KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Industry thought leaders have stated that if there is only one project you can tackle to improve the security of your organization it should be Privileged Access Management (PAM). But successfully securing and managing privileged access is a tough task and is only getting harder to solve.
Industry thought leaders have stated that if there is only one project you can tackle to improve the security of your organization it should be Privileged Access Management (PAM). But successfully securing and managing privileged access is a tough task and is only getting harder to solve.
Good afternoon, latest and gentleman, welcome to our webinars. Six myths of privileged access management, busted. Why every business will benefit from a successful program. This webinar is supported by beyond trust. The speakers today are me, Martin Kuppinger and Carl Langford. Carl Langford is director solution engineering at beyond trust. Before we start some quick information about copier call some housekeeping information. And after that, we will then directly move into my presentation followed by Carl. That is our common flow. So let's directly start copy a coalition Analyst company.
We are working globally and delivering a broad variety of services around identity and access, cybersecurity and artificial intelligence. Within that, we have a series of publications, such as activity, view reports and leadership compass. We have various types of events that our, as our webinars, our conferences and meetups, and we support our customers with advisory. We also soon will launch an e-learning approach. So broad variety of services.
If you want to get access, gain access to our research, we have a platform which is Casey plus, which gives you one year access for 800 zero to all of our research. It's an individual access license in that case, trust dry and figure it out. We have also a series of upcoming events in late November. We will have so it's next week, even not that late anymore. And AI went in Munich next year, may we will run our flagship event, which is the EIC, the European iden conference, which will be again, held in Munich. It's the largest and most important conference in that space in Europe.
And then we have a next year November. We will do our cybernetics world, which will be around AI and related topics and how these are evolving for the webinar itself. Some quick housekeeping information, we will, we have mute you centrally, so you don't need to control your mute. Unmute microphone. We are recording the webinar and we will provide a slide X for download afterwards. Usually we do this by tomorrow. There will be in Q and a session by the end of the webinar.
However, you can end the questions at any time using the go to webinar control panel so that we have a long list of questions for the Q and a session towards the end of the webinar. Let's have a quick look at the agenda. So first part will be done by me. I will talk about why Pam is a high priority topic. When it comes to cybersecurity, I will look at the capabilities of Pam and we look at their relevance for addressing the challenges organizations are facing today.
So this will be more an overview on this topic, building the ground for Carl, Carl Langford, then we'll talk about six myths revolving around Pam and how to deal with these myths in practice. And as I've said, then a third part will be the Q and a session. Let's start with a pretty generic perspective. But one which I believe is very important, which is around compliance, audit, and security, all things which are affecting what we are doing in payment, which, which what we are doing in other areas of cyber security, in other areas of identity management.
So there's one area which is compliance. And, and when we look at, for instance, Pam, there are there's one control, which is a 9 2 3, for instance, an ISO twenty thousand twenty seven thousand one, which are the Pam specific controls. So compliance requires us to do something in that space. If we want to meet certain types of standards, certain types of certifications. In that case, it's not a law, it's not a regulation, it's a standard.
And we, we, but we see more and more businesses which are requested to comply with the standard. Obviously then being part of such standard also becomes part of a good practice. We also have the, the audit. So compliance is you can make a track on that. Audit is you pass the audit. So you're able to prove that you do what you say you're doing, and the actions are what you actually do. And at the end of this, it's very important, always very important, not only to be compliant and pass audit, it depends on the action. So that together really makes security.
And if you don't act accordingly and that might be go well beyond what is the minimal requirement from a, for regulatory perspective, you might greatly fail in security compliance for itself and passing audits doesn't necessarily make you secure. You might become better, but at the end, look at it. What you really need. If we need to do that. Because when we look at today's situation, then access risk is a business risk. It is essential for business to be able to mitigate risks. So we have this risks and access risks, which are part of identity management.
So you could consider Pam being somewhere between IM on one end and cyber security on the other end, there's an access risk. So fraudulent access to certain data to systems, etcetera, all these are risks and there's broad range of these risks. These are it risks. So we need to, to really map these risks, to understand what they mean from an it risk perspective. We need to understand what it is from a business risk perspective, because it risk today can have a massive impact on what happens in the business.
It even can, if something goes fundamentally wrong, they can drive a company out of business and there's cost. And shareholders need to be aware that they need to invest in security because at the end access risks and other it risks can turn out being so essential.
