Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is Paul Fisher. He is senior analyst with KuppingerCole and he's working out of London. Hi Paul. Hi Matthias. How are you? I'm fine. I'm happy to have you today. We will be catching up on a topic that we covered in an earlier episode of this podcast.
We want to talk about privileged access management, but this time in a somewhat different flavor. You did some research and provided some research recently, and you're currently still working on that, for privileged access management when it comes to DevOps environments. First of all, maybe a quick definition: what is DevOps when you're looking at that?
DevOps is basically, just as a quick piece, a combination of what is called development and operations. And the two had sort of different ways of working.
And then, I think about 10 years ago, the culture arose in IT circles where dev and operations started to work together to share knowledge, because before they had been working in silos and this caused delays, et cetera. So the idea was to create a more agile working environment so that dev and ops would share stuff between each other, and it's pretty much worked. And one of the reasons why it's worked is that they have access to data and things they need much more efficiently, which brings us on to privileged access management. Right.
And of course DevOps also is of high importance when it comes to software-defined infrastructure. So when you create new virtual computers, new systems, new containers in the cloud, and change these systems rapidly over time. And as you've mentioned, security often is the missing link between the dev and the ops, so many blog posts have been written about DevSecOps.
So to really get to a more secure approach here. But you've mentioned already protecting privileged accounts. What changes when you look at a DevOps environment? Which are the privileges to protect here?
I think that traditionally PAM, as we all know, has been for admin accounts and other high-value accounts given out to certain people in the organization. What's changed is that the definition of what's privileged has changed. And the number of people that are using privileged accounts has escalated quite significantly.
And DevOps has contributed to that change. When you talk about software-defined networks and the engineering that goes on almost every day in organizations now, where applications and other pieces are updated maybe even, you know, several times a day, that's the speed that these people are working at. But to ensure that they actually get this done, they need to access particular things like containers, and they need to access code, and they need to access APIs and everything else which makes the whole thing work.
And within all that lie secrets, and that would include things like passwords, but also perhaps pieces of code that are needed to help another piece of code, et cetera.
And it's become obvious that all that has become very tempting to cyber criminals, or cyber attackers, because they realized that this stuff is valuable. If they can get inside one piece of code, they may find gateways into other parts of the network. And what's been happening, I think, in DevOps is that because the guys working there are under pressure to deliver, they sometimes cut corners or they make secrets available to each other without properly protecting them.
So it became obvious that these things, which we would define as privileged, needed protecting from privileged access management platforms. And so the research that I've been doing: I've done a couple of papers, but also we've been doing a Leadership Compass, which is an extension of the Privileged Access Management Leadership Compass, which we did earlier in the year, and that is focused on PAM for DevOps. And we've looked at, I think, about eight or 10 individual vendors that we think are doing the best to serve this emerging market.
Okay.
I think when we look at PAM for DevOps, we get to a different dimension of PAM as well. On the one hand, we are typically talking about the admin accessing something, so having access to a root account, to a highly privileged code repository. So this is really the human, that is the developer slash operations guy, accessing a system. But there is another dimension, and that is the communication between individual building blocks within a software-defined infrastructure or a software-defined network.
So really some system accounts, some technical accounts, that then often, in the cloud, are represented by, of course, usernames and passwords in the worst of all worlds, but maybe also API tokens or credentials or certificates, et cetera. The vendors that you looked at, did they cover both aspects, or did I miss another aspect?
No. The vendors covered in the report, which will be coming out early next year, were of different types.
Some are what you might call the traditional PAM vendors who are extending their functionality to cover DevOps and also other agile environments, even people using sort of multi-cloud environments, which have the same challenges that we've been talking about in DevOps. But we also included some vendors that wouldn't even be seen as traditional PAM vendors, but they do offer, for example, vault technology, or they also offer certificate-based and passwordless secrets management.
I think what has sort of become apparent to me looking at this area is that PAM for DevOps, or other agile environments, or other environments that have access to a lot of secrets, is kind of different from what we might call the traditional area, which you talked about, which is protecting admin accounts and the more static area of PAM. PAM for DevOps is really dynamic.
