Paul Fisher and Matthias Reinwarth continue talking about privileged access management, discussing the core capabilities of modern PAM solutions.
Matthias: Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts, and today I'm happy to continue a series on privileged access management. My guest today is Paul Fisher. He's an analyst at KuppingerCole working out of London.

Paul: Cool. Hello Matthias. Great to be with you again.

Matthias: Great to have you again and great to continue our discussion on privileged access management. We had one episode some weeks ago, and we discussed the characteristics and the specifics of privileged accounts and how we identify them. Today we want to have a look at the technologies that solutions for managing privileged accounts adequately provide, how they provide functionalities and what the building blocks around that are. Maybe we can start with looking at managing the privileged accounts in general. So maybe we start with privileged account data life cycle management, or what is behind that long acronym, PADLMS.

Paul: So PADLMS is really the tool to manage your privileged account management system itself, so that you can see when changes are made to the system, when perhaps different services or data are added to it, or where people might be added to the privileged accounts that you have. So it's really just an effective kind of maintenance tool, really. And it's also useful for compliance purposes, so that you have a record of when things changed, perhaps when the system was upgraded or perhaps when you even switched over to a whole new provider. Right?

Matthias: So it's also the place where one would assume that the criticality, the associated risk of a privileged account, is actually identified and documented, so that you can make sure that each privileged account is understood with regard to complexity, to risk, to criticality.

Paul: Yeah, I mean, that's a very good point. I mean, I've been thinking a lot, I spent a lot of time thinking about privileged account management, and the more you sort of get into it, the more complicated it becomes.

Matthias: When we talked about privileged accounts, we identified one key characteristic of many of these privileged accounts: they are shared accounts, so they have the characteristic that the account credentials are known to more than one person, or that they need to be known to more than one person. So if we think of a root account, an admin account in the cloud, or a root account on a Unix system, these are accounts that are used by many persons or need to be used by many persons. And nevertheless they are very strict and not very elegant when it comes to credentials management. So I assume that is of course one of the key functionalities that privileged account solutions need to provide.

Paul: Yeah, for sure. And I think we said that shared accounts in an ideal world wouldn't exist, but we don't live in an ideal world. And so many companies or organizations will have privileged accounts that are accessed by many users, and they may also be accessed by applications or machines, and then even be accessed by external partners. So what we need in this non-ideal world is shared account password management. And I would say that shared account password management is one of the most important features of any privileged access management system, because shared accounts are not going to go away overnight. The point is that when choosing a privileged access management system, it's essential that it has SAPM built in, and then you need to go a little bit further. It's important that you check with your vendor, whatever vendor you are thinking about choosing, or if you have an existing vendor, how well they actually manage shared accounts, and the only way to find that out is by asking them. So, I'll just repeat that shared account password management is one of the most important functions of any privileged access management system. Okay.

Matthias: So how can we imagine how that really works? I think the concept of password rotation comes into play here. And also that only makes sense when there is session management and no other access to the system than via the privileged account management system.

Paul: Absolutely. Rotation of passwords is one of the most fundamental ways of controlling shared access to privileged accounts. There are also some areas now where some vendors give one-time-only access to a person or a thing that wants access to a certain privileged account. This is also sometimes called just in time. This actually gets over one of the problems of shared accounts, where you have perhaps too many users accessing a shared account, and some of those only really need it on a very irregular or even a one-off basis. So you can see that if you weren't able to give a person one-time access and then delete their access, you would end up with a risk in that you have that person still having access to that account, and an attacker could potentially find that and get access to that privileged account. So that's two ways of controlling shared accounts, right?

Matthias: But to achieve this, there needs to be a safe place for storing the passwords, the credentials in general, within a PAM system. So there should be something that really is as secure as possible, because the shared passwords in general will be there, where you can extract them and use them for this one-off purpose that you've mentioned, and then afterwards change them at the source of truth. So there is a safe place for storing credentials within a PAM system, right?

Paul: Yeah. Traditionally privileged access management will have a vault. And that effectively is what it sounds like. So like a bank vault would have kept cash safe, a digital vault is where passwords are generated and kept, and these are automatically generated. But we were also saying some people even feel that that is a security risk, because you still have a place where passwords are kept. Okay, they're encrypted and they're hidden from view, but we are all seeing vaultless systems starting to appear, where passwords are not stored or kept, but instead people are issued a one-time sort of certificate, and this is known as ephemeral access. But again, you have to balance convenience and security. The reason why passwords are stored and kept in vaults, and why we have shared accounts, is because for a lot of organizations it's convenient. So Joe Smith, in whatever department he works in, say HR, often needs access to certain employee files or company information. Then he knows that he basically will always have the access, because the privileged access management system has already set it up. It will allow him in by generating a password, and the same has to go for making ephemeral systems and certificate systems work. So for that kind of user, they're going to have to be, as I said, almost invisible to the end user. When I say end user, I don't mean the administrators working on PAM itself, but the actual employees; they need to be able to do their job as seamlessly as possible. And I don't think that the ephemeral technology, or just in time or one-time passwords, are quite there yet.

