Hello. Good afternoon, good morning, or good evening, depending on where you're listening in from today, to a webinar with BeyondTrust. My name is Paul Fisher, and today we'll be talking about operationalizing least privilege in enterprises. I'm delighted to be joined by Karl Lankford, who is the director of solutions engineering with BeyondTrust. Before we get going, just a little reminder of some events that are coming up in the KC calendar. These are digital events, online, and we have the Cybersecurity Leadership Summit 2020 coming on November the 9th through the 12th. That's next week.
I think if I just check my calendar on the wall. Yes, it is also next week: we have KC Live Tools Choice, which is looking at endpoint detection and response, or EDR. And finally, a little bit later in the month, November 24th to 25th, Cybernetix World 2020. As I said, all those events are KC Live, they're online, and you can find more details on KuppingerCole.com on how to register and access those events.
All of which are well worth attending. As for today, just a few housekeeping rules. Audio control: you are muted centrally, we are controlling that, so you don't need to worry about muting or unmuting yourself. We are recording this webinar, and the webcast will be available very shortly after today. Slide decks will also be available for download, both mine and those from Karl. There is a Q&A session at the end of the webinar, and you can enter questions at any time during the webinar in the panel, which you'll see on the right-hand side, where you can type in your questions, and then we'll ask them at the end. Then the agenda and content.
I'm going to talk a little bit about the concept of least privilege and how it should help to balance security and productivity, but how, actually, in today's world, it doesn't always work quite as simply as that. And then Karl will take over with a much deeper dive into a least privilege strategy for you to implement in your own organizations, or at least take some tips from. As I said, Karl is the director of solutions engineering with BeyondTrust. And finally we have the questions and answers at the end.
So what is access risk?
Well, access risk is business risk. Identity and access is pretty much now at the center of almost everything that we do within an organization, when we're talking about trying to get access to services, data, databases, and virtually everything that comprises the extended enterprise. And identities no longer relate just to human beings, but of course to machines and applications, the Internet of Things, and even things that we perhaps haven't thought about yet, which will also get an identity and get access to things.
So the way that we control this at the moment is through identity and access management, of course, and privileged access management, which extends access management into privileged accounts. And privileged accounts are obviously at risk because they tend to have access to high-value data, or to other parts of the enterprise that are confidential, or things like intellectual property.
And of course even things like code and applications. And the access risk, if any of that falls into the wrong hands, which it does, unfortunately, is significant financial risk and regulatory risk, and the two go together. Not only, if your company is guilty of losing data, does it take a hit image-wise, and the brand is damaged, but also these days, certainly in the European Union and UK, and increasingly in the United States, you are liable to pay hefty fines if you are found guilty or responsible for losing that data. There is a risk to it as well.
It requires an approach that maps the access risks to all of the IT estate, and that includes cloud risks and BCN. And of course these days cloud is quite a complex picture that we have: not just one cloud. We may have multi-cloud, and we may have cloud from different providers, such as Amazon Web Services or Azure. And all those cloud services have different controls, they have different protocols, and they have different dashboards, because for competitive reasons they are not compatible.
So we have to think about the access to a much larger IT infrastructure than we might have done previously. And those IT risks also have an impact on the business, which is what we're talking about here, and the business financials and other factors. If we don't have a secure IT infrastructure, then the business is at risk, not just from hacks or cyber attacks or data theft, but also from inefficiencies. If people are, or access is, not controlled, if identity is not controlled, we have a much reduced overview of what is happening within your organization. And it is much harder to do an accurate audit of what is happening, and much harder to see where things might go wrong and where to find vulnerabilities.
And if all those things are failing, then that's going to have an impact on the business financially, as well as in terms of the way stakeholders and customers view it. And of course, finally, if access risks are not addressed, then costs go up and the value of the business is put at risk, even right up to bankruptcy. Although it has to be said that is quite rare; even in the biggest cases of data leaks caused through breaches of identity and access, there aren't that many businesses, well, large businesses, that have gone bankrupt.
However, for smaller businesses that may find themselves corrupted by ransomware attacks, which do freeze operations, they either pay up the ransom or they go out of business. So these are very, very serious things that we're talking about. Access risk is very much a business risk, just like IT security is also all about the business. Then access is all about the business. So that gives you a bit of a background of how access risk affects the business. So let's get into what is kind of the core of how to reduce risk, identity risk.