So, so, so big that if something really happens, that their entire investment is at risk. So we need to look at that. We need to invest, but it's not getting easier. And when you look at this entire topic, then we are somewhere in the cybersecurity challenges and they are more and more challenges we are facing. So one of the challenges, that's probably true for everything we do in cybersecurity and identity management around Pam or our privileged access management's skill kept. It's always difficult to get the right people and to get sufficient of them and to be able to pay them.
On the other hand, we have ever increasing tax and we need to be very clear about one thing. All targeted attacks are after the highly privileged accounts. So Pam is essential to counter that when we have the problem also that we have attacks, which start far earlier. So we are under attack for a while. So we might not stop the attack.
So we must reduce, we must mitigate the risks of what happens if someone gains access to an highly privileged account, for instance, because there might be someone in our network already, the less that person can do that attacker can do the better is that's again, one area where Pam comes into play, reduce what privileged uses can do restricted, and you are mitigating your risk. There's an interest through behind it. We all know that they earn money with that. They have their business models. They know very well how to execute on that.
And our challenge always will be, we need to defend against thousands and cents of tens of thousands of attacks, and attacker only needs one successful approach. So we are always in the diverse position.
It's like, like if you're playing soccer or football and you have one defender and 10 attackers, you, you will lose. It's hard. Our environments are more volatile data shifting to the cloud. And the business impact is really getting bigger and bigger, and this is why we need to act. And that is where Pam comes into play Pam, which is privileged access management. So privileged for these are the, the, the specific types of access, which are bath a certain level of risk.
So when, when you define what is privileged, you always look at it from a risk perspective. And, and then under define use thresholds when you perceive this as becoming privileged. So beyond or above that threshold it's access. So the use of systems and applications for both executing it tasks, such as configuration of systems and business tasks, there can be privileged business access.
However, privileged business access is in many cases than more covered by, by the identity access management piece, by setting title and stuff like that. But even there could be scenarios where you need some sort of monitoring and other capabilities, which are traditional Pam capabilities and its management. So reduce it to mitigate the risks successfully. When you then look at Pam, you could create a broad variety of pictures around that. There there's some, some sort of baseline Pam, which is around the privileged access request.
We, someone raises or way start from a system, which is in some way, authenticated authorized passwords that frequently are used, which are stored in the wall. They are passed past. The passwords are handed over in the 10th past to the application, which is managed and there might be some session management.
So, so managing the access, managing the sessions, managed the passwords are key capabilities. However, there might be significantly more elements in that. So I don't go into all of these, but there's for instance, AAPM, which is application to application password management, there are elevated credential desks, the management of elevated credentials. So credential and privileged elevation there's trust in time access to certain resources. There's the privilege SSO, there's the P user behavior analytics.
So there, there are really a broad variety of disciplines, endpoint privilege, and, and other stuff. So you can, from there enhance your Pam to cover more and more of these risks. And you should carefully look at what are really your, your, your biggest requirements, where to start, where to look at, and then sort of build your Pam strategy to move from, from a baseline Pam, to something which is a more comprehensive, pretty strong offering. So privileged access management is something where we believe it's absolutely essential to have it in place. There are a number of reasons for that.
It's the risk mitigation it's restricting and minimizing the privileged access. And again, targeted attacks always are after the highly privileged accounts compliance, it's part of lease privileged, which is a very fundamental principle of everything we do around identity and access and security, but it's, there are other regulatory aspects.
So if you look at what is required with regulations for, for critical industries, or when you look at what is common practice, which then builds on standards, such as ISO 20,000, 27,000, then you end up with that is something you need to do from that perspective. It is I brought it already up increasing your cyber attack resilience and overall protecting your systems against malicious use, which also includes, and a big portion of that still is internal attacks. That's a very good reason to have a strong, privileged access management in place. You need to split responsibilities.
So it is never a good idea to have people who can do everything on a system, try not to do stuff with rude accounts, with the super users, the admins, et cetera, try to go down into clearly different responsibilities, which are then which limit just what someone can do. It will effectively limit your risks, which also more and more around MSP to tenant relationships and stuff like that. So when you have managed service providers, accessing tenants restricting access by for instance, session management is an important thing.
