Thank you. Thank you once again, and good morning, good evening, and good afternoon, everybody. Once again, I really thank you all for joining me in today's session for Cloud on the Rise. And before I talk about the different concerns and different emerging trends, let's first understand what are the different risks of privileges and the financial implications, as well as the intangible impact on an organization. And this is based on a lot of data breach studies which were happening in 2020.
So one of the most important facts which came out of this data study was that 52% of the breaches were done with a malicious intent in 2020, and some other startling facts: 19% of these breaches were actually due to cloud misconfigurations and compromised credentials, respectively. And another very, very important fact which came out of this study was that the most expensive lost or stolen record was the customer's PII information, which amounted to $150 per record which was stolen or lost.
And it was averaging about 280 days for an organization to identify and contain a breach. The average cost of a breach was still amounting to 3.86 million worldwide, and in the United States it was just about double this. But all these figures, all these statistics, boil down to one important aspect: what is really changing in our landscape, what is really getting changed in our enterprise environments, which is causing these breaches to get more and more sophisticated, as well as organizations struggling to manage the security of their landscape.
So let's take a look at what and how this landscape is changing. And I'll start with the infrastructure layer. Obviously the massive push towards cloud transformation, as well as cloud-first strategy, is letting organizations move their workloads onto the big three cloud providers, Amazon, Azure, and Google. But the important, or the fundamental, shift which happened in this was that all these infrastructure components are no longer just infrastructure entities.
They are also now identities, because you can define roles and you can define permissions for all of these entities, which entails that these components should no longer be perceived as mere infrastructure components, but should be brought under the purview of managing privileged access, like you do for identities, and governance should be done for these entities as well. The second aspect, obviously on the PaaS layer, is that there's a lot of investment by customers and enterprises on adoption of containerization, adoption of Kubernetes and Docker.
And the challenge here remains the same: all of these pods, all of these clusters, have identities, they can have privileged roles, and they also need to be brought under the purview of identity security and privileged identity management. And last but not the least, when you go into the application layer, we all are going through an unprecedented crisis because of the COVID situation, and the push towards a remote workplace has seen exponential growth, and applications have become a big target for any kind of hacks.
Recently, there was a big hack on the Zoom application where the credentials were leaked. So organizations are moving more and more towards adopting applications, and these applications now have sensitive access to your content, to your data. And thereby having a very focused strategy for applications is very imperative.
So as you can see, all these three layers have gone through a tremendous transformation when it comes to the shift in an organization's landscape. And then the question becomes, how do you manage privileged access across all these three layers? What's the paradigm shift you need to be thinking about, and what are the different trends which you need to be thinking about? So privileged access management definitely needs a disruption.
As I said, there's a big focus on shifting to a remote workplace. One of the most important aspects in the disruption is that there is a very fragmented view of security, and often asset owners or privileged access owners are required to make informed and intelligent decisions, but they do not have that intelligence. They do not have that view of consolidated security allowing them to make informed and intelligent decisions. Obviously, with cloud being ephemeral and transient in nature, having that privileged access visibility in a continuous manner itself becomes very challenging.
And plus, if you have to realize the full value and potential of privileged access, you have to integrate that with additional tools like IGA systems and SIEM systems as well. And most importantly, a lot of the PAM solutions are very much infrastructure focused. There is not a clear-cut, innovative and creative way to solve the PAM needs for applications, which again is a big need of the hour.
So with that being said, let's look at what are the trends for our next-gen PAM solution. I have basically summed it up into five different trends, which a lot of our esteemed speakers have also spoken about: starting with zero trust; moving on to convergence, the need for a converged platform to alleviate the fragmented view of security; then moving to integrated governance, because governance has always been an afterthought and always takes the back seat in PAM implementations; diversification, where I'll be talking about why not just infrastructure, but a big focus on hybrid applications is equally important; and then how do you build a solution on the cloud to meet the needs not only for your cloud but for your hybrid or on-premise systems as well. So let's start with zero trust. Zero trust is a very broad area and there are a lot of concepts coming up in zero trust, especially around network segmentation and endpoint security, but for today's session I'll focus more on how you can enforce zero trust by a concept of least privileged access, which in turn could be enforced using just-in-time.
You would all have heard about just-in-time PAM, which in itself can be implemented in two different models. One would be ID and account based, and the second one could be role based just-in-time. In an ID and account based model, you would also find that there are solutions which provide temporal access, and that is where they stop. But the nirvana stage is where you actually go with ephemeral accounts and access based just-in-time, which means that in an ideal situation there are no standing accounts in your target workloads, leading to zero exposure on your workloads because there are no accounts to hack onto. And then obviously for role based, this is where the convergence of IGA and PAM comes into play, because when you look at a PAM system, if you can understand and ingest the fine-grained entitlements of the underlying system, that information can be used to create privileged roles in the PAM system.
And your users can request roles to get an in-session privileged elevation rather than requesting privileged accounts. Just an illustration of this whole model would look something like this: a user would be requesting privileged access at runtime, and here in this case the user is trying to access or gain privileged access to a Google workload. So at runtime, the Google IAM roles can be crunched, and the conditional access could be sourced from Azure AD or any other system which can do that, and Okta to create or crunch the group membership, and combine all of that information, figure out what's the context of this user and what exactly this user really needs access to. And based on that, you get the minimum set of permissions and also create a just-in-time account on the target workload.
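The just-in-time, role based flow just described (crunch the target's IAM roles, combine the user's IdP group membership, derive the minimum permission set, and mint a time-boxed account) as an added Python example; this is not the speaker's or any vendor's code, and the role names, permission sets and group names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid

# Constructed sample of "crunched" IAM roles: role name -> permissions it grants
# (names mimic GCP predefined roles; the permission sets are simplified).
IAM_ROLES = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.admin": {"compute.instances.get", "compute.instances.list",
                            "compute.instances.start", "compute.instances.stop",
                            "compute.instances.delete"},
}

# Constructed IdP group -> roles a member may be elevated into (stands in for
# the Okta / Azure AD group membership lookup described in the talk).
GROUP_ALLOWED_ROLES = {
    "gcp-ops-readers": {"roles/storage.objectViewer", "roles/compute.viewer"},
    "gcp-ops-oncall": {"roles/compute.admin"},
}

@dataclass
class Grant:
    account: str          # ephemeral account name; nothing stands after expiry
    roles: set
    expires_at: datetime

def minimal_roles(needed: set, candidate_roles: set) -> set:
    """Greedily pick roles that cover `needed`: at each step take the role that
    leaves the fewest permissions uncovered, breaking ties by the least
    over-privilege (permissions granted beyond what was asked for)."""
    remaining, chosen = set(needed), set()
    while remaining:
        best = min(
            (r for r in candidate_roles if IAM_ROLES[r] & remaining),
            key=lambda r: (len(remaining - IAM_ROLES[r]), len(IAM_ROLES[r] - needed)),
            default=None,
        )
        if best is None:  # nothing the user is allowed into covers the rest
            raise PermissionError(f"no permitted role covers {sorted(remaining)}")
        chosen.add(best)
        remaining -= IAM_ROLES[best]
    return chosen

def request_jit_access(user: str, groups, needed, ttl_minutes: int = 60, now=None) -> Grant:
    """Resolve a runtime request: group membership -> permitted roles ->
    minimum role set -> time-boxed ephemeral account (zero standing access)."""
    allowed = set().union(*(GROUP_ALLOWED_ROLES.get(g, set()) for g in groups))
    roles = minimal_roles(set(needed), allowed)
    now = now or datetime.now(timezone.utc)
    account = f"jit-{user}-{uuid.uuid4().hex[:8]}"  # unique per request, never reused
    return Grant(account=account, roles=roles, expires_at=now + timedelta(minutes=ttl_minutes))
```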
The next principle is all around convergence. So when you look at convergence, the fundamental goal in convergence is how do you consolidate risk, how do you enforce zero trust, and make your PAM processes intelligent? And when you talk about or think about risk, there are four different elements in risk which come into play: obviously the risk associated with your user, the risk associated with the privileged account that the user is requesting access on, and obviously, and most importantly, the asset or the workload risk. So if I look at an illustration, here in this case a user is requesting access to an Amazon Linux instance.
So if this request comes to me for my approval, what I would start looking at in this consolidated risk view is the user's risk score, which is pretty high, and this is coming or sourced from a SIEM or a SOAR platform. And then the privileged access and account risk itself is coming in from the IDM system, which can tell me what this access really constitutes from an AWS IAM role policy standpoint. And lastly, you also would see that the workload or asset risk is being sourced from a cloud vulnerability solution or scanning solution, which should tell whether this workload has an open port on the internet, or it has an older version of Java which is not being patched.
So all in all, when I have this view, a compendious view of what my overall risk looks like from all these four different dimensions, I can make an informed decision whether I should be granting this privileged access or not, or rather I would go and talk to the individual owners of these risks to fix those risks before this user even gets access to it. And obviously convergence also allows you to stretch and get better returns on investments. If you look at converging all these technologies together, the key benefits are, obviously, you basically get a single platform available to you as a service, which alleviates a lot of integration challenges and complexities, but most importantly this whole platform becomes risk driven and easy to integrate in your overall environment, and takes care of your business drivers and technology drivers as well. Moving on, my next principle is integrated governance. So governance has always been an afterthought.
If you look at any PAM implementations, what you would find is that organizations are doing the bare minimum so that they do the MVP or the phase one implementation, and think about governance as an afterthought, or do the governance as part of the bare minimum compliance mandates which are required, and look at the intelligence aspect of governance as something to be done or dealt with later on. And as organization priorities change, the budgeting and project management requirements change, that always takes a back seat, which should not be the case, because in the next-gen PAM solution what you can really do is tie your HR events, the joiner, mover, leaver events, and invoke or create a least privileged access policy based on these events. And that least privileged access policy itself can be driven through a comprehensive risk evaluation model, which could be done either through an outlier analysis or a business policy analysis, and all in all it lets your end users or PAM administrators have a lot of important and intelligent features in your PAM solutions.
So for example, your end users can have an intelligent self-service model which allows them, or provides them with, recommendations based on what their peers have access to, and such users should not, or would not even, request something which they're not supposed to. The access certification, which has become a big rubber-stamping process in organizations, need not be, because you can completely drive your access certification based on risk. Those could be based on events. For example, if someone changes a job in your organization, what happens to the privileged access? What happens to the succession management, who owns those privileged service accounts after the user's departure from the organization? So you can really tie those events into your certification process and do micro certification, or just-in-time certification, thereby making it completely risk driven. And more importantly, by making this risk driven, you also avoid the whole process of doing a bulk access certification, which more or less becomes a rubber stamp in your overall processes. Separation of duties.
Again, a big ask from a governance standpoint in multiple organizations, and you can have SoD checks. You can have preventive SoD for privileged access embedded in your PAM workflow itself. It need not be a separate complex integration with an IGA system to do it together.
If you have a converged platform of IGA and PAM together, that allows you to have intelligent governance already included inherently, as I was explaining earlier. The next principle, or trend, is diversification. Infrastructure focused solutions cannot work with applications.
The inherent security model of applications is very different from infrastructure, so thereby doing it the traditional way of solving the PAM needs of applications does not work. And as I was mentioning earlier, the digital transformation and the push towards remote work have made applications a big target for any kind of breaches and data leaks. And typically, the way organizations have solved for this is you have separate "-admin" accounts for users who need privileged access to your application. Do not go with that. Let that not be your de facto model when you're thinking about doing PAM for applications. Firstly, it avoids your licensing cost, especially if you're dealing with SaaS applications, and secondly, it reduces a lot of your exposure because of you having standing accounts with standing privileged access in your application.
Rather, what you can think about doing is implementing role based PAM. What I mean by role based PAM is that your PAM platform can integrate with applications and suck in or ingest, for example if I take Salesforce, the fine-grained permission sets, the profile information, or the fine-grained entitlements from these applications. You ingest all of that, massage all that data, and create privileged roles. And thereby you do not have to create separate accounts, but users can request roles, privileged roles, when they have to elevate their access onto applications. And this could be an inline session elevation; users don't even have to maintain separate sessions for that. So all in all, implementing a role based model, or avoiding the ID proliferation, allows you to have less identity lifecycle management overhead for your privileged accounts, as well as it helps you in your overall compliance audits, which alleviates some of these concerns because of these additional accounts which you have in your environment.
Lastly, the biggest trend here is that as the focus shifts towards cloud, you also have to think about a PAM solution which meets the next-gen needs of a cloud environment, identifying all these possible interfaces. It is very, very important for you to strategize your PAM solution, and the solution needs to be built on cloud to solve the needs for cloud and hybrid applications. Just to give you an example here, the nuances around managing privileged access for your management consoles of AWS and Azure are very different from how you do privileged access management for serverless technologies. Serverless code is very different from traditional .NET or Java code because it runs from east to west, unlike traditional code, which runs in a north to south direction. What it really means is that you have to think about how you eliminate the threat vectors when it comes to solving the needs for serverless functions. Cloud databases: they don't even have APIs, so how do you manage the life cycle of your privileged identities in cloud databases? APIs, again, play a very important role. We live in a world of APIs, but the damage when your API keys get checked into a public code repository is humongous, and it's so expensive to determine the extent of that leak. DevOps tools, again, have a special mention here because DevOps teams think that implementing these kinds of security or privileged access management tools reduces the agility, or creates a barrier, which is against the principle of DevOps. And it need not be; you can have PAM for DevOps in a very effective and agile manner. And that's what is important for you to have: a consolidated strategy to secure all the different conduits and interfaces through which your users can gain privileged access to your underlying ecosystem.
So if I have to sum it up, how do you disrupt PAM, and how do you get away from a traditional design pattern? Create a solution which doesn't rely on a traditional jump-box based model, because it often becomes a choking point in your architecture, and it is not scalable enough to handle the velocity of a cloud based environment. Specifically, move away from thick clients; such clients often come with their own set of operational overheads, you have to think about patching and rolling them out. There is no need for you to invest in a separate IGA or IDM system; you can look at solutions which consolidate these technologies in a single platform. And obviously move away from a model which relies completely on persistent accounts; rather think of solutions which are just-in-time, and always model towards zero standing privileges and zero standing accounts. And most importantly, your PAM processes need to be risk aware, the reason being that risk is the fundamental parameter which drives your whole PAM strategy, and governance should never become an afterthought. So with that, I'll wrap it up. Thank you once again for joining me in today's session. If you have any other questions, I will definitely be in the speakers' lounge and I would be glad to take up your questions as well.