Welcome to everyone here for this call. Frank, it's a pleasure to have you here. Maybe you could quickly introduce yourself before we go into the discussion.

Sure. Martin, thanks for the invitation. My name is Frank Fisher. I have been head of security and CISO of Deutsche Bank for two and a half years now; I started in October 2018 and am clearly focused on improving information security across the board. I guess the topic we will touch on today is one of many we are currently focusing on. Looking forward to that.
Okay, great. So when we look at privileged access management: from your perspective as a CISO, you always have to identify the key areas you're focusing on. What makes privileged access management a topic that is really high on your own agenda?

I guess it's just one of the critical lines of defense. When you look at attackers' behavior, one key item they usually aim at is privilege escalation. So it's natural that they aim at getting privileged access, namely administrative or root access, or what have you. Increasing the control boundaries around that topic is quite critical in order to fence off, let's say, a large population of those guys effectively.

Okay.
And when you approach a topic such as privileged access management, where do you start? From your perspective, what is the point to start? As an analyst, I see a lot of organizations just saying, "oh, we have a problem, we need a tool." But I dare to say: is that the best way to do it? What's your approach?

Yeah. People who call you with the CD in the drive and ask you for a solution, right? I guess that's the wrong way around. The way I would approach it, and what I've always done more successfully than just looking at tools, is clearly looking at the problem. So what problem are we trying to solve?

That's basically a combined viewpoint. First, what is my exposure profile? What are people interested in when they look at me, so what's my problem from an attacker's point of view? Then, what are my defense capabilities today, so what do I have deployed? And then, how do I basically stage this in different environments?

So what's basically my operating model today? It makes quite a difference how I am organized, how much I'm doing things in a federated or in a centralized mode, or any flavor in between. So organization is quite an essential part of that, and eventually process: how do I manage the operation with respect to privileged access? Am I aware of what I have? Do I understand my ecosystem? So another key element is certainly transparency about what problems I may face before I depart into solutioning and tool selection, stuff like that.
When you look at this challenge of central versus decentral, I believe every larger organization has this challenge of many different locations, many different divisions, certain existing technologies. Could you give some advice on how to best deal with this situation, where it's not that you could say, okay, I have a green field and a unified organization, I go out and say that's the way we do it, but where things get a little bit more complex? What are your recommendations here?

I guess you have to have a clear view of what's critical in terms of my operation. For instance, am I part of critical infrastructure, with obviously specific requirements also from a federal point of view or from a regulatory point of view? I usually look at two main drivers. One is the regulatory background: what am I supposed to do from a federal or rule-setting point of view? The other part is how my defense stacks up against attackers' behavior. Do I have a good understanding, good visibility of the defense in the field?

And clearly I have to understand how I operate. I may have different divisions that have their own operating model in their own respect. So it's quite essential to work with your organization in order to come up with a good model that eventually holds up against our ecosystem. Bringing the key stakeholders in early on is quite critical to build support and then come to a collective view of what we need to do in terms of policy setting: what are the things we have to do, what are the framework conditions I have to look at, and what is the point where I stop enforcing?

And I ask people to come up with their contribution to get the solution in place. I guess it's important that you have a collaborative engineering step done in the first place, which allows people to reflect their own business operating model, because obviously I'm interested in maintaining the business and enabling the business. That should be my steering point: thinking from a production, from an operations point of view, and then working backwards to what I need in order to protect it.

So essentially what we're aiming at is to protect the business early on, and we will increase defenses to a point where most populations won't be able to climb over. And the last part: I probably have to be clear that this is not my only control. I obviously have to add additional control points from other domains in order to make this a whole picture.
But at the end, it starts with getting all the people on board and educating them on why it's not only required, but why there's also, in some way, some sort of a benefit for their part of the business in doing things like PAM or other types of security operations, right?

Right. What I did successfully in the past was that we tried to come up with a qualitative risk picture. So what are the risks I'm running if I have it, or don't have it, or have only parts of it? What are the components of the control sets I'm looking at? What's essentially the X amount of solutions I would have to deploy, what are my processes around it? And then clearly you always have a relationship between speed and effectiveness, and clearly you can't wait until you have the perfect solution. So you probably have to look at an alternative process that brings people in early on and gives them a feeling of what it means to them to do that. And I have to have a clear view of my real estate. Clearly I need to know how I operate and what is in scope of privileged access.

And it clearly also folds into my overall identity and access lifecycle; privilege is a subset of that. Then I have to make sure that this draws in different types of operation. I probably handle DevOps, DevSecOps, or development in general slightly differently from operations. I may need to differentiate between an IT and an OT environment, which has different rule sets. And I probably need to differentiate between on-prem and cloud. So I have different attributes I have to consider.
You're touching a lot of points in your answer. One is clearly: could one tool be enough, with all of that? There are the PAM-for-DevOps tools, there are these ephemeral certificate things, there are very traditional tools, there's PAM from the cloud, there's sort of cloud-integrated privileged access management. So that would be one point. And I think from your answer, your clear perspective is that you will not solve the challenge in a larger organization with a single solution.

Right, I guess that's a fair point. And more specifically, I guess you won't have all the answers in the first place. You will probably have to start out with a pragmatic solution, gain experience, and then carry on. You would also want to look at a risk-driven approach, because you can't possibly fix all your real estate.

And since it's very much focused on your admin groups, it's valuable to understand what their way of working is these days. You can obviously be a lot more successful if you show them the benefits rather than just push them in one direction just for policy setting; I guess you won't win that battle. You need to gain their interest, and basically sell it also as a matter of protection, because it could also help them defend against false accusations or claims, where an admin is always in the focus when something bad happens.
And this is also a way for them to satisfy audit requirements and defend against false allegations.