Sometimes it's also that you can define more granular things to enable your workforce first and might be even automating stuff wherever you can to avoid human error. So it is essential that you restricted privileges and there are various areas and it's many of these are Pam, but all of them are sort of traditional Pam. So one things need to set entitlements, right?
We also need to set the permissions where we can set do it based on entitlements, for instance, by privileged elevation management and defining who's allowed to do what in, in, in an root session, on, on a, in a console of a Unix or windows UN or Linux server, stuff like that, we need to restrict the access to the system so who can access it in which way can the systems be accessed, narrow it down so that you have good control and that you have strong authentication that you don't have any brawl of passwords.
So all this shared account stuff, cetera, you need to, to, to restrict and monitor access to the systems and monitoring is important. Also automatic analyzes is getting more and more, more important here. Obviously trust having an unlock might help you in a forensic scenario, but it doesn't help you to, to effectively mitigate your risk. So unless you, you really take actions, it doesn't help you much. And you need to tasks. You need add the skills you need to ensure that people really understand what they are allowed to do, how they can do it and restricting what they can do.
Again, helps you in mitigating some part of the risk. So going back to, to cybersecurity and I, I believe panel and essential element in cybersecurity, and there are a couple of things you need to, to keep in mind. And that is from my perspective, a good reason for investing in a well thought out manner into cyber security, and specifically also into Pam. You need to be really prepared for, for today's cyber attacks for the cyber risks you're facing. And one thing is clear. Every business is a target to, to say maybe a little oversimplified, but probably factually absolutely correct.
Once you are connected, you are under attack. There are enough approaches which can for systems, which run automated attacks. And there are enough scenarios with honeypots, which were set up and it doesn't take long until the attacks start. So you are a target, regardless of which type of business you are, everyone is under attack and there's no a hundred percent security. You also should be aware of that. So everything you do upfront, so to speak, all the stuff you do around avoiding that someone can enter your network can move towards the greater system is limited.
To certain extent, you must assume preach and privileged access management is one of the means. One of the important means to mitigate some of that risk, look at a zero trust principles. So don't trust the single entity anymore, such as a firewall assume preach, but stop the letter of movement and combine the right set of technologies. Pam's one of these technologies plan for the worst beyond Pam.
So once you're attacked, know what you do, how to get your systems up and running, how to keep your business alive, so to speak and think when you look at this sync beyond tools, not only say this is the tool, Pam is essential, but all of these tools will not work well.
If you don't have to write a organization, if you have to write people, if you have to write process and the right policies, and you need to start doing this, my advice beyond Pam, when you look at your overall security tools, landscape starters, portfolio management, there might be a, a lot of things in which don't help you that much anymore. And there might be a lot of things which are lacking. Try to understand how to redefine your tools, landscape, how to modernize it.
And one element, regardless of how you do it, analyzes what you do, you should end up and will end up is there's Pam, as one of the essential elements therein with that, we move to the second part of the presentation, which will be given by Carl Langford director solutions, engineering of beyond trust. And here right now, we'll look at his six Smith revolving around Pam and how to deal with these myth and practice.
Carl, it's your Thank you Martin. My name is Carl Langford. I'm the director of solution engineering here at beyond trust. And I just wanna thank you all for, for coming along to this webinar with and ourselves. And as you heard, we're now talk about some of the myths of Pam for, from really my team in my organization's learning in the field. So kind reaffirming what Martin just said there around data breaches.
They're, they're really not slowing down. We're still seeing organizations breach daily. Following some of the, the reports here. You can see that actually there's a significant rise in the average cost of a, a data breach, as well as the size reaching now 3.92 million for, for the kind of average average data breach that might happen out there in the field. And I just wanted to kind of unpick, why is that?
Well, actually privilege becomes a big part of this. So depending on where you collect your statistics, nine out of 10 breaches are associated with in excess of administrative privileges. You can see that over 80% of breaches are, are, or originate by using stolen or weak passwords. You also have kind of similar numbers around the misuse of privilege accounts for, for insider threats.
And actually interestingly, despite all these statistics and despite the fact that we know the number of data breaches is ever increasing, and the costs are going up actually well over half of, of all organizations, don't adequately track access. So, you know, the impact of doing nothing in this space is, is pretty significant. And I'd like to kind of take you through the way a threat actor would think about this. So this could be a malicious user. This could be an external kind of black hacker.
