So when we look at this topic, and I already started introducing it, privileged access management, you're not alone. There are tight relationships to cybersecurity, to other areas of identity and access management, but also, for instance, to IT service management. And from my perspective, one of the interesting points is when you look at a PAM project, there frequently is a discussion about, is this more part of cybersecurity, or is it more part of identity and access management? And that already shows there is a linkage, there is a relationship.
And so what I wanna bring to you within the next, well, roughly 20 minutes is where these relationships are, and how understanding how this is working really helps you to get better. And by the way, if you are using the KC event app, you will have access from this session to an advisory note that looks at the alignment of access governance on one hand and privileged access management on the other, because governance in some way is about privileged access.
It's about a privileged access of business users.
And the way we manage this with entitlement and privileged access management is also looking at privileged access and other types of privileged access. But at the end, it's both about mitigating risks and there's secure relationship. And there are many use cases my colleague Matthias Rema described in this advisory note, which you can get for free by using the link you find, I believe, when you go to the event app, to my session, and then look at the associated link there. So let's dive into the topic. Before we start,
I want to give you a very quick update or, or definition of what we see as privileged access management. So what, what is our definition or what is the definition for that?
It is a technology that helps managing access of highly privileged users, and that helps organizations to identify, to assess and to appropriately manage these accounts, that might be shared accounts, that might be individual accounts, but it is accounts that have an above average level of privileges.
So my recommendation is always to define privileged accounts based on a risk rating, on a risk score, and having a grip on these accounts helps protecting the critical business process as well as the assets from attacks and fraudulent access. And I think it is obvious, and I've talked about this in a number of previous webinars and other occasions, that the targeted attacks always are after the highly privileged accounts. So we also need privileged access management for compliance reasons, starting with the ISO 27000 standard, where privileged access is part of some of the controls.
So to comply with ISO 27000, you need to have privileged access management in place at the end.
The main reason is really to protect your organization, protect your systems, protect your data against breaches, against attack, and so privileged access management, this is what we are talking about today. It's about these high privileges. It's about high risk, about that part of access which is not in scope of the core IAM.
So which is not just static entitlements, but for instance, shadow account access sessions of administrators, where you unfortunately frequently still have a lack of lifecycle management. If you integrate well, by the way, you could remove that lack of lifecycle management, and the same for request management integrated, and you will get better there. But these are the accounts we look at and try to get better with privileged access management, as well as with the integration into other technologies. So where are some of these integration areas?
And there's obviously the integration into, or with IGA identity governance and administration, when it comes to life cycles of accounts, when it comes to scenarios like someone is the owner of a privileged account of a shared account, for instance, and that person changes the job.
Then the move process in IGA must trigger the change of the ownership. That is where we need an integration. And there are many of these samples, as I said, many of them described in that advisory note. Other areas: adaptive authentication.
So most businesses we see, most organizations we see, are shifting towards adaptive authentication, adaptive in the sense of we support many authenticators, but we also are able to work with risk and context when it comes to authentication. So adaptive authentication is required also for privileged access management. And there's a logic in saying, if I have a strong solution for adaptive authentication, why not using it for all use cases, the standard user access, the customer access, the privileged access. It's an area to look at.
There's, well, there's a logic in doing that. IT asset management. So which applications do we have, what do we have to protect them?
I remember a conversation with someone from a security department of a large organization a while ago, and that person said, you know, we had this security incident and we then first needed to understand which systems might be affected.
And if we want to know what needs to be protected, if we want to understand where might privileged accounts such as system accounts, such as service accounts reside, we need to have an integration with IT asset management, and part of things which are sort of a standard capability within privileged access management is the discovery of such accounts. So if you have a well working asset management, this will become far more efficient. We have the integration with all these cybersecurity key areas, such as SIEM. So source. So around our security operations center, cyber defense center.
So privileged access management on one hand collects a lot of data about privileged access.
