Hi there. Good afternoon. Welcome to this KuppingerCole webinar, which today is supported by BeyondTrust. And we're talking about the identity and access challenges in a multi-cloud world. And I'm delighted today to be joined by Brian Chappell, who is the deputy CTO of BeyondTrust. And he'll be speaking a little bit later after my slides. So quickly, before we get into the actual event today, I just want to draw your attention to some events that we're doing very shortly. So we have our KC Live event, a virtual event, Securing Industry 4.0, next week, October 27th.
That's online only, and it's a free event. And then we have our hybrid event, which is, so, people can meet in real life and also online. And that's between November the ninth and November the 11th. And it's taking place in Berlin. More details are available on our website.
And you can register there. For this webinar, just to let you know that you as a listener are muted. So you don't have to worry about controlling that yourself. We will run a little bit of a poll, a question at the start and then discuss the results later on. And talking about discussions,
there is of course the Q&A session at the end of the webinar, where hopefully we can get some discussion going between yourselves, myself and Brian. And finally, for those of you who have partners or colleagues that wish to see this, we will record the whole thing and it'll be available very soon on the website. So let's just have a look at what we're talking about. I'll be talking about in a minute how we've gone from cloud to multi-cloud and to probably multi-multi-multi-cloud. Brian will then look at a little bit more detailed, sorry.
And then we'll be looking at how IAM and PAM can help us navigate this new world. And then Brian will also talk a little bit more about some of the solutions available to you. And then of course we have some Q&A. So just to get us going, here is the poll. So we're asking you, what do you think is the biggest challenge to security in a multi-cloud environment or in, in multi-cloud environments?
So first choice: ransomware or other forms of malware; credentials, secrets or data left unprotected in the cloud; no control over privileged accounts with access to the cloud; or poor cloud architecture design and a lack of network hygiene. So we've got four possibilities there that you might think are the biggest threats to multi-cloud security. So we'll just let you listeners vote and yeah, so they're voting away. So while you're doing that, I'll start my presentation. So, cloud or multi-cloud: how everything has changed.
So yesterday we had a picture of, well, perhaps not it a, but certainly things were a lot simpler than they are today. When we had, you know, we had networks that were constrained pretty much to the building. We had computers that were connected simply to that network. There was no such thing as the internet and everything was fairly easy.
I'm sure, probably in reality it wasn't, but compared to today, people would look back perhaps on this time as, as a lot easier to manage than, than today.
So let's quickly, just out of interest, let's see where a lot of people think that the cloud is a fairly, it was invented perhaps in this century. But actually if we look at this chart, courtesy of the British Computer Society, you can see that it could be traced back all the way back to 1960.
And for me, two of the highlights in this timeline are Queen Elizabeth the Second sending an email in around about 1972, I think that must be, which, which I'm quite, I didn't realize that. And then the White House installed its first computers, et cetera. But then again, the internet is seen as a, you know, late nineties, post-2000 phenomenon, but the first computers connected to what was then probably called something different, but it's now called the internet, happened around about the mid eighties. And then of course the big change, the World Wide Web, happened in the early nineties.
And then the very first mention of the word cloud apparently was in an internal document of the now-defunct computer or PC manufacturer Compaq. So the actual idea of a cloud was, goes back to way back to 1960 or thereabout, but the idea of calling it something and marketing it probably happened around about in the late nineties. But then of course we get into what you might call the, the era of cloud in, in the corporate and enterprise sense when Amazon Web Services first launched in around about 2005 or so.
And that probably was what changed everything and really created what we're now talking about cloud and environments.
And just for fun, I just thought I'd show you this. This is a NeXT PC or a NeXT computer system, which was created by Steve Jobs after he was fired from Apple. And what's interesting is this was a late nineties machine. And then consider that in the nineties.
It says there's only 10 real breakthroughs in computers, and here are seven of them, but what's worth noting is NeXTmail, which was the first, well, was then seen to be a fairly progressive thing to have in a computer. So that's what computers looked like in the nineties.
And they were pretty much designed for closed systems to systems that, you know, client server that were connected maybe to databases or on-premise data centers, and no matter how sophisticated they were, they couldn't do much more than use the data that was based locally, but they could at least get on what was then the early internet.
And they could send emails. NeXT computer was a beautiful thing. It was sold for about, I don't know, something like $3,000 or even then, and it failed, but it was just a nice bit of history there for you.
