Good afternoon. My name is Morey Haber. I'm the Chief Security Officer at BeyondTrust. We are a leader in privileged access management and identity security. As for myself, I've been with the organization 19 years, more of a career than a job, and I'm also an author of multiple cybersecurity books covering identity, privilege, vulnerability management, and various ways to protect the cloud. Pleasure to speak to you all.
Hi everyone. Frank Schmering from Saviynt.
I'm with Saviynt as a senior solutions engineer, now for three years, covering IGA-related pre-sales activities and PAM activities throughout the different modules that Saviynt is offering on its SaaS platform. Thanks to all for the attendance today.
Yep. Matthias Bauer, One Identity, more from the governance side as well. I'm one of the inventors of what is today One Identity Manager. I'm living in Berlin, have been working in this space for quite a number of years, and am now integrating our PAM solution as well. So that's my job in R&D.
Oh, thank you. Well, I'm Anil and I'm from Arcon, and we are primarily a very strong privileged access management solution company. I strongly believe in the converged identity fabric that we're likely to see today. My role is that of a chief mentor, and what I really do on a daily basis is evangelize, look at the roadmap, and try to create a vision. Wonderful to have a lot of my colleagues here, with a lot of wisdom in this room. So, happy to have an interaction with all of you. Thank you.
Excuse me.
We have... are you on the panel? Yeah.
Oh, I very much apologize. Well, please join the panel.
Wait five minutes.
Oh, we started early somehow.
That's because of that.
So please introduce yourself.
Okay, sorry everyone, because I waited for five minutes. But anyway, my name is Filipi. I'm a security researcher and cybersecurity advocate at senhasegura, and we are here.
So we have a number of leaders in privileged access management represented on this panel. No questions yet from the audience, so let's kick off with a question that I wrote, which is something that I've been grappling with recently: privileged workloads. And "workloads" is something that can have lots of different meanings. Microsoft uses it in a different way to other people.
So, but I think we're really talking about software identities or machine identities, non-human identities, whatever you want to call them. But what we can perhaps agree on is their influence now on the future design of PAM. So I'll start at the end here, and maybe you could give your thoughts on... oh, you don't have a mic. Hang on.
Okay, thank you. How is the software identity thing affecting what you are doing at senhasegura, for example?
Good.
Actually, when you talk about workloads, this is an interesting thing, because we need machines and people to access them. And it's so complex, because one user needs to have the permissions and needs to have a policy and a rule and a group. So I mentioned three things here. And each of these three parts has a relationship.
So you can imagine the relationship: if we have a company and we have a workload, they need to give access to this workload for one user with those three steps, like a rule, permission and access. How complex is that? So when you go more deeply into privileged access management and manage this whole access, it's easier to protect the company. It's not, of course, a silver bullet, but to make the attacker's path more difficult is to go more deeply into this. But the relationship is the point here.
So let's suppose that this room is a kind of... can you see how many relationships we can have between each one here? So that's the key.
Thank you.
Yes, please, Morey. Yeah, sure.
So we take the concept of a workload, represented as an abstract concept. We like to call it jobs to be done. What is the task that you're trying to perform? Where is it operating: on-premise, cloud, automation? Is it machine or is it human? And it complements what my colleague has stated, but the word "workload" has that definition problem, as Paul has indicated. So think of it as a task, a job to be done. And then what is the foundation that is needed in the concepts of least privilege? Just enough rights to perform its function without excessive exposure.
And that's pretty much the function of PAM. You never want to give everything too many privileges, or it can be a liability. So think of the task, the job to be done, if it's in the form of a workload, and how do you abstract that down to the least common denominator of how it succeeds.
Let's just go down the line. Yeah. So next to Morey.
Oh, okay.
I echo what Morey said, and of course my colleague from Saviynt. I think fundamentally, if you were to just take a step back and try to understand what jobs mean and what privileged identities mean, and whether they are going to be important for the workloads and definition, I'm saying let's just go back to information risk management. What does it mean? Need-to-know and need-to-do basis, right?
