Hello, Christopher. Good afternoon.
Ah, how are you? Hello? I'm well, thank you for inviting us and have a good panel conversation. Perfect. So maybe we start with a short introduction because I know you, you know me. I know Paul, but probably the audience don't know both of you. So Stephan, please introduce yourself.
Okay, so hello. My name is Stephan Martin. I'm the area director of Wallix, responsible for Germany, Austria, Switzerland, and Eastern Europe. I have been at Wallix for about three years now. I come from cybersecurity, and I believe cybersecurity is a very strong part of everything about access management. And I'm happy to be here today at the KuppingerCole panel conversation.
Thank you. Paul?
Well, hi, I'm Paul Fisher. I'm a senior analyst with KuppingerCole. If you were here earlier, yeah, you'll know that I'm the guy that went 10 minutes over time. So I'm sorry about that, for delaying all the breaks for the rest of the day, but hopefully that won't happen this time. I've been with Kuppinger for about two years now and cover, amongst other things, privileged access management.
Perfect. Thank you very much, Paul. And no, no problem. We handled it very well. So only the break was a little bit shorter. So the headline of our panel is Quo Vadis, or Quo Vadis PAM. My Latin is not the best, but for those of you who are also not very familiar with the Latin language, the question or the idea is, more or less: where will the PAM journey lead to? This is what we want to talk about today. So maybe we start with the first question to Stephan: why should organizations transition to PAM now?
Because really PAM is about access, and it is very important to understand that access management is not just being the doorkeeper; access management is really the full control of the interaction between any user and any device. So privileged access management, or even without the P, access management, really means the full interaction with critical data or sensitive critical machines or sensitive data. And this is one of the really most important cybersecurity topics: to have control of who is accessing your critical data, and how.
And this is exactly the job that access management should do, and privileged access management is just one part of it. So I see it also really from a full cybersecurity perspective, and that is the reason why privileged access management could also be a very important driver for compliance, especially when it is about the protection and, let's say, the observation and monitoring of person-related data. Definitely it's a key component when thinking about your organization's cybersecurity, and also the spending in the future.
Paul, you wrote the leadership about privileged access management. What are your thoughts about that?
Well, I would probably, on top of what Stephan said, go back to what I was talking about earlier, which is just the multiplication of secrets and data and things that other speakers have been talking about during the day, which need to be protected. So it is fundamentally about access. Why they should transition now is, well, maybe if they haven't already got PAM in place, then the reason they should transition now is for that reason of keeping control of the secrets, keeping control of access, and also keeping control of the identities that are accessing all of that stuff.
So I think it's not just for large enterprises either. I think that's becoming much more apparent, that privileged access management is not just about giving admins traditional access. Even a smaller software company is gonna have sort of intellectual property that they need protecting. They're gonna have pieces of code they need protecting, and they also need to protect themselves against cyber attacks. And as we'll know from things that have happened recently, privileged accounts have been used as a way to get into the organization.
And all organizations are, you know, at risk of cyber attack or, increasingly these days, ransomware, which is a pretty horrible way to attack a company. So that's one of many reasons to get into PAM.
Enough reasons, by the way. So I'm pretty sure you had something in your mind when you started to talk about some organizations. Maybe let's talk about a concrete example, the SolarWinds attack there, where a lot of unauthorized access to privileged accounts was involved. So how can CS utilize privileged access management here really to prevent such attacks, Stephan?
Yeah, and this is exactly the point. If you have a consequent enrollment of an access management or privileged access management infrastructure, you can really control the accesses based on a role system, for example, that you can really structure, and allow that only those persons who need the access will get access.
And again, access is really the full interaction with the critical devices. So permanently you can really monitor, you can audit what is happening to your data. And for sure, access management or even privileged access management is not the only security technology, but if you can combine it with the perimeters, for example on premises, but also in the cloud, you are able to close all these remote access interfaces, because you replace them through one centralized access portal, which is PAM once again.
And this is bringing a far higher level of cybersecurity to our organizations, because if you're following at least the MITRE ATT&CK framework, you will see that one of the highest security risks that intruders or hackers are using are indeed all these exceptions on a port basis on the firewalls, where the thousands of VPNs are terminated. And if you have access management really as the central access portal, you can really make your perimeter, your firewalls, once again a solid and also very efficient first defense line.