Really what they're looking to do is they gain the initial F footprint into the network and then they need to maintain persistent access. So they're looking to compromise and always on accounts, so, or identity as you'll hear us talk about the next phase of their goals is to really try and gain an, a higher level of privilege to allow for lateral movement in the network. So this is when we hear people taking over administrator accounts, domain administrator accounts, route accounts, and service accounts.
And then ultimately they use this level of privilege access to exploit an asset that holds useful or valuable data. And then they'll exfil trade that from the network and realistically organizations today where we start to engage with them. They're kind of before scenario is that everything is unmanaged and it's very much an all or nothing type of access. You either are an administrator or not an administrator.
And it becomes very difficult to, to validate any sort of compliance around that outside of age of the accounts, it becomes very difficult to report on how privilege is being used in the environment and how people are actually gaining access to these systems. And ultimately we tend to find that this leads to impeded productivity because with all of this comes management overhead and by and large, without any privileged access management solution, it's a very manual process to, to manage this.
So by implementing a very well structured, thoughtful privilege access management program, really, we can look at the kind of right hand side of this slide. And, you know, the understanding that your privileged accounts will be controlled and managed from a, a single platform, which allows you to give access only to the resource requires. And we will kind of dive into this through the myths, as well as being able to use that data to, to aggregate it across your wider security posture. So not just who could do something, but actually when they are using privilege, what are they doing?
Where are the systems they're administering?
Where are the devices they're connected to as an administrator and, and really mapping out the, the possibilities of those privilege attack pathways also then capturing things like video recordings to make sure you're meeting your regulatory compliance mandates, making sure you're shrinking that attack surface, but all at the same time that not being a disabler, but actually being an enabler in the business, making sure that the user's experience really empowers them to be able to do their job and, and actually continue working as a very effective member of the team.
And it's helping organizations transition from this before to after scenario where we've really used our experience to, to highlight some of the myths that we found in the field, the first one being around the, the zero trust model. So I, I absolutely agree that the zero trust model is a fantastic concept, but actually it can be very difficult to achieve in a, in a short space of time where we're seeing huge amounts of success around zero trust. As you heard from Martin earlier is making sure that you are building this in, at the foundation of your network.
So rather than trying to re-architect something as you're working on, it actually is new applications and services come into the business, making sure zero trust.
Is it the kind forefront of, of that technology in ensuring that, you know, when you are working in this environment, you engage with the employee and make sure they're able to adopt the new practices and the way things are working, where we've seen kind of challenges around this is when you start to work with applications that require identities, or perhaps where there's a dependency on certificate distribution and any kind of performance penalties that come along with software defined, networking and firewalls.
So fundamentally when, when you come to implement a whale structure, pragmatic pan program, consider this as being a huge part of, of how we're going to re-engineer it and restrict people's access. And the kind of first step in that program in the, the taking us into the second myth is that to enable Pam, you need to move to shared accounts.
Now, this is a really interesting concept because actually when you look at tools such as bloodhound ad and, and you are kind of mapping out those attack pathways, using a shared account actually gives a huge scope of risk. And it creates a, a really nice target for threat actors to compromise. And we fundamentally believe that the advice most organizations are receiving out the back of security assessments and out the back of penetration tests is to reduce the number of administrator accounts.
So this can often be kind of interpreted to actually let's move our administration model directly to shared accounts. And as I say, what you're doing there is just creating that crown jewel for the attacker. These highly privileged shared accounts can just create other accounts, modify huge amounts of configuration systems, settings, across many systems, corrupt data, or even just be used to launch attacks on other hosts.
So actually what you should be doing is, is looking to maintain some individual attribution and try to limit the scope of privilege by really regulating what elevated privileges of user needs. And I like to think of this as a security dial. So as we start to implement a very well structured pan project, you start to move that dial from being completely unmanaged, to actually locked down and very well managed.
So starting with taking over some of the, the highest risk accounts, so where you can actually mandate how people connect, perhaps thinking of vendors, your third parties, where you don't have control over that target connection. And then the next is to start to take over those dedicated or individual administration accounts under management. So I certainly know from, from my time working in the service desk and, and systems administration, one of my frustrations was that I had multiple privileged accounts that I personally would have to manage the credentials for.
