Hello, and welcome to this latest KuppingerCole webinar with me, Paul Fisher. Today's webinar is supported by Thycotic, and we're talking about PAM and how to design and establish a mature PAM ecosystem to reduce risk in your organization. As I said, that's supported by Thycotic today. Before we get going, I just want to introduce you to a few events that KC Live will be producing in the next couple of weeks. This week, on September 3rd, which is a Thursday, we have The Three Fundamentals to Enterprise Identity Success, and that starts at 12:00 AM
Central European time. The Identity Governance and Administration and Next Generation Access KC Live is the following week, and that starts at 10:00 AM Central European time. And then on October 1st we have IGA Solutions for ServiceNow Infrastructures, which is something that I'll definitely be tuning in for myself, because that's exactly the kind of thing that I'm interested in right now.
So before we go to the actual presentations, just to let you know a few housekeeping rules: you are muted centrally, and we control that.
So there's no need for you to mute or unmute yourself. All the slides will be recorded, and the deck will be available to you and to other registered delegates after the presentations. And there will be a Q&A session at the end where I'll be talking to Joseph from Thycotic, and you can enter your questions for that at any time during the webinar using the little dialogue box, which you should see in the window on your left or your right, depending on how you've set up today's webinar for yourself.
So, as I said, we have a distinguished speaker with us today. We have Joseph Carson, who is the Chief Security Scientist with Thycotic, one of the leaders in privileged access management. He's got 25 years' experience in integrated security. He won the Information Security Leadership Award in 2018, and he's also one of the Top 100 CSOs in 2020. So I hope we will benefit from his knowledge today.
He's also, as you can see there, authored five books, including Cybersecurity for Dummies, Privileged Account Management for Dummies and the latest, Privileged Access Cloud Security for Dummies, and cloud security is obviously something that we will be talking about today. So a very warm welcome to you, Joseph, and we're looking forward to your presentation in a few minutes. So here's the agenda. I'll start off; I'm just going to do a quite brief presentation about how the PAM market is changing and how the vendors are responding to the changing demands.
Then Joseph from Thycotic will come on, and he'll be looking at what you can do to improve PAM today and the importance of least privilege in PAM deployments. And then finally, we have our Q&A session at the end, where it's your chance to ask any of us, either myself or, probably more likely, Joseph, some questions that you may have about your own privileged access management experience.
So this first slide that I'm presenting, called the new business and security landscape, is one that I often use just to describe how PAM fits into the security and business landscape right now,
and some of the driving factors within that. So we have business technology, business processes, security integrations, and security processes. I'm not going to go through all of these, but I will highlight some of them that are particularly relevant to PAM. Cloud is obviously something that we've been talking about for at least 10 to 15 years, and despite the fact that we talk about it a lot, it still tends to cause problems for organizations, and it particularly causes problems for security.
A recent survey done by a vendor showed that 60% of the respondents felt that multiple cloud installations were causing problems, particularly when it came to PAM deployment. And I think we often forget that, as I said, cloud has been around, but it's still, by the standards of computing, quite an immature technology, in that many organizations have yet to deploy either fully or even partly to the cloud.
But when they get there, they find that they do have the speed and capacity advantages, but they still lag somewhat in trying to secure what's going into the cloud. And when it comes to PAM itself, there are some people who believe that putting credentials or high-value assets in the cloud itself is risky, and some security managers would prefer not to do that.
Along with cloud, we've seen the rise of virtual machines and hybrid architecture, but we've also seen another development that has almost got ahead of the rest of the processes in business and technology,
and that's DevOps. DevOps is now seen as a kind of savior of many organizations when it comes to developing new applications and new software and new deployments within the organization itself.
And again, there are undoubted speed and business advantages to DevOps, but within DevOps projects, the raw material and tools that those teams need to produce what the business expects of them require privileged access management: they do need privileged access to an awful lot of things, including code and applications, as well as data, et cetera. But because they're expected to work quickly and in a more agile way, there's a tendency sometimes to cut corners and break ranks.
They don't like security that gets in the way, and quite often PAM, the way that we've done it in the past, whilst it fundamentally protects privileged accounts and protects passwords, et cetera, doesn't always allow for these new flexible ways of working that business technologies, as they are appearing, really need. And that includes automation, AI, machine learning and IoT, which I've also mentioned under business processes.
Well, of course, the biggest change that we've all experienced, and one that we're actually using right now, is remote working and mobile working. Virtually all businesses have been affected in some way by the COVID-19 pandemic,
and we've had to shift to a fundamentally different way of working almost overnight. And it's largely been successful, successful in that we've kept the lights on and businesses are running.
However, the impact for security, and particularly for PAM, has been that once again the security of this has been slightly lagging behind what's been happening in the business itself,
particularly when it comes to accessing privileged accounts, where we're some way off from making sure that those people working remotely who need privileged access are able to do so safely and securely. Compliance is another area which is impacting hugely on business and security, and businesses now are under much greater pressure to make sure that they remain compliant.
