A very good morning, everyone. This is a Mo from KuppingerCole, and today I'm joined by David from HelpSystems. He's a senior cybersecurity strategist, to talk about today's topic, which is securing your hybrid IT environment with privileged access management.
So today's topic is very close to my heart because we know that privileged access management is a technology that has evolved over the last few years, especially to deal with the latest challenges that we talk about in securing IT infrastructure across organizations, which is increasingly under a phase of hybrid, as well as several factors which are impacting the overall IT infrastructure towards aligning it with the digital trends in the market. So before we deep dive into the topic and our subject, I'll quickly take a few minutes to talk about what KuppingerCole is and what we do.
So we are a company founded in 2004, an international independent analyst organization offering neutral advice, expertise, thought leadership, and practical relevance. All of you should be aware of how we support companies, corporate users, integrators, and software manufacturers and vendors with tactical and strategic advice.
We specialize across all the various topics of information security, particularly identity and access management, access governance, risk management, compliance, as well as many other areas that concern today's digital transformation initiatives.
These are three key business areas of KuppingerCole at this point in time. So we have got research, which is a significant part of our business. We provide research on all the major and current topics, tailored to your requirements, your business needs. All our advice, our research is quite vendor neutral, independent of any biases and always very current. We offer events in, I would say, the format of conferences, webinars, and special events. These events are tailored to meet innovative leadership, an approach which is future-proof.
These events offer you great networking opportunities amongst peers within your industry, et cetera. At these events, you can also get the opportunity to meet and talk with experts about your specific challenges or issues that you might be facing with your organization and how KuppingerCole can support these challenges.
And finally, we have got advisory business where we try to be the best of the class and trusted advisory partner to you.
We try our best to make your business more successful and offer you advice which is very insightful, current, and basically an extract from our experience from interaction with various, you know, organizations across industries, across the geographies, and try to be most relevant in the era of transformation. Right. So there are some quick guidelines for the webinar here. You all are muted centrally, so don't worry about muting or unmuting yourself. This webinar is going to be recorded, and the podcast should be available tomorrow for you to listen.
And also there'll be a Q&A session at the end. If you'd like to enter any questions, anytime, that you'd like to ask me or David, use the question feature in GoToWebinar; please enter questions. We'd like to hear from you what challenges you are facing in the industry, and we'll try to advise the best we possibly can.
Okay. So the agenda for this webinar: I will talk about how the emerging landscape of IT is creating some challenges for organizations to identify, track and control the privileged access to IT assets and the sensitive data.
We all know there are various challenges created by the type of infrastructure that we have, the hybrid nature of IT infrastructure, in order to secure access or various types of users to use infrastructure. So I'll probably talk about that.
And maybe I'll talk about some best practice recommendations of what organizations should be doing to handle such challenges, after which David will talk about the PAM controls which are most effective and relevant in managing certain types of privileged access, and what IAM leaders should be doing to ensure the implementation of a successful and future-proof privileged access management solution. With that, let's quickly dive into the subject here. So as I said, what are the primary challenges that we see in the industry that the PAM market is facing?
So again, this is a good time for the PAM market overall. It's probably one of the most increasing domains of, I would say, IAM today. So PAM has been significantly growing since the last five or six years, I think in the range of 25 to 30% compound annual growth rate, which PAM has been registering as compared to many other IAM domains. And there are very simple reasons for that. One, PAM has adapted to all the various challenges that the industry has seen. And second, it integrates well with various types of business systems to provide you the business value that organizations are looking for.
And that's probably the two reasons why PAM has actually survived and still continues to grow for most organizations. In fact, PAM used to be an afterthought for many IAM projects and programs. So most organizations would implement PAM after they have successfully implemented access management software, identity governance and administration, and maybe, you know, single sign-on and other types of, you know, IAM systems.
And then PAM comes as, I would say, a succession to them to make sure that they can also manage service users in organizations.
But today there have been, I would say, customers who are looking to implement PAM since the beginning of the IAM solution. So they like to kickstart their access management program with implementing a PAM solution, which is in fact a good approach and, if taken care of properly in terms of how you manage the entire IAM program, could meet all the objectives of your IAM implementations.