So anything that we want to execute as a task or a job, I think fundamentally what we are doing is: do I need to know something, and do I need to execute something or need to do something? I think if you were to look at identity management, not necessarily only privileged identity management, from that perspective, I think our jobs become much, much easier, right? So I think it was well said that we could break this down as tasks and jobs, but I think the fundamentals of risk management continue to stay. And I think privileged identities for workloads are not really important.
I think it's a necessity that you look at it today. I don't know.
Frank.
Also towards the policies which are assigned to the workloads, right? They are just attached to a particular workload that needs to be executed or tasked in a certain way, or to however many workloads it's being configured and permissioned for. And this is the primary aim of privileged access management.
Well, we talk about the buzzwords, right? Zero trust frameworks, zero trust initiatives. You mentioned least privilege principles.
Well, what kind of policy is assigned to me as a particular identity, whether I'm an internal employee or a third party that needs to access the particular workloads being attached to a certain policy? So whether applying a single policy per workload or grouping a policy for accessing a variety of different workloads is the fundamental aim that we are stressing also within the Saviynt PAM solution, and that everyone is stressing within their respective PAM solution, in order to gain the visibility. Yeah.
And then we'll talk about not only the accessibility, the zero trust principles so to speak, but also the continuous compliance that I require. And that is the foundation of the underlying security model, which describes my zero trust framework or the least privilege principles, which drives my security compliance and security regulations within the company.
Thanks. Finally, Matthias. Yeah.
Hardly anything to add, but I think when we are talking about modernizing or using modern terms, PAM in the very traditional sense (don't kill me, please) was very static, saying you have here some privileged account, you get access to the privileged account by checking it out, whatever. But today it must become more of a task-driven thing, that policy-driven thing. I think you said it in the session before.
And then I think this is the important part: that we get from that really static assignment of something to a task-driven, dynamic approach of accessing privileged assets, things doing privileged workloads, regardless of whether you are a human being or a machine. Okay.
Morey, did you want one final comment? Okay.
Any questions from the audience on that topic? You're all happy?
Oh, yes sir. Please, could you just say who you are? My name is Eddie, no. Hi.
In Sweden. Well
Handelsbanken, yeah. Yes.
Yeah, we did. That's a great tip. Thank you. That should work.
Thanks. Well, you guys just mentioned a lot of terms and a lot of stuff connected to the workloads, but what it all ends up in is what you guys do to support and secure the machine workloads, because you do different things. It's very difficult for us to figure out who does what. Actually, it is firstly difficult to figure out our needs, what we need, and then what you guys do to support it.
But now we had a PAM investigation and a secrets management investigation, and we actually ended up connecting the two. We figured out that PAM people are doing more and more secrets management, but there are traditional secrets managers like HashiCorp and such. How far have you guys come on the way?
I mean, what's your argumentation? Why should I choose the PAM solution for the secrets management instead of a dedicated secrets manager?
Okay.
So your question, I think, is why should you choose PAM over a dedicated secrets management tool? Yes.
Okay.
Yes, that's right. Yeah, thank you.
Do you want anyone particular to answer that?
Take it up quickly, and then I'm sure... Okay, there's lots to talk about, because I think this is a fantastic question, and I think we've got 30 minutes. Nice. Generally I speak a little more, so maybe I could keep speaking, but I'm saying the bottom line, and the short of the long story, is that this discussion has come up several times in terms of, you know, why not just use HashiCorp, and why use PAM solutions?
I'm saying the simple answer to this is you would need to figure out whether you're talking about interactive and non-interactive identities and stores and vaults. Fundamentally, I think the PAM that we see, which has evolved, has the ability to do secrets management, I think one-on-one with HashiCorp or anybody that one could think of. But having said that, you would need to look at it in your organization more from the perspective of: do I need it to be integrated?
And fundamentally you would need it to be integrated, because you would need to take interactive sessions, and, like my colleague and friend Morey said, you would have tasks and you would break them down, and tomorrow you'll probably have a playbook coming up on a PAM solution, right? If-then-else. And if you were to do that, then you do not get into a HashiCorp and inject and try.
Well, we love competition, so this is not trying to bash competition, but what I'm seeing is the more integrated it is, the better it eventually works for you. So if you were to ask me what do you choose, of course we're going to say you choose the PAM solution, but I think you may want to divide it between interactive and non-interactive.
