Welcome to the KuppingerCole videocast on privileged access management from a CSO perspective. I'm Berthold Kerl from KuppingerCole; I'm CEO at KuppingerCole. And I'm very glad that I have Rob Edmondson with us, who is technology strategist at Thycotic. Welcome, Rob.
Thank you, Berthold.
So yes, it's good to be with you. A quick introduction to me: I've worked with Thycotic for nearly four years now, and I joined the organization when privileged access management was really just a fairly new term in terms of the wider realm of cybersecurity and enterprise software. I worked in the UK with a number of customers to help them define their PAM projects.
And I saw people really grappling with it for the first time. Since then, I've moved to being involved in the positioning of our solution and understanding what exactly it is that customers really want from PAM solutions, what they think they want from it in the future, and seeing how best we can map our technology to that. So that's very much what my role is about.
Yeah. Thanks, Rob, for being with us today. And our topic today is looking at privileged access management from a CSO perspective, right?
And well, privileged user accounts are, as we all know, significant targets for attack, as they have elevated permission to access confidential data and the ability to change settings, and if compromised, the amount of damage to an organization, to an enterprise, could be disastrous. So I believe it's no wonder that this is very much on the mind of the CSOs, right? At least it should be. Before we get started,
Rob, perhaps it makes sense to clarify a little bit what privileged access management is. So what actually do we mean by that? What about permission?
Great question. Okay.
So on one level, we're really looking at what privileges exist in the enterprise, in businesses, that cybercriminals might want to use. So if you look at it from a reactive perspective, then we're going to be looking at what credentials or systems, or wherever the privileges are, could be used by cybercriminals. So that could be, like I said, a credential; that could be a particular target system.
It could be certain application privileges on an endpoint. Wherever those privileges exist that give someone more privilege than a standard user, that's when you move from just talking about access management to privileged access management. So there's that element of it, but in another way, privileged access management is built of components. So you've got a password management layer, and I think the reason for that is that credentials still to this day form a gateway to so many target systems and places where privileges are used.
So you want to be able to manage that credential layer. Then you have elements of session management and session recording, where you go above and beyond the credential, and you're providing the ability to see in real time what somebody is doing and to control what privileges they have in that session, in that web browser, on that device. So that's a high-level view of privileged access management.
All right,
Thanks for this insight.
Well, what I'd like to do now is reflect a little bit on what privileged access means in the year 2021. Right. And it's interesting.
We had a session just a couple of weeks ago with a bunch of CSOs, and of course what was very much on their minds was the incident which was published in December around SolarWinds. What do you think this means from a privileged access perspective?
Well,
I can't pretend to be an expert on every detail of the breach, but one of the things that you'll generally see if you're dissecting breaches and reports on breaches is that criminals will start off at a lower level, right? They'll take that foothold in some part of the business. And then there's this whole concept of privilege elevation: once they've done their reconnaissance and maybe some phishing, or whatever those early stages are, and they've got a foothold, they then want to elevate their privileges.
So in the context of the SolarWinds breach, wherever that occurred, privileged access management could and should have played a part in making sure that only the right people can get access to those privileges. Yeah.
And I think obviously multi-factor authentication is something which would have helped and wasn't in place in many cases, at least not with all clients, who
Weren't. Yeah.
Well, that's a very important part as well. Like you were saying, with multi-factor authentication the two go together so well, because what we want to do is to provide a way that you can layer multi-factor authentication not just on the access point, but on any privilege elevation that occurs in the enterprise, so that every time a genuine person or a cybercriminal tries to elevate their privileges, they're being forced back to that zero-trust position. Yeah.
But another topical subject: obviously, unfortunately, we are still in the middle of the pandemic, and you and I, as we do this interview, are working from home, right? What does this mean from a privileged access perspective, if not everyone, then I guess also privileged users, are working from home?
I think from a security perspective, what we've seen over the last year is that there's a whole new realm that exists between the systems and networks that businesses have traditionally used and the users, because so many more people are now functioning remotely. It just means that we need to be even more careful than ever before about making sure that the person who says that they are this person, or that system, or that application, really is that person. So verification before authorization is critical.
And really the brilliance of PAM is its flexibility to deliver value in situations like this. So we've got many customers who were very easily able to upscale their existing solution, which would maybe have been functioning from an on-premise kind of office and network management perspective, and suddenly they're able to support their remote users, provide VPN access, and make sure that they're applying zero trust in a remote working context.