Well, so yeah, I think coming back to the topic here, what are the primary challenges of PAM implementation in most organizations? The first one that we have identified is obviously what are the primary drivers of PAM. Most organizations are not very clear on what drivers or what actually drives their PAM program or PAM requirements, whether it's compliance to regulations, whether it's insider breaches that they want to manage, whether it's the abuse of credentials that they like to control.
So what is the primary driver which is driving the need for a PAM solution in the organization? Some organizations even have the requirement of securing access to cloud-based applications and infrastructure like SaaS, IaaS, PaaS, and PAM solutions are very suitable today to manage that kind of access. As well, some organizations implement PAM only to make sure that they have the right level of visibility into the outsourced IT operations, what third-party vendors and managed security service providers are doing on their internal systems, information.
So PAM provides you all these various capabilities to make sure that you are able to meet these drivers, but what remains your primary driver, that is something which you should be able to identify in the beginning of a PAM solution implementation.
The second is obviously a stakeholder conflict that we see as a key challenge for PAM solutions.
Again, many organizations have various types of buyers for PAM solutions. Generally, those are IT security and risk departments. Then also you have got infrastructure and operation leaders who are interested in buying PAM solutions. Increasingly there are auditors, security auditors, who are looking to implement PAM solutions to make sure that they're able to have the right audit trails, investigation capabilities of what people are doing on the systems. So all these three various stakeholders have their own interests in your PAM program.
How can you make sure that you understand what the stakeholder needs are, and how can you balance these needs from the various deliverables that these stakeholders are expecting out of your PAM solution? So there might be overlapping tools in many organizations, or some existing tools which are already doing part of managing privileged access.
How can you make sure that you don't conflict or you don't have overlapping capabilities, and ensure that you have the right fit or right PAM solution that makes sure that, you know, you are not doing an overkill in terms of PAM implementation for your organization?
The other challenge that we talk about in the PAM market, and we see in the PAM market today, is improper or, I would say, incomplete scoping of your PAM requirements.
Again, this is a very common challenge across all the IAM verticals, but yeah, this is something which becomes very important for PAM because people do not understand what PAM solutions can actually do or help you manage. So PAM solutions are not just about managing shared accounts and service accounts. It can actually go beyond that and can manage various types of infrastructure, devices, and systems that you may have in the organization.
Talk about devices, talk about routers, firewalls, all of those devices, your servers, application servers, web servers. Going beyond that, you should also look into how you can make sure that you can implement PAM solutions for securing access to databases. Beyond that, you can even manage access to the user endpoints.
So whether the user endpoints like your Windows and Mac devices are in the scope of a PAM solution, what kind of delivery options you'd like to support using a PAM solution, whether you'd like an appliance-based approach or agent-based approach, which kind of delivery option is most suitable for your enterprise, for the usage by your business users as well as your administrators, what are your immediate use cases that you'd like to satisfy or meet with the PAM solution. So all of that should be part of your scoping problem.
So make sure that you scope your PAM requirements well, understand what type of infrastructure you have, especially for organizations who have a hybrid IT infrastructure. And I think David will talk about that in terms of how you can even manage various types of devices and servers, especially for organizations who have a need to manage privileged access on IBM mainframe devices, for example. Not all vendors have the capability to do that.
And I'm sure David should have some indication or hint into HelpSystems, who specialize in managing some of these kinds of infrastructure as well.
Right. Coming to the next challenge that we see is the lack of focus on the user experience.
Now, a lot of leaders would come back and say, why do we really need to focus on user experience for administrators? I think it's very important that you look into the overall experience of managing PAM solutions, how an administrator is having access to the various systems that he needs to perform privileged activities on, so that it offers the right balance of security as well as user experience.
Administrators, again, if not given the right experience, tend to bypass several PAM controls, which can defeat the entire purpose of implementing a PAM solution. So it's very important that we focus on the user experience part of implementing PAM solutions as well. And finally, a lack of vision.
Again, lack of vision is very important in terms of where you'd like to see a PAM solution going forward.
What are your various security initiatives, or what's the direction of your CSO or CIO? Aligning your PAM objectives with their vision is something very important for you to also analyze and make sure that it happens. Things like the move to the cloud: is your PAM solution capable enough to support the move to the cloud that you see in the organization, are you able to support any of the digital initiatives?