And that is the concept of least privilege. I've put a little diagram there to illustrate how least privilege should work. So this is a definition that I found, which I think kind of sums it up as simply as possible: every program and every user of the system should operate using the least set of privileges necessary to complete the job. And we're not necessarily talking about privileged access management here, but we're talking about privilege in a pure sense. So if you take our Russian dolls there, if you take, say, one user, they only have access to the largest Russian doll, and because that's all they need to get their job done, they get their job done. But then someone else may need access to another secret, or something inside the larger doll, and so on.
So you get right up to six levels of access there. And if each person is stopped from going beyond their particular point of control, then everything is fine. Or at least this is how it should be. Every user starts with zero privilege. So zero privilege is, for example, you couldn't even log on to your PC, because you have zero privileges. Basic privilege allows you to log on, check your email, that sort of thing, but privileges are added to user accounts to perform specific tasks. So it all seems nice and simple. The problem is that in today's complex world, with complex IT infrastructures and organizations, it doesn't quite work as simply as that, because we have so much else going on in organizations. And some of this is not secured. Some of it is trends that are happening out of sight and out of control of what used to be the IT department's remit, or the IT security department's.
And I've just listed a few things here.
Social media is a good example of how least privilege can fall down. Least privilege should say that only certain people have access to social media accounts and are allowed to update those and to post things. But with social media, as we all know, it's very easy to go and set up an account and still post things about the company. And quite often social media accounts are set up not by IT, but by marketing teams or other teams that need social media. So they have everything worked out, they have the Instagram and Twitter strategies worked out, but they forget about controlling that. And so they tend to maybe give out too many privileges to too many people, and then end up with egg on their face when a post goes viral which actually shouldn't have done, and puts the company in a bad light.
But then again, we have things like business pressure.
So IT and the security people are under pressure from the business to do things more quickly and to get stuff done, and that can very often lead to corners being cut. So a good example of that would be in the DevOps or agile development world, where people within those parts of the organization give each other privilege without going through the proper channels, and identities are used to access stuff that they perhaps shouldn't have. And then we have the problem of shadow IT, where increasingly individual departments, and again this could be DevOps or another line of business, set up their own cloud, or they set up some other application, which again hasn't been approved and hasn't been audited by IT. But these people give themselves access using their own identities. They set up their own usernames and passwords. And the great danger is that they upload information they shouldn't, or hackers then find a way into those particular accounts that they're using. They have their identity, and that leads in laterally to other parts of the organization. We have multi-cloud environments.
I've already talked about that. Multi-cloud means that again these aren't centrally controlled, and they have different policies and different controls and different protocols. And sometimes they're just set up in silos, often with the same people doing shadow IT and things like DevOps. We have unsupported apps being used quite often. People are now mixing, especially with the growth of home working. We've seen it in the real world. We've seen how, and what happens when, people start using what should have been a consumer device, i.e. the family laptop, and they're using it to access the server at work, or to get onto the email at work. And then they may be using other apps on that laptop, which again can provide a route for hackers, using the identity that the person is using, and then to piggyback on that into the network. We have thousands of users.
I mean, that's just the way it is. And all these users are very hard to control. And when I say thousands, I mean it; actually some companies have hundreds of thousands, and so on.
It's hard. It's really hard to manage all these people, all these identities, and it's not surprising that some slip through the net. We have people building insecure code, code that hasn't been tested, that hasn't been run properly in production, and then, as it goes, is launched with vulnerabilities inside it. Again, hackers find those vulnerabilities and say thank you very much, that's another backdoor into the organization. Legacy IT: legacy IT gets a bad press, actually, because people always say that it's hard to work with legacy IT. Actually, legacy IT sometimes is more secure than the stuff that's being bolted onto it, but it's still an issue in terms of making security work, both through the new stuff, the cloud, and also legacy IT. And hybrid IT is kind of related to that as well. And then that brings us up to something that's definitely going to be happening soon in many organizations after the experience of COVID, in that budget cuts are likely to hit IT departments and security departments, and this again could affect the ability to apply least privilege throughout the organization.
Because when you start cutting budgets, then you tend to sometimes start cutting corners, or people make the wrong decisions about what should be cut. So that's kind of least privilege: the reality of trying to apply least privilege is very, very hard. And I'm sure that Karl will address this a lot more in the second part of the webinar.