So every 30 days I found myself changing tens of accountants, where I have different domains that I administered different work groups, different applications and platforms in keeping up with that was actually quite difficult. But by taking those dedicated accounts under management, you maintain that individual attestation of events, but actually you remove the headache away from the end user having to, to manage all of those accounts. The next step would be to apply the same logic to vulnerable application and service accounts.
So where we've defined these within a script or within a window service, making sure that we're actually taking these under management understanding that those credentials are used in their dependencies and automatically maintaining the life cycle of those accounts. Cause you turn that, that no round to the right, what we're gonna have is then the ability to stop unknown and unapproved applications from running.
So this is really where you start to think endpoint lease privilege and being able to then say, well, actually, you know, this is a really effective way of stopping things like file list malware or any kind of external threats that may come in through an introduction of an unapproved application, but having a really simple, easy to follow exception handling process when actually the business needs to continue working is a great idea.
And then lastly, using that same logic of application control, actually thinking does a privileged account need to be a full administrator, or should we really try to follow that true principle of least privilege and remove those local administrator rights from our servers, from our, our laptops, our workstations, and enable that user to perform only the task that they need to would elevated context. And again, that kind of leads me nicely into the third myth where a lot of the time, when you, you hear Pam, you think I need to manage accounts, I need to manage identities.
Well, Pam, isn't only managing privileged accounts, actually there's a, a whole lot more to it than that. And I like the kind of iceberg analogy we have here that fundamentally it's, it's just one of the many pillars that we need to support the security strategy. You heard earlier about the layer defense from Martin and making sure that we're, we're thinking well, how is privilege used in the environment? What does optimal security look like?
You know, should we think around remote access considerations or do we need to consider the vulnerabilities in the environment? Because, you know, Pam isn't necessarily just controlling that username and password. It's also that privilege the DevOps secrets and you're kind of moving away from this on or off concept of being an administrator to actually implementing things like just in time privilege access where at the point it's required based on a trigger, the user receives the administration privileges that they need for that task.
And so it, it takes you, as I say, away from that on or off into having a, a, a full roadmap of, of Pam where you're going to see some incredibly quick gains and be able to manage things in a much more effective way. Now, the fourth myth is something that we've seen with a lot of organizations that have started on a Pam journey and they, they come to us because they, they really get stuck in this mindset of Pam is only helping us with our active directory accounts. But cause we know to today's it environments are so much more diverse.
It's huge multiplatform effort around open source around devices, such as macing the next, even the DevOps challenge. And when we start to think about things like modern desktops in, in the, the Microsoft modern desktop, actually, how are some of those panels that depend on active directory going to work such as Microsoft labs, where it has a dependency on group policy?
Well, with modern desktop that doesn't exist and we start to then see challenges around bringing your own device. Can we implement this without affecting our, our end user and even onto their mobile devices?
I mean, just now looking at some of the internet traffic statistics, we're seeing that there's a prediction right now, 2018, it was 52%. We're expecting that to rise to 63% of all traffic on the internet, originating from a mobile device. So you have more of those remote workers. Are they using a, a Chromebook? Are they using their phone, their iPad, whatever it might be to connect here. And just having that in the back of your mind, that that Pam isn't just solving an active directory problem, it is taking the entire network into consideration.
Your applications and services is, is really gonna help you on that Pam journey. Now myth number five is, is something I'm incredibly passionate about, which is vendor access. So most of the organizations we deal with on a daily basis, depend on vendors to come in and actually support them with their business operations. And during a Pam program of work, I like to pose the question that should we be treating vendors the same as the employees? And if we think in the physical world, actually, we, we don't treat them the same as employees.
They're on different contracts, they have different requirements and regulations they should meet. So why should that be the same in the virtual world, that what organizations kind of fall into the trap of it is giving access directly over a VPN, allowing users and vendors to connect directly to high value sensitive systems to perform those operations.
But actually you don't need to give this always access onto a vendor, give them the access when they need it again, that concept of just in time capabilities here, but also, you know, maybe you want them to go through multiple layers of approval before they have access. Maybe you want to have that four eyes principle and actually chaperone them and, and watch what they're doing ultimately, where I think there's a huge difference between using VPN in kind of a true robust vendor access solution is part of your pan program of work is around the auditing.
So rather than just saying that yes, a vendor connected, or they had the ability to connect at this time, actually having a dependable audit trail of all of their activity and everything that they did in your environment at that time is going to become more and more valuable. Is this dependency on outsources, third parties and vendors grow.