That data is relevant for security analytics. On the other hand, when you learn about incidents, about attacks, about other risks, this is important to adjust the behavior of our privileged access management solutions. And some of the vendors also have some privileged user behavior analytics as part of their technologies, which then sort of overlaps with what we do in the security operations center, but which also should ideally be tightly integrated and tightly aligned. We have cloud management as one area.
So when we look at many of the cloud solutions, we have a rather coarse-grained security model. We have a few administrator accounts for many of these cloud services. So we need something which helps us managing this privileged access to cloud services, and there every now and then there are incidents where, for instance, that is also part of the, whatever, the corporate Twitter account gets hacked, which can cause a lot of damage.
So we need to protect all these types of privileged accounts being used to administer, to do critical activities, and corporate social network activity is critical, because it can go fundamentally wrong, to protect these as well. So again, an area where we need to think about integration. IT service management, when it comes to fulfillment, I'll touch this in a little bit more detail later. Remote access might be an area where we need to integrate, where we also might just identify there's significant overlap. So some of the things like handling sessions can be done well with remote access solutions.
And then we have this area of the entire DevOps world, so to speak, the DevOps tools. So who can manage, who can configure the DevOps tools straight. What about runtime environments? How do we protect these? And there's an area which is PAM for DevOps, so to speak, but is really emerging, either as new capabilities in existing solutions or as a separate set of tools.
So we see a significant range of areas where we need some, or where we should consider some, integration of what we do in PAM with other parts of our IT. So PAM is not alone. It's not an isolated technology.
It is something where we need to think about its integrations, and there's this relationship to it. So where we have on one hand IGA with the lifecycle processes, with the access governance, with the access request management. And we have the more technical privileged access management, which is about protecting shared accounts, managing sessions, analyzing sessions, et cetera. So there's a functional distinction. I don't want to read the entire slide, but there are the obvious interfaces between these two areas.
And there are some standard integrations which vendors provide, but there are also on the other hand usually APIs for T as of now that can be used to integrate solutions. And so this is, for instance, for life cycles, for recertification of privileged access, for integrating into mover and joiner process, into leaver process, to ensure that P accounts are removed successfully when someone leaves, and what we really need is to create these integrations, as I said, and again, that hint on the advisory note, which then lists and describes a series of integration use cases.
But there's no doubt from my perspective that we need such type of integration. Is it? So to be honest, not that easy. So is it a dream team by IG and a strange couple? And if you look at a relationship status, then it's a little bit more on the it's complicated side, at least at first impression.
So, but there are things which help us to do that. So we must think in process and policies across these domains, think about how do they integrate what needs to be done there, and also think about adjusting our policies.
So having, for instance, a review process for our PAM related policies, which define who is allowed to access which account, which session, what is monitored in which way. It requires the technical integration, which is sometimes better, sometimes worse. It requires a strong governance and management in the sense of you need to have guidance and then really drive both teams to integrate, to work closely together.
And that sometimes is easier if IT and PAM sit in the same department, sometimes it's more complicated if they are sort of somewhat more segregated, but you need to guide it from a management perspective, from a C perspective, from an I lead perspective, this must be driven and supported. It might also require organizational adjustments, also around who's responsible for which types of S, how do you get the information about what to do? And it requires some maturity level in IAM and IGA as prerequisite. So you should have well defined processes beyond just a level of a legal process.
So there's more in that. And so if you do that, you can succeed. And on the other hand, there is this relationship. So we need to do it because it helps us breaking up the governance silos. It helps us enabling real segregation of duties also for privileged access.
So if someone has privileged access to the system, to the database, to some application capabilities, then there might be a segregation of duty conflict because people might have far too much power on, on business systems.
So we might end up with implementing also segregation of duty controls, for instance, for administrative access. It helps us in improving security. It also gives us the visibility of all accounts of a person. So not only the ones which are managed through IGA by standard. So the idea account the account or whatever, but also all these shared accounts someone has access to, et cetera, and we can manage it. We can remove access, we can secure better than we can do. So we also can identify these overprivileged accounts.