And here are some challenges, particularly for privileged access management. I won't go through all of these; I've talked about a lot of these already, but there are trends in business technology, trends in business processes, and then of course there are governance, risk and compliance challenges, and security challenges. So I'll just pick up one thing I haven't mentioned, which is APIs and microservices, which again is something that is very fashionable. Well, not fashionable, maybe that's not the word, but it's becoming the model for many organizations to run their architecture. And for good reason: APIs and microservices are very efficient, and they also enable organizations to develop stuff without the legwork they might have had to do before.
And AI and machine learning is also affecting things, particularly in areas like manufacturing, which is also a challenge for PAM, to keep control of artificial intelligence and machine learning applications which are automating some of the stuff that used to be done by humans. Just quickly, to talk about customer access and vendor access, because particularly with vendor access, as architectures extend out into third parties and through the supply chain, as organizations become more joined up, you then have another risk to privileged access and to least privilege, in that you have people that don't even work for your organization but may get access to things in your organization that should be secured and kept confidential. So you need to think about vendor management in terms of governance and compliance.
So PAM needs to be able to take account of compliance demands. It needs to be able to do an audit, it needs to be accountable, it needs to fully understand where privilege exists in your organization so that it can protect it. Privilege creep is really what I've been talking about right up until now: it's when people in parts of the organization give their colleagues privileged access, often in the crudest way possible, by just giving them the password and username to something, because they think it's okay, because they need to get something done, and, you know, hey, what could possibly go wrong? But we end up with things like orphan accounts, where a privileged user may have just used an account once and then they've disappeared, and the account remains dormant but potentially open to an attacker. And vendor risk, again, as I said, is a threat to security.
So finally then, just looking at what we can do to ensure that people can only do what they need to do, but no more. Number one, restrict permissions: restrict permissions for all users for all of their tasks. And task is the important word there. We're moving more to a kind of task-based management of privileged access and least privilege, so that the identity is matched with a task. And sometimes the task is the clue to how vulnerable or how dangerous it may be to allow someone to have access to certain data. So that task is basically becoming much more important. You need to manage the access, you need to manage access to systems, but increasingly you need to make the right systems easily accessible. And this is where the challenge of security versus convenience comes in.
Especially in areas like DevOps and agile development and multi-cloud environments, where people do want to go in and out, and they want to create stuff, and they want to get it done as quickly as possible, we have to make sure that it's secure, that it follows least privilege, but that it allows the right people to get the job done that they need to, and no more, and doesn't put obstacles in their way. We need to restrict and monitor access to systems, specifically for highly privileged access. And that comes down to the kind of least privilege system you implement, but also the kind of PAM tools that you use, and how well they can do exactly that: restrict and monitor access to systems. And finally, we need to ensure that all tasks can be executed as easily as possible, to mitigate human error. Related to that is increasing automation within privileged access management itself, taking away some of the more cumbersome tasks that human analysts may have done in the past. If we can automate these things, we can make quicker decisions reliably and still enable people to do what they want to do.
So let's go from passwords to tasks. As I just mentioned, there's no single solution, but we have five options here.
Passwords are by far still the most common way that privileged accounts are protected, and passwords obviously have problems, but they can be managed, and they can be managed well, if you have a secure vault, if you have password rotation, and those features built into privileged access management. But the key is to focus on shared privileged accounts, to avoid a sprawl of passwords, and ideally work with one-time passwords so that you're not keeping passwords which could potentially be hacked.
Even a vault, particularly a vault that may be held in the cloud, could theoretically be found and hacked, and those passwords lost. So we need to look at entitlements and IGA. So let's look at static entitlements: control and restrict the entitlements of privileged accounts, and govern the status of these entitlements. So you need to keep on top of IGA, and IGA increasingly is a crucial part of least privilege and privileged access management. Privilege elevation management: privilege elevation is something that also happens all too often. Again, it can happen on the sly, or it can happen through the secure channels and through an administrator. PAM allows people to elevate privileged access for one particular task, but it should be temporary. You've got to make sure it's temporary. It has to be system-specific, so that people can't jump around using the elevation. And there should be less elevation, and restriction of commands on admin accounts, and it shouldn't be intrusive to systems. So we need to control elevation.