Now, the last myth I'd like to tackle is that Pam actually requires a big team or effort to implement and manage. Now you Martin presentation at the, of this webinar, you know, we are aware of a skill shortage in the industry and when it comes into privilege access management, actually there's some significant savings you can find through automation, whether that's through that just in time principle, where rather than creating accounts, that always have privilege. We use the triggers to allow us to give privilege when needed through automatic discovery.
So being able to find the assets on your network and where privilege exists and then automatically onboarding them that can really offer significant time savings and significant administrative efforts. So we've certainly found capabilities like smart rules, where you can define a set of requirements. If anything meets those requirements, it's automatically taken under management. They've been fantastic to, to help out sort of our, our customers.
What, what we've also seen with a successful Pam project is when you work with partners. So you talk to advisories, you, you listen to the advice coming from organizations like where they can really, really help you understand that journey from a, a vendor neutral point of view. And hopefully from the other kind of slides that you've seen through my myths is, you know, taking that movement away from, it's not just passwords. Ultimately this is always going to be a journey. And along that journey, there are quick wins for your organization. I mentioned vendor access.
I mentioned application and service accounts, individual admin accounts, whatever it might be there, there are always quick wins. You can see to move your security posture from potentially a weak place to a much stronger place. And ultimately throughout the, the project I would ask, you know, how is this going to work for us? How are we going to show this efficient time to value in the processes that we have today rather than re-engineering all of your process to meet technology solution. And with that, that, that was all of my myth together.
So I wanted to kind of hand back over to Martin for any questions that have come in now. Thank you very much, Carl. We are right now entering the Q and a session. I already have a couple of questions here. And so let's go through these questions, maybe start with that one. So when I look at, with you talked about things which are frequently understood as being more complex as they are, or which are understood wrong and driving the wrong direction. So one question is I don't follow what is mythical about with number three? Maybe you can touch your myth.
Number three again, and, and bring up your point maybe here. Sure. So myth myth number three was Pam is only managing privileged accounts. So quite quite a long time ago used to hear a Pam referred to as privileged account management.
Now, accounts are just one part of the story. There are, there are lots of services that require privilege. There are lots of capabilities that, that you have in a, in a Pam solution where it actually truly becomes privilege access management. So that's the, the name of the technology in the industry and whether this is secure, remote access, whether this is auditing and understanding privilege, really password management is just a, a small piece of the puzzle.
What we really need to kind of focus on is some of those wider elements of actually is there least privilege management that needs to happen to take you from this either being a full administrator or not. Is there session management to allow us to reduce the attack surface and limit some of that east west movement of an attacker is certainly in the past what, what organizations are very good at at putting barriers around things, but actually once you've breached that perimeter and you're inside the network and you have that level of privilege, it's, it's very easy to then move to other systems.
So for, for me, Pam is more than just managing the username and password or SSH keys. It's actually managing the ability to move laterally in the network by misusing those privileges. Okay.
And maybe, let me add one thing to, to zero trust. So zero trust is not a tool. It's not a single solution.
It's, it's a concept, it's an architecture, which you solve this, where is elements. And Pam obviously is a very important element in that, but it's not that you kinda go out and say, okay, I buy that zero trust solution. There's not the one single solution. It's really something you need to understand as a, as a comprehensive approach where you, which you sort of follow to, to, to change the way you do it. And it's also, I think one of the, it's not zero trust networks, it's zero trust affects data. It affects identity. It affects a lot of things.
So it's well beyond the zero trust network, it's modern a network level. Next question, I shorten it a little down because it's a pretty long question. Basically. The question is, can your P infrastructure become sort of the single point of failure in your environment? Or what can you do against Pam specifically when comes to, to injecting passwords credential, stuff like that, to being the access point? How can you avoid this to become your single point of failure? That's a, that's a really good question.
And I think the best way to kind of think of this is if Pam does become a tier one application in the business, it does, it does become a business critical system in, in exactly the same way. Something like, you know, to active directory would do or DNS.
So, so when you do kind of embark on this Pam journey, just, just think, is there other ways of consuming the technology, maybe you would like software as a service with resilience built in, or maybe, you know, do you need to plan to have your, your Pam infrastructure disperse geographically to, to make sure you have that redundancy and resilience, or should there be a, a high availability deployment? Ultimately it is possible to deploy this as a single point of failure.
