So some of this is pretty basic. I mean, privileged access management: most people understand what that is. But the key thing is that privileged access management has changed quite considerably in its scope and what it does. When it first came around, CyberArk, back in the early part of this century, invented what we now know as classic privileged access management. It was a way of giving admins, or super users as they used to be called, access to stuff that they needed that other people shouldn't have access to.
Generally speaking, that tended to be access to remote desktops or other people's workstations, et cetera. So it was quite a limited function. But in the 20 years that have followed, and especially in the last five years or so, PAM has really started to change, and it's changed from the outside in as well as the inside out as we've moved into this multi-cloud and multi-everything environment.
So PAM is now seen, and I'll come back to this in a little while, as much more about giving access to all kinds of identities and a lot less about giving people privileged accounts, and particularly standing privileged accounts. The other one in this trio is the new kid on the block, cloud infrastructure entitlement management. This has appeared in the last five years or so. I think it roughly started off as people began creating applications that would allow people to regulate what people had access to in their clouds.
I have to say it was probably Gartner that coined the phrase cloud infrastructure entitlement management, but it's a pretty good acronym. I have to give credit where it's due, because that's exactly what it does: it gives people a way of controlling how people access stuff in your cloud, et cetera.
But what started to happen is that people are realizing that people accessing the cloud are also kind of privileged, because a lot of the stuff that they need to get to in a cloud would be considered sensitive or secure, or if it got into the wrong hands would highly damage the company, or might get them into trouble with regulatory bodies. And so this is where the two concepts have started to collide.
So the idea that privileged access management was just for admins has changed, because cloud infrastructure entitlement management is giving people a new way of seeing what people are doing on the cloud, where they're going and where they've come from. Just to give you some background as to why we think there is a need for this, this is a survey that we did, I think last year, about the challenges that people have, or feel they have, or the problems they have in the cloud.
You can see quite clearly that they're worried about credentials, secrets, et cetera, being left unprotected in the cloud. That is particularly acute when it comes to things like DevOps. People in DevOps tend to work in a very different way from other people. It's a bit of a cliche to say that they don't really like security, they don't like being told what to do.
Secondly, they feel that they have little control over privileged accounts that have access to the cloud, which is interesting, because you would think they would have control over privileged access to the cloud because they've already got a PAM system. But it shows the limitations of many PAM solutions that exist: not necessarily the ones that are on the market now, but the ones that are already installed across different organizations. They're also worried about poor cloud architecture and lack of network hygiene.
And that could be interpreted in different ways.
I mean, the cloud architecture, generally speaking, would quite often be down to the organization that put it together. And that's the problem, because different people are now adding clouds, they're adding things like AWS, they're using different clouds in different departments. So you have this confusion of clouds existing that, increasingly, the central IT department, and especially IT security or whatever it's called, don't know exist.
So they are worried about that, and they're worried about the lack of hygiene that's occurring.
Interestingly, right at the bottom, though, was managing multi-cloud and multi-hybrid environments, which I would've thought would've been a lot higher considering what we've just been talking about. The poor cloud architecture is a direct result of multi-hybrid and multi-cloud environments. So this then shows why privileged access is changing in a cloud world and why the traditional version of PAM is not necessarily the one to help us.
The third thing that's happened is kind of like the joker in the pack, I like to say. ITDR, identity threat detection and response, is even newer than CIEM. That's something that's really seemed to emerge maybe in the last two years. Now, personally I'm not convinced by ITDR, and also some of my colleagues: Mike Wando, who actually wrote a report about this, feels that ITDR is an acronym in search of a market rather than an actual technology that has come about to solve a problem.
Because actually many PAM solutions, many CIEM solutions, will already do some of the functions that you will find in so-called ITDR.
However, you should be careful, because that hasn't stopped many vendors in the PAM space, or traditional PAM space, and also in the CIEM space, from saying, yes, we now do ITDR. So the jury's really out on that. I don't know whether ITDR is a DR too far, but it probably doesn't matter anyway, because, as I'll show you, if you scan that QR code, and you can do this at home, right, on your own downloads,
it comes up with a well-known cloud platform, and it shows you that even what you think is a leading-edge, advanced cloud platform, which isn't ServiceNow by the way, but something else, they actually haven't really thought about security too deeply, because they're still using role-based access.
It's just role-based, nothing else, to grant privilege to bits of their cloud, unchecked.
So it shows you... I was quite surprised by this, because you'd think that a modern cloud would have more sophisticated, more advanced ways of controlling access to their own cloud rather than just using stuff that dates back 25 years or so. But you can look for yourself on that and discover which cloud it is and how they do it. That QR code actually takes you to one of their technical support pages.
So it's quite a huge... so, to get to where we are right now, I've said that the market's changing, we have different vendors and different types of technologies, and we have this confusion of technologies. But let's step back. I have to say that this term, the path to privilege, I wish I'd thought of it myself, but it was in a briefing with BeyondTrust that they came up with it.
So I'm not gonna claim it, but I thought it was actually a very useful phrase to describe how we look at privileged access management and how we go through a path, or a workflow, to grant access. Now, we have traditionally given the privilege to the identity, which is a human user or a non-human user. For the last 20 years we've always said that people and other identities can have privileged accounts. They're given the privilege. So the privilege lies with the identity, and it's also bound up in their role, hence the last slide. And they tend to keep that privilege.
So we have what we call standing privileges, which is a lot of the problem with traditional PAM solutions: the users have these standing privileges but they don't often use them. They might even leave the company, and sometimes the account is left behind, and that's why some of these attacks that are happening find these accounts.
So what I'm saying is, you don't begin with the privilege. We need to rethink how we look at privilege. So the privilege is no longer here, but it's here, because everything in what we do is about connecting identities, or things, with stuff.
Basically, that's what computing is. Every time you log onto your machine, every time you log onto an application, you're essentially putting yourself in a place where you can access either data or applications. So you mustn't begin with the privilege; you've gotta start thinking about the privilege lying in the resource. So we need to move to a sort of zero standing privilege position, which you've obviously heard a lot about, but it's a lot harder to get there. But this is a start. So you don't have any identities that have privileges when they're static.
And we also need to move to a just-in-time model, so that, again, you don't have privilege until you need it, or until your employees need it, or your machines, et cetera. So we move to no standing privileges, and also you give them the privilege to get to that resource just when they need it.
So you might think, okay, that's great. So what do we think about protecting first? Because we have always thought in privilege that we should protect the identity, we should protect the account that belongs to that identity. And that's where the risk is. Okay?
So that's where ITDR is. I guess ITDR is actually kind of backwards, because ITDR is actually saying, oh look, that identity, something's happening to it.
We need to protect it, because that identity has got a privilege attached to it. Well then, maybe we should protect the actual access, which is kind of what PAM has done. So PAM is taking that identity and then says, yeah, you can get a password from this vault, and then, yeah, off you go. So do we protect that? Maybe we protect the data, which is where I think we should be starting to think about it.
So this is where the CIEM model starts to become more appealing, and whether you call it CIEM or whether you call it protecting cloud infrastructure access, or whatever you want to call it, you could call it this. So instead of talking about privilege and talking about CIEM, et cetera, you could have a new access paradigm, which I've called DAI.
So I've taken the US Department of Defense definition of basically everything that we do. I said that matching things with stuff is basically the same as what they're saying: you need to secure, limit and enforce person and non-person entities' access to data, applications, assets and services, DAAS. So that gives you a rather clumsy acronym. So you've got DAAS, A, I. But I think what I'm doing there is putting the data first, then the access, then the identity. So the identity comes last in this model rather than first.
And I know that goes against everything that we've been talking about in the last few years, about everything being identity first. Well, kind of. It should be data first, I think. So this then is where we are now. So we have our identity types. Generally speaking, there are the identity types that most organizations will have, including customers, machine identities, non-person entities, et cetera. And then we have our three classic access management tools, including, sorry, two classic ones plus CIEM.
And then I've put ITDR in there as well, just in case something happens and it becomes very popular, but I don't think it will. And all those connect to repositories where all the data is. So the stuff on the right is basically the DAAS that I talked about just now. So you're taking those identity types and trying to get them to data.
So actually this whole chart could be the other way around. And then underneath I've put the architectural elements that support this framework.
So: zero trust, zero standing privilege, policy as code, which is a whole new area which people have been talking about at this conference. But policy as code sounds quite exciting to me, and if we can merge policy as code and advanced ways of putting policies into identity and access management, it'd be great. And then, most importantly, I've highlighted data governance, because for me data governance is the one thing that is often forgotten about in the whole identity and access process that we've been talking about endlessly at this conference.
Because if you don't govern the data, if you don't govern all those files, apps, workloads, et cetera, if you don't know what's there, then you don't know what's privileged. You don't know what actual stuff you need to protect.
So again, you need to think about the data, and I put privileged data in there, but privileged data can be amongst files, uploads, workloads, et cetera, everything that you wanna access. So you need to start thinking about data governance as a part of an identity and access management, and privileged access and CIEM, process, as much as data governance is for just doing things like regulatory compliance, which is its traditional role. So there it is again, DAI.
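The zero standing privilege and just-in-time model described earlier, and the DAI ordering (data first, then access, then identity) just set out, sketched as a small resource-first access broker. This is an added illustration, not code from the talk or from any product mentioned in it; the resource names, identity kinds, policy rules and time-to-live values are constructed assumptions.

```python
# Added illustration: privilege is attached to the data (the resource),
# identities hold no standing entitlements, and every grant expires.
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str   # "internal" or "restricted": the privilege lives here

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str          # "human" or "machine"; deliberately no entitlements

@dataclass
class Grant:
    identity: str
    resource: str
    expires_at: float  # epoch seconds; the grant is gone after this

# Assumed policy keyed on data sensitivity, not on who is asking:
# restricted data needs a human with a stated reason and a short window.
POLICY = {
    "internal":   {"kinds": {"human", "machine"}, "needs_reason": False, "max_ttl": 3600},
    "restricted": {"kinds": {"human"},            "needs_reason": True,  "max_ttl": 900},
}

class Broker:
    def __init__(self, resources, clock=time.time):
        self.resources = {r.name: r for r in resources}
        self.grants = []   # only live, time-bound grants: nothing standing
        self.audit = []    # (time, identity, resource, decision, detail)
        self.clock = clock

    def request(self, who, resource_name, reason="", ttl=600):
        # Evaluate the resource's policy and, if it passes, issue a JIT grant.
        now = self.clock()
        res = self.resources.get(resource_name)
        if res is None:
            self.audit.append((now, who.name, resource_name, "deny", "unknown resource"))
            return None
        rule = POLICY[res.sensitivity]
        if who.kind not in rule["kinds"] or (rule["needs_reason"] and not reason):
            self.audit.append((now, who.name, resource_name, "deny", "policy"))
            return None
        grant = Grant(who.name, res.name, now + min(ttl, rule["max_ttl"]))
        self.grants.append(grant)
        self.audit.append((now, who.name, resource_name, "grant", reason or "n/a"))
        return grant

    def has_access(self, who, resource_name):
        # True only while an unexpired grant exists; expired grants are dropped.
        now = self.clock()
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.identity == who.name and g.resource == resource_name for g in self.grants)
```

Because the clock is injectable, the expiry path can be exercised deterministically; the audit list is the record an ITDR-style tool would otherwise have to reconstruct from identity events.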
And again, if you scan that later... I found that, it doesn't matter, but the US authorities like NIST and the Department of Defense, I have to say, tend to write or produce the best kind of standards and advice on how to implement things like zero trust, et cetera. And I think that if you read that, you'll start to get an idea of what I'm getting at. But to get back to what was supposed to be this workshop question: do you need all three types of technologies to get where you wanna be? Okay? So the answer is no, you don't.
You don't need to have PAM and CIEM and ITDR, despite what some vendors might say, that we now have a platform that has IGA, it has privileged access, it has ITDR, it has CIEM. Okay? You don't necessarily need all those things, because it really, really depends on what kind of business you have, what kind of data you have, and what kind of setup you have.
Whether you just have central employees, whether you have lots of third parties, et cetera.
Basically, I can't tell you right now whether you need PAM, CIEM or ITDR, because that would be like a massive piece of advisory. But what I do know is this: you need to think about that. This is a bit of fun. I basically asked ChatGPT what it thought about implementing these things, and it was quite interesting that it came up with what you might call the standard answer. It says that if you don't have PAM and CIEM and ITDR, you've got gaps in your organization, in your security.
So you need a holistic approach, blah, blah, blah, and so on. And you need to continuously monitor all this stuff. The thing is, actually, increasingly people are finding they don't need to continuously monitor what's happening.
They don't actually care that much about session management, they don't care too much about logs. But what they do care about is getting stuff done and making sure that people have access to privileged assets. So you might find that a particular PAM solution, a particular CIEM solution, will do everything you need in terms of providing access to privileged assets.
And you don't need everything on top. Some people do; some organizations still prefer to have everything. Others will have things like, you know, they're quite happy to still run standing privileges, because those standing privileges have access to maybe things that are not as sensitive, or they just like it. Okay.
And then finally it says user education, which is another bugbear of mine, because I've always thought that cybersecurity awareness and awareness programs tend to be patchy at best. People tend to remember something that they learned in the last 10 minutes and then forget about it.
And also it puts everything back onto the employee or the user or third parties, like they're responsible for the security of the organization.
So basically I'm saying that if you choose the right solution, you should choose one that actually does the work for you, and don't blame your employees. So there is no 10-step plan. This is not something like the typical analyst slide where it says, if you do all this, you'll get here.
You might need a combination of these tools or none at all. Some people don't need any; I mean, there's a surprising number of organizations that actually don't have any kind of privileged access, but they seem to survive. But you need to think about what worries you most, what your obligations are. Those obligations could be to your partners, obviously to your customers, to your legal requirements, et cetera. And then think about what your actual business is and how that affects your choice of access tools.
So finally, you'll be glad to hear, on Friday at 10 to three, that you need to just start working backwards. Think about data first, rather than identities needing to be protected. There's no point thinking about which identities should have access if you don't know what they're accessing, and even what there is out there to be accessed. Think about policy, think about new ways to write policy that you can attach to your data. Think about the authorization technologies as much as authentication, and of course think about identity management.
So I'll stop here, because I know it's... and I could certainly do with a break, but this was just a bit of fun. I dunno if any of you are Game of Thrones fans, but you obviously know Arya, who took up with Jaqen H'ghar, I think his name is, who was a man who, they call him the Many-Faced, or they served the Many-Faced God.
And it just got me thinking, because what she does is, when she wants to carry out a task, she assumes the identity of a dead person and then uses that identity once. So I was just wondering, maybe one day we can separate identity completely from credentials.
I don't know. It was kind of a late-at-night thing. This originally was supposed to be in a different time slot, but actually it is just way too late to start thinking about this stuff now. But I just thought it was interesting that she actually used the face of, you know, all the dead souls there. So the identity gave her the credential as well, to go out and kill someone, which is basically what she did.
Anyway, thank you very much. I hope you've enjoyed the conference, and safe travels home. Thank you.