So in the context of the pandemic, I think PAM has been tremendously helpful to people who have gone down that path and has shown more value. Yeah,
Yeah, yeah. Thank you.
And,
And I guess another up-to-date topic, talking about 2021, has been, and is, the cloud. So in the past, we talked so much about the new risks cloud computing brings with it. But I think the new normal, I believe, is hybrid environments. So people are using multiple clouds and continue to use on-prem software. Is privileged access management prepared for such a complex environment?
Yeah. Everybody who has an interest in the cloud wants to know how PAM can help. And the wonderful thing is, it's really straightforward. It's not really even that complex.
The fact of the matter is that the cloud has changed things. There are some things that are continuous, and there are some things that have changed. One of the things that has remained the same is the role of, for example, credentials; that is a particular place where people perform privileged access. And so PAM, you know, very easily can, for example with our solution, discover the credentials associated with a multi-cloud environment, the root accounts, the consoles. You can then deliver a role-based access control experience, so each user has specific access tailored to them.
You can record the sessions and even provide advanced functionality, like filtering exactly what a user can do in a web browser. So the capabilities of PAM are really well suited to managing across this hybrid environment. And one of the things that we see from CSOs and from customers who use the solution is that they appreciate the consistency it offers them during a migration, at a time of change like this.
So rather than depending on managing privileges within the on-premise environment itself and then using a different capability associated with the cloud environment, they've got a single pane of glass for access management and privilege management across this whilst they're transitioning, and customers really appreciate that.
Yeah.
Yeah. Very true. So I think in the early days of privileged access management, people were thinking of a privileged user along the lines of a system administrator or a database administrator, et cetera.
So about whom should we think when we talk about a privileged user in 2021? Is it still these guys, or have more people come in, so to say, in your view?
Yes. Yeah. It's a great question. I think one of the reasons that so many of us were focused on privileged users or power users for so long, or more so when they're focused in the IT world, is because that's really the first place that people think about, and given that privileged access management is an emerging technology and an emerging requirement for businesses,
people always start in the place that's most obvious and most obviously needs help. But you're right in suggesting that this is changing in 2021, and it's changing in two ways. Firstly, we're increasingly seeing that this sort of delineation between a business user and then a privileged user is pretty useless, because actually privileges, rights and all of this exist on a spectrum. So by splitting these into two groups, what we're doing is preventing organizations from truly being adaptive to requirements.
So we've really adopted this perspective that when we talk with customers, we want to understand who their users are, what privileges they access, and what the customer thinks they need to do to respond to that. And then you can map this and show how the technology can assist with each of these use cases.
Now, on the other side, there's also an emerging conversation that's been going on for a few years, which is really focused on the role of applications and service accounts. Now, this has been important in PAM for a while, in that we appreciate that there are machine identities, right? So privileged users aren't just people anymore. They're not just increasingly business users, but they're also non-human users. And in the number of customers that I speak with now, where I'll ask them, by the way, are you running robotic process automation, they'll say yes.
And you realize, okay, so you actually have a lot of different types of users. You've got business users, privileged users, you've got your finance team, and now you've got bots and service accounts and all the other stuff. So the question of who is a privileged user is broader than ever. And the requirements of the technology to solve this from a single pane of glass,
well, that's more challenging than ever, but luckily there are solutions that can do that.
Yeah.
Yeah.
That's interesting. So that brings me to the next question, which is: if an organization is not yet using a privileged access management solution, then it's really time to think about it. And those organizations who already have it may need to think about expanding the scope of it to other rogue access users, et cetera, to other use cases. So what comes to your mind?
What can you recommend to a CSO on how they should effectively prepare for the next step in privileged access management?
Definitely. I think you're right that many people who are already using PAM solutions will have a need to expand because of some of the things we've talked about. You know, some of the breaches that have been going on involve credentials in places that previously PAM solutions might not have managed, like being written in code and in config files, for example.
So yes, whether you have a PAM solution or whether you don't, there's a need to figure out how can I deliver PAM to my organization, because that's an ongoing discussion. In terms of how a CSO can effectively prepare, there are a number of things that are really important. So when I look at the feedback from our customers and their experience and their journey, there are a couple of really important recommendations that they make. So software like Thycotic's, for example, is going to be fantastic at automating a lot of stuff, you know?
And so there are tons of things that you don't have to worry about that you did with old solutions, but there are still some things that you have to think about. So firstly, from a permissions perspective, what do you want as an organization? At some point, we need to stop looking at the tools and which one you prefer for your organization, and ask yourself, okay, with this tooling, what do I want to do with users? What groups of users are there? How do I want to split this up? Do I want to integrate with a directory, and all of this?