And if they do lose data, or if they do suffer a breach, then they're liable to pay big fines under things like GDPR and the California privacy act. And that's a trend that is only going to increase, particularly in this post-COVID world, where more of us are working from home and need secure access to all sorts of things remotely. We're seeing also other developments: vendor access, the extension of businesses, as I said, to multi-cloud environments,
and within that we have people all along the supply chain who are getting access to what you might call the host organization.
Collaborative working, of course, is very much part of the mobile working revolution that's happened in the last six months.
And again, whilst this has been a success, we've had the tools already in waiting, as it were, things like Teams and of course Zoom, that have allowed us to work collaboratively and share files, but not necessarily securely. So we need to see more security integrations into this new business and security landscape, and that includes things like SIEM, better use of analytics, better use of multi-factor access, single sign-on, identity and access management, and of course privileged access management.
And all of those in that third column are becoming vitally important so that we can secure this new landscape. Security processes also are becoming more acute and need to be done more professionally, and they need to be done to best practice, and that means conforming to some of the ISO standards and things like NIST as well, so that if bad things do happen, and they will happen, unfortunately (we've seen the huge increase in attempted cyber crime in the last few months on the back of COVID),
you've got to be ready to brush up on things like incident response, your app security management, risk management, forensics, and of course auditing and reporting. So that's the background, I think, of where we are today.
So how does that leave the PAM vendors, or PAM itself? I think that the successful development of PAM will mean meeting at least some of these challenges in the next few months. We've seen how vendors themselves have developed over the years to offer a wide variety of suite products that allow PAM to cover most of the demands on it.
So they've gone a long way from just being a password manager and a password vault and a session manager into much bigger insight, doing analytics, privileged user behavior analytics, and other areas. But we might see a sort of split, so that we might see companies continuing to offer these wide-ranging suites, but we may see smaller players with more innovative ephemeral tools. And the question to ask is, will we be able to get the right balance between features and speed in the PAM solutions that we choose?
We also need to talk about what advanced PAM is. Vendors often talk about advanced PAM, but the fundamental technology of PAM is still pretty much wedded to vaults, passwords, and session management. Are we just adding more layers to PAM, so that every time a new risk or a new challenge comes up, we develop an extra layer and then that solves it? Does this make it less agile, less able to cope with things like least privilege and zero trust, which is something that Joseph will be talking about in a few minutes?
So what I'm trying to get at is that we need, perhaps, a kind of split in the market so that PAM vendors perhaps develop more for the needs of different sectors. So privileged accounts in the health sector, which is highly targeted by cyber criminals, and privileged accounts in finance and manufacturing may be used in different ways.
They may not be quite as valuable as they are in some other sectors. So what about those very small but very high-value companies that maybe only do one thing?
They may develop a particular type of software that is used perhaps for intelligence or another perhaps very important government purpose. They would also need perhaps a PAM solution which isn't available off the shelf. And finally, as we move into hybrid architecture and PAM and cloud architecture, how far is PAM going to protect the growth of hybrid architectures? How well can PAM protect secrets that might be held in the cloud? Should secrets be held in the cloud at all?
These are some of the challenges for PAM, and another thing we might see happening is that we'll see PAM develop more as a service and more for smaller businesses.
So at the moment, I think there will be no single solution for all requirements. So we might see PAM suites, which include all those things that we've just been talking about: shared account password management, privileged account detection, account lifecycles, application-to-application PAM, et cetera.
And then within that, they might get some of the more specialist stuff, such as short-lived certificates instead of passwords and DevOps integration. And we've called that broad functionality PAM.
And then we get into something which is definitely a growth area, PAM as a service, where individual organizations, and they may be smaller and maybe bigger organizations, may go for a more hybrid solution where you have PAM as a service in one part of the organization, but then you might have a PAM suite looking after the other areas. But PAM as a service is just as likely to have a credential vault.
It may well have MFA for admins, and it may have short-lived certificates and DevOps integration.
And you could chop and change PAM as a service, depending on what level is offered by the vendor; it might also offer account detection or application-to-application. But we're definitely going to see more PAM as a service, and that's what we've called mid functionality. And then special functionality is what I was talking about just now. And one of the most obvious areas that's been growing in the last year or so is PAM for DevOps or CI/CD.
And again, it would have perhaps some of the things that you would find in a broader functionality PAM suite, but it would very much have a credential vault, and it would almost definitely have some kind of certificates and a DevOps integration, fully integrated with the DevOps process. And so we might see PAM working in the way that DevOps does, so that they need access to secrets and they need access to code that may be embedded in containers and things like that.
So we're seeing PAM for DevOps developers, difficult to say, in the way that PAM users working in DevOps can access those things swiftly and easily, and without them seeing any particular blockage that stops them and tempts them to cut corners. I won't mention too much about this because I'm aware of the time. But I also think that we might see a reduction in our reliance on passwords in privileged access management. I call it the PAM pressure cooker. Passwords, just like in other areas of computing and security and mobile working, are still everywhere,
and we still haven't yet found a suitable universal replacement. And the reason why PAM passwords keep increasing is because IT volume keeps increasing, which in turn increases the number of privileged accounts, which also then leads to the increasing demand for speed of deployment. And that can also lead to more passwords.
