Sure. Hello everyone. My name is Joseph Carson. I am the chief security scientist and advisory CISO at Delinea, which is a company formerly known as Thycotic and Centrify, rebranded. In the industry for quite a long time, based in Tallinn, Estonia.
So, yeah. So thank you. You
Have your own, I have my own microphone. How about that? I'm Brian Chappell. I'm chief security strategist with BeyondTrust. So very similar to Joseph. I've been in security for probably only about 10 years as a primary career, but in and around the IT space for 35 plus, don't reveal. And I've been on both the vendor side, I've been on the customer side, like yourselves as well, as well as in system integrators. So got a good feel for the scope of things that you might be encountering, and over to Nir.
I borrowed that from you. So I'm Nir Greenberg.
I run the solutions engineering in Illusive. Also talked about changes in there. So I'm in security mainly, and Illusive was shifting into the identity security world.
And yeah, I'm in this industry for, I would say, around 15 years, and yeah, it's gonna be an interesting discussion.
Yeah. To move. So we are changing direction again. So Matthias, I'm director of the IAM practice here at KuppingerCole Analysts. I cover the whole area of IAM. And PAM is an important building block of that. So I have maybe a different viewpoint. I'm in identity actually since 1994, when it was not called identity, but directories. So looking forward to that discussion.
Okay. So let's start that discussion. When we look at the market, we see a couple things.
So the volume and the type of the privileged accounts is continuously growing. And we see that in the cloud environments and the DevOps environments. And what we also see is that it is claimed that traditional PAM is understood and established today. So coming to the first question, in which areas do you see the most urgent challenges for organizations in their approach to PAM in the context of these changes?
Matthias, do you want to start?
Oh, that's, that's a hard one. I think I don't care about the areas where it happens. I think we have to look at the accounts that we do not know of that just came into existence because we just did not realize that somebody did it for some purposes that we did not realize.
Yeah, absolutely. I agree. One of the things in the last couple of years, a lot of organizations have been, you know, fast transitioning to cloud computing, cloud services, and specifically going to multi-cloud. Not one organization I know has a single cloud provider. They are using multiple across multiple stacks. And the challenge they have is that many organizations really try to take what they've done traditionally on premise from a security practice and push that into the cloud and try to replicate what they've done in the past.
But in cloud computing, it's a very different security approach and best practices. So a lot of the breaches we've seen in the last number of years have simply been from taking those simple security controls on premise and putting them in the cloud and trying to make them work. But when you have a cloud strategy specifically for privileged access, you completely need to change your practices and approach to protect cloud, because it is very different.
I always compare it to almost like protecting your garage where you have your car, and moving it to now you've taken your car out of the garage and you put it into a shared parking lot. The security of that is very different. And a lot of those providers might provide different security technologies and approaches to help you, but you need to understand how to implement them, configure them and use them to get the best out of them. So I think that's one thing: organizations moving from traditional to cloud and hybrid, that you really want to get visibility.
You want to know what you have cuz you can't protect unless, you know, it's there.
Do you want to add to that? Really, again, I agree with everything my previous colleagues have said there. It is a challenge. And the visibility, I think, is the focal point of all of our cybersecurity activities. The one thing that does translate from on premise to in the cloud is you need to know where things are and what they are, and the ability to also discover where there are unusual privileges being assigned or allocated in your environment. It kind of reflects one of two things.
You're either seeing a breach in progress or you're seeing some bad practices which are being executed by people within the organization. So, you know, visibility is gonna be the biggest challenge I think for people going into that space.
And again, I'll just add to that. So I think that, you know, when we talk to clients, potential clients, and we talk to other security vendors, you need to ask yourself at what stage along this transition into the cloud you are.
So that's, first of all, that's the first thing. So if you're in a certain vertical, that can be financial services, and you're moving some of your data centers into other places, you need to ask yourself, where am I most vulnerable in this move? And if you understand that you have vulnerabilities in where you're taking your service to, but also you have vulnerabilities by moving to those places, this is an area where you really want to understand what happens right now in my area, in my endpoints, my servers and so on.
And what additional risk am I adding into this movement? So you have visibility over the cloud, you have visibility on the own premise, and you make sure that you have proper visibility into this transition into cloud computing. I think this is a huge challenge that companies do see today when they do decide to make the change, or they're just playing with this idea of moving to this area. So that's my take on that.
But maybe to add to that: you said it as well, and he said it as well, that on premise is understood. But if we think of the, we all as analysts talked about this, this diminishing perimeter design and new attack vectors and working from home, I think at least to revisit their approach towards what happens within the perimeter. And when it comes to PAM, you were thinking of, okay, nobody can get to the system because it is blocked and you just have one way to get into it. And you have PAM there and you have session management and session control. I think this is no longer true. At least it needs to be rechecked.
What's your thought on that?
I would have to say, I don't think that was ever true, just on experience. I think we only have to look across the breaches that have happened over the past five years, and nearly every one of them comes back to one of the basics: bad vulnerability management, bad configuration management, bad privilege management, bad identity management.