For example, DevOps. PAM is a great enabler of DevOps in most organizations, as well as IoT. So if you're looking at implementing IoT security, PAM can also support some use cases towards securing your IoT devices as well. So overall, I think, make sure that you understand where the organization is going in terms of managing security and supporting these initiatives. And PAM can be a great enabler for you to support those initiatives. Coming to the slide which talks about the latest privileged access management tools and technologies.
I'd quickly like to take you through how we define privileged access management, or I would say categorize privileged access management, at KuppingerCole.
So obviously there is shared account password management, which is very much at the heart of a PAM solution and offers you the technology to securely manage the privileged credentials of all the various types of accounts, including shared accounts, system accounts, service accounts, application accounts, and offers you an encrypted and hardened password vault that takes care of storing the credentials, passwords, keys, be it SSH keys or any other types of credentials, in a very controlled fashion, as well as makes sure that it delivers a policy-driven release and update of those credentials.
The other technology is obviously AAPM, which stands for application to application password management, and is a very logical extension to the previous tool or technology, which is shared account password management. Basically it's about managing the various application or system accounts that communicate with other applications and systems. So these tools also deal with elimination of any hard-coded credentials in the application code, scripts, or any of the configuration files that you may have on systems.
It basically offers a mechanism to make sure that these credentials are securely available to the calling entity, be it application, database or server, by a mechanism, generally APIs or even CLIs, which can help you to manage these credentials. The third technology is basically CPEDM, which stands for controlled privilege elevation and delegation management.
And the technology basically deals with, obviously, the controlled elevation and policy-based delegation of users' privileges to super user accounts, super user privileges for administrative purposes, things like online substitution, filtering of commands using whitelisting, blacklisting.
All of that is part of controlled privilege elevation and delegation management. It's different from what we experience or, I would say, observe on BM for Windows systems, which I'll talk about in the EPM part of it.
Now across all these three, we have got privileged session management technology, which basically offers you the capability to establish a privileged session to the target systems for basic auditing and monitoring of those activities. And these tools generally offer you authentication of both services and the users across all these three technologies, and offer authorization as well as single sign-on to the target systems.
A very logical extension to PSM is SRM, session recording and monitoring, which offers you advanced auditing, monitoring and review of those activities during a session, and is done by various mechanisms like keylogging, video session recording, screen scraping. Some vendors even offer OCR-based translations so that you can run a text-based search on a Windows or group type session.
Right? So coming to EPM, which is endpoint privilege management, we are seeing many vendors trying to build in capabilities for EPM either by organic development or by acquiring.
So starting other vendors in the market. Most vendors today have these kinds of capabilities in the market to make sure that you can offer management and Aion of threat, which are associated with endpoints. And as I say, because of EPM, PAM tools are emerging as strong threat Aion threat detection platforms to make sure that there's a second line of defense for the overall adaptive security architecture for organizations.
So things like malware that can easily be downloaded and can bypass your existing EP, you know, threat protection platforms, that require elevated privileges for any of those kinds of actions. So if you have the right EPM solution, which has a controlled privilege escalation mechanism, these kinds of spyware and malware threats that can enter your organization or your network by any means should be easily controlled.
Yeah. Coming to the point here, the EPM technologies basically provide you three kinds of capabilities. One is application whitelisting and blacklisting.
So control over what kind of applications should be allowed to run; application sandboxing, which, I would say, makes available a separate environment for applications to execute, so that the applications which are downloadable from the internet do not have access to local files or data shared on your systems, so the damage can be limited; and third, obviously, the privilege management or privilege escalation of users. So these three technologies basically constitute a complete EPM technology.
And obviously there's PUBA, which is privileged user behavior analytics, inherently a data analytics technique, which detects the threats based on anomalous behavior against an established, I would say, behavioral profile of administrators compared to their peers or the roles that they're assigned to.
And there's also privileged access governance, which is increasingly becoming very important for many organizations, again across all the types of technologies in PAM, and deals with giving you insightful information related to what's happening across your PAM infrastructure. It gives you information which can be really necessary for you to support any decisions. It can also include conducting privileged access certifications, which are more important than standard user certifications, and gives you the capability for reporting and dashboarding across the environment.