And again, I'm not going to go through every piece of this, but you can see how since 2005 it's really, really become complicated and an awful lot has had it is, has been happening right up. I mean, this isn't even up to date; that was done in 2017. And just talking about next gen cloud, things like Microsoft launching an undersea data center. I'm not sure what happened to that, but anyway, so that is the world that we are living in today. And there's no shortage of guidelines on cloud strategies, cloud architectures, how to navigate the cloud, how to build it.
And of course, how to create a secure cloud. I mean, this is just a selection of book titles that I Googled and you will find hundreds, probably thousands more. And the message here is that the cloud has become very, very complicated and quite hard to manage.
So we need to somehow make sense of cloud access because in the end access is the key word. There's no point in having cloud, unless people can do stuff with it unless they can actually access the things in it. There is no such thing as a standard cloud deployment.
You, you can't just say, well, just, this is the cloud deployment that is written down in a guidebook and it'll fit every organization because clouds, you know, that well, the illustration on the right is a, just a rough diagram that someone's done to build part of a cloud. And it's part of some kind of batch processing operation. And that's just a very tiny part of probably one organization's daily operations. And we're told now that organizations probably have 10 to 15 different cloud infrastructures. It's probably more than that. Network architects are good and bad, like, like the rest of us.
So some cloud infrastructures are better than others, but usually they are designed for access and speed of access, less so for secure access and less so for managing things like privileged access. So securing that access is, is a major challenge, and identity and access management has, in that period, the post-2000 period, emerged to help meet this challenge. And privileged access management, though, has often been a bit of an afterthought, but both of those originally were conceived for less complex network operating environments than we have.
And both of them are now challenged to, to keep up with the cloud and multi-cloud environments that we are seeing. But let's just see quickly how IAM and PAM are important and what they can do for our business, because in the end, everything we do in IT, everything we do in the cloud, everything we do, access management is not done for itself.
It's done for the business or the organization and the goals of that business and organization.
So to make the right decisions on identity and access management and privileged access management in the cloud, you need to understand what they can do for your business. And the four key things that we identify are access, compliance, security, and efficiency.
So access, as I've already said, is the lifeblood of modern business processes. And, and you need to manage and audit the access for people and things to applications, services, machines, other things, databases. And this goes on, all of which will now be found probably in some form of cloud. With that, you need to ensure that the right people are getting the access to the right things and not the wrong people getting the thing, access to what would possibly be the right things to them if they have the right privileges, but they don't.
And if you don't sort this out, then you're going to be in with regulatory bodies. You're going to be in trouble with privacy laws and things like GDPR or everything that you undoubtedly have heard of. And security. We talk about security almost on a daily basis. And sometimes we talk about it so much that it kind of loses its meaning, but it's still fundamentally one of the reasons why you need access management, and that's to prevent unauthorized and malicious entities from gaining access to your secrets and your networks.
A lot of cybersecurity applications software can do a lot of that, but increasingly attackers can get beyond that and they can get into inside the networks, which is where the access, the privileged access is enabled. So security is, is, as I said, it's something we talk about almost glibly, but it's, it's fundamentally important. And then there's a, there is something else which is more related to the business, which is efficiency or productivity.
Something that we hear a lot about these days in terms of the economy. If you improve user access and data flows, you're likely in the end to get productivity and efficiency gains for the business itself. So whilst compliance and security are the sort of things that you need to lock down, at the same time IAM and PAM in the cloud will also, should improve the efficiency of doing stuff.
And we at KuppingerCole, we've kind of put all this into what we call the identity fabric. So this is a very high-level view on what identity fabric is, but on the left you have our digital identities.
And as I said, these could be anything these days from machines to humans to applications may not necessarily be a cat, but you never know what the future might hold. And then within that identity fabric is our IGA systems.
Again, IAM, PAM, identity providers and then things that provide access, which keys, biometrics, passwords, plus stuff that is coming down the line. And then within identity fabric, we should then, if it's designed well, give access to the right people, to the right digital resources on the right. And then let's have a quick look at what we call the identity and access management universe, as use cases for IAM have multiplied.
So on top of that, IAM has sort of mushroomed or allowed an ecosystem to develop around it.