I don't know if...
I think Anil's approach is sound, but I will basically reiterate something we've seen in all industries for software for years. Twenty years ago you bought antivirus, then you added spyware protection, and then it became one solution. Secrets management, privileged access: two solutions. Up until about five years ago, that's where HashiCorp started. PAM and secrets management have converged in the IAM space to be one solution. So you will find PAM vendors offering good secrets management, maybe not as good as a dedicated vendor, but more than good enough for the task.
And you'll find the secrets management vendors starting to get into PAM so that they don't lose their marketplace. The question becomes, are they good enough for PAM? And, biased answer, but I will be fair: most of us have been in this industry for more than 15 years. They've got a long way to go to catch up to be a PAM solution. It's not as hard to make a secrets solution as it is a PAM solution. But a single solution has multiple benefits, as my colleague has indicated.
Please, that's it. You know, what is best depends on your business. So you need to make your job easier. So if you can integrate into only one, it's easier to manage, you see, and, as we talked about, the tasks and activities and multiple relationships. So we need to make your job easier. So if you have a core solution and you can manage the secrets and, for example, lifecycle certificate management...
So more automatically, because you need to automate your process. For example, you need to look at the DevOps teams, the CI/CD pipeline, other things integrated. So how can you manage it? If you have more than one tool to manage it, you can find more space to break your pipeline.
Okay, maybe one final comment from...
One question on the other side, going back to the roots, right? Secrets management, workload cloud security: two different topics, right? The approach for taking PAM into those infrastructures is totally different. And while secrets management was introduced 15 to 20 years ago, it was another process for dealing with the secrets, talking about rotation, et cetera.
Well, the new way of dealing with security and the cloud has shifted dramatically. And as you just mentioned, trying to combine the management of secrets management and the new way of profile authorization management is a new way, which we are all in the same business for, obviously competing; everyone has a good solution, and it's just a matter of what solution is best for you, Daniel, at the end of the day, since you will keep your on-premises infrastructure for secrets management for still some time, right?
Well, then the cloud adoption is expanding more and more.
You're leveraging AWS, Azure, GCP in a much more common way. And then we are coming back to the first question: workload security, policy-based security is the main instance, and the difference between those two initiatives is dramatic on the other side.
There is one solution at the end of the day that needs to fit your requirements for dealing with the new authorization management, profile management, privileged elevation in the cloud towards asset infrastructures, virtual infrastructures, compared to the secrets management of requesting traditional access to a particular secret in your on-premise infrastructure.
Great, thanks. So...
I hope that helps. I just wanted to probably add... oh, he wants a quick one.
Okay, quickly: I think if you look at a vault, you would probably also want to look at secrets management. You'll probably also want to look at a high-velocity vault. And that becomes very, very important when you're talking about workloads in the cloud, right? So you would want to just cut the biases out and get the solution right. You may have to look at secrets management from the perspective of: do I really need a very high-velocity vault in the cloud?
Which goes all the way to your database secrets or script secrets, or you're able to have a container spin up and you're still able to maintain all your secrets, right? So you'd probably also have to visualize it from that perspective. And I'm saying all of us probably would have a good amount of secrets management, but from your perspective, you may also want to look at that piece, which is likely to become very, very important. Yeah.
Okay.
So it kind of suggests, and this came up earlier on another panel that Morey was on, where someone said, do we actually need PAM anymore? And I think there is a subtext to all of these kinds of questions, and I think the answer on that panel was very definitely yes. But PAM fundamentally is changing. I think we've done enough on that question. So any other questions from the audience on anything to do with privileged access management, pain points or anything? You've got five leading vendors here, so now's the time to interrogate them.
You won't get this chance again. You can't ask yourself a question. Okay.
No, I will do a question, actually. I would like to bring a discussion for the attendees. For us, I think it's interesting, because we are talking about the future of PAM, right? And probably we already heard about CIEM and other letters, so let's say it this way, right? But we already heard about zero trust, but the question is: is zero trust a tool, a concept or a feature? So is it a tool?
What did you say?