So yeah, this is how we classify PAM. I'll quickly come to the best practices for privileged access management. And since my last webinar, there have been people who have been asking for some more explanation on some of these best practices and how we have gathered that. So this is something that we have analyzed as part of our interaction with many organizations who have implemented PAM, and they have found it really, really important, or obviously helpful, for a successful PAM deployment.
The first thing which I would like to focus on is identifying the immediate PAM requirements that you need to address.
So, as I said, you know, understanding what use case you'd like to manage first is important, and making sure that you drive your PAM requirements or scoping with those use cases; deploying the PAM tools of low deployment complexity first; and also you try to onboard the set of resources which have higher visibility in the organization and are also easy to onboard, so that you can limit the complexity and establish the required credibility to communicate it to stakeholders, so that they have confidence in your overall PAM program.
A key prospect is again to make sure that you have your PAM administration separate from general IT and infrastructure administration. There should not be IT administrators who have access to the Windows system on which you have also installed the PAM solution, so that he can go into the PAM solution, make changes, come out of it, make changes to the log files of it.
And, you know, everything can be compromised here. So make sure that you are able to segregate the PAM administration from IT administration.
You have separate PAM administrators and they sit on top of the IT administrators. Apart from that, adequate testing for application to application password management, so that you're confident that it's not going to break anything in the production environment. It's very important because this is something which has a higher level of deployment complexity as compared to the rest of the PAM technologies and tools.
So make sure that you conduct enough testing of AAPM in your pre-production environments. Hardening the password vault and ensuring a secure replication of your vault is again something very important; make sure that this is supported by the vendor or the product that you are selecting for PAM implementation. Generally, just making sure that you are installing your PAM solution on a system which is behind network firewalls and doesn't have internet connectivity is not sufficient to make sure that the PAM system vault is not compromised.
Make sure that the solution supports high availability architecture and has also got the capabilities for automated failover in case of any operational disruptions. Making sure that you establish a process for exception approvals for firecall scenarios, for any scenarios like break-glass scenarios, is also important. PAM tools are generally easy to implement, but then again, there are so many things involved in terms of integrating them with various types of systems. There are special caveats for various different types of industries when it comes to PAM implementation.
So I think you might want to take help from external service providers, professional services, or that size for initial implementation and personal training requirements, if you think that you would need help from third parties and you do not have sufficient skills in house to support end-to-end PAM implementation. And finally, I think it's very important for you to also ensure that you conduct periodic privileged access management reviews.
So making sure that all the users have the right access, or even making sure that they have the relevant access, more frequently than incentive users, is a good practice. With that, I would like to hand it over to David, and he'll talk about the PAM controls and also the things, how to make sure that it's a successful and future-proof PAM solution or audio.
David,
Thank you. For those who were listening at the beginning, my name is David Dingle. I'm part of the cybersecurity business unit at HelpSystems. And I'll talk a little bit about our company towards the end of today's session. The focus for today is to talk about privileged access management as we're moving towards more hybrid computing. So I'd like to start the session talking about some industry trends that have been impacting us all in the last 12 months or so. So let me start with the middle of this slide.
I think it's fair to say that privileged access management products have been around in various verticals for almost 30 years. Outside highly regulated industries, PAM solutions have really come to the fore in commercial organizations maybe in the last 15 years or so. And a lot of those solutions have been password based. Unfortunately, the, with the technology in the speed of computing in your standard desktop PC, it's not capable.
If you can get hold of a password hash to break that hash within 24 hours using a, a seventh, three generation Intel processor.
So there is significant pressure to move the way that users are authenticated to something away from passwords. The next likely candidate that has been used significantly in our technical infrastructures, but also integrated into PAM solutions, has been OTP. Sadly, the US government about 18 months ago surprised us all and said that OTP solutions themselves are intrinsically not secure and subject to quite easy man-in-the-middle attacks, to the point that the US government has banned OTP solutions from any delivered services to the US government or associated agencies.
So they've, the US NIST has given us all in the commercial world a very heavy steer that OTP as a technology base has had its day and we need to move to something else.
I'm sure all of you have been subject to pressure to make sure that we make the best use of the systems and servers that we have. And you'll have seen from market data over the last four years, year on year, that hardware purchasing for internal infrastructure has dropped somewhere in the region between 10 and 15% on a year by year basis for the last four or five years.