So we've got extra applications, and I'm not going to read all of these out, but you can see for yourself that we have things like security incident and event management, which helps us find out exactly how people are using IAM and, and by extension PAM. And also what happens when it goes wrong. And then added to that, we have user behavior analytics and so on. We have privileged, sorry, we have policy engines and multi-factor access. So as the cloud has become more complex, so identity and access management has become more complex.
It's more complex because of all the things feeding into it. But those things tend to be not all of them, but they tend to be fairly essential, especially in more complex organizations.
Now we're seeing what we also have identified is, you know, much more dynamic clouds, more dynamic operating environments. So we have clouds being used, for example, DevOps and also for, for production purposes.
I mean, again, I've sort of drilled down on a very small cloud environment here where you've got different clouds, perhaps used for testing, coding, and orchestration, and then that's sent out to production. But access management is now sitting in a key role to allow access to these dynamic clouds. So the clouds on top of the existing clouds and the keyword is dynamic.
Again, it's about speed of access, but people are doing dynamic things and they need dynamic cloud access to get them done. So again, this is adding more stresses on access management and identity and access management to deliver security and efficiency and, and business value.
And then finally, we also introduced a new concept or a paradigm, which, which builds on this. So we're calling it dynamic resource entitlement and access management, which is a way of architecting, I guess, these, this environment. So we have the center of it or the architecture.
We now have a dynamic resource entitlement access management, but that includes everything that we've sort of been talking about. So within that we have policy management and enforcement and automation, IAM, PAM, cloud infrastructure entitlement management, which has grown also out of this proliferation of cloud, and access governance. So this is something fairly new that we've identified at KuppingerCole.
We're going to be talking about it a bit more over the next months and years, but we do see that this paradigm really does work quite well with the new cloud, multi-cloud, dynamic cloud environments that are springing up all over the place.
And, and it isn't just for large and complex global organizations, although they are the ones that are probably in need of better control of clouds, but, but every kind of organization, even cloud native ones, would do well to start thinking about how they can manage dynamic resources, how they can give entitlement and access to them.
So that's something to digest a bit more when you get the slides, have a good look at our architecture diagram there, which funding you need to really, what do you want out of secure access?
So when you start reappraising what you have out there, you know, thinking about the usage of it, and list the applications, the services, databases, and other key components that you wish to be connected to, and think about all sorts of users. You might not realize that you have non-human users in your domain, but you probably do. Think about how well legacy architectures will fit with the clouds, how old devices, old endpoints, think about that as well as new, new architectures.
And then you've got to start thinking about best practices, et cetera.
I'm not personally, I'm a technologist or a technology, the technology lover, and I believe in the power of technology to provide security and access without having to tell people over and over again about secure security awareness. But you do need to educate people about best practice for IAM and best practice for IAM in the new cloud environment. And then finally prepare a roadmap for your IAM journey.
Now, of course, those four things are very, very high level and very easy to roll it off on a presentation. And of course in reality, that process would be quite complex and would take some time to get right. But they are kind of like the fundamentals of it. So with that swift run through where we've come from to where we are now, I'll hand over to Brian, deputy CTO beyond
Hi, Paul, too many screens popping up there as we transition. So there we go.
Hopefully, hopefully people can see me now.
I can see, I can see your screen at least. So you see my screen, I think you've switched your camera off, but
I think it is on hopefully. So it should be there that people can enjoy the, the chaos that sometimes looks like my office. Thanks for, for, for going through all of that, Paul, a really good way of setting up some of the scenario. And I'll elaborate around some of the aspects there.
And obviously, you know, looking with a particular focus at privileged access management and, you know, how our vendors like BeyondTrust can actually help organizations deal with this kind of multicloud world that we find ourselves in. And it's one of those interesting scenarios.
You know, I've been around the industry long enough to, to remember some of that earlier timeline that, that Paul put up. I started in kind of like the mid to late eighties. And so I remember that evolution into cloud in the nineties and hearing about it and thinking, well, yeah, people are gonna end up with a singular cloud vendor that is going to try and lock them into using just them.
And I think what we've seen over this period of time, as confidence was still growing, that people have actually moved into more clouds.
And currently we see that it's normally at least three different clouds that are being used, and this is across different elements of the service. And if we think about just the classic software as a service, infrastructure as a service and platform as a service, then they've obviously, they've often got pieces in, in each area of that. When we start going into all the other aaS provisions, this can grow quite dramatically.