And this is a very strong point from the cybersecurity point of view.
Absolutely.
Paul, did you also think about the SolarWinds attack, or had you something else in your mind when talking?
No, strangely enough, I was thinking about SolarWinds, but I believe that that was successful because they got through service accounts, and by hijacking those, they were then able to go laterally and plant the malware. But I think that that kind of highlights that, somewhere along the line, a PAM, or the lack of PAM, was not monitoring what those service accounts were doing. So the service accounts were allowed to do what seemingly looked like normal operations.
So that's where a PAM properly configured, or the right type of PAM, would actually then say: hang on, what the hell is happening? Why are those service accounts now being used to go places they shouldn't be going to? So that's a great example of how privileged accounts were hijacked and then used to cause, as we know, an awful lot of damage.
Yeah. And service accounts is a really good topic. And in your presentation earlier today, and also in my introduction, I also mentioned modern agile development approaches. We also had a presentation about the topic.
So DevOps here, especially, where you implement something, you commit something, you deploy something, and then it is running with service accounts, and you have a lot of challenges here. How can a privileged access management solution help here, how do you do the integration here with DevOps, especially, Stephan?
Yeah. So for sure, DevOps, everything which is about automation, is a very important point.
And at least when you think over the next step, the direction where access management should go: the world is becoming even more dynamic, especially for cloud usage. You have a lot of dynamic systems, virtual machines. Sometimes, just for a dedicated project, you need dedicated machines, which will be disabled after. Sure, also an integration in DevOps, let's say, architectures.
So, especially in regards of automation, you can really provision and deprovision machines very quickly. So just in a customer example, we have a scenario where at least hundreds or even thousands of machines must be provisioned just for one dedicated use case. And after it, they should disappear again. And if you have this kind of integration, and here we have at Wallix a very strong API to do that.
You can at least, with DevOps scripts, Kubernetes containers, really raise hundreds or thousands of machines with all the authorizations, with all the users, and then you give instant access to the eligible users. And once, let's say, the work is done, you can deprovision again within seconds. And I think this dynamic is very, very important and will become even more critical to all access management or privileged access management infrastructures. So DevOps, at least the advantages of the automation, is a huge opportunity.
Perfect. Thank you.
Yeah. And I think, within DevOps, you're talking about the sort of service accounts, but times like a million. Every account, every machine. So it's a huge, huge challenge, but...
So Amazon is delivering something.
I knew that would happen. Customer will want to order. That'll be the developers one second.
Okay. So maybe we proceed with a question towards Stefan: what to consider while authorizing access to business-critical information on the basis of identity? What would you say here?
I think business-critical information, this is especially what you have to protect, and this is at least also very clearly stated in nearly all of the main requirements of the European GDPR, for example the protection of person-related data. And you also know there are big penalties, if you are not missing them. And at least it is all about access, I would say. And an IT infrastructure is only then efficient and valuable for an organization when you can really interact with it. And this is not just critical assets or critical data.
It could also be a fully digitalized business process. And if you have the chance to have a canalized access from different roles to exactly the right information, you can also bring a real additional level of cybersecurity to it. And I believe that really critical information should really have a strong protection through access management, which is a dynamic security placed directly where the information is. But even furthermore, this is not just about data centers or even clouds.
This is also happening on every individual workstation, on every individual laptop, where you also have critical information, critical applications running, or sometimes you even have applications, legacy applications, which do not have the right security mechanisms anymore because they are outdated, but are still important. And this is why we need to have access management on the endpoints as well.
The big expression here is endpoint privilege management, where you can also control accesses on a process level. For example, even a ransomware: when you get a ransomware, it starts to encrypt your machines. Everyone knows that. But what is really happening there? Even when you have a ransomware on your machine, on your workstation, the first thing it normally does is try to get access to the encryption library of your operating system, because normally they take your own keys.
Some others, for example the DearCry ransomware, are working a little bit differently, but all the time there is also an access on a process layer, inside even a workstation. And this is something you can also control and block, if you have a solid zero trust enforcement concept there. And this is, yes, something where access management and privileged access management must be used as well. So critical infrastructure should be protected by PAM or access management.
And that's a good point. Question from the audience: how important is the identity of the device, or your device, from your point of view, Paul?