And then all of that is quite often pushed through what we call legacy IT.
So the tin that's been in the stack for many years is still expected to process a lot of the privileged account management in the back office, as it were. So I think at some point we will see passwords perhaps continue to be used simply because some people like them; they like to manage them, and they like a vault, and they like to have a password manager.
But I think if we are to meet some of the business and security processes or pressures that I mentioned earlier, we're going to have to start thinking about reducing our reliance on passwords, particularly in privileged access management.
So how can we reduce that? One way is to do risk management. We always talk about risk management, but it's still the best way of discovering those privileged accounts which access the most at-risk data and services. And these we can describe as high-value privileged accounts.
So not the traditional admin accounts, which is where privileged account management sort of originated. We could do a sort of separation of duty: who needs access to the most, and who needs it fast? This is what we might describe as agile PAM. And so those people that need access fast and urgently may be offered ways where they don't need to have passwords, so they have just-in-time certificates issued, or something similar. As I said, we can shift high-value privileged accounts to just-in-time, ephemeral or password-free access.
Can we develop some kind of PAM ops solution, which is a kind of theoretical idea, so that we move the actual privileged access closer to the source, so that we would use automation and AI tools that speed this access, access which has already been cleared, so that automation has done the majority of the hard work in risk management and in deciding whether the people looking for access are who they say they are? And so zero trust and least privilege, which is what Joseph will be talking about, will also be applied strictly to high-value PAM accounts.
So, to close
my section, then, here are six possible futures for PAM vendors. PAM suites and more specialized solutions will sit side by side, but obviously, however it develops, the whole point of PAM is that it still needs to be regulated and monitored. So I'm not for one moment suggesting that all those features that are built into the best PAM suites right now are no longer needed, because they are. The PAM vendors may split their own suites, or they may develop specializations on their own, or they may acquire, as does often happen,
smaller vendors that come up with innovative technologies, such as perhaps a new form of encryption or data management. There will be greater use of AI; we're seeing that. And when I say AI, I mean machine learning and automation, and we're seeing it in a sense that it really actually provides value and use to PAM.
So, for example, keystroke detection can tell whether a different person perhaps is using an endpoint than was before, things like that. And AI will be used to analyze log files, et cetera, to find anomalies far more quickly than any person could.
We'll see more smaller businesses adopt PAM, and it will be part of distributed architectures, so that a small company along the supply chain which may need access to privileged accounts will become part of the PAM ecosystem
as much as that of the host organization. And organizations will need to start thinking about controlling the PAM overload, perhaps restricting users; it goes back to doing risk management and a survey of PAM accounts and discovery of PAM accounts, and to limiting access to accounts and doing that separation, so that you know what are high-value PAM accounts and what are not. We may over time see a phasing out of passwords, or of reliance on them, and we'll become much more reliant on ephemeral tokens or certificates, and one-time, just-in-time access to privileged account management.
So that's 1, 2, 3, 4, 5, 6 possible futures for PAM vendors. And I shall now hand over to Joseph.
Excellent, Paul, many thanks for the awesome overview and insights into PAM. I'm just going to go and share my slides. Awesome. So that was actually very insightful, and it's just a great introduction from Paul. And it's great to be here, and again, you know, really to share my experience and knowledge with you, and also how to get the most value out of PAM and also things you can do today in order to really accelerate your PAM journey.
So one of the things that I find in recent times, I mean for all organizations, we'll all have experienced over the past eight to nine months a big, massive shift in how we work. Now, the way I look at it is that, yes, you know, it's probably accelerated the path and the journey we were already on.
I think, you know, many organizations were already shifting to cloud and digital transformation, and many employees were already moving to working remotely or working from home.
Maybe not full time as we are today, but definitely kind of part time. And over time, I think, you know, in five to 10 years, we would have been moving in that direction anyway, but COVID-19 has definitely accelerated the journey and the path to working remotely.
I mean, I've seen it in other industries; I've been working in things like autonomous shipping and minerals and mining. And I've seen a lot of innovations in those areas where, for employees who are working in very hazardous areas, they had been looking at ways to reduce the risk to those employees by actually allowing them to do those jobs from safe locations.
And that's what we've really seen with COVID-19. Now with that, a lot of employees have basically gone into the office, picked up their laptops, desktops, whatever computing or whatever equipment they were using to do their job, and it may even be paper, but they're actually taking all of that data and information and devices and electronics and computing and taking it home.
And not only, you know, does that mean employees are actually working from home, but it also means in a lot of organizations, data and applications that may function or may not work outside the organization might require certain privileges, certain access, to function. And we've also seen a lot of privileges leaving the organization, where many organizations would have been dependent on the actual traditional perimeter of firewalls protecting those devices. And some organizations have even moved away from using antivirus, because basically they saw that the perimeter was protecting those devices.