And, you know, a recent glimpse of McAfee study identified that over 1900 cloud services being used on average in organizations around the world. And we sometimes, I think, forget about all of those additional SaaS-based services, you know, Dropbox, Box, ServiceNow, Salesforce.
They're all services that are being provided, and all these APIs that are being used to pull data back, they're all out there, they all form part of your cloud strategy.
So it's, it's a really big challenge in trying to get your arms around that. Not least of which, because each one of those cloud providers has approached certain fundamental aspects of the cloud itself in different ways.
Identity is one that leaps out straight away, as you have there Azure AD, AWS has its identity, which is kind of more old that based on, Google identity is yet another, you know, just to pick out of those three. So you're potentially left with not only three different kinds of identity there or more. You've also got different approaches to the structures that go around securing those identities or empowering those identities for want of a better term. And the native tool sets that are out there are, as this slide says, somewhat incomplete. There are still gaps. There's still other things you need.
Yes. They allow you to manage the infrastructure we're working with, but they're not really designed to help you manage the infrastructure that you use to manage the infrastructure that you're accessing.
And we're still finding organizations who are hybrid. And I think this is going to continue for a good long while that we're still seeing that, that people are keeping some things on premise. They're moving a lot to cloud and many are on a journey towards a hundred percent cloud. You may be one of them.
You know, it's an interesting phrase, a hundred percent cloud because you're still going to have a laptop or even a Chromebook or something like that to access it in the first place. So some of the infrastructure is always going to be local to you, but it may not be local to your office, you know, with the changes that we've seen in recent times, and this, this migration to cloud is, is changing the way we're working just generally, you know, with what's going on over the past 18 months, two years, we've, we've also seen changes in the way we work generally.
So, you know, pre-cloud, we were very much centralized. I think Paul talked about this saying things were inside their infrastructure. And even then things were beginning to get quite complex. As parts of our data center would effectively be spread across multiple sites. Then we started collating them into data centers. But as we move into the kind of the post cloud scenario, as you'll see here, we see an expansion in some of the areas.
So, you know, we are using a lot more applications, but we have a lot less control over the actual implementation and operations of those applications. We're outsourcing that. The infrastructure we're using, we've moved to virtualization a lot within our infrastructure. Now we're moving that virtualization up into the cloud. Containerization as well has grown the kind of options we have for deployment quite dramatically.
You know, being able to spin up new VMs was great and would happen through APIs. Now we're able to spin up, you know, containers at a rate that is almost unimaginable, but on top of, you know, on top of that, or as it is here, underneath that, we have an explosion in identity systems, an explosion in access control systems, whether it's RBAC, ABAC or whatever new BAC someone's going to come up with. We get fragmentation.
We get this policy explosion where we're having to control all these different policies, all these different approaches I was talking about and how we actually access or manage access to the cloud systems. And then when we're trying to manage it across platforms as well, between on-prem and in the cloud. And some of those systems actually sitting with feet in both sides.
So, you know, you might be federating your AD to your cloud provider. Now, you know, you've got that data about users sitting in a, in both locations. Still some of the areas that this becomes a threat to the environment, and the, the Cloud Security Alliance put together this Egregious 11, and I'm not going to go into them in any great detail. I think it's just a great list just to see the number of items that are seen out there just as the top list.
You know, it's not a top 10, it's a top 11, and data breaches still featuring up there in the number one position.
Paul mentioned, you know, some of the complexities in managing those permissions and those credentials into those cloud environments, still enabling data breaches and, you know, still forming a large proportion of them. There was a figure I heard quoted, I think also from the McAfee report, with something like 80% of breaches still being around access controls.
So, you know, it's still a significant concern. You know, cloud has grown quite organically for something that is at its heart, very structured. And so I think in a lot of cases, there's lack of clear plan as to how you're going to adopt these things and how they're going to benefit your organization. There's been a lot of trial and error has led to a lack of clear architecture and strategy.
And that then leads to, you know, like again, that organic growth scenario where we're, we're less in control of what's going on. Insider threats, still a significant concern, you know, people with high access into that, those environments, because they tend to be web based. They're easy to get to, often from outside of your infrastructure as well.
