero trust has been or is achieved within the cloud native context using a PAM solution?
Do you understand that question there?
Yeah, sure, I do. So cloud native context, we're probably talking about Kubernetes and the ability to have a secured environment that is running Kubernetes, right? And the way I would look at this, you look at it in different layers, right? The first layer is the infrastructure layer, right? Where are the Kubernetes workers going to be running, where is the Kubernetes admin API going to be running, and making sure that that underbelly is secure, right?
So the question I would ask folks is, if you're using, let's say, a cloud provider's Kubernetes infrastructure, who's managing the underbelly, right? Who has access to those hosts under the hood, and what do they have access to over your workloads, right? If I go into a Kubernetes host and I look at the running containers, I have pretty much free access from that bottom up, right?
And so a PAM solution can come in and actually protect that underbelly of the infrastructure to start with, right?
That's a core PAM use case, just protecting a server. But then as you start to move your way up the stack, the next layer would be your Kubernetes API, right? And how do you then push workloads onto it? What are the namespaces? What are the identities used within Kubernetes to be able to interact with it, right?
So PAM solutions need to be able to manage those privileged credentials as well, as you get into Kubernetes to launch whatever it is you want to launch. I would then go one step further and go a little bit higher up the stack, or actually one step deeper into the stack, and look at the actual workloads themselves, right?
So I have the ability to run Kubernetes, the ability to deploy something to Kubernetes.
And now if I go into the actual thing that has been deployed on Kubernetes, we're talking about a lot of different things there that need a wide variety of different privileged information and privileged access, right? And that would be something like, hey, I need access. I need a secret for a database, I need a secret for a third-party provider. Maybe it's a financial exchange.
I need secrets for this, that, and every other thing, or these 10 APIs that I have to call and rely upon. That is the content within Kubernetes that has to be secured as well. And I know Kubernetes does provide Secrets as an object type that has some minimal but growing sort of security posture that we could argue about over a couple of beers at some point.
But in reality, you're still tying DevOps to SecOps: when a database credential changes that's required by one of those pods that's running under the hood, you now have to recycle that pod. That's an outage, right?
And do you really want to get to that point? Whereas real-time access, which is what we promote with our customers and what we'll be supplying here, real-time API-based access.
You ask for the credential and you get the latest one that's available, right? And so having that at your fingertips, having that pod have the data at its fingertips and on demand, is what we would stress as a best practice for zero trust.
Fantastic.
Joe, I have a question from Yaron Mazu, I hope I pronounced that correctly. Actually, two questions. I'll take the second one first.
He, she, I apologize, I don't know: how do you zero trust the end users of your PAM solution? You didn't mention it in the zero trust capability slide. So does that make sense? How do you zero trust the end users?
Yeah, I guess so. I guess they're, go ahead.
Doing that most often, and this is pretty much the corporate standard we see around our customers, is that there's a central identity store, right? Whether it's AD, LDAP, Azure, what have you, there's a whole bunch of them. A SAML provider, Okta, SiteMinder, right? I certainly have to plug our own. The corporate identity store oftentimes has entitlements associated with it, right? And because of that, PAM is an entitled application.
And so that's probably the most common way that PAM is secured for end users coming into PAM. However, we do have in PAM the ability to do what we call dynamic grouping, right? And what that means is that oftentimes our users are part of a group. That group has access via policy to a set of devices or a set of secrets or what have you.
And when that person logs in, they are reevaluated for all of the groups that they're in.
So upon every one of their logins, they have access at the point in time when they're logged in, and once they're logged out, that's that. When they log back in again, it will rebalance to whatever that group composition looks like for that user, right? And so while it's not a perfect zero trust model, it is least privileged and always requested on demand. So it does meet the zero trust principles. So that's how we would promote that to our customers.
Okay, so Yaron's other question was about identities, literally how do you create and delete the identities that are using privileged access management?
So you're talking about the identities. I'm assuming that the question is more focused on the identity at the source, what we're going to when connecting off to,
Well, I think, yeah, I'll read it in full as they wrote it. You mentioned that just in time can do identity creation and deletion.
Oh, they just said it's about just in time. So yeah, it's particularly focused on just in time. So my question is, where do you create or delete those identities?
So typically they're at the source, right? They're at the source system, right? If you think about a Windows machine, a MySQL server or a SQL Server, right?
There are certainly core identities that are local to the box, right? Local to the process. They have to be there, it's part of the initial login.