Yeah, is it a tool or a feature? Okay. Or, I don't know, requirements. So I would like to bring this discussion to the panel, because, so, how could we, if it's possible, because it's a discussion, right, correlate the PAM solutions or CIEM and zero trust? Because from my point of view, zero trust is a feature that you need to implement using different tools, right? That's my opinion, and this is one of the ideas, so I would like to hear more from my colleagues. What do you think about that?
From what angle do you want to discuss zero trust? There are various ways of approaching that.
There's so much spoken about zero trust, I've simply lost the context of zero trust also. Maybe Morey, or maybe you would want to pick that up, Matthias.
We can, because we had a short discussion around it earlier this day. Yeah, zero trust became more like a buzzword. There are other terms for it, maybe, let's say, least standing privilege or just-in-time activation of a privilege.
I think this is more the concept that we are talking about in our world of zero trust. Zero trust overall is more a concept that affects more than just governance or PAM; it affects the firewall business, it affects the entire business in the end. So in this discussion here, it's just a small part where we can break it down to that kind of least privilege, policy-driven and just-in-time.
Okay,
I think this is where I would start from in the discussion here, where we had to go with PAM, and, well, I agree, please, the convergence...
None of you have actually said "now with zero trust included in your product." So that's...
It is not.
It's a concept. It is not a tool; it's not something you can purchase. If you've never looked at NIST 800-207, it provides the guidance and tenets and principles for it. If you look at NIST SP 1800-35 A through F, so there are five documents, focus on C. It tells you how to take a product and do a zero trust architecture to actually deploy it in your environment. But that still doesn't help.
Back in October 2022, the United States Department of Defense created a document that has 152 security controls, most mapped to NIST 800-53, that say if you're doing this, you're doing zero trust. So we now have a definitive way of actually saying yes, you are doing it, without the tooling. I caution you, however, that when you start running through those controls, you're going to find some of them are near impossible to implement. Do all identities in all accounts, identity behavioral baselining.
There's no tooling out there that's going to do baselining for every account in your environment, machine and human. So the goal of zero trust is quite high, but it is now well defined. There's great documentation out there, and from a vendor perspective, I think all of us can help. But it is not a tool. It is a goal, a strategy, and it now has official controls behind it.
Fantastic.
Okay, another question perhaps. Morey, by the way, impressive that you actually know the numbers of the NIST papers, not just "NIST". That's truly impressive, if you know the numbers of individual NIST documents. Fantastic. But NIST is actually, I agree, a great resource. More questions? If not, then I'm going to switch to data governance. I have suggested, and I'm going to talk a bit about this later on in my bit of this track, that data governance is creeping in as a potential capability and need for privileged access management.
As in, how can you protect the stuff that you want to protect if you don't know what it is and where it is and whether it's worth protecting? So I'd be interested in your views as panelists, as vendors, on whether I'm completely bonkers or whether you see that data governance could have some impact on the market. So I'll start with you, because you just can't stop yourself.
No, I love the topic: data, data protection, data governance. You know, eventually all of us are trying to do what? Whether it's least privilege or entitlements or all of that, all of that confusion only leads to one point: how do you protect the data, eventually, right? And for example, I think most of us have endpoint privilege management solutions here.
And I think one of the main key focuses of our endpoint privilege management, for example, and I'm sure my colleagues will talk about it, is trying to learn, identify, classify, and understand data and data models. And I believe that the future of security, at least in the next five or ten years, is going to be identity-centric and contextual-data-modeling-centric, right? Contextual data means, for example, we are sitting in Europe, so I may have your phone number and you may have mine; you may need to protect it.
I may not need to protect it, right? So that's the context.
And if you take a deep dive into the context of what you're working on and who's working, and the data is generated by finance or marketing, I think this is an amazing subject, right? So I think one should look out for data governance, and I think probably you'll see trends coming in the EPM solutions trying to touch on the data points and the data governance points. I don't know if my colleagues agree or not, but I'll put it back to them.
Yeah, but...
Where's the data stored, on you?