It would, it would be probably not the best idea to do that if when it comes to kind of disaster recovery, some of the scenarios where you perhaps have had a pan vendor that the solutions failed and you need to start again from the ground up. Well, fundamentally when it comes to enabling and managing accounts, what you're actually doing is taking control over the credentials. So if you have the ability to deploy a solution that can manage and rotate those credentials, you can get back to a, an effective working state quite quickly. If you reset all of those credentials in an automated task.
And, and we've, we've seen that happen in some incident response scenarios where we know an accounts com compromise through our threat intelligence, and you can actually use APIs to trigger a credential reset to then mitigate that threat and then take that account away, or the credentials away from that, from that rogue actor or service from using them. So kind of two answers in one there tier one application, think of this is, is business critical when it goes in, because it's going to really power your, your administration in the environment. Yeah.
The simple answer would be trust to is right. Think about high availability, failover and all that stuff. You need to do that, but it's feasible. And the question is one which I have to say pops up in every single pimp project, obviously. And I think every vendor specifically the ones who are very long in the business have very good answers on that. And as beyond trust has another question to you, Carl, you touched this topic of shared accounts, and that's the question whether you were advocating against or for shared accounts.
My understanding was you are very reluctant regarding setting up additional shared accounts to manage shared accounts, so to speak, but maybe you can elaborate a little bit on that again. Yeah. That's probably a very good way of, of looking at it. So shared accounts will, will always exist in an organization.
You know, frankly, there are some applications that depend on them, but you, you can't create new identities for, for it to use. My point there around shared accounts is, is very much, they are significant targets in the environment. Historically, we we've seen organizations try to use shared accounts to, to really bridge, not having a panel. It comes down to that having the, the concept of spreadsheet where when we know where the privileged accounts are, they're on our spreadsheet, it's password protected and we'll copy and paste the password from there.
So, yeah, I think the, the way to look at that is it's a bad idea to add more shared accounts, especially if the way you work today is that people have that experience of, of having their own privileged accounts.
And if you think about this in that kind of wider security context, if, if I'm pushing information out to a, to a scene tool or to a SOC, how are they going to effectively alert on that kind of misuse of privilege when you perhaps you've created a shared account with permission to every system in the network, what does normal behavior look like at that point for such a wide reaching account?
So I think it's a case of just being aware of those wider impacts and looking for a solution that allows you to work in an effective way rather than driving you down into a different method or a different administration model. And that's where we start to see organizations struggle to complete Pam projects.
You know, if you're trying to rearchitect the way your, your network works, it, you know, very similar to trying to change a wheel as you're driving, it's just an impossible task. Yeah. And I think so sometimes when I, when I like to broker a little in, in presentations, I do bring up the point that if you have the chat accounts are trust earth out of that software and security architecture and programming. So there are many, many ways to avoid shared accounts and most chat accounts we are using. We shouldn't have.
So it's, it's really the, the, the best thing obviously is to try avoiding the use of shared accounts. And there are many ways we can reduce the number of shared accounts, but we definitely must avoid increasing shared accounts to reduce the risk of shared accounts. At the end day, I have one more question or two, maybe Carl can, the beyond trust solution work in the cloud. Absolutely. So we have kind of different solutions in the portfolio available as SAS delivery model available as, as platform, as a service as well, and, and can be hosted in your own private cloud too.
So I know cloud's quite a wide reaching topic and probably lots of different answers to that, but yes is the easiest one. Okay. The last question we have here is can you automate tasks such as password resets discovery for servers and discovery of network devices? Absolutely.
So I would say automation should really be the, one of the fundamental features you look for in a Pam solution, whether that that's ours or anything else having that capability means, as you know, if you take a step back, if you, if you have an automated capability, you just have to think of the number of devices that may change inside your inside your network. I always talk about the scenario where, you know, how many, how many new laptops do you issue on a daily basis?
Well, that's gonna have a privileged account on and, and how often do those changes get made, frankly, trying to be a human keeping up with that is, is very difficult. So automation should be a big part of this in yeah. Password management life cycle. There is a key part of any pan project. Okay. Thank you very much, Carl, for all these answers. Thank you very much to all the attendance of this call webinar for listening to Carl.
And to me, hope to have you back soon to one of our other upcoming webinars or see you at one of our upcoming events. Thank you very much and have a nice day.
