Let's have a, let's have a good chat, good chat here. And so the topic of the panel, the future of security and why prioritizing PAM is important. I think this is a, this is an interesting one because we all know there's never enough money for security. Just today, I read in my local newspaper about attacks on a medium-size utility company in Germany. And they are just below the critical infrastructure law. So there's not even the pressure from the, from that law to invest in security.
And so when we look at all the things we, we are told to do in security, so told by analysts, told by vendors, told by analysts, told by consultants, there's the obvious question: why should we start with privileged access? Or why should we at least put privileged access management pretty much to the top of the list? And so to start the, the discussion with, with the two of you, there's this one very popular paradigm, zero trust these days, which helps shaping the future of security for many businesses.
So my first question to you, and maybe I'll have we start, you would be why and where do we need privileged access management with, within a zero trust concept, in a zero trust model for security?
Generally speaking, I would, I would try to start from more from a cybersecurity strategy point of view. Obviously when I go for concepts like zero trust, then there is something that I quite dearly want to protect. Being, being able to use this concept in industrial companies is, is actually quite demanding because what, what, what I've seen in practice is that security expertise, even in large industrial organizations is quite limited. So if you come, if as an industrial company, you decide at all to go to a level where you can correctly employ zero trust, zero trust principles, then you already made a strategic choice. You want to do this and you take it seriously.
And in such a situation, having a privileged access management component as part of your overall security stack is then something that from my perspective comes, comes quite easily. Yeah, you can, you can quite well explain what it's supposed to do. You have a, from my perspective, quite good combination of factors that that help to protect against external attackers, as well as factors that help to protect against potential internal malicious actors and especially against the internal malicious actors.
It's, it's, it's quite hard to, to, to use the, to use zero trust as, as against the internal threat, because at the end of the day, you cannot not trust in a way where you do not allow your own employee to access anymore. And therefore you need the additional elements to protect against the, against the malicious insider. And that I think is one huge advantage of the, of the privileged account management systems that you have that functionality that does it. Yeah.
So probably could have a very long discussion about how work from home changes the role of employee access these days and moves this burden more towards less of trusted paradigm. But what I take from your answer is at the end, it is, I'm fully with you on that, it is looking at what are the risks, what are the biggest risks and how can I mitigate these risks. And privileged access management, I think from your understanding, from my understanding, is an approach which just, which helps us in mitigating a broad range of significant sub risks.
Yes.
I mean, the thing is, and, and, and you mentioned the, the, you just now mentioned the, the working from home scenarios we, we, we're all facing now. What doesn't change regardless where I am is the question, am I trustworthy? Or am I a crook? And regardless where I work, I'm either one or the other. And the, the privileged access management functionality such as logging what I want to access, monitor what I'm doing with the privileged account, I think it's a little bit independent from the, from the question how trustworthy or untrustworthy the, the computing environment is in which I'm working right now. It, it adds this additional layer.
So, so Paul, from your perspective, what would be the principal factors that, that made organizations decide, should make organizations decide for implementing a PAM solution?
Well, I wanted to actually, I had two points on, on, on what Alpha said. And one of them is that I agree that you don't, you shouldn't go and decide, I want a PAM system. You need to decide that you want to secure a business first. And then you need to see if PAM is the right solution or one of the right solutions.
Also when it comes to employees, I think we need to start moving away from seeing individuals and employees and start thinking in terms of identities. And that way we can implement zero trust, because I don't think, I don't think applying zero trust to a person that works for you is necessarily a bad thing. If you reduce them all to identities, that then you decide on what they want to do. And what they're trying to do is whether they're a risk or not. So get back to your question, Martin.
Then if you want to, if you feel that you want to in, in go the way of PAM, then obviously you need to realize or assess how many privileged accounts you may have in the first place. And if it turns out you have many or, or that these privileged accounts access certain things which are very sensitive or valuable, then privileged access is probably one of the solutions to go for.
Yeah, I, I would even say you always will have these high risk scenarios. So there there's little room to avoid having a cloud solution in place aside of the fact that for instance, if you're a supplier to larger organizations and they ask you as part of their supply chain risk, supply chain risk management to comply with ISO 27000, then anyway, the privileged access management topic pops up.
So, but so, so I think we agree on it makes a lot of sense to have privileged access management in place. Also, you've been doing this in practice, implementing it in a large organization. So what have been the challenges of, of implementation your experience? So what are the biggest pitfalls to avoid? What are your recommendations on that?
I think the single biggest pitfall is that there are people who initially see this as implementing just another security tool, in a sense of there's someone on the security team who has to do this together with someone on the, on the infrastructure team.
And then we are fine. But in the case of privileged access management, what, what we found is that the larger share of the program is not on the technology side, but on the program side. How do we identify these accounts? How do we actually agree with, with the various business units, this, this is a privileged account versus this is not? So, so you need to have a common understanding. What are the risks we are running? What's our general strategy on accepting or mitigating risks? In order to do that, then you need to set up the respective processes across the business in terms of, okay, you are used to a situation where if you want to access this account, you enter the credentials and off you go. And this now changes to a situation where you need to log onto a system. You need to request access. You need to actually write down what you want to do.
And then someone will grant you access. And if during your session, you figure out, oh, I wanted to do A, but now I realize in order to complete my task, I also need to do B and I didn't request to do B, how do you deal with that?
So, so you suddenly have these questions. And then of course, what businesses then request is a highly reliable process, at least for a company like where we had global activities, where people say, okay, if I have to go through this request process, then I need this process 24/7 with a response time of say less than five minutes and so on and so forth.
So, so it's really these questions that drive the major effort and not the question of setting up and securing the PAM solution as such and connecting an individual account or storing the, the, the password and the credentials for this individual account. That part, compared to what I said before, is comparatively easy.