The data stores are of course in the databases, and the next data stores are on all the machines that you carry, whether it's mobiles or tablets or computers or PCs. So you have elements sitting in all of that. And for example, the way that we do it, we squeeze every piece of data and put it on an anl box. So how much do you do? Where do you go with that? It's a question of time and place, and we'll probably see where we are going, but I think it's all over.
Yeah.
But of course, at the end of the day, it's certainly storage. Whether we are talking about regular cloud storage or on-prem storage, it's primarily around the cloud adoption. We are talking about our S3 buckets, Azure storage, which are workloads at the end of the day. Which brings us to the initial question about workload security and policy-based inline provisioning, where data access governance is a huge topic also in the future of PAM-related questions.
However, driving the compliance controls around the workload security is the more effective way, rather than integrating data access governance solutions naturally; behavioral analytics is a totally different topic. However, the workload security: how can I make sure that the databases are encrypted in a proper way? How do I have the compliance controls around the NIST standards applied to it, or Swedish regulations from the banking authority, right?
What kind of storage can I use, and how is it being controlled, how is it being effectively secured at the end of the day? That is the main question, rather than integrating or looking at every single file, looking at the sensitivity, at the level of maturity at the end of the day, right?
Right.
So I play with you, but you know, the different approaches that one would look at: the way that you're looking at it is trying to protect the data at rest in some form, right? What we are talking about is: is there a way that we can contextualize data and try to protect data, and does that fall in the realm of what we are trying to do from an identity or a privileged identity perspective?
So again, if I were to take Morey's views in terms of a task, and if the neper eventually... well, there's no right or wrong answer, but eventually would you get to a position where, if this happens with the identity, then this is what you do with the data, or not do with the data? Are we likely to reach there, not likely to reach there? I think that is a question that we'll probably have to eventually answer.
So I don't know if anybody wants to, but...
If you're talking about data governance, isn't the first step really to discover the stuff that is to be protected? Because this becomes more and more the big problem from my perspective. In the early days we had files and folders somewhere locally on-prem, then we had SharePoint sites or any kind of CRM solution, and now we have cloud and tons of buckets, tons of machines dynamically spun up and down.
So I think the first part is really discovery, and putting in place absolutely clean-up and governance in the end first, before we can really protect it. And I think this is the first piece where less the PAM vendors, sorry, but more the governance vendors come into place to help there.
And I think, yeah, we're doing it. There are other market companions who are doing it meanwhile. So I think this is the first step: identify and classify the data, and then classification is the next topic.
Can we automatically classify Word documents? So far I've not seen any solution really being able to do that by automation, or it all stopped and basically it still comes down to, okay, we have a rough classification and you have to add it, tag it, and then you get a...
Yeah.
I mean, I'm not suggesting that data governance should be tacked onto PAM and you do everything that data governance could do. But the reason I thought about that was because there is at least one data governance vendor, not one of the big traditional ones, but a sort of startup one, that is adding a little bit of privileged access to its tool. Which is why I thought, oh, hang on a minute, this is getting interesting.
It is getting interesting, and I think there's a definition problem.
I'm a stickler for definitions. Yeah, yeah. Data governance versus data loss protection versus data discovery. Data governance is the protection of data, or discovery of data, for where you know where it is. Data loss prevention, to my colleague, is: I've identified it and I want to make sure its workflow doesn't egress on an improper path. From a PAM perspective, any place that you have the storage of data, you need to protect it from privileged access.
Because you never know exactly what's going to be there at any given time, or if it's going to be maliciously used as an ingress or egress point for malware or for data. So an S3 bucket, you protect it no matter what. It always should be locked down; it should never be open. That's just a security best practice. Now, its contents can be a part of data discovery, and if you're worried about egress, even from a USB drive, that becomes DLP. DLP is not PAM. And I would question all of you, or ask all of you: have you ever seen a DLP implementation really work? I personally have not.
Yeah, that's the point. When you talk about DLP, the first step is you need to classify who the document owner is. And I would like to add some views. The first is the attacker view, the attacker view. Because at the end of the day, when the attacker tries to exploit some victim, the idea is to gain access at the first point, the entry point, and after that they will try to escalate privilege. It's a simple step when you perform some penetration testing or when you're suffering some attack, okay? And this is one point.