You know, I don't know, do we get caught up in the shiny stuff? We want to be monitoring traffic across our network and seeing attacks in action and trying to have SIEMs with machine learning on the back end making, you know, split decisions on stuff that's going on. We're so focused up there, we've forgotten all of the basic stuff that needs to be there, because it is the foundational, that's the thing holding up all the other stuff that's being built.
And until we start getting that stuff right, I think the move to the cloud is all the scarier, because we haven't got the basics right there either.
Yeah. I completely echo what Brian just mentioned, that a lot of the breaches that we've seen are a result of organizations not having the basic best practices in place. I've seen lots of incidents where organizations basically have given an employee local administrator rights, and they assume, I give them local administrator rights, it's local to that machine, it's not gonna impact, they can do what they need to do.
They can install their applications. They can work from home. That employee's happy, done. But I've got all these solutions in place that's gonna stop me from basically being breached. But what organizations don't realize is that for attackers, when they find that single account that's a local administrator account, it's only a matter of three steps to elevate up to a full domain administrator, three steps all from the local account, because attackers know how to abuse the trust, how to get people to do things they want them to do.
They're the greatest phishing social engineers in the world.
And they're able to get us to do those things that they want and therefore elevate up to full domain rights. And we have to look at making sure that we move away from persistent privilege. We have to move away from it. We have to move to the principle of least privilege, or what I refer to as non-persistent privileges, meaning that you just get those privileges when you need them, on demand. And I think that's the practice we need to get.
First of all, get it really well done on premise, because I don't think many organizations, they've checked the box, but I don't think they've fully got it configured and implemented perfectly to really reduce the risk.
Did you get all the answers or you want another one?
Yeah.
Go for, yeah. Yeah, absolutely.
So I think that, you know, to touch on that, I think local administrator is a big problem. I think you have good solutions to go and fix those today.
And yes, they do need to put more attention in those. I think that there are, you touched on unknown unknowns over there before. And I think the unknown unknowns are those shadow administrators that are hiding behind someone set an attribute on that user and gave him change, force change password on all of the users because of a forgotten project three years ago. And then all of a sudden you wake up in the morning and you get ransomed, and then you ask yourself a question. Yeah, but I put this in place and I put the network traffic in place and I put PAM in place. I put all of that.
So what happened there? So I think that the unknown unknowns are critical to monitor and make sure that you cover those as well.
Okay, Joseph, you were talking about least privilege and limiting the space an account is able to move in. We have actually a question from the audience that fits perfectly here. So the question is, what impact do you think passwordless will have on privileged password management tools and on privileged access management, and in that regard,
I think that's a great question. And for me, I've always had the concept that we always misunderstand passwordless, that many people have their different opinions and assumptions of what it truly is.
And what we see today, most passwordless is changing the interaction between the user and the authentication experience. It's moving the password per se, changing it to being a secret and moving it into the background so that the human has less interaction with it. But there still is actually an authentication happening. There still is a secret that needs to be protected, needs to be managed, needs to be known how to secure it.
So, absolutely, passwordless, I believe it's more about less password interaction between humans, and we change what that password context has been. It moves to much more being a provisioning key. It moves to being a backup key, a migration key.
You know, a backup, you get the backup, the secret keys, in order to restore whenever you forget that access. So absolutely the change of that experience is happening, but passwordless is all about the authentication portion. Privileged access is all about the authorization side. And we need to make sure that you actually de-risk your organization and not put both of those into making authorization be privileged.
You wanna make sure that the authentication and authorization are separated in duties, to make sure that you actually can do continuous verification and satisfy the right security controls.
Yeah, I think that's a good point on that confusion about passwordless. I've often talked about the fact that as far as I'm concerned, any byte of any string of bytes used in authentication is a password. I don't care if it's a certificate, if it's an API key, or if it's just a classical password, they're all passwords. And they will all continue to be used in one shape or form.
Because if, I don't know, if something happens to you and your face changes for whatever reason, you need your password to get back into the system, or your camera breaks on your laptop, you need your password to get back into it. They're not going away, essentially.
But when we go into the classical privileged access management, where we're often talking about the backend systems, my server doesn't have a face or irises or fingerprints. I could try and give it some kind of unique identifier, but it's a machine. That box or that virtual machine contains everything that is needed.
So if I can extract that, it's done. You know, for the current time being, they're getting close, but they can't pick a password out of my mind. That's an advantage we have as humans.
Similarly, with the biometrics, you know, there are things they do to make them difficult to overcome. But I think certainly for the back end, passwords are gonna be with us for a good long time in one way, shape or form. And we have to make sure that we're protecting them, because that's the target the hacker is after. They've landed on the endpoint, and they're gonna use local admin and other things to move laterally across your network. But they're looking for the juicy stuff in the middle, and that's gonna be behind some kind of password.