And so various issues such as the re-certification or the handover of shared accounts and stuff like that, some best practice very shortly in the interest of time.
So where can you really benefit? One area is application onboarding, that should be done consistently. So if you have a new application, that means you got new accounts, you got new entitlements, maybe new roles or whatever in your IGA system, but you also have to onboard shared accounts. You have to manage them, do it consistently.
That's one process that, by the way, leads also to the IT service management integration, where things like that should be handled in a consistent manner. It's about the account ownership, already touched this. So who's the shared account in the mover process, ensure that it works. Access again, something which I already touched.
Can you really review all access, including the privileged access, which is the one which is of the highest risk? Segregation of duties across all, and at the end, the overall integration to really create a comprehensive identity and access risk management across everything.
So there should be a consistent approach also, including access management, when it comes to access, to authentication, other things, for all types of accounts. While PAM then focuses on the privileged, IGA has an impact on standard accounts and privileged accounts, as well as access management for all the target systems and applications. So IGA integration is one part, cybersecurity is another, I already touched it. There's a need for providing information to what you have. So PAM is very focused on a specific area of the privileged accounts and their access.
Well, the overall cybersecurity is a far broader topic, but privileged access, as I already mentioned, is of high importance because targeted attacks always are focusing on these types of accounts. So there are interfaces, and that starts with log and user behavior data to be shared. And at the end privileged access management is one control within, or one important area, set of controls within cyber security.
It provides capabilities that are essential for every cyber security initiative.
Again, there's a series of integration points. So where to integrate privileged access management and cyber security for an improved mitigation, SIEM. And so yes, data must flow from PAM into the analytics, into the security operation center to react, but also back from there, for instance, for providing information about new threats, et cetera, which then can be used in the privileged access management tools.
We have this integration with adaptive authentication, which again benefits from realtime information from the security operations center about what are the really critical things. Are there new threats? Are there new types of whatever attacks we need to consider in the risk score within the adaptive authentication? Or are there new things in the context and locations that we consider as being critical? So network security: privileged access management, one of the fields where it's applied is protecting network operator access.
And so this is commonly a shared account, or still frequently a shared account. That's not commonly anymore, but it's still sometimes a shared account access and it's privileged access. So apply privileged access management to every access to what you still have in your network infrastructure. Cloud security I touched, and also protecting the security solutions. So access to security solutions is highly privileged. So you should have sessions which are managed. Next area: privileged access management and IT service management. I already mentioned the application onboarding.
So when you do application onboarding, it is also about IT services that are created. And part of onboarding is something which is in fact some sort of IT service management, and the manual tasks then should be well managed in a standardized manner with an ITSM tool, ending up with onboarding applications to all parts, privileged access management, IT access management and the IT service management, in a consistent manner. The manual fulfillment tasks: you have a lot of things which are done manually, access to data, data.
Again, access management can be integrated with ITSM for the ticketing part. The privileged access to the ITSM tool itself: again, there are privileged activities and there are privileged sessions within IT service management. That's where the PAM solution should be applied. For remote access, very short, there might be some overlap.
So PAM provides functions you also find in the remote access tools, but usually there's stronger management with a stronger set of capabilities. So there are these links, there are these relationships, and what you already should do, and if you go back to our KCLive event number one, and all the videos are online, I talked about the identity fabrics, and what you should do is you should understand privileged access management as one part of your set of capabilities of an identity fabric and one important central service within this identity fabric.
So not going into detail on this concept, look at the recordings of our KCLive event number one. My keynote there was on the identity fabric. So privileged access management, you need it and you should integrate it. So why do you need it? For risk mitigation, for compliance, for improved cyber resilience, for meeting your security requirements, to split responsibilities also between users, and that's also interesting if you're an MSP, to enable, depending on what you do, your workforce to do certain service and support tasks in a very granular, focused manner.
And when you automate it, to avoid human error. With that, I'm at the end of my part. Thank you very much for listening to this opening keynote for our KuppingerCole Live event on privileged access management for the enterprise. Back to, thank you.