Yeah. So typically we'd be present at a physical event in Germany with a, a booth, et cetera. And although I miss meeting face to face with customers, partners, and others in Germany, to talk about solving their security problems, this is actually quite exciting for us as a business to see how this format works and who knows maybe this will be the another new normal that we embrace. Moving forward. First a little bit about our company. SSH.
If you work in access management to our operations, you'll be aware of the SSH protocol that provides access for systems, administrators, DBAs, application support, and DevOps to the service they work with. Not only that SSH is used heavily in automated business and infrastructure processes, for example, automated file transfer systems monitoring and connecting the functions through the C I C D pipeline.
The protocol I'm talking about was invented by our finder back in 1995, we're still headquartered in Finland, but with a very much global presence, we have a long history of producing innovative solutions around enterprise access management, including most recently privileged access management.
Today, I'll be presenting our view on the top five challenges for managing privileged access in today's modern it environments today. Our it environments are often highly dynamic and scalable to meet their business demand.
Many enterprise customers we have met with have adopted a multi-cloud strategy to compliment on their on premise server landscape. Additionally, these environments have an ever changing workforce, higher numbers of third parties collaborating together and providing services across the globe and an ever increasing number of people working remotely. It could be argued that the outbreak of coronavirus has permanently created a paradigm shift towards the majority of people working remotely. So I'll be presenting on some data points from a few research papers.
First I'll explain the data sources we have focused on and how the data was collected. Next, I'll provide an insight into the thoughts on the research findings. What are the top five problems that we see and how they can be addressed with modern privileged access management solutions?
Okay.
First up, where did we get the data? We first reviewed the Verizon data breach investigation report. I'm sure many of you will be familiar with this as an industry standard in terms of cybersecurity research, I'm providing a comprehensive insight into data breaches. This independent report looks at over 160,000 security incidents of which almost 4,000 were confirmed data breaches. The report provides details on the tactics used by attackers and the trends who the attackers were and who were the victims.
What commonalities were identified from analyzing the cross section of incidents and the data breaches. I certainly think it's well worth reading.
Secondly, we commissioned Vanson born to survey it professionals from different levels of seniority across the us, UK, France, and Germany. We asked them a range of questions about the usage of on premise and also hybrid cloud environments, as well as the security practices in place within their organizations, for correspondence of those organizations using cloud solutions, we uncovered some common issues, bad habits resulting from their access solutions. These are really important when you're considering privileged access management solutions.
Okay, let's look at what we find. You don't need these figures on the screen to tell you that nearly every enterprise customer across Europe or even the globe are looking at moving to the cloud in one way or another, not only are companies moving to the cloud, they're becoming much more sophisticated in their cloud adoption, which leads to a multi-cloud strategy. Cost is always a leading driver in every business decision and cloud adoption is no different CIOs get queasy with the, as the cloud adoption grows within their organization.
And then they see a significant escalation in annual costs. A multi a multi-cloud strategy can help keep the pricing honest also consider workload differentiation. For example, AWS may appear appeal to developers. Whereas Google cloud platform is particularly strong for data analytics and machine learning based workloads. Cloud providers have some unique selling points and the companies who are adopting the cloud are becoming more savvy in their decision making.
In addition, you may need to consider resiliency performance or data sovereignty to determine which cloud is best for your particular workloads. Also aligning with it infrastructure deployment techniques that are potentially more prevalent in the cloud. And on-premise so more and more companies are striving towards an immutable architecture or infrastructure as a code where systems are built and largely unchanged for the duration of their server life cycle. So what does this mean for privileged access management? You need a cloud native and cloud agnostic pan. What does this mean?
So cloud agnostic is simply your Pam solution needs to work with multiple cloud providers so that your privileged access can be delivered through a single common platform, user interface, or proxy using a single cloud provider access management tool set only solves part of the problem in one part of your environment. And this also locks you in to a single cloud platform, making it more difficult to move to another cloud platform, shoot that needs need arise.
Also your pan solution needs to be able to work with cloud native deployment techniques.
Being able to provide goal based access to servers. As soon as they come online using cloud APIs, embracing cloud native tools like host tagging to provide remote access without touching the operating system, as we would be required in an immutable infrastructure environment.
Finally, as you scale your cloud services up and on your pan deployment should be able to auto-scale with that demand. Okay. No real surprises on, in terms of the stats on this pitch, we, we can see that hackers love credentials, especially privileged accounts. And we see this in the sophisticated attack tactics that they use. For example, social engineering, where hackers find social media account passwords, and then attempting to use those same stolen credentials in enterprise environments. We also see more and more elaborate methods of targeting credentials.
For example, AI driven, credential, harvesting sophisticated forms of fishing, and also ran somewhere. We know that end users also knowingly share credentials to provide access, even though they know it's against corporate policy, we're seeing a dramatic rise in large and enterprise environments implementing password less methods in many of their use cases. And I don't see Pam as any different, what does this mean for Pam solutions? So by removing the passwords on the target systems, you're connecting to, we reduce the risk of password compromise.