And then how do I want to map these to the privileges, and how can I do this in a way that's scalable? And we have plenty of advice on that. But at the end of the day, there are some things that, no matter how many consultants, partners and people you get, some questions you do have to answer yourself.
And that's one of them. The second, I think, is even more important in some ways. And that's asking not only what users do I have and what privileged accounts, systems and privileges exist,
but by far the most important question to add in there is: where do my users currently do things? If you've got a hundred users, what does their day look like? You know, when they use privileges and privileged accounts, where do they go? Are they opening a web browser? Are they looking for access through a mobile app? Do they have a specific connection manager, like a remote desktop aggregator, that they like to use? Is there a database management platform that they use? Because one of the downfalls of traditional PAM has been that we force users to go to a PAM tool.
We force users to change their behaviors. And actually what we really need is for the PAM to come to the users. And that means that we resolve one of the biggest concerns that CSOs and high-level stakeholders have when they look at PAM, and that is: how can I be sure that my users will do this?
That's especially a challenge for CSOs, because obviously they have to justify a new process and the usage of a new tool. And if then the CIO comes to him and says, look, my people now have much more work than before, then he's under pressure.
Obviously he has to make sure that user behavior and experience is great, because otherwise it will either lead to non-usage or to more work. Right.
And both,
And it's a win-win on both sides as well, because yes, the organization then gets the adoption rates that they want, the stakeholders look great, everyone's very happy. But then of course, for us as a technology provider, we want to deliver that excellent experience. The better the experience that we deliver to our customers, the more they want to use our solution, the more conversations we get to have, and the more we get to work together.
So we've really, I think, changed the game in terms of delivering a PAM experience that is transparent, that comes to the places that the user would go to, and adoption becomes very seamless. So they want to think about adoption, not to worry about it. And the key thing is to ask where do my users currently access, and then make sure that you speak to every vendor and say, can you bring PAM to this place? And if not, what's the... Yeah.
Yeah. I think that's also an important aspect.
So we discussed various use cases now. And of course everyone would ask the question: all right, is there just one tool out there which can cover all these use cases, on the one hand? I think the other question also is, people may already have some sort of identity and access management solution in-house; how well do these tools work together, right?
Yeah, absolutely. So this is a great question, and it's one question I wish we could talk more about with everybody. Many people are focused on their current requirements, and that's very important, but sometimes you need to ask yourself, what do I want for the next five or ten years in terms of password management, privileged access management, identity management, and making sure that the tool that you choose can really scale up in a way that's effective.
So, great question. Is there a solution that can do it all?
Well, there are some solutions that can do more and there are some solutions that can do less. Okay. So if you look at the major vendors that are out there, we're all able to deliver capabilities for the majority of the key use cases that our customers are going to have. And so in many cases, customers come to us and they say, I feel like I'm just looking at the same solution.
So we need to then start to delineate and say, okay, what is it that makes us different?
And one of them is that Thycotic's Secret Server, which is really our flagship solution, can deliver so much value across the different parts of an attack surface from one solution. You know, whether that is the non-human machine identities, the cloud, on-premise, whether that is securing business users, it's all possible through a single solution that's licensed in a very simple way. So if they go down this roadmap, they're going to find that the solution can provide tons and tons of value for the vast majority of use cases.
So with other solutions out there, they may have the technical capabilities, but they weren't wrapped into that initial solution, so you end up deploying multiple different solutions to solve, you know, the same number of use cases. And look, that's a different approach, and some customers may end up making a decision based on some factor that isn't in that anecdote. But in answer to your question, some can do more, and I think that's where we sit, and we're very proud of that. Some can do this.
Yeah,
There are. I think we basically discussed that privileged access management is one of the, let's say, basic controls, basic measures everyone should have these days. We also discussed that it actually provides great answers to recent challenges such as the pandemic, such as the cloud, perhaps even zero trust, et cetera. So it is certainly a topic CSOs should pay attention to. And thank you very much, Rob, for being with us, for your answers, your insights. It was a pleasure talking to you, and I really enjoyed it.
Well, thank you, Berthold. Thanks so much. It's been a pleasure speaking to you too, and hopefully we'll get to do it again.
And to everyone who was listening to us, I also hope you enjoyed our talk at least as much as I did. And I'm looking forward to seeing you in one of our next sessions.
Again, thank you very much.