I'm happy to report that this last 12 months in North America, in Europe and in Asia, there's been a 30% uplift. People are finally spending money to Rere and rebuild their technology platforms, whether it's to expand their VMware infrastructures for the private clouds they've had in place for many, many years, or to move into new technology platforms. I think it's fair to say that no one is buying infrastructure to build a standalone server anymore.
People are building technologies either based on virtualization or using, typically, OpenStack in combination with containerization and Kubernetes for application coordination. And of course over the years, since 2004, public cloud computing has been available, starting with Amazon and then spreading out to the other main vendors, and over time allowing us to create bridges into what we now call hybrid computing, between internal resources and some workflows that live out in someone else's data center across the web.
So hybrid computing is really coming to the fore. A few years ago, I'd never have seen or expected to see the US government preparing to outsource IT operations to a public cloud vendor. And the same thing we're seeing in the commercial world: banking operations across the world are being run on public clouds. And we're certainly seeing a commercial drive to move oil and gas companies and other companies who were in the past
very sure that they had to own their own infrastructure.
That move is starting to be produced quite substantially as public cloud vendors have proven the technology and the stability and auditability of the infrastructure that they provide. For those of us who still own internal systems, though, there are other demands, probably in parallel to the compliance and audit challenges that we are being pushed to, that I'll talk into in a moment. In the past, there's been a very strong alignment between various technology stacks and the support teams who look after them. Those support teams tend to report to technical system owners.
The audit and compliance view of the world has pivoted that 90 degrees into a more horizontal view. So in the traditional infrastructure, if you owned it yourself, you might, in this very simple example of the web-facing customer company with customers coming in over the internet, in this operation, the customer and transaction data in this case lives in a data warehouse.
This web-based organization builds models and therefore delivers offers back to their customers and prospective customers.
For modeling, they do it in the public cloud, and their marketing team do their own activity in a different public cloud altogether. So in this example, if you were thinking of the technical stakeholders, they were very much aligned with the support teams that looked after these different technology stacks. With audit and compliance, things have changed quite significantly. Senior business owners, senior management, and more importantly, board level executives are now personally liable for different parts of the business processes and the infrastructure that they live on.
So in this example, a view of the world with the same technology stack, looking at it from a horizontal perspective, a chief financial officer may be legally responsible for the maintenance and support and privacy of the customer information,
and that customer information in this example lives in two different technical infrastructures.
And to a certain extent, he or she doesn't care how that data flows back and forward. From an audit and compliance perspective, when using a PAM solution, that person needs to understand which staff teams need to be able to log into, and how people have actually accessed the systems, how they've assumed privilege to carry out their technical or business support functions over time, and to be able to provide that information to internal and external audit.
So this pivot is something that needs to be supported in your PAM solution very much in parallel to the ongoing technical data owners that already exist in your internal data centers. So having to support two views at the same time is part of our life going forward.
Of course, we have all been migrating various workloads through different technical architectures. Pretty much since 2004, we all lived with physical systems or, if we were in banking or government, we had very large multiprocessor systems.
A lot of that over time has migrated into virtualized infrastructures. VMware has been the biggest player in that space, but not the only one since 2004. Most of my customer base are completely virtualized on the Intel platform using VMware, and a certain amount of legacy infrastructure for AIX, HP-UX or Solaris.
Of course, there's been another significant move. I already talked about the sustainability and auditability of public cloud and commercial cloud vendors like Oracle and IBM showing their capability that data can be protected in these various clouds. What is interesting from a technology perspective, and for someone who's seriously interested in business operations, is the potential to move workloads almost transparently.
Some work started in VMware and Amazon in Australia three or four years ago.
And that's turned into live migration tools that are tantalizingly close to being production ready. What that means is maybe next year, a decision is made to move a workload that is business critical and contains customer or supplier information, that could move from your data centers into the cloud with a push of a button. And all those controls you have in place internally, the security policy, the access management, the encryption, all of that needs to be able to transition if the decision is made to move that into the cloud, and to make sure that the risk management's exactly the same.
So one of the offerings that we provide, and other vendors provide as well, is the ability to provide the same PAM experience with exactly the same security policy, regardless of which technology stack, which cloud stack you happen to use this year, or if procurement decide to buy or procure from a second cloud vendor because their commercial terms are significantly better for next year. That becomes not a problem.