It's essential that PAM records and monitors everything that happens. Not only is this essential for compliance purposes, so they have a record of who's doing what, but it also can enable you in real time to sense something that's happening that shouldn't be happening, and to stop it. And it can be combined with user behavior analytics for identifying anomalies in the networks. And finally, number five, task management: restrict what users can do to just granular tasks, focus on repetitive tasks, which make up most of privileged access. It requires integration with target systems to expose defined, fine-grained tasks, but it's often beyond traditional administrator and operational tasks. So we need to be flexible enough within PAM to accommodate those tasks which are unusual, or are pertaining to a specific project, or something that is happening right now, and it may not be listed as a particular or typical task, and certainly goes beyond what we call the traditional administrator and operator tasks. So that's the end of my introduction. I hope it was worthwhile. With that, I shall now hand over to Karl from BeyondTrust to take us further on the journey on least privilege. Over to you, Karl.
Thank you very much, Paul, and thank you for the kind introduction, particularly to the principles of least privilege. So if I just share my screen, you should now see my shiny BeyondTrust blue slides. Yep.
I can see it. Everyone else can.
Oh, thank you, Paul. So I'm really here to dive into how we really recommend you should implement least privilege as part of your security strategy. And I think from all of Paul's context you see here that we've covered a lot on the strategy. And for me, whilst every organization would prefer to prevent cyber attacks from happening in the first place, we really understand that it's not feasible in today's environment, and what you should do is take that focus onto how we manage the risk of highly provisioned accounts, really then limiting the ability for a threat actor to inflict damage and helping you detect malicious behavior in a timely fashion. And so I break this into three areas: there's the strategic element, the managerial and the operational.
And so what I'm going to do in the second half of this webinar is really focus on the managerial and operational aspects of a successful least privilege program. Just before I dive into that, I agree with everything that you've said there, Paul, but one of the big things I feel is that having strong security is the next biggest competitive advantage. And if we reflect back on the last 12 months, any business that we've seen or heard reports in the news of being attacked, or that has been unable to adapt and change to circumstances rapidly, has not been able to serve their customers well, and has not been able to transact safely online, or at all, or work with different supply chain partners, or even support and interact with their employees in a safe way. And that disruption has only translated to loss.
So the idea behind all of these privileged access management technologies is, let's try and stop some of these threats before they move your organization into that position of loss, and make sure you have a safe platform for future success. And so one of the best ways to accomplish this is really by managing that access control via least privilege. The principle of least privilege has been a term that's been around for decades, so hopefully most of you recognize the concept. And I think there's a fantastic explanation of how that can spiral out of control with the scribble of where accounts exist now. And so what we want to do in this managerial and operational focus is look at how you transform that theory into a reality. By and large, there are two opposing viewpoints on how privilege is assigned to users. One extreme suggests that users have complete access to all of their devices.
So it's very much like a consumer experience. There are no barriers to the activities they can perform, so they can install software, they can change configuration settings and access different services on the device, meaning they can be much more productive, as they require a lot less help to do routine things, whether that's adding a printer or setting up some new hardware, and it gives them the platform to learn how to do more with the device. Now, the opposing view to that is that all users should start off with zero privilege, again a fantastic security concept, and really only be given that level of privilege as they discover they need it. And really what, as an organization, you're trying to do is balance between: do we give users enough access to do the work we need them to do, and make sure that you're not giving them an excess of privilege, with nothing more, which for us is a key part of defending against determined threat actors.
If you take that first approach in mind, where everything's open and we don't want to inhibit the end user, this really creates a huge risk. Using a system with full administrative permissions leaves the organization open to a wide range of security issues. If a user were to unfortunately execute a malware-infected file or a malicious application, and they're running as an administrator, well, that program naturally has considerably more freedom to alter the operating system and any software installed on that host. And unfortunately, if the attacker has compromised a user account with excessive privileges, maybe more than just administrative rights on one device, they're essentially given the keys to the kingdom that can be misused across the entire environment. And from various different reports you can see that nearly any type of attack that is discussed, from almost any source, has a huge impact when allowed to access, or when using, administrative permissions on a host. So for us, a sound part of your defense is really saying, let's stop this privilege escalation from happening. Let's put barriers in the way for those attackers and make it very difficult for them to exist in the environment. And we would do that by, again, limiting the privilege on the systems to the minimum required, allowing users only to perform their required tasks, and that will then help, or cause attackers to really struggle in your environment, particularly when they try to run any applications from a user account that only has permission to run specified tasks or applications. So this really boils down to five critical steps of endpoint security.