So at the end of the day, they will try to collect this data, depending on the governance or whatever. The second one is: PAM is based on privileged access management, so if you think of this from the attacker's view, what privilege? So if we have a solution implemented to protect using privilege, it makes sense to use them together. That's the point, to use some tools or protections.
So we need to try to think how the attacker thinks. Maybe it's difficult, but we need to think how they think, because when you understand how they think, ah, okay, so this is the way they try to get in, so I need to put some sensor here, and you can increase... you need to make the attacker's way more difficult. Simple like this. Of course it's not simple, but you know.
Yeah.
For, for attackers or, or whatever. That's, that's, that's I agree. But how do you pre prevent me from putting in the axle with a list of next hundred people to be fired on my personal one drive that I have as part of my office 365 license and share it with 20 people
Solution.
There is no solution for it. Not yet.
Okay, another question from the audience, although we, we have not actually had you yet. I don't think so. I'll go back to some questions that I've thought up. Okay. Something else that I've seen recently in researching the market is actually, there's still a significant percentage of organizations that don't even use pam. And there is a tendency for organizations to rely on traditional things in active directory or Azure active directory, or they just use generic identity and access management. So I'd like to ask the panel why they think that is.
Why, why is, why is there such a low in, you know, in relation to everything else, a, a low take up of PAM still
That's good for
Business, right? It's, it is good for business. There is a, in some senses a, a low take up of Pam as Paul has indicated. Some companies have actually engineered in from the ground up the need not to have Pam.
Many startups in the last several years understand security best practices and have started with standard user accounts or they've secured things using native tooling or stick stuck strictly to a specific vertical in terms of their technology that the concepts are embedded within the technology that they started using. PAM can be used for legacy, it can be used for cloud, but generally it's for places that there is no native solution.
Now I can reference one company, I won't give the name, but they are very large cell phone carrier in the United States who doesn't use Pam actually they've removed it and you go, how did they successfully removed it?
Well, they went grassroots and they said, we're not using Windows, we're not gonna be using Linux. We are going to go X suite of products and we are going to go Chromebooks for all 50,000 people that are in the field. There is no concept of Pam. They have a problem with the machine. They closed the lid, open it up, and it goes back to its firmware state.
They eliminated the basic needs from the end user community and many of the services because they rethought of their architecture in a way. Now that's bad for my business, doesn't necessarily apply to you. You can't necessarily deploy Chromebooks and be successful with your business. But in their case, they decided to eliminate the risk and the potential breach by going back to the drawing board in re-engineering. This has been a five year journey for them to do so. So far has it been successful?
Yes, but we don't all have that luxury. I can't do it internally even for my own teams, but other companies can. So there is adoption reasons, whether they're startups, whether they're siloed to a specific stack, whether they've gone back and re-engineered their entire workforce that do suggest a need to not have Pam, but in essence they're still following the least privilege. They don't have admin and root accounts and privileges are not a problem for them.
But I are there not too many moving path for them to be probably able to achieve something like this in a larger perspective.
What I'm saying is they would still eventually need a PAM, right? There are too many moving parts.
There may be a need in their backend, but when you talk about a 50,000-person sales force, the need for that individual sales force person for an endpoint agent, for privileged access, for a safe, that need has been completely eliminated.
Interesting.
Because I think again, there are a lot of connotations, but I'll just go back to basics and say that when you look at your laptop, and we've protected all the administrative IDs, and you know, I'm just trying to go down, like he said, you know, maybe in the back end they would probably require one. I'm saying, did we ever look at the BIOS password?
I mean, did we even think about it, to protect it or whatever? So what I'm saying is there would be something eventually, when you go a little deeper, where I think a PAM of course is a requirement, and I'm hoping that, you know, this company would again probably require the PAM solution, but there are too many moving parts.
So again, the long and short of it is that I think it's a necessity today; the market has been evolving.
People have faith in people. So typically, why people have not been investing in a PAM, and you know, I've been talking to a couple of CIOs and stuff, and they say, hey, you know what, I know these 20 people who are working for me, so that's fine. And if you go to a little smaller shop, I know the set of five people who are working for us. So I think it's been more faith in the past, but I think that's something that we cannot escape from.