You know, leading to potential concerns there. Weak control plane as part of that as well, not having the accesses and the controls set up well, not managing them well, not, you know, rescinding them when people leave the organization quickly. So hopefully there's a few things there that might spur some questions, some areas that you might want to know a bit more about later that we can address in the Q&A.
So, you know, I obviously haven't mentioned everything there. So feel free to go into the question section on your GoToMeeting control panel and get some questions in there for us later.
Come on, move on. There we go. So one of the areas that is a threat in there is, is shared responsibility models. And I was talking to a customer just the other day about this, about that scope of when you are using cloud environments, what are you responsible for? What's the cloud provider responsible for? And it's actually generally balanced in your direction a whole lot more than many of us realize.
And I've had many conversations over the past, nearly 10 years I've been with BeyondTrust, where, you know, I've seen shocked faces on the other side of the table as you explain the limitations of what some of the other clouds or some of the cloud providers are taking on.
But when you think about it logically, in what would you take responsibility for in that scenario were you on their side, you know, it becomes clear that they're not being unreasonable here, but it is vitally important that you understand within that shared security model what is your responsibility and what the cloud vendor is providing for you.
So let's have a quick look at a couple of those couple of the big ones here.
So this is the shared responsibility model, and I don't know why it was picked here, but the Microsoft is actually the gray. BeyondTrust is the areas where we can help you manage your, your responsibilities there.
And the, the blue areas are the areas where, yeah, it's either process or people or something else, an area outside of privileged access management, where, you know, the, the onus falls on you. And, you know, things like that, the top one, information and data, it goes without saying, wherever your information is, wherever your data is, you need to be responsible for that data and the access to it. Devices you have are obviously going to remain yours. They're not part of the cloud themselves.
And the identities, and the accounts and the permissions into them are going to be yours because you're in control of those.
And if you think about this, everywhere you're configuring what's going on is going to be your responsibility, because no one's going to take risk. And no service provider can take responsibility for you misconfiguring or breaking something and leaving the environment open. And, you know, accounts and identities follow on into the identity and infrastructure.
As we start to get down into the core of the environment is where you're able to use tools for privileged access management that you're probably already using within your infrastructure. And you'll see more and more of the orange coming in there, more of the gray beginning to pop in as well. But you know, when you come, when it comes down to it, in many ways across those kinds of services, the software as a service, platform as a service or infrastructure as a service, it really is the very lower levels.
Those cloud providers are providing security around the actual metal that is delivering those services, the virtualized environments that sit on top of them. But the moment you get to like a virtual machine where you're actually renting the virtual machine from the cloud provider, and you have access into the console, that's it, it's going to be the same kind of responsibility level you would have for a machine provided by your own internal IT department.
So, you know, it's, it's vitally important that we're aware of this. This is not something to be afraid of. It's not something to be concerned about. It's a piece of information that you need to be conscious of. And I want to stress that because, you know, cybersecurity for many years was, was kind of mired in fear, uncertainty, and doubt. It's gotten much, much better over the past 10 years, but, you know, I definitely don't want you to feel that this is something to be frightened of.
It's just something to be aware of so that you can plan for it.
And again, you know, good security strategy, good architecture, these things will be featured in there and you'll know, and you'll be ready for them as you start. The AWS responsibility model looks a little different, but actually when you look at how it's broken down, you know, the underlying infrastructure there at the bottom with AWS, they're going to keep the cloud itself secure. They're going to keep the services and the systems that actually provide the cloud secure. And then the things that sit on top of that are going to come back to being your responsibility.
So while it does say their operating system, network, firewall configuration, obviously there's a BeyondTrust box around that to show you where we can help you. But, you know, if you're using SaaS, you're not responsible for this, for the OS and the network and firewall configurations. That will be another third party who will adopt some of those things for you.
But, you know, this really is just important. So that as you approach each one of your cloud services, you have a clear view, a clear model as to what's your responsibility, what's the cloud provider's responsibility. And what's the service on top of that. If it's SaaS, you know, if we're dealing with Salesforce or ServiceNow, or, you know, one of those kinds of providers, they will have their responsibilities as well. So there can be three or more people involved in that kind of responsibility matrix.
So looking at the ways that PAM can actually help you and, you know, going on from those diagrams and expanding a little bit on the areas we can help you, seven key areas. And one of the big areas is discovering what you've got out there. If you are operating an elastic environment, then machines are coming up and going down sometimes almost continuously.