Matthias: You have mentioned a really important point, because I've talked to many organizations, and the employees and the admins within these organizations, when introducing PAM solutions. And it was always about convenience, and admins refusing to accept such a solution (they are not asked anyway), rejecting it because a bit of their convenience gets taken away, because they were used to knowing the password too, in the worst case even having this root window on their desktop always open, to just check the machine or work on the machine. And that all goes away when we introduce the concept of PAM. So this convenience part is really an important step, no matter where we implement that. And maybe we should also look at the actual session management, now that we have learned that we have a lifecycle management for the accounts and we manage the shared credentials, be they certificates or passwords. So the next step for the admin still getting access to the target system that they want to administer would then be the session management.

Paul: I was talking to a vendor a couple of days ago, and they demonstrated their product, and they made big efforts to make the interface or the UX far simpler than it has traditionally been in privileged access management. And I think that's an important trend, and more and more vendors are doing this now. So admins get a more friendly consumer-style interface that you would probably associate more with consumer applications. And I think that because techies, and sometimes it happens to me too, like a bit of complexity, we have to step back a little and consider that it is, in the end, a business tool. And it's about effectively delivering privileged access to employees that genuinely need it to do their jobs. And in a world where we're talking about digital transformation and agile environments and DevOps and APIs, microservices, all that stuff, the speed of development and the speed at which companies are expected to react to changes in the markets and changes in demand is much higher than it used to be. I think also the lessons of COVID have shown that companies have had to change the way they work very quickly. And also we've seen how, for example, companies like Amazon have seen a 40% increase in demand and traffic, et cetera. We've seen how delivery companies have had to step up to the plate, and behind all of this are infrastructures where privileged access is playing an important part. So I think that ease of use is not something to be scared of; I think I've used this phrase in a report: ease of use is nothing to be scared of. It actually is an important part. And the more that privileged access management vendors can hide the complexity of things like certificates and their generation, and also make it much easier for admins to see what's happening in privileged accounts by pressing one button, I think that's all good.

Matthias: One additional aspect to look at, of course, is the aspect of governance and compliance. So using privileged accounts comes with high privileges, as in the name, but also with high risk, and risk management, the control of risks, having adequate controls in place to make sure that these privileged accounts are well controlled and monitored and well documented, that is also something that is around this session management. So when we understand what the criticality of an account is, when we know how to manage the credentials for these accounts and to apply the right mechanism for rotating and for retrieving the password for such a system, the next step of course is to apply for such a session, for such an access, and to have somebody approve it. And then you get that access as simple as possible, as you've mentioned, and as elegant and as transparent as possible, but well controlled.

Paul: Yeah. And session recording and session recording management is another area which actually, when you think about it, the amount of information that a privileged access management platform might be processing each day in a larger organization, where you might have a hundred thousand users of privileged accounts, and then you have maybe a security incident or what looks like a breach of a privileged account. You've then got to prove to investigators or to regulators that you did everything possible to protect that data. Then you've got the task of combing through all the session data, all the session recordings, to see how and why that incident may have happened. And that actually is a pretty big task if you think about it. And again, it's not something that privileged access management vendors have perfected yet. They do obviously have integrations with SIEM appliances or vulnerability management to help, but it's still complex, but hugely necessary. In fact, it is essential that in any privileged access management system everything is recorded and everything is accountable. Otherwise you're going to run into big problems with compliance.

Matthias: Exactly. So today we've looked at various very basic core functionalities of privileged access management. And I think there is a lot more to look at, especially when it comes to session recording and monitoring, because, as you've mentioned, of course you need to have evidence of what happened in a privileged session when it is really highly critical. So having recording in place is required, and it's a protection for the admin, so they can prove they have not done anything wrong. But to extract the information in real time or afterwards, ex post, to look at these recordings and to identify the actual deed, if there is one, requires some additional functionalities that help you and assist you in analyzing what's going on, be it graphical sessions or text-based CLI sessions for the traditional root account. So I think that's it for today's session around core privileged access management functionalities. We've talked about the life cycle management of privileged accounts. We've talked about the credentials vault or password vault, where all the critical information is stored, especially of course passwords, and stored there safely and securely. We've talked about session management, so applying for sessions and having them approved, and we've quickly touched upon session recording and monitoring. There's much more to come when it comes to privileged access management, especially when we look at the more sophisticated, more state-of-the-art solutions, which provide highly fascinating functionalities there as well, so there's room for one or the other additional episode when we try to explain what modern PAM solutions look like. Anything you want to add as of now, Paul?

Paul: No, no. I just think, as I said at the start, that the more I learn about privileged access management, the more fascinating it becomes and the more challenges there are within it. And as we'll hopefully talk next time, when we start talking about some of the critical aspects of transformation that organizations want to operate in, we can talk more about that next time. Right?

Matthias: Exactly. And we will also understand that PAM really is an enabler, a business enabler, because many organizations just cannot do their business when they do not have PAM in place, because it's a requirement for achieving compliance with the regulations. So thank you very much, Paul, for today's session. Always a pleasure to have you here, and looking forward to the next session, when we talk about more sophisticated functionalities there. Thank you very much, Paul.

Paul: Thanks. Thank you. Bye.

Matthias: Bye.