So this is something that you are going to have to consider as, and we'll talked about earlier, there's been a certain amount of acquisition of cloud-specific PAM solutions, where they have been seen as a niche product. That gap in the market is going away. There's severe pressure on the PAM vendors to provide the same experience and the same security policy everywhere, because you just don't know where your customer data, your supplier data is going to live from month to month or year to year.
Of course, most of us will have been involved in another piece of disruption, the changes to our business processes, technology processes in audit and reporting for GDPR covering the 27 countries in the EU. We have all struggled to get ourselves ready by May to meet the deadline. And I think it's fair to say, without disclosing any company secrets from all the, all the customers that we have talked to, a significant chunk of that effort has been people related. It's been very heavy on, on people to get these processes changed and not so much on technology.
The GDPR program itself reminds me very much of the SOX program in the early 2000s, where again, it was very focused on people doing things. And then over time security policy changed. Default security policy became embedded in tooling like PAM solutions. And a lot of that just became automated and clicked straight out into compliance reporting, in audit reporting, automatically.
I expect this to happen in the, the GDPR space as well. A couple of small wrinkles: most of the programs are very focused on European citizens in Europe.
And you may have heard reports that US news companies have closed off their internet offering of their newspapers to European citizens based on the European IP address. Of course, if a European citizen, say, goes on to go and live in New York for two years, if something happens to that person's data, then GDPR regulations still apply and something needs to happen when reporting needs to happen. There seems to be a gap in, in some of the initial implementations that we have seen so far.
Secondly, there is no single reporting authority for you to report to. One of the compromises, a political one, was that each EU country has its own data protection authority to enforce and advise on GDPR, which makes it an interesting issue if you're a North American or Asian organization who has no footprint and no offices in Europe: which of the 27 authorities do you report to, one or all 27? So there's, there's certainly some refinement going to be required from GDPR. And our projects are going to have to be updated over time.
And tooling is going to have to be updated with more refined security policy, especially in the PAM tool space.
GDPR has been very focused on three main areas, in very, very broad terms, on security policy definition. And I'll come back to one of them shortly.
There's been a very clear focus and drive for business owners and directors to clearly identify risk and make sure that risk is balanced against appropriate mitigations, and for the IT and operations people to make sure that the operation that you're running is secure, can be available with the appropriate level of availability, is resilient, and covering some specific topics like the ability to restore data to a clean state. So backup and restore is something we've all been doing for most of our working lives.
GDPR has a different focus to make sure that you can restore the data in a very short period of time and make sure that the restore actually works. That's gonna be a challenge to prove that.
So one of the side effects from implementing your GDPR project is a rolling program of business as usual changes to make sure that the testing you do is done on an ongoing basis, what you're doing and how you're doing it is assessed and reassessed both internally and externally and evaluating the effectiveness of what you do and whether you need to make some changes.
Again, this reminds me very much of SOX in its early days and how we changed how we did SOX over time. Although this, this presentation is really focused on PAM and, and hybrid, there is a bit of an extension. We all have to support various compliance and audit regimes, sadly, outside our focus on GDPR, which is taking a lot of effort. I should report that there are 32 other compliance regimes, very focused on data protection. This is a slice of the Middle East and Africa. There are similar pitches for South America and for Asia.
So for example, Israel released its updated data protection regulations, and they also went live in, in May this year. So if you have a supplier relationship or you have offices in Israel, then your, your technology solutions, your PAM solutions and your compliance reporting are also going to have to, to comply with the geographic countries that you cover or the customer base that you, you provide your service to, or the supplier or product sourcing countries that you interact with on a daily basis.
Jumping slightly back towards technology, there's certainly been some changes.
I did talk about passwords and OTP and their weaknesses and failings. In our surveying with our customer base and in the wider market, most of our customers are telling us their number one information security project right now is the implementation of multifactor authentication, initially for application access and database access. This also needs to apply to the technology systems and operating systems that you're using day to day. For example, if you're processing credit or debit cards, the system admins who must log in at the operating system level must use multifactor authentication.
Password access is completely banned and has been now for about a year. It gets more interesting with the technology stacks that we've been using, in that your Linux or Unix operating system is these days typically living in a virtualized environment. So you also need to secure the administration tools, the KVM admin console, the VMware virtual console, which very recently has been migrated to a Linux workstation product. If you're using OpenStack, then the OpenStack director console needs to be reconfigured for MFA.