So knowing what's out there and being able to assess those systems out there and make sure that as they're spun up, they're automatically included in your privileged access management approach.
You know, really important, really useful. You know, visibility continues as is always to be a fundamental need. If you can't see it, you don't know about it. It's probably where you're going to get breached. Being able to find those systems as they come up is one thing. Being able to know what privileged accounts are on those boxes and to bring them into management as they get spun up again, vitally important.
You want to make sure that your teams, as they come forward to manage this environment, have access to all the systems that are operating, that they should have access to and in the right ways, so that as people are coming into those consoles to manage the environment, accessing systems that might be out there in the environment, you know, any kind of service on the backend, that it's done through a kind of a brokered and orchestrated scenario, so that you're in control of those accesses and those accesses are not, you know, enabled from just anywhere.
You've got some kind of centralized system through it. And that's that third point of securing, brokering and auditing that access. So wherever you can, recording what's done in those sessions, not for, again, I want to stress this, that we're not coming along. It's not big brother watching you. You're not going to be picked on 'cause,
you know, you didn't move your cursor for half an hour. It's really about those scenarios where something goes wrong because, like, Brian typed a thousand when he should've typed a hundred and brought the network down. We can quickly find those scenarios. We can quickly remediate against those scenarios.
And hey, you could even use the recording for new people coming on board to say, you know, here's a good reason why you just need to be that extra bit more diligent when you're doing stuff. But you know, for me, auditing, recording sessions is never about blame.
It's always just about improving the ability to mitigate. 'Cause, you know, we're all human at the end of the day. Least privilege is one of my favorite things. It's something we do at the operating system level. It's something that we can do at the cloud level as well.
And the idea here is really going back to something a guy called Jerome Saltzer, I think, first said in 1973 or 74, depending on which document you read, which was that each user and process should have the least privilege necessary to execute. I always paraphrase this and say to be productive, because that's what we really want at the end of the day. And this isn't about taking standard users and enabling them up for the periods that they needed to do things rather than trying to take an administrative user and restrict them down.
Because, you know, while these systems are hugely reliable, what you want is your safety net, your default position to be no privilege, because then, you know, you're always safe.
If somebody shut down the privilege control system, they have no access to anything.
If, you know, while it's working, they're very tightly controlled to the things they can and should have access to. So vitally important, that. DevOps, CI/CD, I kind of see it very much as a part of the same suite, very fast growing, very fast evolving. And in those scenarios, they can get a little Wild West and, you know, we have to then pull back and try and gain control. But if you are moving down those lines, make sure those scenarios are secured as soon as possible.
Leverage PAM systems to broker the accesses those tools need into other systems, even to the point of brokering the sessions for them through APIs, or at the very least making sure that the credentials they use, the keys, et cetera, are stored within a secure store.
So they're not just sitting around in scripts and, you know, source code files where they're relatively easily accessible. Monitor and manage every session that's going on. And by monitor, that really is primarily recording.
Just making sure that we've got a record of what was done within those privileged sessions, certainly the highly privileged sessions, like the admins into the cloud consoles themselves, those sorts of things. Don't go overboard, because you'll just end up with thousands of recordings you don't look at, or will never need to look at, but, you know, be considerate of it and target the things that are highly important. And, you know, with a good system, you can also define, like, times of day when recordings might happen, which groups of systems recordings will happen for, and whether or not, you know, if you were coming from a network address within your network, assuming you've got some good zero trust going on, you could say, okay, well, they trust that scenario.
If they're coming in from home, then maybe I'll record it just in case. Cause we've got a little less control there and having kind of like a unified approach, across least privilege, privileged password management, secure, remote access, all of those kinds of things. Having a unified management approach, a unified approach to implementing those solutions within your environment will help you. You don't need to do them all at once.
You don't need to do all of each of them at once, but you know, having a flexible portfolio of those tools will make sure that you can get the best coverage across that space. And if, you know, it's all coming from one vendor all the better.
So bringing it all together with this kind of unified multi-cloud management, you know, having a single solution that's going to help you control access into all of these things will just pay dividends. You won't have to deal with each of those clouds' individual access mechanisms or, you know, privilege scenarios.