Yeah. Which brings us back to, to discussion I had in an earlier panel or an earlier interview about making it seamless, frictionless, so that people still can work efficiently, do that job sufficiently, but increasing the level of security have.
And I think this is one of the, the challenges you have. And I also like that you bring up the topic of processes. I'm a strong believer that most things we do in IT work better when we think about the processes first and paint them down on paper to understand how they really must look like, because this, for my experience, helps thinking about how should it really look in practice and what will be the challenges, who is involved, et cetera. So I definitely like the point being brought up here. So on the other hand, I think it's also very, very clear that privileged access management, so while it solves a lot of challenges, it needs to solve all challenges, nor is everything fine with with, so, so, so maybe Paul from your research practice and then offer for your implementation practice, what, what are so, so the prevalent misuse observed in your, in your work. So one or two of these where you feel, okay, this is just not correct in a positive or negative sense.
Paul, do you wanna start? Yeah.
I mean, obviously Alpha, I bow down to his greater knowledge. He has hands-on experience. I'm much more theoretical obviously, but PAM does bring, obviously, its own problems in as much that once you start controlling access and you need to record access, et cetera, then you have an issue about maintaining records of who does what, what identities get access to which things. You need that for compliance purposes. If you have a PAM solution that simply allows access, but you have no record of that and you still suffer a breach, then at some point someone's gonna come along and say to you, well, how did that happen? And did you keep any records? And if you haven't, that's a problem. The problem again, though, that even if, if your solution has a session management, session recording and analytics, then trying to sift through hundreds of log records and hundreds of pieces of data to find out what happened is an issue.
So some, some vendors are starting to investigate machine learning and AI tools to automate certain functions. So that for example, they can find much more quickly where something happened and they can even use AI to differentiate between certain typing patterns. So if one authorized user has a logged typing pattern, or even the way they use a mouse and then someone else somehow has access to their workstation, they can see instantly that that's not the same person.
So that's, but the more PAM is deployed and the wider it is deployed, the more you have to manage it.
Okay. Alpha?
And, and fully agree with Paul, like with the other functionality, the, the functionality to record a session, to log a session, to, to evaluate what's going on is only helpful if you think about the processes, how you want to make use of it. So obviously if you're in a regulated environment, you need a process to create a proper audit trail out of the logs the system generates. Just having the logs and then, when the auditor knocks on the door, frantically trying to pull them from the system, it's, it's not gonna solve it. So you need to have that. And when it comes to using, using the information to, for, for forensics, I would differentiate two, two types. When it is about a case where an inside actor committed something on the system, then I think simple monitoring and recording functionality is probably sufficient because you will track back. I don't know, I'm making up an example.
Someone used the, the treasury system to send money somewhere, then, you know, okay, there's this transaction, it was entered. And that at that date, and then, then you go through this specific record and look who did it. And do you have proof that you did something wrong? When it comes to, to using these recordings for, for cybersecurity monitoring, then of course, the advanced functionality that Paul pointed out, which is currently upcoming, will be necessary because obviously you need to be able to automate the process to do these reviews.
I mean, you'll, you'll never ever have someone sit there and look at hours and hours of, of, of logs. It, it must be kind of condensed into an analyzable format. And then obviously you need to put ki on top of it and need to somehow integrate it with your SIEM.
And in, in we're currently seeing quite good emerging functionality there, but yeah, to, to be honest, I still have to see the environment where I'd say, okay, this is perfect. There's nothing that could improve about this implementation and this connection between the PAM and the SIEM. That's probably still some time out.
Yeah, I think, I think so as well. And I also would add, you know, when I look at all the AI stuff in there, so, so when one of the first vendors came, came out with this solution, the first question I ask is, and how can I configure a maintenance window? Let's take the summer break in a manufacturing organization where access is totally different from the rest of the year, because all the suppliers of the, the engines that are accessing remotely and changing configurations, et cetera.
And so, so there there's a lot to do, but I think we are making progress on that. So the last question I'd like to, to, to discuss with you quickly. So we have a few minutes left only. What I quite regularly observe is that an organization says, okay, we have this privileged access management issue and we need to do something, but can't we just work with some mitigating controls? So do we really need to run through this process of selecting the right tool, starting with identifying requirements down to a POC and so on and invest in that?
And, or can we just in a simple and lean way, a little bit manual controls here and there. So after what's your, your experience or your perspective on that?
So, sorry. You lost me a little bit. Yeah.
So, so can we just avoid using a PAM tool and saying we use some mitigating controls manually?
I'd, I'd go to I'd I'd go back to, to, to what I said previously about, about the strategy.
I think, I think it all depends. Number one, besides strategy, it depends on can you actually afford to do this? So I think there's a certain lower size boundary for a company to say, well, okay, I'm, I can really shoulder this investment. And my IT organization is large enough to actually use this properly. You need to think about that.
And, and on top of that, I think it's really a question of what's your cybersecurity strategy. What's the vision where you want to go and, and where are you on that journey? So if I've done my basic homework already, then I might want to go for PAM, but if I haven't done my basic homework, I think, I think it's useless.
If, if I haven't set up BA basic sea capability, if I do not have basic cybersecurity hygiene processes in place like vulnerability management, patch management, regular pen test and so on, then I don't think it's the right point in time. And I would counsel everyone who's considering to invest in PAM to, to think about, do I actually have, have I actually reached a level of maturity where this is my best investment, or should I rather invest my resources into, into other parts that I need to do before?
Okay. Thank you for the answer. I think we are already at answer time.
There are questions which any probably will prove to the speakers, but I hand back to any, thank you very much, Alpha. Thank you very much, Paul, for participating. As usual, time is too short for that. Thank you.