Good,
Good point. Yeah. I think as long as the authentication part is as strong as username password or better, everything else is authorization, as
You can MFA, MFA, MFA, but don't try and MFA endpoints through your privileged access management solution. Cuz now you've got a machine talking to a machine. That's not worth it.
And when you talk about MFA, I think it's really important, but a lot of times we talk about zero trust, and it's important to understand that I'm not a big fan of the name and the term. People probably hear me say it that often, but we need to move away. We need to move to zero assumptions and zero friction. It's about making security usable. And I think that's the main goal, is to make it actually something that people can use and want to use, and that actually provides better security controls and attributes to make sure that we actually reduce the risk.
So I think that's some of the key important things, especially when we talk about MFA: it should be reducing the friction as much as possible and be very much risk-based.
And because the question mentioned least privilege. I'm gonna dive in that direction for a second.
If I may, in that, you know, as you said, reducing the assumptions, reducing the risk, and by adopting the principle of least privilege when you are provisioning users on your environment. So everyone logs in as a standard user, and we elevate the things that they need to run individually without ever affecting their account.
We gain, you know, a few additional protections. Your safety net is now no privilege on the system.
You know, I had questions when we first did principle of least privilege in our tooling. It was like, what happens when someone shuts it down? It doesn't matter. They're a standard user. They've just, as we say in England, cut off their nose to spite their face. And that also means that you've got less opportunity, less risk on that endpoint. It's less chance of that lateral movement. It's just another layer that you can bring into that space.
So, and it's one of those areas that always astounds me, cuz you go, I mean, I didn't ask this yesterday in my talk, but hands up in the audience who thinks they know the first time the principle of least privilege was kind of mentioned in some kind of document. I'm gonna ask you now.
Go for it. When was it?
I think two years back.
Okay.
1975.
It's about accurate.
Okay.
I, so late sixties, early seventies is where I'd put the ballpark. Yeah.
Yeah.
I'd go with 1973, the Association of Computing Machinery in the States. Yeah.
And yeah, it was Saltzer, Jerome Saltzer, one of the architects of the Multics operating system, which I find astounding, cuz Unix doesn't do it, Windows doesn't do it. But the technology's there now to have proper principles of least privilege. I think that's an important one. And it's all about layers, isn't it?
Absolutely.
Yeah. Looking at the time we are already running out of time. No way. Yeah.
I mean,
No one wants to go to anything after this. So we'll just, we'll
Just for sure. We are just going one more.
Yeah, we can go
More. Yeah, we could, but probably we don't want to steal the time from other speakers. So in the remaining three minutes, what is your final statement, your advice for the audience when it comes to privileged access management? Is there a message you want to deploy to the audience? Matthias, do you want to go first?
Okay. We have not touched anything about what Gartner calls CIEM, everything that goes around the high-frequency changes of infrastructures in the cloud.
I think take that later. Start with on premises, but make sure that you have a proper IAM on top controlling all of your identities and provisioning into PAM systems, wherever they are, controlling them, taking care of the user lifecycle that you have, and make sure that the identities in PAM and in the target systems relate to your identity and access management.
Excellent. I'll follow up on that. So the area that I recommend starting is really having a good PAM definition for your organization.
Every organization's different. Privilege means very different things in many different organizations. And I think it's really important to have a very strong definition. I actually created the concept of what's called the PAM matrix. And the PAM matrix is an idea, a methodology to help you get a strong definition of what privilege means for your organization. Cuz if you don't have a good definition, you don't know where to start. You won't know where to go to discover it. You won't know how to basically reduce the risk. You don't know what the risk is.
So start with a very strong definition, and if you go search for the PAM matrix, you'll find my content and you can use that to help you get started.
I'm probably gonna go a little sideways and say requirements.
I was asked this in my talk yesterday, what was the biggest failing I saw on privileged access management projects, and it's bad requirements gathering. You know, by all means, get everyone to send you their requirements, collate them into a list, de-duplicate them, but send them out again and get them to revalidate them. Follow good requirements practice, because that's where you're gonna get to your need. And if you are not solving your need, the whole thing is gonna fall apart anyway. So that's my kind of advice.
I would say, remember that you have a top-down problem and a bottom-up problem, because you can put all the controls in place and then all you need is someone from IT, some privileged account, service account, that just messed everything up, and then leaving service accounts running in your network because someone decided to give it interactive logon in the environment, and then whatever attack, you know, attackers can do whatever they want with this type of user.
So when you think about your security strategy in this aspect, just make sure that you understand your AD, your PAM strategy, your CIEM, you talked about CIEM, all of that portion, but don't forget that there is the reality behind it. So that's something to really think about when you build that.
Okay. Thank you for your participation in that panel. We've heard it, we could go on for probably hours. We have a lot of experience here in the panel, and all the panelists are available at the conference. So yeah.
Get to the panelists, ask them your questions, ask them for their experience. I think they are happy to share them, and that ends our panel. Thank you very much.