So probably, I don't know if Matthias or anybody agrees or not, but...
Yeah, I think when you ask for the reason why companies don't have it, one is really, the smaller the company gets, it's always those two people who have all the access, and those two people I trust and they won't do anything wrong. Absolutely. That's one thing. The other thing is probably a focus on certain applications only from a C-level perspective.
So we do everything in SAP, and for SAP we have the firefighter concept, and we are done with PAM, I think. And I think the necessity for PAM is growing now, with more applications not used on-prem but spread out. Even with SAP, they're trying to bring it to SuccessFactors, to S/4HANA, stuff like that. And then we have DevOps in the end coming up more and more, and I hope, and I think, PAM is very much a growing market in the future.
Yeah, much more than probably IGA is growing, from a percentage perspective. Because more and more companies will find that they have this requirement of using PAM for more than they did before, where they had the, well, it is built into the application.
It is a growing market, please don't get me wrong. But there are companies that have engineered, to Paul's question, ways of avoiding it or not needing it. And if you have that ability to do so, it's been done.
Yeah, what I was getting at really, Morey, was that there are organizations that are kind of ignorant, maybe. So yeah, I can understand that there are organizations that can do what you've just described, but I was thinking more of those that are relying on Active Directory, or even, you know, the cliché about a spreadsheet for the passwords and things like that.
That's where I think the growth is, there's still growth there, and you know, because those organizations have so much complexity, the idea of them doing what that company did is probably, you know, unrealistic. So sorry.
Yeah,
Yeah, no, I will mention exactly this, because if you think about the attacker again, when they gain access, the first step is post-exploitation, where you try lateral movement, okay? Or try pivoting, a kind of jumping so that you can move into different networks inside the environment. So if you have DevOps teams and need to give access to these teams, you know, because nowadays we need to create our products faster, this product is created in the cloud.
So if you are looking, for example, at AWS, you have a bunch of permissions, more than 6,000 permissions on AWS. Only AWS I'm talking about, okay? So if you are looking at the IAM service on AWS, you have specifically write permissions, the second one is just read, and another one is policy management.
So you can disable all this if you put in one specific checkbox. If it's enabled wrong, the attacker can use this one specific permission to access the environment and to change some policy. So that's the point here.
Because of that, the point is it's necessary, not only because of that of course, but because the attackers are increasing and we need to protect, we need to be updated on these new attacks. And if you see, what I mentioned about the policy is not a zero-day, you know, not a vulnerability, it's a misconfiguration in the cloud. So we need to manage those privileges.
Who is responsible for access? Each service, each program or app. So that's the point here, it's necessary.
Any more? We have a question. Ah.
Oh, you, oh well, thanks to you. Thank God you're here.
Oh, hang on, I'll get you a microphone. Handelsbanken.
You see, you can rely on... I'm one of your customers, so very pleased to meet you. Oh,
Aye. All right.
Alright, so now that you know that we have good security thinking, yeah, yeah.
I'm glad you're here, you'll stick with us.
Well, speaking about organizations, the thinking that maybe they don't need PAM because they already deployed this and that, and this and that could include MFA and SSO. So I already talked to MA about this. Traditional PAM is focused, let's be honest, on user and password.
That's, you find the password, you lock it, you take it, you don't expose it, and you rotate it. So, but alright, at Handelsbanken the majority of access is done with MFA. So with good certification of who you are, smart cards, and then SSO all the way to the target.
So there's nothing to look at there. Maybe some things. So now I know that there are different strategies for this, just-in-time and things like that. But people may think that this is enough. So our security officers in Handelsbanken said, you can do PAM, but don't destroy MFA. Don't put it in the way of the MFA. So I'm actually missing a focal discussion. There's a discussion about just-in-time, about privilege elevation, delegation and stuff like that, but not actually telling what it is addressing.
You know, this problem: you say PAM is good for security, but then you say no MFA, but you should do MFA and SSO. How does it fit together?
Well, you're referring to the endpoint model for starters. So on an endpoint you authenticate, you use MFA. If the user is operating as a standard user and has no need ever for anything privileged, there is no reason for PAM on the endpoint.