You'll be able to make sure that those are as consistent as they need to be, identify the outliers, but, first and foremost, being able to control a user's access into these systems without necessarily ever giving them the direct account accesses into them, and being able to record what's going on within each of them while they're being used. You know, just being recorded will drive people to be a little bit more diligent than they might otherwise be.
So this is where we're kind of looking to be the complete piece of security across your entire environment.
So whether you're going from on-prem all the way through to cloud, making sure that those privileges and those accesses are secured across all those environments, as well as your on-premise, you know, having one to do all of that, having one consistent view, knowing that the person's role on premise is the same role that they're being applied up in the cloud as well.
And being able to work with the other tools that are in your environment. Integration is always vitally important in ensuring good cohesiveness, but there are scenarios where layers of security can literally just abut one another and they'll just be next to each other. And they layer up to provide you with more security. So try and find the tools that will play well with each other. You know, a good PAM platform should not just give you great PAM.
It should also give you benefits in things like your SIEM, as Paul mentioned earlier, because it's lowering the noise that's there in the system. So, you know, it's good to look at that. Be careful, be considerate, don't fall into organic cloud growth if you can, and make sure that, you know, you're following a strategy. Think about the business benefit of each piece you're adding and moving forwards. So I'm going to say thank you at that point.
Cause I do want to allow some time for some questions if we have them,
I'm actually, I'm just going to ask you a quick, I mean, people might say, is it really possible to have a single PAM that could manage all my clouds? Which is, it's a good question.
We, we, you know, which, which you've alluded to there, you know, someone has said, is it, is it actually possible?
Well, at various levels, I would say, yes, it's definitely possible. You know, the cloud access or access to the cloud, kind of config environments, SaaS dashboards, et cetera, they're invariably done through a browser with an identity that's being provided up to authenticate you into that environment, and privileged access management solutions, this is what they do. This is their bread and butter.
And being able to manage those credentials that are out there, you know, being able to then establish sessions through browsers, to those endpoints, record everything going on during them and going, even beyond that, you know, we're seeing an increase in what might be called cloud privilege, project protection, sorry, I get my wrong teeth in today where, you know, you can go and monitor the permissions that are being assigned to the various accounts that are out there across the cloud platforms.
And just make sure that, you know, as I mentioned earlier, there are no outliers within that scenario. Brian doesn't have access to a system that nobody else who, you know, seems like Brian has access to. And those are often, you know, really good indicators that something malicious is happening out there in the environment, somebody got into an account and managed to give themselves or somebody else more access to something they shouldn't.
But yeah, certainly the technology is there. The one good thing about clouds? I say the one good thing. The best thing about clouds is they're nearly always API driven as well, which makes it very easy to build new integrations as those new cloud environments come up and are available. Yeah.
You've kind of answered another question here, which is, you know, what are the advantages of standardizing and consolidating privileged access across a multi-cloud environment? So I guess you sort of kind of answered that, but
I sort of stomped over it a little roughly, perhaps. Yeah.
I mean, I think it comes back to what we were talking about earlier with the fact that each cloud provider has often taken a different view or approach, one, to how they've grown their cloud services, but also within that they've chosen different ways of providing identity to begin with. You know, if we think of Azure, it's no surprise that they ended up with something based on Active Directory; that was already their fundamental, you know, identity provider internally. Google was already providing, you know, services like Google's mail and Google Docs and all their applications.
And so it made sense for them to take that identity provision and build on it and expand it as they expanded their services. And similarly for AWS, I'm pretty sure most of their identity started with buying books, but you know, again, it's grown as they needed to.
And the permission models that sit around those have all evolved as those services have evolved.
And, you know, I think there is an old joke among architects, and that applies to so many different professions, that if you get 10 architects into a room, you'll get at least 11 opinions about any particular scenario. And I think permission models is not unusual in that. So when you, as a user, come along to this, especially with three or more clouds on average, that's an enormous number of things which could be, you know, at 90 degrees to one another to try and deal with, to try and work around where you are trying to control people's access out there.
And especially when you're letting individuals get out there. If you take a step back to shared access and broker the access into those shared accounts, you have far fewer accounts to deal with, far fewer concerns as to who's got what, and it's much easier then to, you know, to ensure that you're keeping it down to the minimal level.
And so, you know,
It wouldn't be it if different companies come up with their own standards for everything. I mean, that's why we've ended up like that, that second chart that I put up, you know, the, the cop, how it suddenly exploded. And you made a very good point also.