And now with those devices moving outside, moving into people's homes where it's less secure, less protected, and in most cases directly connected to the public internet, meaning that those protections that the organization's perimeter would have been providing are no longer effective with employees working remotely. And that puts a lot of organizations in danger and at higher risk over this period of time where people are working remotely.
So, I mean, I've been doing it for 15-plus years now. So for me, definitely in the pandemic, it is a very different experience, because not only are you working remotely, but also your family and other people, and, you know, so it is very different; I'd say it's, you know, working remotely with the chaos added into it. Now with that, one of the things that we definitely see, and I just want to step back and talk about privileges, because sometimes we jump into really defining, you know, when I ask organizations, what does privileged access mean for you? What does it mean?
And in a lot of cases, the response I get is, you know, it's individual roles and responsibilities. It's the domain administrators who are working in Active Directory, that's privileged access, or those who have access to cloud infrastructure and are actually building out and running up services and web interfaces and so forth; they consider that as privileged.
But we have to step back and we have to look at the broader picture, which is that there are so many more privileged accounts out there, and more privileged access, than many organizations assume or even have accounted for.
And we have to look into a lot of those service accounts that are really in the background, running applications, doing automation, you know, along with even help desk workers who access systems to do troubleshooting, to reinstall applications, to apply security patches; and even, you know, in many of those cases, the non-human accounts which we need for infrastructure and network resources to communicate. So we really have to step back and look beyond privileged access just being the domain administrator account or the root account.
There are so many more accounts out there, in many cases sometimes two to even five times the number of devices that you have, which is approximately where you're probably looking for privileged accounts.
And I also say that almost all accounts are now becoming privileged. It's not just about the authorization or the privileges of the account itself, but it's also the data that they have access to. Meaning that you might have a doctor who has access to the medical records of, you know, thousands of patients; that's privileged access.
It may not be that they can do configuration changes, but they have access to sensitive data. And we're seeing those kinds of roles and those types of risks increasing over time. So we have to really step back and look at this broader picture.
Also, as Paul had mentioned, things like third-party vendor access are also increasing. One area that I've seen, definitely in things like IoT and industrial internet, is that even when you go and buy devices, let's say I've seen engines in the shipping industry, the organization might buy an engine, and they have access and they own the physical engine, but the data that's being generated by that engine is actually owned by the manufacturer, by the producer.
So they have to provide continuous access to those engines in order for the vendor to actually receive the diagnostics and data being generated. So they're also seeing a lot of complexities as more smart devices and IoT technology evolve. So this does create a lot of complexities now for organizations in how they traditionally protected this, and still today that is through the traditional perimeter.
They're really looking at making sure that they have a fence, firewalls, network devices, and really making sure that attackers and those internet-facing devices are secured as much as possible. Now, cloud computing and increased mobility mean that we've also seen this perimeter starting to disappear and almost evaporate, and actually up to 80% of breaches are conducted using stolen credentials. So simply, we look at, you know, how do organizations try to protect against this?
Well, those doing defense in depth, you know, 10 years ago, I would have come to you and been talking about doing security like an onion, you know, putting in additional segmentation, separation of duties, doing more layers of security to protect the more sensitive devices.
So ultimately your more critical devices were right in the center of the onion, and then as the layers went out, basically they got less sensitive and less risky.
And therefore basically looking at doing defense in depth by putting, you know, trusted insiders' data into security vaults, adding more layers of firewalls, segmentation of networks, VLANs, also event loggers in order to be able to see what data and what's happening on the network. But attackers simply take the simplest approach; you know, like myself as an ethical hacker, what I end up doing is I look for what's the least costly, what's the quickest method, what is the stealthiest method in order to gain access.
And in many cases, it's not going through the front door, it's not the misconfigured web server; simply, attackers today take basically the path of least resistance.
And that means stealing trusted insiders' credentials, targeting the people, asking people for their credentials, and in many cases those victims are unknowing, unsuspecting secondary victims who allow that attacker to get access to the network. Putting on this disguise as the employee, simply putting on that employee's uniform, is what it's like in real life, in order to get access and walk through the security controls that organizations have put in place.
Looking at that, it's authenticated, authorized access, but really the person who's doing it is not who they suspect or who they're expecting. And also this means that not only are they able to access internal network resources, but they're also able to bypass and go straight to cloud services. And this causes a major challenge for many organizations. And it really means we need to take a different approach. We can't continue on this path.
You know, even when we do cloud transformation, we can't apply the same security controls that we do on premise and apply them to cloud; that doesn't work. And it means we need to take a step back, and it means it really needs to focus on actual risk-based access. This is the direction we need to get moving in, to make security basically much more adaptive, and to really focus around what is the risk we're trying to reduce, because that's ultimately what security's purpose is.