It's the one identity that has full-rein access to do anything within the application, right? Or the OS. We call those local accounts, right? And you can certainly add your own on top of that, whether it's MySQL, and almost any of the other tools can do that. Oftentimes those as well are hooked up to corporate entities, right? So whether it's an AD or an LDAP or whatnot. So when we talk about just in time, it means a couple of different things, right?
It could be that I am taking your identity as the user and I am now pushing it onto that target system, right? And making you enabled on that target system for that period of time. So there may be an AD hookup for authentication, but there's no AD hookup for you as a person on that host until we do just in time. And then of course when we do that just in time and we put Paul onto that machine or onto that process, we can actually have additional commands that would then say, add this privilege or remove this privilege and what have you.
That's one way we can look at doing it. And the other way we can look at doing it is if, let's say, it is a shared account on that box, right?
So it's administrator, or maybe it's app user one or whatever it is, and while PAM is still managing that credential and managing the ability to manage and rotate and provide access to that, the privileges might escalate up or down as well, right? So I don't necessarily have to manage it, but I can manage it if that's what you're asking me to do.
I think the question also sort of talks to the chicken and egg problem. Well, how do I inject a credential, or how do I inject an identity, onto something when I don't have access to it? And typically in PAM solutions there is that core root account, right? Or that key administrator account that exists, right?
And in PAM, and in robust PAM solutions, that root account or that administrator account can be used to then create the other identities on demand, right?
So there is always that one initial identity there that has to happen. I know there's been a lot of push over the past couple of years about ephemeral identities. This starts to move into that realm as well. The challenge I always see with ephemeral identities when I ask customers this question is, okay, well, if you're creating the identity, what are you basing it upon?
And then if you're basing it upon something, what's the privilege of that and what's the standing access for that? And that's always where it becomes, okay, let us take that back with our customers and have a conversation about what that really means. Because while it might be a temporary credential or a temporary identity, it's still based upon something that's longstanding, and that's really not a zero trust way of thinking about things.
Cool. Okay.
Well, Yaron, I assume if you want to follow up with Joe, I think that we make your email address available somewhere, but I'm sure that Joe, you'd be happy to take some more inquiries from Yaron on that point.
Sure, absolutely.
Okay, finally then, we've kind of done this to death a bit, but talking about new environments, cloud environments, how can PAM implement zero trust in dynamically changing landscapes that are literally changing on a daily or hourly basis, even, with new resources, clouds spun up, et cetera?
Sure. So let's take that a couple of different ways, right? Let's take that first within a cloud account, right?
You have an established cloud account, you're getting new VPCs, new machines, new assets all the time. Robust PAM solutions can do discovery. And when you discover, you look over a network segment and are able to scan that and then pull that in, and sometimes even just automatically add it in. Like, let's say you have an AWS VPC, you know what your EC2 user key is, right? That's supplied to all of the machines you're going to be deploying and redeploying.
We can bring those into PAM automatically and be able to manage them through that shared EC2 key, right? That EC2 key would be that privileged account that PAM is holding and managing on their behalf.
Beyond that, we look at cloud accounts and we look at additional cloud accounts, right?
And if somebody created a sub-account and then they're going to be doing something, so the awareness that way, there are some audit trail things that we could look at doing, certainly with our integration with AWS. And in our integration with AWS, we can dynamically add privileges to any account that we're managing inside of PAM, right? So it's temporary access and elevation that we can do as well, sort of a just-in-time use case there.
But in terms of new accounts being discovered, or new things being brought to light, we can't generally scan a cloud provider for "give me all the root accounts that you have." That would be a really bad trust model, right?
So unfortunately, that initial discovery of new cloud accounts, something that's net new out there in, call it the ether, there's no easy way for us to capture that. I mean, how do you know something exists if you don't know it exists?
It's kind of a chicken and, well, not a chicken and egg problem, but it's a key challenge. But once we do know it exists, we can do a lot with it, do all of that at discovery, and bring it into management rapidly.
So, great. That's a good point.
Okay Joe, thanks so much. We're nearly out of time. So I mentioned that you can email, I'll put my email address on the screen there, so if anybody listening or watching the recording wishes to follow up on anything, please just drop me a line@pf.com and we can make sure that anything gets forwarded to Joe as well. So with that, Joe, I'll just say thank you so much for your time today and for a highly informative overview of Zero Trust, not something that's going to get solved overnight.
I'm sure we'll come back and do much more on zero trust as it progresses. Obviously great interest out there from our polls.
But again, thank you Joe, thank you all for listening today, and may I wish you all a very happy holiday season. Goodbye now.
Thank you. Happy holidays. Appreciate it, Paul, and I look forward to the follow-up questions. Thanks.