And in order to eliminate passwords and keys on the target servers, we would advocate the use of just in time certificates, such certificates are issued at the time of connection. They have a short expiry and this significantly reduces the risk of password compromise. This also ties in with a highly scalable immutable architecture. This approach is not new Facebook, Netflix, Uber are all tech giants with vast amounts of computer state, and they've all developed their own ephemeral certificate solutions to provide system access.
I, I fully appreciate that there is a period of time that passwords will still be necessary. And of course those passwords should be vaulted, but I strongly believe that just in time certificate approach is the best way forward. In addition to moving away from passwords and target systems, we also see SSH key control as essential to any Pam deployment. SSH keys can be easily used to bypass your Pam solution. They have no expiry, they can be self-created and they're not tied to an identity. SSH keys have been iion for 20 years and have been largely in a largely uncovered way.
So as mentioned earlier, and they're used extensively for access and automation to privilege accounts. So I see SSH key management as a complimentary technology to any pan solution you put in place the stats here merely show that outsourcing and using third parties can increase your risk.
However, the real story I'm providing remote access is affecting us. All right.
Now, the fact that we're all working in an, in a virtual environment right now, where once we would've been in an office or in a conference room is a reflection on the new normal. We now live in providing access to third parties, contract workers or internal employees all need consideration when deploying Pam solutions using a VPN to open up your network for remote access often provides too much access. Additionally, you should want to avoid your VPN being so overloaded that providing privilege access to critical systems is prevented.
So a Pam solution for remote access should be flexible enough to be deployed where you need it either in the cloud, on your perimeter or on premise, remote working or third party access should require granular role based control to your target servers and privileged accounts, context based alerts and heightened authentication challenges like two factor authentication should be activated when needed personally IC AI driven user behavior analytics integrated with identity management systems becoming much more prevalent in the next few years, user behavior analytics can be used to reduce the authentication levels required for everyday work and then increase them for second factor or biometric challenges for unusual activities.
So prior to working at SSH, I had a number of security and engineering roles across some global financial institutions like Lehman brothers, Deutsche bank, and UBS. We also at SSH work with third party systems integrators globally to deploy our software at customers. So I've seen firsthand how long it takes to get new access and changing role within an organization often leaves behind the access from the previous role.
Also when someone leaves the organization, their downstream privileged access should be completely removed in an instant, essentially your joiner mover lever process within your organization needs to be tightly in sync with your provisioning and deprovisioning of privileged access. We would advocate that privileged access is best controlled within the user identity attributes or group membership. Every access must be identified to an individual, whether they are internal employees or external contractors. This is typically what people refer to as, as zero trust.
And you can take this a step further with having no access to privileged accounts on any target systems. And then if you integrate your Pam solution with the ticketing system to only provide access to the right people on the right server at the right time with a valid ticket, I know this doesn't work for every use case, and sometimes you do need to provide access without a change ticket or incident ticket, but this approach is worth considering for privileged access to your critical infrastructure.
The main point where advocating here is that you ensure that identity authentication happens on every connection attempt.
The stats here reflect the age old wrestling match between security and operations operation teams, support teams want to help their internal and external customers, no matter what and security teams want the same, but also to ensure that the right systems are being access and everything is audited. And no doubt, this is a difficult balance balancing act.
So CIS admins, DBAs and app support teams are the superheroes within their organizations, helping systems keep up and running, adding new systems for capacity, making conflict changes for improved performance. Getting rid of old legacy systems. The people in these roles just want to get their job done with as little complication as possible. They want to get their managed hosts, apps and data in the most efficient, yet secure manner. And if the security controls are cumbersome and slow, then the end users will just bypass those controls and give themselves direct access.
I don't know how many times I've heard, just let me do my job. Just put my key on the server, just change the password and I'll fix your problem.
So your Pam solution needs to speed up access, not slow it down. Having a really intuitive user interface that simplifies the connection process is very important. End users want to be, to get to their target system in a couple of clicks. They want to see the systems and accounts that they have access to and regularly connect to.
They want a consistent and intuitive user interface implement single sign on where you can to authenticate to your Pam system to avoid multiple unnecessary authentications. That said, if a user is attempting to do something outside of normal working practice, then introduce higher level of challenge. Whether it be a one time password or a biometric challenge. In many cases, the users will want to use their native SSH and RDP clients to make those connections. So it's important that your pan solution will work with these native desktop tools without too much modifications.
Sometimes the cost of operational change is greater than the cost of deployment. So your pan solution really should try to speed access up and make it easier, not slow things down and make it more complex.
I'll just quickly recap on some of the main aspects that we think you should consider when thinking about a Pam solution.
So the solution that works with all the main cloud providers and uses native cloud tooling eliminate shared or static passwords on your target systems use just in time certificates and bring your SSH keys under control, ensure that your pan solution works and has the same user experience for both remote access and also office based access implement zero trust, authenticate, every connection and aim to provide privileged, secure access. That's fast and easy for the end user. So I hope I all make sense and give you some food for thought. Thanks again for your time today.
And, and joining us. I look forward to virtually meeting you at our launch later today and feel free to connect to me directly on email. Thanks very much.