And for many attacks, many criminals out there, their basic way of gaining access is simply through phishing scams, simply sending an email to employees that looks authentic. You know, it looks like it's from a legitimate internet service, and ultimately, unknown to the victim, when they simply click on the link, it takes them to a login page, and they see this day after day. And even just recently, last week, I actually did a live simulation of stealing cloud credentials.
And we'll also be doing another repeat version next week, where I basically set up evil captive portals that allowed unsuspecting victims to access a Wi-Fi access point, throw them up a captive portal, they put in their credentials, and so they're giving me access to their email addresses and email accounts and their digital footprint. And this is basically the easiest way that attackers are gaining access, simply bypassing and getting the employees to give them their credentials in order to get access to all of this.
And many that I've seen this year, you know, simply asking for people's passwords is one of the easiest ways to get access: speeding tickets, parking fines, health insurance has been popular, COVID-19 has also, you know, seen a significant increase this year, and delivery and logistics information, as a lot of people are buying things online. And these are a lot of the methods that are basically out there to try and trick the employee into giving up their credentials. And it works; many criminals are being successful at using this method.
And if you look at some of even the most common breaches out there, it comes down to poor access controls, insecure applications and APIs, misconfigured cloud storage. You know, human error is probably one of the biggest increases in the past two years, over-privileged users, shared credentials, a password being basically the only thing preventing a cyber criminal or attacker from getting access, shadow IT, and third-party and employee access.
And a lot of things that organizations have relooked at; we're always looking at ways forward, how do we reduce the risk?
How do we make security better? And this is sometimes a bit of a push and pull, really, for me.
Because, you know, zero trust has been one of the big popular items in the last few years about how do we actually enforce and get better security. And for me, I think that we really need to take a different approach.
Yes, risk-based is the center of things. And zero trust is really about making sure that you don't trust anything, even if it's already authenticated and connected. It's all about continuous verification and continuously making sure that as the risk changes, as user information changes, as the location they're coming from or the device they're accessing from changes, as all of that changes, you continuously verify.
And we verify and re-verify for them to continue getting access. For me, I think we need, well, I don't like the term zero trust.
I think that we're in a situation where we need to make security usable. And actually, getting to the point where there's too much security is not good for the business. Ultimately, what we're trying to do is make the business successful, make the employees able to perform their job. So it means that we need to take a different approach. Zero trust is good when we're talking internally about security, but when we're talking about the business, security is a service to the business, to reduce risk, to make it more resilient to the attacks out there.
So it means that zero trust, as we start talking to the business of this term, I prefer to look at it as building digital trust. We need to make security, positive experience.
We need to make it basically something that helps the business become more business resilience, become, you know, better at reducing the risk. And this ultimately is a better term for me that I see zero trust is it's all about building that digital trust for me. When I think about board is privileged access management fit in all of this, where does it fit in that zero trust approach?
How does it fit into making sure that organizations become more resilient? For me, privileged access is almost like a continuous digital polygraph test for access. It's about looking at the different factors, the different attributes, and trying to determine, whether it's human interactive or non-human interactive, meaning that you're looking at the environment, you're looking at where it's coming from.
You're looking at the time of day, you're looking at the type of data it's looking to get access to, and bringing all of that together in order to understand: is this something that looks authentic?
Is it something that is pre-approved? So really getting into treating privileged access as a digital polygraph test, and it means that we need to move to classifying trust dynamically.
I see security, the way it works for the business, as becoming like a living organism that is able to adapt and change to the different threats out there. And it really means that as the threats increase, the security fence can increase with them, and as those threats decrease, it can decrease.
So that friction and the ability for employees to perform their job: ultimately employees, in many cases, have goals. They have performance metrics to meet. They have profits to make. And ultimately our goal in security is to help that employee be successful. Even here where I'm based in Estonia, we took a very different approach to how we do security.
We look at it from a service-defined network: ultimately, what is the service I'm providing to that user?
And how do I make security agnostic and hidden in the background, to make sure that we reduce the risk? And this means that no matter what device the employee has, which could be BYOD, their own mobile device or tablet, whatever it might be, or a corporate device such as a laptop, which is managed and has security controls and policy applied to it, ultimately what ties those together is a digital identity. And this could also be an application. It could also be a network device. It could be infrastructure. It can also be machine identities that get tied to that.
Ultimately there is a digital identity applied to either human or non-human, and they all need to have access.
They need to perform the job, so they make requests into the organization, across into the cloud as well as cloud services, in order to perform different actions and tasks. But ultimately you want to make sure you do continuous verification, while also not causing friction. So you want to look at this from different factors of risk.
So you want to make sure you do something like multifactor authentication, but if I'm coming from the same device all the time from the same location, the risk might not be as high. And maybe that device changes, the IP address changes, the browser type changes. Then you might have increased risk there, and justification to reverify that authentication from the user. And also you want to do separation of duties between authentication and authorization.
And this is where privileged access management comes into it.