I mean, I was, when I said 10 or 15 cloud, I was just talking about cloud infrastructure. So they might have AWS and Google and several others, but of course that doesn't even begin to take into account the number of cloud applications that we're using, which is hugely important to talk about, you know, like Salesforce, like ServiceNow, like virtually every application that we use these days. So hugely complex picture, I think.
Yeah.
Just one thing on that, I kind of alluded to it in the, in the, in the slides, but yeah, the McAfee report that I referenced was actually two years ago, which highlighted 1,935 separate cloud-based services on average being used in organizations. I mean, that's for me a mind blowing number, but you can, you know, it's so easy to see how quickly those can grow. And I think you were talking about it with the accessibility of those cloud things.
It doesn't have to come through IT anymore to get to them. Anyone with a cloud, with a credit card and the expense again, pretty much to sign that to whatever they want.
Absolutely. Yeah.
And of course not forgetting all the cloud services on their mobile devices as well. I just wanted to, we hadn't mentioned the results of the poll. Quite interesting, actually, nobody thought ransomware was a biggest, the biggest challenge. 56% said credentials, secrets or data left unprotected, and 33% said no control over privileged accounts. And then only 11% said poor cloud architecture.
But I've, I've been surprised that no one thinks that ransomware or malware is, is a threat to the cloud.
It's an interesting one. I guess we haven't actually seen very much in the way of ransomware directly affecting the cloud itself. I think that the cloud providers are doing a pretty good job internally of ensuring that the systems providing the service to others are isolated, but there will be connections.
And, you know, I can't imagine that, you know, with database as a service out there, that somebody wouldn't quite happily get a suitable account that had read-write access and just go through and encrypt key data.
Maybe we should have written the question as: is the cloud a good way for ransomware to enter the organization? Because that's a different sort of scenario, a different question.
And so,
Yeah, and I think in that regard, absolutely, it's a bigger risk. I mean, I would say that I would consider update services that, you know, each of us has probably got a dozen or more on our workstations already. Those are cloud services really, you know, updates being provided from a central location, and we've seen through the NotPetya
and, more recently, the SolarWinds kind of attacks that those things were fundamental to the delivery of those attack vectors, which is, you know, let's face it, any time it's the same kind of some centralized amalgamated collection of something valuable, the hacker's eye is just naturally drawn towards it and they will keep hammering away at it. We're just, in many ways, lucky that a lot of the cloud providers that we have started life, you know, as large corporates already who were already being attacked.
So, you know, maybe we've got a little bit of benefit from that, but they're not going to give up.
Would you say that, where do you think we're going with identity and access management and privileged access management? Do you think that one day the two may become indivisible, they may be just, we just talk about access management or secure access management, rather than, because there's so many new types of privileges now, it's not just, as, you know, we all know, it's not just admin accounts anymore. It's people needing access to all sorts of things.
So will privileged and identity access management kind of merge?
Yeah. And I think in some areas they are already. As you say, you know, there's many more privileges, but when we boil it back to the authentication and authorization kind of approach of things, identity, authentication is proving who you are, your identity; your authorization is giving you your privileges on the backend of that.
And, you know, those two things are so intimately linked. It makes sense that at some point there will be some convergence. I think there are still some benefits to having some separation between them.
But, you know, we work very closely with a number of IAM vendors. The SCIM interface, you know, is providing mechanisms. While you have different delivery mechanisms, your IAM can now push the configurations down to your PAM environment and you can have your attestation in the reverse direction so that, you know, you have full visibility of what was assigned, what was given, you know, and you can correlate the two. So they're kind of almost together, just coming from different specializations at the moment.
Okay.
Well, we're nearly out of time, it's been a fascinating chat. We do, Brian really enjoyed it, and I enjoyed your presentation.
As I said, right at the start, if any of you have colleagues that wish to see this, it will be up on our website very shortly. And if you have any further questions you wish to send to me or to Brian, please drop me a line at the email address you can see in front of you right now, and anything for Brian I can forward on. But in the meantime, let me say thanks to all of you for joining us today and a special thanks to you, Brian, for joining us as well on the website now.
Absolutely. My pleasure, Paul, thanks for your presentation as well. Always. Good to talk to you.
Yeah, bye now.
Bye-bye.