And if you are making changes to your networking and you're moving to open networking based switches and routers based on Linux or various versions of BSD, then those switches and routers are basically just another form of, of Linux or Unix operating system. And they are also significant targets to be protected with a PAM solution and, and accessing those with MFA.
So just in a, a very broad, broad summary, our 10, our four recommendations for when you're reconsidering how you're going to reconfigure your PAM solution, or if you believe you're going to have to procure a new one: you need to seriously think about retiring password access management and OTP access management. If you have a breach and you're using one of these authentication methods, to use the term from GDPR, they're no longer the state of the art, and it might have financial consequences and liability consequences if you're using authentication that's seen as insecure or has been reported to be insecure or weak.
Again, from GDPR and some of the other data protection regimes that have recently gone live, your business has to think about business risk. And while talked about identification of scope, that scope really needs to start up the business and risk profile and risk management.
And then it gets translated into PAM-based policy over time. And if your policy changes in the business area, your PAM policy may need to change automatically as well.
If you're looking at a PAM solution, it needs to obviously span your internal systems. If you're implementing new private clouds, using something like OpenStack, and if you're using one or multiple public clouds, then the PAM solution needs to be able to span all of these. And if someone comes up with a new technology infrastructure, your vendor needs to be able to expand their solution in a reasonable time to move into that new technology platform. And then lastly, from a business perspective, it is a fact of life that we are living with multiple compliance and audit regimes.
If you're in North America, you certainly have state regulations, national regulations, and the regulation from the, the industry or sector that you operate in. From surveys, most organizations are supporting at least three or four compliance regimes in parallel. If you're working in international business, that can grow to six or seven, or even up to 10, if you're an international bank. And that's very, very common.
So to be able to configure these different views of compliance, to match these different compliance regimes, and to be able to report in a, in the timeframes that are required by the compliance regime itself is something that needs to be able to be configured very simply and moved into production rapidly.
Just very quickly, HelpSystems has a portfolio of cybersecurity products and a number of them on various platforms. Let me talk a little bit about this one. This is our privileged access management solution for Linux and Unix platforms.
So while the enterprise Unix platforms, AIX, HP-UX and Solaris, Linux on Intel, Linux on Power and Linux on mainframe, very common in our banking customers, as you might understand. The three main areas of focus are account management, making sure user accounts and support accounts are set up correctly; handling the application or functional accounts, making sure they're correct and on the correct systems; enforcing how a real person logs into a system as they attain a session, how they might transition to a privileged account under appropriate control and logging.
And then lastly that the whole security policy mechanism cannot be subverted and cannot be bypassed.
And it's based on the least privilege model and making sure that that security policy is appropriate to the different types of infrastructures, internal, private cloud, or, or public cloud. So therefore covering the whole hybrid environment in one piece. So we have many customers who do this. We have customers who take our infrastructure into the public cloud and create their own hybrid environment without needing to talk to us.
They just do it by themselves and have been doing so for many, many years. As I mentioned, I'm part of the cybersecurity practice inside HelpSystems. We have lots of different security solutions as part of this portfolio on many technical platforms, Unix, Linux, Windows and, quite uniquely, security solutions for the legacy IBM i platform, or what used to be called AS/400. That's quite a, a unique proposition. And obviously that, that customer base is quite small, but very sticky as a supplier, in that people don't migrate off of that platform very quickly.
And we can provide cross-platform views of audit and compliance and access management across all of these concurrently. So that's where I wanted to stop today. I'll hand back Toal for us to take some questions for the rest of the hour today.
Thank you, David. And so let's, let's go into the Q&A. Now we have got a few questions here. The first one is: "We are planning to implement an MFA project for our company, but right now it is focused on application, web and database access control. Can we reuse the same devices and technology for server and OS protection?"
David, do you wanna take that?
Yes, I will take that one. The easy answer is yes.
However, with a rider: you need to check that the PAM solution that you're implementing with will actually support the particular combination of MFA device. So they may be using MFA with a USB token, but they may not support a particular variety of corporate ID card that happens to have an X.509 certificate on it, or it may not support biometrics. So you need to make sure that the PAM solution can handle various combinations. In an M&A-type environment, you may acquire another organization.