This is where you have that separation of duties between the authentication portion and the request for access to privileged systems or data or web services or applications. And this really allows privileged access to do that authorization separately: segregation of duties. And this can be done not only on premise, but also for cloud applications and web services as well. And that means that ultimately, if an attacker does get access to a device or a password or credential from an employee,
it only allows them to compromise that specific device and doesn't allow them to abuse the user's credentials to gain access to internal systems. And this is really about securing access, not just to the on-premise network, but also to cloud environments as well, ultimately allowing the employee to access those from the vault into the cloud services to perform their tasks.
And I think one of the biggest things I look at is: where does this fit in many organizations? So I developed what I refer to as the privileged access management matrix.
It's all about asking the right questions and understanding what is unique to the business. I developed this from my experience being a domain administrator in a data center, and I looked at it from a classification perspective: it's all about classifying risk, by creating things like risk registers, as not all privileged accounts are equal. So this is really about asking the right questions. For organizations, why is privileged access needed? What are you using it for? Is it to do configuration changes? Is it to run backups?
Is it to install software? Is it to access specific data?
Is it to deploy patches, or is it to interactively interface with applications and GUIs? What types of privileged accounts are out there? Is it the top-level domain accounts, which should be very locked down and secured and under, let's say, very tight controls, versus those privileged user or server accounts and so forth? As I mentioned, not all privileged accounts are equal.
So it's really important to understand that each of those has a different risk classification applied to them, and to understand what types of accounts you do have. And I do recommend labeling them: things like shared, labeling them as human interactive or system accounts, having them labeled correctly as to what the interaction between them is. Who uses them? Is it your IoT device? Is it a light bulb connecting into the infrastructure? Is it some type of production line automation?
In my case, is it an autonomous ship that's connecting to your infrastructure?
Is it developers writing code or DevOps? Is it applications, third-party contractors? Really understanding the classification: who uses them, where are they found? And this is a very complicated area. Is it on premise? Is it in virtual machines, is it part of infrastructure hardware, is it in the cloud? Is it hybrid, private? And also how do they get used, the interactive side of things? And then, more importantly, what security controls are applied to them? And then you get into really understanding that: is the password satisfactory?
Do you need to have things like auto-launching into the target system, so the user doesn't have to type in a password or even know a password? Are you doing just-in-time interaction or just-in-time access? And then understanding, ultimately, what are the risks if compromised? What are you protecting against?
Is it about malware? Are you worried about financial fraud? Is it a data breach, or data poisoning, insider threats?
What are you really looking to reduce the risk from? Because ultimately my job in security is not to do security for the sake of it.
My job, when I go into organizations in my advisory role, is looking at how do I reduce the risk to the business? How do we make them more resilient? How do I make employees successful? And this means we really need to get security to work. It's all about the secure way being the best way, the easiest way and the most usable way for the employee to be successful, not putting up barriers and controls just to be secure, because ultimately employees will find ways around them.
And this means we need to get to the point where, yes, zero trust is the methodology, but in order to achieve it and also build that digital trust, it's all about applying the principle of least privilege, meaning that you get access just in time, when you need it, without having to go through major policies and controls.
All of that can happen in the background.
And for many organizations, the common practice, even when I was a data center admin many years ago, was that I had two accounts: one account that I would use day to day to access email, to do different day-to-day jobs and interface with the office applications and so forth. But for me to log into a system with, let's say, OpenView, or to do configuration management or System Center, I would have a domain account that I would use for more of those administrative tasks. But ultimately that was a risk.
When I'm using that account, I have knowledge that I could share that account with others. And that means losing controls and losing visibility and protection; it does expose organizations to greater risk.
So most organizations have moved over to the privileged management side, the vaulting side of things, putting those into vaults where you check them in and check them out, with digital security controls, authorizations, checks and so forth. But ultimately you want to get to the principle of least privilege.
This is really where employees can perform their job, access systems with ease, while also making sure that access is limited to just the elevation that's needed, and not just giving a user an administrator account to do that job. And that admin account can do many different things, from changing configurations to installing applications, et cetera.
You want to limit it to just the task at hand. With the principle of least privilege, when a user comes in and they need access to a system, they make an authorization or connection request going into a vault and saying, I need to access this system in order to do this service desk or help desk ticket, to do a vulnerability scan, to do an application upgrade, to make a configuration change in the service to add new functionality.
And that will actually check and verify and make sure that I am who I say I am.
It will take the risk approach, making sure that I'm coming from an approved location on a proper device, I've got the right browser running, I may have a VPN connection open. It might say, oh, I'm in a different country today, therefore it requires an access workflow, meaning one of my colleagues has to go and approve my access into that system. It might say that this is a very highly sensitive system, so therefore we'll apply session recording and monitor your access.
So really getting into the checks and balances, making sure that I should be allowed to access that system. And then ultimately, after those checks, it gives me a connection to the machine or to the application, but not necessarily an administrator account; it's saying that you can log into it.
You have an interactive shell or a remote desktop, or you're logged into this web application, but not as an administrator. It's only the tasks that get elevated. And this is where application control gets applied.