And I think a lot of people always say it's really easy to think you've already invested in endpoint security, so you might or must be protected. Now, what we see, and again I think there was a really interesting report from the Ponemon Institute, the 2020 State of Endpoint Security, to your point, Paul, is that organizations tend to overlook some steps. So most organizations implement traditional antivirus controls, and then they move on to implementing EDR, endpoint detection and response tools, to try and help identify attacks that evade that traditional AV protection. What was said in that report was actually that most organizations are missing in the region of 60% of attacks. And when you factor that into the more concerning statistic that the number of malware attacks is up 30,000% since the impact of COVID-19, I think it's a very worrying situation that employees are out there without necessarily the same corporate perimeter and protections that they would have.
There's a common theme with both the traditional AV, EDR and other security tools: it's all very reactive technology. So it's information about the endpoint attack surface and vulnerabilities that have happened. And whilst that is really, really valuable, and we don't want to downplay that, it isn't enough. What we're seeing consistently is that the threat actors are outsmarting this technology, looking for workarounds, and it becomes very difficult to rely on technology that only relies on heuristics or machine learning algorithms and signatures. So what we want to do to complete that endpoint security stack is actually take away privileges and applications that perhaps a user doesn't need access to on a daily basis. So then, quite simply, if the user doesn't have the ability to execute, then neither would a threat actor that's impersonating them. It then becomes very difficult to escalate privilege, and really that determined threat actor is then stopped in their tracks.
What we want to do, though, is deliver this in a pragmatic way, so it can really reduce the likelihood of a breach but without impacting your users. And it's such an effective control, I'm always surprised to work with organizations where they haven't recognized that they have an excess of privilege in the environment. And so the first tips or advice really are to help you understand why organizations are still reluctant to remove admin rights and root accounts, and some of the perceptions around that. And the first one we normally hear about is this perceived negative impact on user productivity. So if users can't do their job, they can't be effective. You know, I can't access my application, we're going to miss deadlines, there are consequences to that. And actually this is the traditional balance we always see in a security team: productivity versus security.
The second challenge we then see is that it's far quicker and easier to give admin rights to people, and this really speaks to availability being the primary concern of the business. If you think about a developer environment, well, they need to be able to execute and debug their code. So you've got a huge DevOps team building new business applications, and rather than thinking about the privilege that they need, the default decision is to just give them administrative permissions, creating essentially a huge attack surface for a determined threat actor. And then really the third reason that we see organizations struggle with implementing a principle of least privilege is actually an excessive workload for the service desk and IT operations team. They're already very busy, a very important function in the organization, but actually when you start to think about, if we were to just remove admin rights overnight, how are we going to manage the exceptions that do need them, how are we going to think about the applications and manage those allow lists? It really feels like it could be an insurmountable task.
So what we look to help organizations with is really giving you a very different view on reality, and helping you understand that actually the ideal endpoint privilege management strategy will improve operational efficiency and security by taking away those unnecessarily over-provisioned privileges. And for this, it's really a combination of combining privilege management and application control to make this very simple, make sure you're meeting your compliance and regulatory requirements whilst maintaining that operational efficiency. And from what we see, actually this has a huge impact on reducing the number of threats coming into the organization, so lowering your risk. But actually by implementing a technology that can support these workflows, you can really empower users to perform day-to-day activities without needing to give them full administration rights. And I always think about this in the example of a chief information officer. She might be working at home and she decides, actually, my printer's broken.
I've gone to my nearest store, bought a new printer, and now I need to get this set up. Now, normally this task, for a business device, would require a service desk intervention, where you'd have a remote access session, the technician would set this up and solve the problem for her. Whereas actually, if you had a well-structured endpoint privilege management technology, you could permit this as a safe action for the end user and make it very easy for her to get set up, without having to have her wait with a significant delay for someone from the service desk to assist. So at that point, you're already giving back that availability, but having those invisible guard rails to make sure it's only the task that you're comfortable with. And then building upon this, when you start to think about trusted application protection, this is where you start to think about the different policies and the different work styles of those users. And it's using this combination of technologies where you can really reduce that time to value, and think, actually, let's draw on some of the experience and give users the freedom to do their job from day one, using some of these templates of policies.