They may be using different sets of tokens and your solution needs to be able to survive with all of them concurrently. So it's always a challenge from a vendor perspective, but the, the basic answer to the question has to be yes, but there's, there's certainly some supplier issues in, in getting up product upgrades to make sure that your token combination is supported.
Absolutely.
And, and I would concur with you here, David. I think it's important that you make sure that your MFA provider or MFA vendor, whether on-prem or cloud-based service, can integrate with your PAM vendor as well. Most would offer some basic authentication types, but they may not be sufficient enough for, let's say, adaptive authentication capabilities, or even the type of form factors that you would like to implement for your overall MFA. So three things to consider here. One, make sure that you choose your factors wisely for all the various PAM use cases.
Not all PAM use cases are equivalent in terms of assurance. So where a PAM case, PAM use case might require a user logging in where the user password and P I token may not be, may not be sufficient for you to offer you the, the level of assurance for another PAM use case where, let's say, administrators are logging in remotely on a third-party system to, to conduct or execute any privileged activity.
And a different combination of form factors might be required there to, to secure the system. So make sure that they integrate well.
And also you have, you have the capability to offer the payment to step up the authentication capability. So the PAM vendor can communicate: this vendor or this user, sorry, this user is now trying to execute an operation which has higher associated risk. So I would like to send the user for further authentication using another token, so that the vendor is able to do a risk-based analysis of the activities and can invoke step-up authentication in conjunction with the MFA provider. Yep. So coming to the second question here: you mentioned a pivot from technical system owners to business owners.
How does a PAM solution address both audiences at the same time?
Well, I can only, I can only talk about the solutions that we use and how we've implemented it. We have seen some first and second generation PAM products very focused on the technology owner view and, and unable to support multiple views at the same time. What we do is put hosts, operating systems, in multiple views, in multiple groups at the same time.
So we can continue to maintain the, the technical owner view that has been there traditionally, but we can start creating concurrent views, putting the same host, the same operating system in different views to cover the scope for the, for the business, the business management and audit from that perspective. It's, for us, it's a very simple operation and there's no limit to the number of, of business views we can create. It doesn't affect the performance of our database at all, but it makes reporting out to the, the compliance and audit teams
very, very simple. So they can basically ask simple questions, like "tell me all the people who actually logged into systems where data that I am responsible for resides", and that data is instantly available.
It's, it's a piece of functionality that we implemented many, many years ago for our financial customers. It met their compliance needs many years ago, and it's, it's, it's been a perfect piece of functionality to meet the more general concurrent compliance regime requirement that we all have to deal with today.
Absolutely.
And just, just to add to that, there have been some very, very traditional use cases around managing privileges of business users across your ERP systems, SAP systems, all of, all of those various types of complex authorization models, where you might have business users who have different type of authorizations, and there might be requirement of, of emergency privilege access management across the systems.
When the users actually get access to additional authorization codes or additional privileges to perform a particular activity for time being at a point in time, you need higher privileges, a need for monitoring and auditing of activities. And that's where Pam solutions can actually support the business users as well.
So, yeah, I, I think, I think if it comes to really system owners to business owners, I think you are right in terms of the kind of reporting and especially the privileged access governance, which can support business owners' interests. A really, a really interesting question I have,
and I think it's a really good question, is regarding the PAM tools of loop deployment complexity: "Market leaders seem to have high deployment complexity. For an enterprise wanting low deployment complexity, what vendors should be considered?"
So I think, I think there is no direct answer to that in terms of what vendors would support. I think mostly you're right in terms of market leaders. I think they are actively looking at how they can ease the overall deployment process. And that is a major, major criteria for even us to, to evaluate these vendors. So I think it's important that we look into how we should, we are able to, we are able to look into the overall deployment process and reduce the complexity with the help of vendors.
There is also a support that you might want to look for, special professional service providers, because they have implementation experience for the industry that you're working in and have the expertise in how you can reduce overall complexity for deployment Bria. I think we can take this answer offline as well. You might want to directly write to us, and we can advise you on that. With that, I think we are over the time. I would like to thank you from my end, as well as from David, for attending this webinar. And we hope it was helpful. Thank you all. Have a good day. Bye.