And really what we're looking at is the principle of least privilege; you can apply it everywhere. I might be logged into a web service as a user, or even a cloud application. And rather than doing role-based access, where it's really about having different roles, and where many applications out there don't have enough definitions or role customization to meet your needs,
the principle of least privilege allows you to block out certain requests or certain buttons on the interfaces, to say that you need to request authorization, or you need to provide additional security controls in order to get access to that button.
And this is really where deny, allow and restricted listing allows you to do this on-demand elevation, real time, on demand, that allows employees to still be successful in their job while reducing the risk to the organization, becoming more resilient.
So having that balance between, yes, security, but also business, and making security a positive experience, is one of the crucial things that we need to get to. And the way to get there is really the seven steps to success. This is what we refer to as the PAM lifecycle, and it's from one of my earlier books.
That was Privileged Account Management for Dummies, and it's really about defining privileged access. Organizations need to have a good definition and a good policy around privileged access, really understanding what's acceptable use. And then you get into the next phase, which is the reality check, as I refer to it: discovering those privileges out there.
Not just the ones on premise, not just the ones in virtual environments, or the ones in hardware and the ones in IoT devices, but also in the cloud, understanding across that hybrid multi-cloud environment, getting visibility into what's out there. And not just the domain administrators or local admins, but also the ones that have access to sensitive data. And then the next thing you get into is security controls: understanding what controls are there today and where you ideally need to get to.
And potentially also what's your gap in things like compliance and regulation? Do you have a gap? You might say that these privileged accounts are required by PCI compliance or ISO or GDPR, but you might have a gap in the controls that aren't there yet. And therefore, allow privileged access to help you put the right controls in place, automating a lot of those in order to make sure you get a fast track to compliance as well.
And then it's not just about getting the controls in place, but understanding the usage and access, making sure you're monitoring the access, making sure you're able to alarm and alert when things look abusive or suspicious. So not just monitoring the access, but then going to the next stage, which is alerting the business owner, the privileged account owner or the application owner when there's activity, so they can determine whether it's approved or authorized or something that needs to be investigated.
And I can't tell you how many times an organization hasn't had privileged access integrated into their incident response plan. When I get called in for incident response or digital forensics and I start investigating, when I get given an account to do that audit log gathering and reporting, what ends up happening is you get accounts which are already compromised, which contaminates the evidence gathering.
You need to make sure that you have a very solid PAM response and PAM readiness.
That's part of your response plan, to make sure you can respond effectively and make sure that you have an account that doesn't contaminate the log files, and also allows you to quickly eradicate and get back to productivity quicker, if you have a very solid incident response plan with privileged account management integration. And this isn't a checkbox, this isn't a one-time-only thing. It's a process.
It's a way to make sure that as new systems are deployed, as new, let's say, innovative solutions are rolled out, privileged access management, once it's done, can effectively enable them.
It allows you to accelerate many other processes and innovations. Even here in Estonia, by looking at it and making sure we do it from a service-defined network and a service-defined approach, and also building that digital identity into the core element, that allowed many digital automations to be innovated around things like voting and health and tax returns. All were able to be successful as a result of having privileged access, having digital identity and a really good continuous process for that.
So this is something that you do continuously over time and improve, but it becomes a very core part of success in things like identity and access management, and success in vulnerability management, threat analytics and cloud transformation. So ultimately Thycotic has a few products to help you. I'm not going to spend much time here, but Secret Server is where we have the ability to allow you to get the base vaulting, rotation, visibility, discovery.
And then we have Privilege Manager, which is the ability to apply the principle of least privilege to endpoints. And then our Cloud Access Controller is the ability to apply the principle of least privilege to cloud applications, SaaS applications and databases.
So these three solutions combined together really help you get that very strategic principle of least privilege, and also getting into privileged access management and going beyond zero trust to a much more adaptive, risk-based approach to access to your organization. And to help you get there, and to educate and share my experience and knowledge,
I offer my latest book, which is really about privileged access management without perimeters, going beyond the traditional perimeter, and also how you apply privileged access to a multi-hybrid environment and get good control and visibility. So the latest book, Privileged Access Cloud Security for Dummies, is available, and I do recommend downloading it and giving it a read. This is something I spend a lot of my time on, making sure that from an educational perspective it helps you become better aware and knowledgeable about the topics.
And my last statement, that I always say, is that understanding hacker techniques and processes is the best way to defend against cyber attacks. That's the best way to understand where the attackers are going to come from, where your weaknesses are, where you need to have better visibility,
where you need to emphasize and maybe put controls in place, where you might need to do awareness training. But at the end of the day, everything we do is about helping the business. So focusing on business risks is your best way to get security budget.
That's ultimately what helps your organization be successful. So at the end, security needs to be usable. It needs to be something that helps the business be successful. And that's what security is about, around innovation. And that's where the future of security is: where we have a better return on investment, but also a better, positive experience for security. That's the path, and that's the future path. So at this time I will open up for questions, Paul, if we have some questions coming in.