In addition to what Stefan mentioned, I guess I would go back to, again, something I mentioned earlier in the day: that identity, I think, is becoming key to giving access. But like in the case of the service accounts, we need to be absolutely sure that that identity is the right identity. And then you need to allow that identity to the risk of the task that they're trying to undertake. So it's up to the PAM solution or the PAM vendors to ensure that the identity is the right one.
And that, I think, is the real challenge, but I think it's better than just having standing privileges, which is what we have now, which allows identities to go in and out without ever being checked. So I think we need to move to a more dynamic PAM, a less static form of PAM, so that identities are allowed into the access part of it, but only once they have been totally verified. And that's why I think companies like Okta, and why companies like CyberArk, if I can mention, Wallix, I try to be fair.
You see, I can't just...
So now you have to name all the others too, Paul.
Yeah.
Yeah, for sure. And the other 24 vendors.
Alphabetical order, please. ARCON is the first one.
So, to get back to the point of identity, it is increasingly becoming part of the process to manage privilege.
Yes, Paul, the headline of the panel is, my Latin is horrible, I'm sorry for that. It means: where are you? Where are we marching? The Latin translators? Where are we marching?
I looked, you see, Google is a wonderful thing. Perfect. Coming back to the headline of our event of our panel, what future development do you expect in that space of privileged access management? So maybe in two years and five years and 10 years or later. Yeah.
Well, that's a very good question. And I think we will see identity and access management and PAM becoming closer together. We will see dynamic and joined-up solutions for things like DevOps. I think that that's definitely coming, and we will see a lot of the things that I mentioned earlier. We will see much easier-to-use PAM. So companies like Wallix, for example, here, will be able to hide the stuff on the inside, but present a user-friendly interface for people that have to administrate PAM.
And I think we will move away from sort of people being PAM admins, but we will perhaps have people that work in different lines of business, perhaps, say, human resources or marketing or finance, which also will be able to give people in their own teams access to what they consider are secrets. And I also think we'll see more joining up with data governance as well, so that you will have sort of an alliance between allowing people access to data and governing that data. And also that would then interplay into things like compliance.
Stefan, so also the question to you, and also the final statement from your end: what future developments do you expect, you as the responsible person for Wallix, especially with your experience?
Okay. I think one point is, I believe, very clear. So even in the future, there will be interaction with any kind of digital data, whatever the interface is, but at the end, there will be an interaction with a user. It could be a human, it could be machines, could be privileged, could be standard, whatever it is, an interaction will always happen. At least since the digital life is going on.
And for this, you will still need access management that you have this kind of control. And this is why I still believe it's a very strong security because it's a security layer directly where the data is located.
And I believe what we vendors have to do, and where we are still in a very good developing mode, is for sure to have, let's say, the full support of cloud services, which are already provided by the different cloud providers, that you can use the optimization of the clouds, that you have at least an interaction with many, many, many other cybersecurity or even infrastructure devices, that privileged access management will be fully embedded in this kind of security infrastructures.
But I also think that this principle of the password vault, which many of the privileged access management solutions are still using, which is more or less an on-premise platform where you have the access credentials stored, I think this will also change and will move to a more dynamic system. I believe it will go in the direction of identity federation, especially when you have different cloud areas that have to talk to each other; you need to have a trust to each other.
And I believe that the PAM future will be very cloud-oriented, very closely integrated in everything which is about automation, like DevOps. And we will see far more in regards of identity federation, because this is really, let's say, a good principle where you can really bring together organizations, departments, where there's a level of trust between each other.
Perfect.
Can I, can I just quickly, sorry, I don't wanna go...
Paul, you will cause a delay again.
Yeah, I know, but I just do wanna pick up what Joseph Carson, Joe Carson, said earlier: it's also much more gonna be about allowing people to do stuff. So yes, forget about the privilege. It's about allowing people to do their tasks. That's it.
And transparent.
Yes.
Perfect. So thank you very much, Stefan. Thank you very much, Paul, for this really great panel discussion, for these insights into how you expect the future of privileged access management. I will not say the statement, and again, we all know I'm not able to do it. So have a good day. Both of you are available in the networking lounge. So especially to the audience, if you have any further questions, they are happy to answer them. Thank you very much, Stephan. Thank you very much, Paul.
Thank you, Christopher. Thank you.