So when it comes to best practices, going one stage deeper now from the managerial aspects into that operational approach, what I want to do is talk about the traditional attack surface and expand on those discussions earlier, particularly when we hear about attackers living off the land. If you're not familiar with this concept, that's where an attacker or threat actor will compromise a system and then try and remain under the radar from traditional detection tools. They do this by using existing packages, in what would normally be trusted software deployed on a system, that could be misused for nefarious purposes. Now, the benefit for the attacker is that they don't have to run the risk of introducing new software that could be detected or discovered using those traditional endpoint EDR or AV type tools. If we look into what's happening in the real world...
Well, we've seen many examples of this in very recently, some of the kind of econs malware outbreaks that have happened out in the middle east, which are really very targeted attacks, but interestingly that they follow a very similar process of enabling the systems, firewall, blocking any outbound communication. So any of that kind of notification traffic that's something bad is happening on that fact, it system won't make it to regular corporate network services.
And then from that point forward, once that machine has been isolated by the malware, it starts, it's kind of follow on processes and services to stop any local protection and then make use of other system tools to encrypt data, and actually then display those ransomware messages. Following that turns the firewall back off to reenable traffic and allow traffic to flow, which means the malware can then move laterally across the organization.
And that's exactly the type of attack we're trying to prevent against by implement, implementing a proactive approach to privilege management and end point devices. What we want to do is think about if some of these commands activities and operations that perhaps don't make sense for a normal user to run in the course of their day job.
And if we take it kind of one stage further then of having reduced a reduction of privileges, a primary defense, this is where you start to kind of run into those challenges we heard about earlier in that balance, that's very difficult to achieve just with native tools.
So you either end up with a very unlocked system that is very easy to use but has an excess of privilege, due to either an exception to the policy, or, as we mentioned earlier, legacy applications that have to function in that way, or even just an urgent need to allow a user to operate, which I'm certain many of the organizations and many of you on the phone and watching the recording will have had over the last few months, given the global pandemic.
Now the opposite end of that spectrum, as I said earlier, is the ultra-secure system, which has a fantastic security posture, but can be seen to have an impact on productivity and really offer a poor user experience in traditional roles. And long term, whilst having a good set of security principles, that could actually end up in a negative security impact, because it's commonly where the business challenges what the security team wants to do and then starts to make many different exceptions.
And with these overlapping exceptions then allowing operations to continue, you have a very disparate and disorganized collection of systems with different levels of policy, and you end up in that privilege creep we heard about earlier. So what we want to do is think about how we tackle privileges over permissions. We don't want to think every time about how we give an account permission to make wide-reaching changes.
We want to be more granular and think about the privileges assigned to applications, tasks, libraries, and scripts.
So this ultimately means removing the standing permissions that are permanently assigned to user accounts and moving to a just-in-time privilege management approach: at the right time, for the right purpose, giving only the minimum privilege required to undertake the task. And when it comes to the portfolio and how this manifests, well, as you saw earlier, PAM has the traditional privileged identity management and session management, but actually it's much wider than that.
There's an element of secure remote access, in addition to the privileged password management and endpoint privilege management technology. And that endpoint privilege management technology is what we're really focusing on here. That is the proactive control that helps you decide, once a user is connected to that device, what it is they should be able to do on that system.
What can you install? What can you configure?
What changes can you make across all platforms, whether that's a server operating system, a network device, or a desktop, Unix, Linux, Mac, Windows? Really it's taking the capability from being either an administrator or not into a much more granular approach covering both privilege management and application control.
So again, it's breaking permission away from the accounts, moving to a just-in-time approach to elevate only the process or task that requires privilege, and then better understanding the applications that are used, preventing threats like malicious documents, where you may see an ActiveX control or other services on the system, and delivering that in a much friendlier, much simpler user experience. And with that come a number of key benefits, really.
So at its core, once you remove those admin rights, particularly on Microsoft desktop operating systems, actually over 80% of known critical exploits would have been mitigated by not having local admin rights.
So that's four out of five critical vulnerabilities that you could stop overnight. And I say overnight because one of the things we hear from organizations is that they find it very difficult to understand the environment. So we draw upon our over 20 years of experience here and make use of things known as quick start policies.
These are typically set to meet 95% of most organizations' requirements out of the box, and they come in high, medium and low flexibility. So the idea here is, if you have a very educated, very IT-literate end user such as a developer, you might want to put them in a high flexibility policy, where they can make an educated decision on the use of privilege on their local device, whereas someone perhaps less IT-literate may need additional support.