Yeah, thanks Joseph, that was excellent. Really good points. I really liked the message about the business. It's all about the business; it's not about just putting controls in the way for the sake of it. There were hundreds of great messages in there, but that was one, and also the continuous review and update, that line in your second-last slide, is vitally important. So we do have some questions.
And the first one is actually, I mean, I spoke an awful lot about passwords, et cetera, but do you think biometrics will help us in PAM
Or not? Absolutely, biometrics have a place in the authentication side of it and in our future. We've seen the adoption definitely in things like mobile devices and even in later laptops and so forth that have all had biometric integration. But it's really important to step back and understand where biometrics' position in all of this is.
And there's always a misunderstanding. I've always heard that quote, and even some great speakers at KuppingerCole events have also stated this: we have to remember that biometrics do not replace passwords. That's a misunderstanding, a misdetermination.
But yes, what they do is reduce the interaction between humans and password entering. That's definitely what they do, but actually where biometrics are, what they do is they replace the username portion.
A biometric is an identifier, not a secret. Passwords are secrets; usernames are identifiers; biometrics are identifiers to identify people, but they do have better security attributes than a username. And that's really where we look at biometrics being a much better security control as a username replacement.
So where we do see biometrics is that it reduces that interaction between the human and the device, and ultimately, where users don't need to create passwords or interact or type in passwords, it reduces that threat landscape of password compromise. So biometrics will replace the username portion for sure, but ultimately you still need to have passwords as the secret, or what you referred to earlier: is it multifactor authentication, which augments the biometric, is it a PIN? Is it some type of push?
Is it some additional authorization that is an extension of biometrics, especially when we talk about privileged access? So biometrics are great to reduce that interaction side, but they shouldn't be seen as a security control replacement for a password.
Well, staying on that subject then, where does PAM fit in a passwordless world? I mean, it's a great playbook, it's where it's going, and passwordless authentication is growing, but where does PAM fit in?
Absolutely, a great question. And that's something even you highlighted as well.
And I agree. I've had numerous discussions with Ian Murphy on this, and with other journalists and analysts as well. And one of the things is that I think sometimes the word passwordless is misrepresented. I think it's not about password-less; it's about less passwords. I think we need to put the "less" in front of the password. It's about less interaction; it's about reducing the human interaction and the locations. We also forget that, on the non-human side of things, there are still passwords contained in databases.
There are still application passwords; there's authentication and authorization that happens in the background. When we really do talk about that passwordless phrase, it's all about the human interaction side. It's about me going to, let's say, a web service or remote access and not having to enter a password, or some type of either push notification to my mobile device, some type of access workflow, or some type of biometric or additional authentication. But it's all about that human interaction.
It's about me interfacing with technology. And ultimately, yes, it means that I have to enter the password less, but at the same time, there's some type of password exchange in the background, whether it's a certificate or an application password and so forth.
So for me, it's not password-less, it's less password interaction with humans, and that's the path we'll get into: the less we have humans creating, entering and generating passwords, the more secure we will become.
Sure. I like less passwords. That's a very good way of putting it. A question here from a delegate says that my environment is a mixture of on-premise, cloud, SaaS and virtual, well, he's got everything. So how does PAM help in such a hybrid environment, which is becoming more common?
Absolutely.
A lot of organizations, as they did that digital transformation and adopted the cloud and went down the virtualization path, also had to deal with different types of remote users, third-party contractors, sensitive systems. What I do see is that in those very hybrid environments, privileged access is really what brings it together. It removes the silos. Privileged access, as I mentioned earlier, is really that ability to bring integrations and authentication and access between those different environments.
It really acts as, let's say, an access proxy that allows you to have better visibility across those multiple departments, because one of the challenges is that many organizations will have one solution that solves on-premise, one solution to solve virtualization and another solution to solve the cloud, ultimately having three separate solutions but losing that visibility and transparency. And I think privileged access is really where you get, can I say, a holistic view of access across those very complicated hybrid environments.
So I do see privileged access as being that holistic security view for access in a multi-environment hybrid scenario.
Okay. We're running out of time, so I'll just make this the last question. Can I start a PAM project at any phase of an identity and access management project?
That's quite a long question, but I've heard that question many times. One of the things I do say is that yes, you can start a PAM project at any time, before or after. My recommendation is to start your privileged access management journey earlier.
It can make your identity and access management journey better and more successful. So starting PAM after, you could do it at any point in time, but doing it first will accelerate your success with identity management, for sure.
Okay, that's great. I think this has actually been one of the most well-attended webinars I've done for KuppingerCole. So congratulations Joseph, on your pulling power.
Also, I think it was a really good explanation of the issues, while your bit was, I'm not going to say that mine might be worse, but I would urge anyone listening in to get their colleagues to listen to the recording of this, because I think it'd be a highly useful thing to do. All that leaves me to say then is to thank you again, Joseph, for your contribution today. Thanks to Thycotic for supporting the webinar, and thanks to you for listening, and I hope to see you again on another webinar. Thank you. Likewise. Thank you.