So let's talk about privileged access management, the motivation and the benefits that you can actually get from such a project. We are just implementing the project PAM. We call it PLS internally, which stands for something like access management for privileged access and remote users. And I think one of the most important things to get a project done in a company is to give it a name, so you can always talk about it and do your internal public relations.

Given that, we designed this nice little logo over there. Actually we started with the first idea of having Big Brother watching you. That is probably not the best approach, but having this little eye, the key, the person and the computer actually indicates what the project is about. And this is how we do our internal PR for getting success for a project like this at Uniper.
As the energy markets have changed over the last few years, Uniper was actually split off from E.ON, another major player in the global power supply market. And RWE split off innogy, which was then taken over by E.ON. This gives you an interesting overview of the challenge that we're actually working on. We have lots of privileged access, and we have lots of people to manage. As a power supplier, in brief, we have about 80 billion euros revenue. We transport LNG (liquefied natural gas) from the United States to Germany, for instance; we produce power from coal, gas, hydro and nuclear stations; we do energy trading; and we operate power stations on behalf of others.

So the whole infrastructure becomes KRITIS-relevant (critical infrastructure in the sense of German law), and this is one of the most important topics that we have to cover.
We're talking about privileged access management in our company. So what is privileged access, and what may happen if you misuse it? You may have read in the news that there was a case of police officers using police databases to retrieve data about people who were later attacked; these were politically motivated attacks. These police officers misused a database.

In this case, we talk about a clearly privileged user accessing privileged, highly sensitive personal data about people in our country. This is probably one of the most public cases of how this has been misused. One of the most important pieces to start a project in the PAM environment is to discuss what a privileged user actually is from your point of view. We defined a privileged user as any person who has been entitled to access a server or a system in order to manage or manipulate it, who can execute privileged access and, finally, is executing this entitlement.

With that kind of definition given, we were clearly in a situation to define what we need to do and where we need to go. So this leads us to the motivation, and that's probably something that can easily be shared.
Those slides not there yet.
Yeah, here we go. Compliance is probably one of the most important motivators for going into a privileged access management environment. Lots of companies have to struggle with the rules and regulations they have to cover. Most people start with ISO 27001; for us it is important to cover the sector-specific ISO 27000-series standard or the German IT-Sicherheitskatalog under § 11 Abs. 1a EnWG. These are regulations that specifically cover our business, gas storage and energy provision, and there may be many other regulations that you need to cover in your business.
Another motivation is to improve the rating and reduce insurance fees. So whenever we talk about how to actually get a return on investment from these kinds of projects, there is this little hidden issue of insurances and rating agencies, which very often rate a company not only, but also, based on how well it executes the policies it has applied to itself.

So if you don't apply your own policies, the rating goes down. And with the rating down, the cost of credit, interest, will increase, and insurance fees may increase as well.

So there is a high return on investment from an area where you wouldn't expect it; that's the financial point, and this is one of our drivers. So of course there is not only a legal requirement to do these things; we have a financial interest in doing them, because it increases our rating and as such decreases the interest rates that we have to pay on our credits. Another point, of course, is travel optimization.
So whenever we need access to any kind of remote site, we typically have people going there, driving there, and we want to allow people to access our assets, the power stations and the DCS (distributed control systems), remotely.

This is where you run the power station. We need to have people accessing that from remote, especially now in the Corona crisis, when we have lots of people working remotely.

Now, how can you actually manage a power station completely remotely? We have one power station in the United Kingdom that has been managed completely remotely from the bridge, that is, from the control room of another power station. Fully remote. We need to secure this kind of access, and at the same time we need to allow people who do service on particular engines or pieces of equipment to do so fully remotely, well secured and well monitored. And the monitoring is actually a legal requirement that we have to apply. This does not only apply to us.
It probably applies to your business in the same way. The question of how it applies here: we have some input on that already. We have multiple privileged users, typically administrators, who access multiple targets: servers, firewalls, industrial devices, basically everything that you can manage by logging on to it and using some kind of user interface to change anything. This leads to a situation where the number of administrators multiplies by the number of targets that you want to manage, and the relationship becomes unmanageable. So at first we tend to start with reducing the number of privileged users to the absolute bare minimum.
So you should probably ask yourself: how many global admins do you need, for instance, on Active Directory? Quite a few companies that are managed by external suppliers easily have up to 100 global admins, just because the external supplier needs that many people in a shift system or whatever. So reduce the number of global admins, of built-in accounts and of custom accounts to the bare minimum. Check your entitlements, make them smaller, and reduce them to the absolute minimum as well.

As for entitlements on the target system: even with privileged access management, you will always use the built-in accounts that exist on the target. Then consider your target protocols. What do you plan to manage? Is it web-based, such as the Azure console? Is it based on RDP, VNC, SSH or whatever? Define the access points and how to access them. Integration, of course, means identity management. There must be one place within the company where you actually manage who is going to be a privileged user and what it means to be a privileged user: what is the actual entitlement? What is the process to get there? How do you manage that? At the end of the chain, you will supply this information to the PAM tool, and the PAM tool manages it.
However, there is typically one component in the middle, which is your service management tool. This typically has a good overview of the inventory, or at least it should have, and it should be able to assign the owner of a particular device or target. This is important for managing the process of becoming entitled as a privileged user on a specific device. So knowing about the users alone is not enough.

You need to know about the targets as well, and then you have to actually match the user to a target. A privileged access management tool does nothing else than allowing that person access to that target. With that preparation done, you can think about the right tools to achieve your benefits. On a high level there are two typical strategies for how the tools work. One is what we call the proxy mode, which is something that is placed in between the user and the target. One advantage of this kind of solution is that the implementation effort is smaller.
You set up a proxy system, and there are a couple of vendors who work this way. I'm not going to talk about any vendor, but you will notice if you do a tender on this that most vendors actually work with a proxy system in between. So the user logs on to the proxy system and is forwarded to the target. The proxy system does all the session recording, monitoring, password management and password resetting. The other option is setting up server-side agents. From a preventive-measure point of view, this is the better part.

This allows you to manage a user's access and actions on the target device in very fine detail. So you can actually control whether someone is allowed to push a single button on the screen of the target device or not. This is not necessarily possible with a proxy system.

But the downside is that you need to install the agents on every single server that you want to manage, and that's a bigger effort. At Uniper we did both of them. You can combine both tools. So we have the proxy system to monitor all the users in general, and we have the server-side agents for a high number of specifically defined devices, not necessarily everywhere, but most of our devices are covered by the server-side agent system as well. So we can manage that in very fine detail.
All right. Most privileged access management systems work based on managing passwords, so you are getting into a dependency on the system. So what's going to happen if the PAM tool breaks and isn't available anymore? You need to have a way to bypass it.

This is what we call the break-glass process. In the break-glass process you need to know the password and the username that you can use to log on to a target device even if the PAM tool is not available anymore. Most vendors will probably tell you this is a simple thing: just print the password, put it in an envelope, put it in a safe, and if there's a problem, just take it out of the safe.

Well, in theory it just works. Practically, we're talking about 70 locations. Every single one is remote, and every one needs to work without any input from the outside.

It needs to be completely autonomous. So printing a password and putting it in a safe wouldn't work to manage 70 remote locations. Building up the break-glass process isn't something that you can do just out of the box. It is very individual. You need to talk about it, you need to think about it: what is possible in your service organization?

Do you have a role such as we have, a manager on duty? That's a person you can call 24/7 and ask for support, whatever your problem is. This is one of the possible approaches. So think about how to manage this break-glass process: what is going to happen when the tool fails?
Let's have an outlook on what's going to be your extended scope when starting a privileged access management project: how to cover web-based targets. I'm talking about everything that SaaS gives you the opportunity to manage from a web browser.

Unfortunately, there is basically no tool available at the moment that seriously and reliably manages and monitors web-based access. So web access totally bypasses your PAM tool; it cannot do any monitoring, and at best the application itself does the logging. The only way to cover these things is to do something your administrators probably don't want you to do, and they really don't like it: you can force them to use a terminal server to open the web page. They will tell you: well, we are losing the big advantage of having a web interface for managing this device.

Currently, none of the tools is seriously able to manage web-based access to SaaS.

So we are waiting for the tools to improve. Talking about operational IT and OT/IoT: the number of devices is increasing everywhere. We are talking about firewalls, we are talking about access points. They have very different technologies for accessing them. Typically most industrial devices are available via some kind of SSH console, but some of them are only available via a web interface.
Next, let's talk about robotic process automation. A robot running on behalf of a human user is a privileged user. How do you manage support for that? A robot will actually use the password of the user it has been assigned to, and the robot cannot use multi-factor authentication. So having a good view on what the robot actually does can be achieved by leveraging PAM tools. Let's talk about service accounts. On every Windows server or Unix server there are services running, and typically you need an account to authenticate the service against the operating system.

How do you manage these passwords? How can you change them? You will probably find another challenge for most PAM tools there. And secondly, how do you change these passwords during operations? Do you have to shut down the service to change the password? Typically it's not covered, and it's almost impossible to cover this with a PAM tool. You need to have a well-thought-out process to manage that. We have more or less the same challenge
when talking about application-to-application or application-to-database credentials: how do you change the password and credentials that an application uses to connect to a database? There are some tools available on the market which allow you to do these things. Some of them require you to change the interface that you are using.

So you need to have customized code in your application to allow this. Typically it works in the way that the application opens two different channels to the same application or database, and the password is changed on the unused channel.
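The two-channel rotation just described, as an added example that is not part of the talk and not any vendor's code: a Python simulation in which the application owns two logins with identical grants, hands out only the active one, and rotates the idle one first. The Database class, the vault dict, the login names app_a/app_b and the DualChannelRotator are all constructed stand-ins for illustration (the database server, the PAM vault and the application's connection layer), not real APIs.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


class Database:
    """Constructed stand-in for a database server: a password per login, and
    changing a password does not kill sessions that are already open (as with
    most real databases), which is what makes the two-channel trick work."""

    def __init__(self, logins: dict[str, str]) -> None:
        self._logins = dict(logins)

    def check(self, user: str, password: str) -> bool:
        return self._logins.get(user) == password

    def connect(self, user: str, password: str) -> str:
        if not self.check(user, password):
            raise PermissionError(f"authentication failed for {user!r}")
        return user                     # the session handle, reduced to the login name

    def set_password(self, user: str, new_password: str) -> None:
        # Done by the PAM tool over its own privileged connection (ALTER USER ...);
        # the application itself never holds that right.
        if user not in self._logins:
            raise KeyError(user)
        self._logins[user] = new_password


@dataclass
class DualChannelRotator:
    """Two logins with identical grants (assumed names app_a / app_b). New sessions
    always use the active login; rotation only ever rewrites the idle one."""

    db: Database
    vault: dict[str, str]                 # login -> password, as the PAM vault holds it
    logins: tuple[str, str] = ("app_a", "app_b")
    active: str = ""
    log: list[tuple[str, str, str]] = field(default_factory=list)  # (event, login, active)

    def __post_init__(self) -> None:
        self.active = self.active or self.logins[0]

    @property
    def standby(self) -> str:
        return self.logins[1] if self.active == self.logins[0] else self.logins[0]

    def connect(self) -> str:
        """What the application calls; it never needs to know which channel it got."""
        return self.db.connect(self.active, self.vault[self.active])

    def rotate_standby(self) -> bool:
        """Rotate the idle login, verify the new secret, then flip. On failure the
        active channel is left untouched and False is returned."""
        login = self.standby
        new_pw = secrets.token_urlsafe(24)
        try:
            self.db.set_password(login, new_pw)
            self.log.append(("set_password", login, self.active))
            self.db.connect(login, new_pw)            # verify before trusting it
        except (PermissionError, KeyError):
            # Failure mode: the standby channel must be reconciled, but the active
            # one still works, so nothing is flipped and the application keeps running.
            self.log.append(("rotation_failed", login, self.active))
            return False
        self.vault[login] = new_pw
        self.active = login
        self.log.append(("flipped", login, self.active))
        return True

    def rotate_both(self) -> bool:
        """One full cycle: both passwords end up fresh, and at every step the
        application still had a working credential."""
        return self.rotate_standby() and self.rotate_standby()


def demo() -> dict:
    """Constructed run: open a session, rotate both channels, then check that the
    old secrets are dead and a fresh session still works."""
    initial = {"app_a": "initial-a", "app_b": "initial-b"}   # constructed secrets
    db = Database(initial)
    rotator = DualChannelRotator(db, vault=dict(initial))
    rotator.connect()                        # e.g. a pool member opened before rotation
    ok = rotator.rotate_both()
    return {
        "ok": ok,
        "old_secrets_dead": not any(db.check(u, p) for u, p in initial.items()),
        "fresh_session": rotator.connect(),
        "active": rotator.active,
        "events": rotator.log,
    }


if __name__ == "__main__":
    print(demo())
```

The point the log makes visible is that set_password is never called on the login that is currently active, and that a failed rotation (here simulated with a login the database does not know) leaves the active channel and the vault exactly as they were. In a real deployment both logins need the same grants on the database, the set_password step is the PAM tool's job, and the application's connection pool has to pick up the flip for new connections while existing ones drain.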
It makes things quite complex and difficult, and these are things that you had better think about before you start your project. What is common at the moment is connecting automation processes between SaaS systems based on a REST API, where you have to manage credentials as well, typically the bearer token that comes with the REST API. In this case I haven't discovered any tool that is able to manage that from the same point of view, so a typical API gateway should be a better solution for that. Think about all these topics when you're deciding on your strategy and what you want to get into your scope. Obviously you get the best benefit out of it by covering all of these topics; however, covering all of them is quite a challenge and should be well thought about when discussing your project planning: when to do what, and what you want to achieve at what point in time.
So this gives you a little hint on finding the right tool and strategy. Criteria for the tool: do you need it centralized or decentralized? In our case, with 70 remote locations that need to work completely autonomously, there was only one option, fully decentralized. We found only two vendors in the market who are able to support a fully decentralized environment such as ours. Do you want to go into a SaaS environment? If you do, be aware that you will save all your critical passwords in a SaaS environment, in the cloud. Can you make sure that this is well secured against those people who really don't like you? And in this case we have to say that we, as a power company, are in NATO, and you know that the US is in NATO too.

So for us, there is absolutely no way to save passwords for critical devices in the cloud, because we always have to think about what the secret services are doing, and in some cases there might be something that you really need to protect from the public. This moves you to your strategy. Consider the neighbourhood: what is your PIM tool (privileged identity management), your privileged user management? Multi-factor support definitely is a necessity; four-eyes approval is a necessity.
How can you manage all these things? Then build up your strategy and think about the individual items listed here and how you can manage them. And finally, the best way is always to keep it simple. People need to be able to use it. They need to have a good idea of how to manage it, how to use your tool. There is nothing worse than having a tool implemented, or a project executed for a lot of money, and people in your company cannot use it or don't want to use it because the usability is too low, the user experience isn't good, and all these kinds of things. So keep it simple.

Start with the low-hanging fruit first. Do not oversize the tool, and think about what is really possible. Check it, test it, do a POC. It is a complex topic, and you will find out that the most expensive vendor is not necessarily the best solution. You may find vendors who are cheaper and have better-fitting solutions, whatever your demand finally will be. The market is pretty wide here; the variety of tools is big. When we did a tender, we had more than 10 companies quoting for it.

So we had a good selection. And then, as the most important piece, get the organization and the users aligned to support it. This is the experience that we can share as a principle for getting a successful privileged access management tool done. We finally started deploying it in February, and we are about to go live and hand it over to production next week or so. We are quite happy about what we achieved. We actually followed this plan, and it worked very well in the end. I wish you good luck when doing your PAM project.