So at that point, when there is a challenge for privilege and we need to use an additional level, it might refer to the service desk rather than having a non-standard configuration. Of course, all of this collection of information on how privilege is used in that context can be looked at in a central reporting platform.
So understanding and being able to demonstrate how you meet your compliance requirements, but it then becomes really powerful when you want to enrich the security data that you already collect by demonstrating how privilege is being used in the environment.
So before coming into the last part of my slides, what I wanted to share with you are three steps to success that we find make a very successful least privilege project. Rolling straight into the first one: as with any project, planning upfront is the best way to ensure success, and we really see the best results come when you try to understand the business needs rather than just thinking of this as a technical control, because we find it's probable that organizations have tried to remove admin rights before without an endpoint privilege management technology.
And a lot of the insight and lessons learned from that can feed into those different work styles, understanding how people need to use the system in order to be successful in delivering their output for the organization. So that's very important, and there are some sample questions here for you to drive into your organization.
If you are undertaking one of these projects, really it's about understanding the users, the function and the business.
How are we going to judge whether this is a successful program of work based on the business objective, not just showing the number of administrators in the environment? You might be thinking, well, why do we ask those questions? Well, actually, that's the next tip for success. What we see is that this type of project affects stakeholders across the entire business, but it actually gives you, as a security team, one of the few times you'll be able to really improve the user experience from a security point of view.
So you can have a positive impact on productivity, really instil good security practice, and then reduce those pains for the service desk and end users. To frame this with an example, you could approach the network engineering team, again highly skilled, technology-literate individuals who, in the course of their role configuring new devices and new bits of equipment, might need to change the IP address settings of their local device.
Now, if you were to take away their admin rights, they wouldn't be able to do that. But by using endpoint privilege management, you could automatically allow that team to elevate their privilege to change the IP settings in a safe and controlled manner, and also capture an audit trail of the fact that it happened.
And again, you might see that, okay, during the middle of the working day that's expected behaviour, but hang on a second, there's now a process running overnight that's trying to change network configuration settings when I'm not expecting an end user to be on. Again, you're getting that rich context of how privilege is used. And then the third top tip, and really the last consideration, is technology selection. We've spoken about the process and the people, and here these are the six key areas to think about on the technology side.
Starting off, I think prioritizing the end-user experience, the ease of use and the integration capabilities builds the most successful project. To step into those a little deeper: when we talk about ease of use, what we're talking about is the end user having a very simple, structured way to understand the challenge they're being asked, so why do you need privileged access to be able to run this task?
They understand that you're able to report upon that, but that message only comes up when it's appropriate, and you have that quick start configuration out of the box. And then when we talk about integration, one thing I'm always really positive about is making sure that you don't have an island of security and you're not just isolating users by taking away that privilege.
Now, what I like when you apply just-in-time privilege is that you can further validate processes for safety. And one of the things I think is fantastic is, if you have an application that requires execution with privilege, you can integrate this with a service such as VirusTotal to say, well, I know this application, I'm pretty sure that we should have privilege to run it, but can you just check for me that this isn't a malicious version of that file?
So I run the file hash against the VirusTotal service and, if everything's okay, then the user can execute that with privilege and they're able to continue in their role. What I also like is then integrating it into IT's own workflows, particularly when you start to think about the server estate, where change management is a key part of security as well.
And so when you go to elevate a task or run a particular application on a server operating system, before we make a configuration change, maybe you need to validate with a ticket.
Such as a change ticket in ServiceNow, to say, well, do we have the appropriate change window to undertake this task? Is it safe to do so, or are we going to interrupt the production system? So it's that really powerful concept that's easily extended into many different use cases, but as I say, it means you don't end up with a technology that sits as an island and a barrier to success as part of your technology stack.
And then hopefully the results you'll see after implementing a technology such as endpoint privilege management to help you implement the principle of least privilege are that you do actually remove administrator users, so you reduce the number of administrator accounts in your environment, and you have a much better understanding of how privilege is used.
So you can demonstrate that you're meeting compliance regulations, users can remain productive, you've reduced your cost of management because you're not ending up with multiple different configurations and service desk calls to triage and troubleshoot these issues, and of course there are integrations into other platforms for correlation of that data. And so with that, I'm opening up the floor to questions. I think at this point Paul will come back in as well.
