So good afternoon, good evening, wherever you are. It's really a fantastic day here in Reston, Virginia, 80 degrees Fahrenheit, and for those in Europe or in Asia, 28 degrees.
So, which is awesome. My goal to keep active working from home today is to step out at least for five minutes.
But I want to also observe something, you know, while it's a beautiful day here. I think India seems to be going through a pretty bad state of affairs when it comes to COVID, so my thoughts and good wishes to them. I also want to recognize that even under these conditions, you know, they seem to be producing and delivering, so kudos to them. So without much ado, let me just jump in. So what's the agenda?
So, what to keep in mind when you define a policy and standard? I want to bring this down to deploying PAM in your enterprise.
You know, the enterprise I described is a hybrid enterprise, and I want to make sure that I jump into things that are really everyday problems when you're trying to define policies, standards or standard operating procedures, and what the key drivers are. So, you know, I think there are several, but what typically are these major key drivers?
So, you know, it's not limited to what I'm talking about, but you do need to consider drivers, and then solution ideas and examples. I think this is where, you know, most conversations happen, because you are now trying to deploy it for your enterprise, and so you need to see fit, et cetera. Last but not least, it's not enough if you throw something into the control plane; you really need to drive adoption, which is one of the most difficult things in large enterprises, especially if it's a hybrid enterprise. Okay. So that's what I would discuss today. I also want to emphasize what I won't discuss. If you're here, I'm assuming you already know PAM. I'm also assuming that you know what the importance of PAM is, et cetera. So I won't dive too much into that. Also, I won't get into products and product features.
So I want to keep it diagnostic and talk about PAM as an initiative inside your enterprise, which means essentially you want to be in a state where you want this initiative to be properly adopted and driven. So, you know, I won't talk about products. Last but not least, what I won't talk about is FUD statistics, you know, fear, uncertainty and doubt statistics, or analyst views.
So essentially there's a lot out there and you could read it. So I won't emphasize that in my slides. Sometimes you would see on the right-hand side, you know, some stats included; I would include those stats if they're relevant to the conversation I'm having, otherwise those are just for, you know, information, and you can consume them the way you like. Okay, with that, I'm gonna jump into content. So the first one is, you know, how do you define your policy? Right?
And your standards and operating procedures too. A key thing to note here is, you know, that typically when we talk about privileged accounts, you're talking about quite a large surface area, and you can think of it; we'll talk a little bit about audit versus attack surface.
But when you think about it, it's pretty large, right? So one, we think, you know, why is it so large? But remember you're including system accounts, you're including, you know, accounts from infrastructure that need to be managed, other than the ones that are for privileged users, right?
So this combined score is pretty high. So something to keep in mind. Now, what I've observed, you know, in my past about 20 years of IAM experience, is many corporations going into analysis paralysis mode when you start thinking about policies.
But it's important; you have to acknowledge that. And it's also important to take a position.
And the position should be, you know, when you take a position, you should have some, you know, tabletop exercises to evaluate the impact to the organization, which means, you know, are you suddenly throwing the organization into a huge flux, and such. So you need to make sure that you've incorporated that kind of thinking into your policy definition.
So once you've done that, you know, once you've thought through these things, you need to make sure that the standard operating procedures are well defined, which means getting them to a level where people can actually implement them and think through those implementations. So what may apply for *nix, which is like Unix, Linux, et cetera, and Windows may not apply to cloud.
So, you know, you need to think through your standard operating procedures, and in particular the ones that you are considering PAM-enabling. So that's the next piece. The last and the important piece is, when you do roll this out, you need to have proper governance. What I mean by proper governance is, you know, once you acknowledge that one shoe doesn't fit all, you need to make sure that exception management is well handled.
So you defined a policy, you put it out there, but you need to also make sure that while adopting, not everyone can adopt the control that you have. So how is that exception handled? How is that exception managed? Do you give them 30 days? Do you give them 60 days? Do you give them 90 days to adopt? Or do you say this particular thing cannot adopt it? So you come up with tactical methods, and you need to systematically reevaluate your control itself and the process; you know, is the process aligning to your enterprise?
This usually is not, this meaning policies and standards are not usually, kept in mind. People jump into technology and talk about jet versus, you know, zero trust versus no zero trust, but this is paramount. Like, the policies and standards are paramount for an enterprise to run.
And so that's why I'm introducing this as my first topic. So after that, you know, while you're putting your policies down, you obviously did consider key drivers.
However, you know, you need to also consider them during building the solution and deploying the solution, et cetera; you need to consider the key drivers. So key drivers here again. So if you look to the right-hand side, the triangle, you know, these are key drivers, and I've taken what a standard enterprise looks like, right?
So you do have a network perimeter, and in the network perimeter you have a whole bunch of things like APIs, RPAs, cloud targets, I mean, endpoints and blockchain, et cetera, et cetera. So all of these things are inside the enterprise.
I mean, this is just an example, right? So you have much more. So how does this really manifest itself? And what do you need to think about, you know, when you start thinking along privileged access or privileged identity management?
So here's a way to think, right? So you need to think through identity first, right, or, as KuppingerCole describes it, identity fabrics.
So essentially you're thinking through how identity is paramount, so, you know, whatever gets your goat, right? So you can think of this as don't trust, verify, always, and, you know, think of securing identity first, think of least privilege. Think of giving access only for a period of time and removing access temporally, that is. Right. Think of keeping hygiene high.
Now, whenever we talk about applying a control and instituting something in an organization, you are already carrying the burden of a huge amount of, you know, residual risk; many companies do that. So I'm not saying all companies, but many companies have that.
So when you think about residual risk, your goal should be, while applying controls and adopting controls, you're also trying to keep the hygiene level high. When I talk about hygiene, what I mean is: has anybody used this account for, you know, six months? Does this have accesses that it does not need? You know, and so on and so forth. So identity, when I say identity, I talk about identity and related access; thinking about that. So here you've, you know, converted your traditional network-based, perimeter-based enterprise into an identity-perimeter-based enterprise. So you've shifted your thinking, and this is important for us, right? So now let's see how you take this and actually apply privileged access. So if you notice, what I've done here is drawn another perimeter, which essentially talks about a privileged identity perimeter.
So you kind of transformed your thinking from, you know, the identity perimeter into where you need to focus. So here, what we are saying is, this is, you know, both human and non-human types of privileged identities in the enterprise and how you think through them. So essentially here, you need to make sure, for identities in general but particularly for privileged identity, that you proof them and you secure them. Proofing them is critical, which means, you know, do you have MFA in place?
Do you know, you know, if an ongoing session may be compromised? Do you actually check for that? And, you know, do you have capabilities of tearing down sessions?
You know, do you have more modern protocols that are implemented, or are you using, you know, traditional protocols, which may be, you know, not enough, right, not sufficient? Are you thinking about inserting sec into DevOps, which means DevSecOps, and, you know, allowing people to really touch systems in this day and age versus making sure that it's securely coded and it's automated into your DevOps lifecycle, you know, and so on, so forth? So all these things are considered when you think about drawing your privileged identity perimeter.
So you went from an identity perimeter, which you can visualize as larger, to a privileged identity perimeter, which you can visualize as a subset of that. Now these are connected to your target systems, right? So like when I described, you have endpoints, you have storage, you have blockchain, you have RPAs and so on and so forth, right? So identities from all of this, and then privileged identities from all of this, need to be considered. Okay.
Once we've established that, you know, we moved from a network-based perimeter into a privileged identity perimeter, now you apply your key drivers to this. So in your tabletop exercise, you're thinking through, okay, I need to be sure that this is regulator-friendly. This applies to third parties. This applies to attackers who may be inside or outside. This also applies to this shift we've had from working in a building where you had physical access to working now in virtualized environments, working from home.
So you did this transform of the space, you know, so all these things are considered. So if this is not resoundingly getting to the point, I want to spend just a minute or two on what constitutes an attack today. And if you think about attacks, where we refer to them as TTPs, tactics, techniques and procedures, you know, most of them, I would say, leverage the, you know, privileged access credentials, and within the privileged access credentials, if you think about the attack itself, you know, most of the time what's vulnerable is a normal identity. And from a normal identity, you know, the attacker tries to escalate their privilege. And then once escalated, they do internal reconnaissance, which essentially means moving around in things like network shares, et cetera, you know, trying to find passwords and such. They also may look through easy-to-open scripts, et cetera, and find these credentials embedded in them. Or they may look at, you know, exchanges between apps, et cetera, if passwords are in clear text or credentials are in clear text. And there's tons of examples out there.
And I'm not going to spend a lot of time talking about SolarWinds or, you know, ransomware, et cetera. The goals may be different, but the patterns are always the same.
So once the recon is done, they move laterally. So essentially this is what you want to arrest. So when you're thinking through a solution, you want to make sure, while you are focused on developers or production support folks accessing, you know, their environments and making their life easy by moving from one system to the other, you know, you also want to think through why that may be bad. You know, is that good? You know, can you control it? Are you doing more to arrest such behavior? Right. So I think that's something you need to think through, right?
Because moving laterally is one of the major techniques in attack patterns. So while you enable systems, you also need to think about how to not enable them. Okay.
So then I want to jump into, you know, how to think through solutions, given the fact that I have 20 minutes end to end, you know, to finish this topic. So here's jumping into solutions right now. From a solution perspective, we thought about how to think through our problem space and how to kinda, you know, get a handle on it.
And we said the identity perimeter would be one of the ways to think through such a, you know, problem. Right now, once you did that, we want to make sure that you draw what we call micro-perimeters around, you know, your target systems, because that's what you want: PAM-enable them. So what I want you to imagine is identity superimposed on the target systems.
And you've drawn a privileged identity perimeter and made sure that within these boundaries of each, you know, entity, if you will, which is like, you know, your RPA or API or cloud, et cetera, you are considering privileged identity perimeters for those target systems which have to be PAM-enabled. Okay. So once you did that, let's think of the solution.
Now, if you're one of those lucky ones who's starting from scratch, really, this is awesome. But if you notice, you know, in KuppingerCole's survey, they found only 25% of participants who don't have a PAM solution.
Well, actually this is true because there are, you know, enterprises who have not implemented PAM. And if you haven't, think of it urgently and make sure that you do, right? This is pretty critical and very important that you do this. So in this solution, I mean, again, it's an example of a solution, I would say, right?
So some of the things I would think through are like, you know, what does your enterprise look like, given that, you know, I'm thinking through an enterprise which is fairly complex, which means it has on-prem, it has cloud, it's hybrid, et cetera, et cetera. Right?
So essentially we need to make sure that, you know, we are thinking through such a scenario while we are, you know, designing our solution. The next thing is to think through all the target systems that you want, right? So endpoints, applications, APIs, infra, you know, whether you have a cloud, whether you have SaaS solutions, PaaS.
However you have your clouds that you've segregated into, plus, which I haven't shown here, is DevOps, right? So these are all the things that you want to keep in mind. One important aspect of this is discovery, right? So I think there are multiple solutions out there.
But I feel some solutions that have the capability of discovery are especially helpful. When I talk about discovery, what I mean by discovery is that, you know, it does reconcile with identity stores, right? So that's number one. So it should be well known. It should be something where you rely on an access governance tool, or it is native to the PAM tool itself. So however you solve that problem, discovery's reconciliation of all identities in your enterprise is very, very important. So make sure that that's part of it.
The second is, you know, protect your PAM solution with MFA, right? So when I say MFA, I want you to also think about tokens and token life cycle and protecting MFA itself. So it's important that your MFA is bulletproof and you're protecting your PAM solution with MFA. Last but not least is the access governance solution, where I would say, I still think that you need a single pane of glass. You need to know who has and who doesn't have privileged access.
And, you know, I'm not saying that every access that's granted should be known, because some of those accesses may be one-time, or just for a special reason you've been granted some access, et cetera; in those cases, you know, maybe there are exceptions, but it's good to have, you know, a single pane that tells you who has access to what. Plus it's very important to have your JML, which is joiner, mover, leaver, you know, managed through access governance.
So that way, you may have someone who has a PAM account and is either moving, which is especially useful during those times where you want to make sure that that person doesn't continue with those PAM accesses. You know, so you have access governance integrated with your PAM tool.
I think there are multiple implementations of monitoring, analytics and intelligence. So I won't go very deep into it, but it is important to note that the more you move towards intelligence, the better it is. What I mean by that is, it's not enough if you are recording all sessions but not mining through them. Right?
So you want to make sure that you're gleaning intelligence from it, and there's a lot of literature out there, and you could benefit from that to make sure that you are gleaning intelligence. Okay. So this is like a pretty standardized solution. And I've provided some stuff here, which you can go through for you to, you know, become familiar with what you're doing, if you're a first-timer. Okay.
But if you're not a first-timer, many, many companies are in this state where they have a legacy solution, or they're thinking of a new solution, or for whatever reason, you know, the existing solution doesn't fit the bill, so they're thinking of new solutions, et cetera, et cetera. So whatever your, you know, drivers are, you can, you know, think of how to migrate.
So what I've talked about and the importance of I would...
Just a short interruption, and I would kindly ask you to come to an end with the presentation. So maybe one or two minutes left, if this is possible for you. Thank you.
Okay. Thank you. Thank you for the heads up. So I'll go through this fairly quickly.
So, you know, you can combine your, you know, access governance as a single pane, and, you know, think of this as a way of solving it, where access governance becomes a single pane, and you do identity provisioning from a single point, both into your new and your old. And the second part, or the link, could be where you are doing monitoring and you link both the old and the new through them. So this is one method.
There may be multiple methods of doing this, but I've shown one example. This is a lot deeper, so I won't go into it. I'll just tell you that there is a way to deploy. And I was trying to grab your attention especially from an authentication point of view: there may be multiple methods, even in today's clouds. You know, I've taken two clouds into consideration, and I am telling you how authentication is completely different here. And it's important also to realize how your applications are spread across two clouds, right?
So you may have an app that is in GCP, which is Google Cloud, and on Azure. Or you can have an app that's, you know, instantiated in GCP and its infrastructure may be in Azure, or, you know, on-prem. So this could be pretty complex. So you need to think through your solution and see how it fits all these types of environments. So this is a flow, a very easy flow, but again, you know, it's pretty easy. If this material is made available to you, the description is fairly easy to follow.
Only one thing I want to call out here: number one is the initialization and bootstrapping, which is part of a discount process. And it's pretty important here. So the rest of it is easy for you to follow. Okay, last but not least, you know, whatever your theme is, whatever your driver is, keep that in mind, where when you're deploying this, it not just helps you, you know, with containing operational risk and cyber risk, but it also helps drive this agenda into the board and your C-levels, to convince them of this deployment, and also gets buy-in from them so that you can deploy and become successful with your PAM, you know, initiative, because adoption is key. So if you notice here, I'm using SolarWinds as an example, and I'm saying, you know, any pervasive software within the enterprise needs to be controlled first. And when you think about pervasive software, you can think of control planes themselves becoming pervasive, and you can start getting a handle on them.
So if that's your theme, then you have a good driver here to say: adopt and secure your control planes first. Okay.
And of course, don't leave this part out, which means, you know, while you are deploying, make sure that you have some tactical methods to cover your, you know, enterprise risk and contain the residual risk. Alright, thank you.
That was it from me.
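As an added example that is not part of the talk or its slides, the following Python reconciliation check ties together the governance points the speaker makes: discovery reconciled against the identity store, the six-month hygiene question, JML (leaver) handling, and 30/60/90-day exception windows for accounts not yet PAM-enabled. All data structures, field names and sample records are assumptions constructed for the illustration, not any vendor's API.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hygiene threshold from the talk: an account nobody has used for six months.
DORMANT_AFTER_DAYS = 180

@dataclass
class DiscoveredAccount:
    system: str                # target system the account was found on
    name: str                  # account name on that system
    owner: Optional[str]       # identity it reconciles to, None if unknown
    last_used: Optional[date]  # None if no login has ever been observed
    vaulted: bool              # already onboarded into the PAM control plane

@dataclass
class Identity:
    user_id: str
    status: str                # JML lifecycle state: "active", "mover", "leaver"

@dataclass
class PolicyException:
    system: str
    name: str
    granted: date
    window_days: int           # 30, 60 or 90 day grace period to adopt the control

    def expired(self, today: date) -> bool:
        return today > self.granted + timedelta(days=self.window_days)

def reconcile(accounts, identities, exceptions, today) -> Dict[str, List[str]]:
    """Reconcile discovered accounts with the identity store; findings keyed by type."""
    known = {i.user_id: i for i in identities}
    exc = {(e.system, e.name): e for e in exceptions}
    findings: Dict[str, List[str]] = {
        "unmapped": [],           # no identity to hold accountable
        "leaver": [],             # owner has left but still holds the account
        "dormant": [],            # unused for six months, or never used
        "unmanaged": [],          # not in PAM and no exception on file
        "exception_expired": [],  # grace period passed, still not in PAM
    }
    for a in accounts:
        ref = f"{a.system}/{a.name}"
        owner = known.get(a.owner) if a.owner else None
        if owner is None:
            findings["unmapped"].append(ref)
        elif owner.status == "leaver":
            findings["leaver"].append(ref)
        if a.last_used is None or (today - a.last_used).days > DORMANT_AFTER_DAYS:
            findings["dormant"].append(ref)
        if not a.vaulted:
            e = exc.get((a.system, a.name))
            if e is None:
                findings["unmanaged"].append(ref)
            elif e.expired(today):
                findings["exception_expired"].append(ref)
    return findings

# Constructed sample input (hypothetical hybrid estate, not data from the talk).
TODAY = date(2021, 5, 1)
ACCOUNTS = [
    DiscoveredAccount("linux-db01", "root", "svc-db", date(2021, 4, 28), True),
    DiscoveredAccount("windows-ad", "da-jsmith", "jsmith", date(2021, 4, 20), True),
    DiscoveredAccount("gcp-proj-a", "deployer-sa", None, date(2021, 3, 1), False),
    DiscoveredAccount("azure-sub-1", "owner-bjones", "bjones", date(2020, 9, 1), False),
    DiscoveredAccount("rpa-bot-3", "rpa_admin", "svc-rpa", None, False),
]
IDENTITIES = [Identity("svc-db", "active"), Identity("jsmith", "active"),
              Identity("bjones", "leaver"), Identity("svc-rpa", "active")]
EXCEPTIONS = [
    PolicyException("gcp-proj-a", "deployer-sa", date(2021, 3, 15), 90),  # still open
    PolicyException("rpa-bot-3", "rpa_admin", date(2021, 1, 1), 60),      # lapsed
]
FINDINGS = reconcile(ACCOUNTS, IDENTITIES, EXCEPTIONS, TODAY)
```

Each finding type maps to a governance action the speaker describes: unmapped accounts need an owner before they can be onboarded, leaver and dormant accounts are hygiene debt to remove, and expired exceptions are where the tactical grace period has run out.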