Yeah. But I also think part of that is to make it work for them in an efficient manner. Because when I look at the various projects I've been involved in, one of the points which always came up very early from administrators is something like: "but if we do that, we can't work anymore, it'll hinder us in working." And I think this is something, from my experience, we need to take in earnest.

Absolutely. We have to take these things seriously and understand what the way of working is that we have today. There might be alternatives that are as effective, but they haven't been conceived yet. And it's not necessarily always the case that just because I bring in a jump host or a fencing solution, my life is difficult. What I believe is absolutely critical: you have to account for regular versus emergency operation. When time counts, you probably have to have some alternatives in order to fix something quickly and then go back to normal operation. That's certainly one of the key items we see on a regular basis.

Also, you have to find easy ways to keep audit trails without getting in the way of people. For instance, I'm not a firm believer in session recording these days, I guess you know that, because I believe it creates a lot of burden when doing the forensics afterwards; there might be other ways to do that. So I'm more a fan of preventive solutions that alter things early on and help admins rather than inhibiting their work. Eventually we all have to get to just-enough or just-in-time access, which is, I guess, on the slate anywhere when you go into the DevOps world, right?
Yeah. One of the other topics you raised earlier is the relationship of privileged access management with, I would say, IT asset management or the CMDB on the one hand, and with identity and access management on the other hand. So you need to know what is out there in some way; at least implicitly you mentioned that, and you said you can't see privileged access management in isolation from the identity lifecycle and so on. Could you elaborate a little bit more on these aspects?
Yeah, obviously, when I do a risk-based approach, I need to know what I have as real estate, so what's in my asset base. How do I differentiate risky from less risky operation? What's critical, what's crucial?

Specifically in critical infrastructure, I have to satisfy federal requirements, for instance in order to maintain federal infrastructure, down to the point where I'm probably facing penalties if that's not working well. And on the other hand, I have, let's say, a topology in my organization that does not always obviously draw a connection between two types of assets. So it's important for me to know not only the assets but also their relationships, so I can understand the lateral movement an attacker might actually follow in order to do a privilege escalation.

Other parts always fall back to assets. If I need to focus in my rollout, obviously I start with the critical parts and go to the less critical parts. So I do scope management in rollout management. And then finally, when I talk about federated operation where I would definitely want to fence off operations, I at least want to have the same process excellence, no matter whether it's attached to or detached from the core of my ops.

So I have different parts to consider, but I always want to have a consensus about what matters. And that's why asset management is quite critical.

Yeah.
So you can't protect what you don't know, at the end of the day.

Precisely.

And you can't measure the risk at the end. I think this is where a lot of challenges in practice start: this insight frequently is still lacking. I remember so many projects which ended up identifying, oh, there are way more systems out there than we even feared. And the problem starts way earlier than just adding a PAM portal, adding privileged access management. And maybe a few words around IGA, the user lifecycle integration.

Mm. Yeah.
I've seen places where you have a lot of, let's say, self-grown privileged access management. It usually starts with any type of MPO infrastructure, something that kind of arises from site reliability engineering, for instance, which is more organic in my operation.

And as I grow up, obviously things become more complex. So eventually people start to build their own identity and access. And then at some stage you find out, okay, I have to attach that to my HR processes.

So when overall identity and access is on the map and I have to implement access governance, clearly privileged access has to be a part of that, including any type of emergency credentials or flavors around that. So it is actually inconceivable that privileged access remains in place if somebody changes position, because it's one of the most critical credentials I could have as a person.

Why would I not be able to put that on the map for identity and access governance? So clearly that's probably the first thought, but it's also a provisioning target. And you have to make sure that reconciliation, specifically in PAM environments, works properly. So if you can't enforce it automatically, which is really hard in many environments, you have to make sure it's reconciled.

And specifically, if you have detached environments where you, for some reason, need to fence off automatic processes, you have no lifeline, let's say; you probably have data diodes or any type of segregation for critical reasons. Still, the way of integrating into identity management has to be there, because people are obviously persons.
And if an admin is leaving, you obviously want to shut down their access.

Yes. And if there's whatever shared account, where there's an owner, that ownership must change if the former owner is changing jobs. So I absolutely agree; I've been preaching this for quite a long time, that there's a need for a tight integration. From my observation, in the broad mass of organizations, that's still a gap in many, probably the vast majority, but it's one of the many things to fix over time. So when I look at the clock, it looks like we are already very close to the end. Maybe you have one final recommendation, one final statement before we hand back to Christopher.

Sure.
What I would always want to see PAM experts do is to understand their target group, to know what their admins are doing. And that has many flavors. Just to give you one glimpse of that: most of these guys maintain their own access pathways. So you need to map those gates, or kind of open those gates, and basically get an understanding of how they work, and open a pathway which is at least as effective as today. This is something which is supposed to help an organization to be more resilient.

And the second one is: consider segregating privileged from regular access as far as possible. If you can consider something like privileged admins and stuff like that, that's a good preemptive measure to segregate admin people off without jeopardizing regular operation. And it makes lateral movement or privilege escalation so much harder. That's what we see the big hyperscalers doing, and I guess you can learn from big organizations. It might be helpful to have one of those tech talks and figure out how those organizations survive in those huge environments. They see really the same problems we have on smaller scales as well.

Okay. Thank you very much, Frank. That was very insightful, and thank you for the time. And with that, back to Christopher.