Karl, thanks very much, some great stuff in there. One thing I noticed when you were talking about stakeholders was that you mentioned human resources, which I think is interesting. When we in our world of security and privileged access management and IT, we tend to sometimes forget what IT is actually here for, and that is obviously to run the business, but also to make employees' lives easier and get their jobs done. So I thought it was very good that you included HR as one of the stakeholders.
Yeah. Fantastic.
As I say, the key to success is making sure you frame that in the view of the business, not just the view of the security team.
Yeah, absolutely. I do have a couple of other questions, actually, and one of them is directed at BeyondTrust, really. How does the company help customers get their least privilege program to an operational stage quickly? Which is obviously going beyond just saying that we've got the technology, but how can you help people get to grips with this?
Because even though you laid out some very useful tips there on getting it going, for some organizations it still might seem daunting, and they might still be inclined to just cut off admin rights to everyone, et cetera.
I mean, I'd really advise against just turning them off overnight.
So that's one thing. I think the benefit that BeyondTrust brings to the table is that we have been doing this for over 20 years. And so within the technology we've actually built out what we call quick-start policies. So that's the high, medium, low concept I spoke about earlier. What we've done here, from working with all of our customers, is collate the common applications that most organizations use for legitimate business purposes and build those into the workflow.
So rather than having to say, well, let's spend this huge amount of time on discovery and analysis, what we want to do is protect you upfront and then refine the policy. We see a lot of great results by using those quick start templates to say, well, actually, we're like most organizations, let's immediately reduce risk very quickly here, and then focus on those environments that are more challenging with some of that discovery activity and putting them under control that way.
Absolutely.
And one thing, you know, we've seen that the security benefits make sense, but what are the business benefits? You mentioned one thing and I overlooked it, but when you have all this confusion of people trying to get access to stuff and they can't, and then admins go, right, well, give him his access just to reduce the number of service calls, et cetera, just to get people off their backs, quite literally. So what are the business benefits that can be achieved by implementing least privilege like this?
So I think there's a couple. I mentioned earlier, obviously, that I have a strong feeling that good security gives you a competitive advantage. In this digital age, I look at organizations where they've been a bit lax with privilege and the fines that have been issued by regulatory bodies, particularly in the last few months, where you've had industries that have been hard hit, such as retail, leisure, tourism, and then to have enormous fines placed against them.
So there's a huge ROI in putting in some controls to show that you're taking great steps when it comes to day-to-day operations. I think the biggest thing about least privilege is building a standardized environment. The more customization you have on an endpoint, the higher the cost of support of that device is: you have to understand it, you have to nurture it, you have to make sure it's operational.
Whereas if you start to create a solid baseline with workflows to handle the exceptions, that would dramatically reduce the cost of supporting that endpoint. And I believe there are a few different studies out there showing the level of impact that could have.
Yeah. You mentioned the Ponemon report, which I know has been going for many years and is a very respected calculation of the cost impact of security, or rather the lack of security. What would you say? Just a sort of bonus question.
I've just thought of it: some people might say, well, we've got all these people working at home, but we'll just stick them on a VPN and everything's okay. What would be your answer to that?
Be very considered in your use of VPN.
So for me, one of the benefits of VPN is that you're extending your perimeter out to that endpoint. One of the downfalls is that you've also extended your perimeter out to that endpoint. So if that endpoint were to be compromised, you've given a determined threat actor the ability to bypass any perimeter controls into the core of your network.
And that, for me, is the biggest concern of, you know, how do we just get these people working? I feel we're now into our second wave of security, where we've made sure the business could keep running,
and we now really need to tie up some of these loose ends with how we got them there.
Yeah. We certainly see a lot of organizations that are having that. Is there a better way of brokering our services to the end user rather than connecting them directly into our corporate network?
Especially as I mentioned that people at home quite often will be using a laptop that is used for many other things, and you have no idea what's on it. And by extending, as you say, the perimeter onto that, it enables attackers to find an easy way in. So I agree with you totally there.
Well, we haven't got any more questions for now. So I think what I'll do is just quickly update you with the masterclass stuff that we do at KC.
And finally, just in case you've forgotten, our events are coming up next week and the week after. In the meantime, I'd like to extend my thanks very much to Karl Lankford and to BeyondTrust for being with us today on this webinar, and also to you, the attendees who have listened in. I really hope it was useful.
I always learn something from doing these webinars that I didn't know before, and today is no different. So once again, thanks, and I hope to see you on another one.