No joke, there isn't. Unfortunately, even in modern Windows, to change the time or to install a printer, you still need admin rights. This is where PAM steps in. Or if you want to do things for step-up authentication, you want to integrate with, let's say, Microsoft Hello so that a certain command does revalidate you, then you're back to the PAM world. There are very few clients, in my opinion, that have successfully put MFA and SSO in standard user and there's never a need for an admin right.
Ever, ever, ever. Modern Windows still isn't there, Mac is even worse in many ways, and this is why I go back to the discussion about Chrome, because there is no concept of privilege in Chrome.
It depends on the use case, right? Exactly. And endpoint access as well as administrator access for maintenance.
The other topic, right? When I do gain access through an identity provider leveraging MFA, and then we can just extend that discussion towards the new FIDO kind of authentication mechanisms, as well as the passwordless initiatives, which are currently a certain trend, right?
But again, use case: do I have external third parties who need to gain certain privileges through MFA through an identity provider, which gives me access to a certain shell or to a remote session, whether shell or RDP access, or do I have my maintenance guys, operations guys, in my own data center, standing in the data center itself in front of the terminal, and they require privileged access? So there are a variety of use cases, right?
While standing in the data center in front of the machine, how do you want to gain MFA and IDP kinds of authentication schemes? And as a result, at the terminal, the guy is standing in front of the terminal. There is other management that needs to be put into place, where PAM kicks in, where legacy PAM kicks in, and where again modern authentication mechanisms kick in, right? Where the entire passwordless log-in... Yeah.
And by the way, if you are looking at each vendor, if you're looking at any open source project, one of the main functions that we can find is the compliance check for whether MFA is enabled or not. So why? Because if you're looking at the OWASP Top 10, for example, one of these top 10 is misconfiguration, because someone did not enable, nobody enabled, what is necessary: MFA. So even if you enable MFA and SSO, someone will go there and disable it.
I agree.
And one of Paul's colleagues a couple of years ago wrote a great paper about KPIs in IAM, and this was one of those: MFA enabled, central directory enabled, SSO enabled, whatever, those were part of those KPIs five, six years ago. But coming back to you, I mean, when I was young, and I think probably I'm the oldest here, there was a saying in Germany, the enemy is behind you. Yeah. Today it changed. I agree. The outside attackers are becoming more and more every year. Were you in the East?
No, I was West. But in the end it's still true. That's all the whistleblower stuff, the enemy is behind you and not in front of you. And for example, in an HR solution, let's take Dayforce, yeah, you can log in as a user, you can log in as a manager, or you can log in as an admin. But where's the context by just using MFA or SSO? This is where the contextual thing comes in. For example, do we want to have different kinds of step-up authentication? Microsoft calls it conditional access.
Do we want to have more AI under it, with IP address checking and time of day and whatever? So there are a lot of things that are technically around but still need to be brought into processes, into products and to customers. Okay.
One final comment, 'cause we are out of time, there are a lot of thirsty people here. So I'll give it to you, Anna.
I think, well, of course lots has been said, but I'm saying there's also a key element that one would need to look at if we were to, you know, try and debate between just having an SSO and an MFA, which is of course session monitoring. But let me take a deep dive into databases. Most of the time, and it still happens, small or large companies, you still have backend updates happening most of the time, right?
You go and update the internal tables and you go update some million records, and that itself is one significant white space for us to be able to control. So if there's any question in anybody's mind as to whether Microsoft Azure authentication or an SSO or an MFA would do the job, then I'm sorry, you have hundreds of moving parts and one big white space, the database, if you're not able to control that. Yeah.
If you're not able to understand who's doing what and what backend updates are happening through various means, I mean, we may all have different ways to address it, but that also becomes one of the key elements for a PAM solution. So I think the debate between the haves and the have-nots would probably not work. You have too many moving parts, is what I keep saying.
I mean, you know. Okay.
Sorry, I'm gonna end it now 'cause we are supposed to go for a break. Thank you for your questions and thank you all for listening. But most of all, thank you for an excellent panel this afternoon.