And I think that the vendors that we've covered have realized that they can't just say, well, our existing PAM platform can manage with DevOps.
They can't just say that without actually adding new technology. And some of them have acquired smaller sort of startups that have enabled that, and others are developing it in house. And the other thing is that I think we're seeing, as part of this, a sort of hybrid PAM development emerging, so that you may have organizations which already have PAM in place, but they may think about deploying another, faster, dynamic PAM purely to help those in DevOps and those in application development, et cetera.
The critical thing, though, is that I don't believe that you can have one without the other, just because PAM for DevOps works extremely rapidly and people need to get to secrets so they can get their job done.
There still needs to be a system of record, and there needs to be session recording and management, and then you still need to know who's doing what.
So it comes down to some kind of PAM, or hybrid PAM, or an existing PAM with the new DevOps in it, or a DevOps vault, or a certificate-based system that works with existing PAM but can also integrate with those, so that you have a record of what's happening for, you know, GRC reasons. So that's critical.
I don't think what should happen is that organizations that are perhaps almost wholly based around DevOps or other agile means of development would not bother with the basic tenets of PAM, all of which you can, you know, read about in any of our documents on PAM.
Right?
And I think, as you've mentioned, finding the right balance between enabling people to do the job and providing the adequate level of security, compliance and governance when dealing with highly privileged accounts and the elevated access that lies behind that, that is really crucial, because the last thing that you want to do to your developers and operations people doing this incredible agile work is to hinder them in achieving their goals.
But nevertheless, when you are the CISO, when you are in an audit, legal or compliance team, you need to make sure that these highly critical systems that they are dealing with, building and operating on a daily basis, are well maintained and well governed. So I think this balance is also highly important, to have a PAM solution that is up to speed with their processes.
You're absolutely right.
And I think that's where convenience versus security is something we talk about all the time in security, and it affects not just privileged access management, obviously, but even fundamental things like logging onto your email. People need to do that as quickly as possible. And that's why we have all those authentication standards that make that happen.
But I think DevOps works at such a speed and in such a different way to perhaps other parts of the organization that it's crucial in there. And also something else we haven't talked about is passwords. And you just mentioned it. Passwords are still very much part of PAM, and I think they'll continue to be so, particularly for the more basic areas of PAM, but I think within DevOps we need to have passwordless systems which use things like authentication keys or certificates, et cetera, and just in time, so that PAM becomes very much a one-off sort of operation.
So that every time someone in DevOps wants to access some secrets, they get a certificate, they get it just in time, and then it's deleted once they've finished that work, so you don't have any problem with sort of orphan accounts lying around. And I think that's another difference between what's happening in DevOps and the rest of the organization, right?
One very important type of account that comes to my mind when we're talking about DevOps,
and of course cloud deployments, are the root accounts that you get when you subscribe to a cloud service provider, say AWS or Azure, where you really are in the driver's seat for all the instances, all the software-defined infrastructure that you have in place. Are these solutions also capable of maintaining these very simple but very, very powerful root or basic accounts, when it comes to the AWS main account?
Well, there is a problem that some PAM needs to deal with, because all the providers, AWS, Azure, et cetera,
they all have their own different standards and different controls. And some PAM solutions, yes, they can do that. And actually AWS has a very small piece of privileged access management built in.
But that's another story. Most of them will work with all the leading cloud providers. But then again, this is where the certificate-based or passwordless base has a strength, because it's cloud-agnostic. So therefore you can have a PAM system which will work with virtually, well, it should work with any cloud system. And although, you know, AWS has a large share of the market, it's not uncommon for companies to have Azure and AWS mixed, and indeed other cloud platforms, within the organization.
So we can't rely on the cloud to protect privileged accounts either, and we can't necessarily rely on password-based systems to protect privileged activity in the cloud. Okay.
I understand that you've mentioned that, and I've had a look at that already. We have quite some research already around that topic. We have the Leadership Compass coming out early next year, as you've mentioned, where our audience can then have a look at the individual products and vendors that are available on the market.
When we want to close with, say, some three, four, five key recommendations that you could give to somebody who is currently looking into the market of PAM solutions for DevOps, what would those be?
Well, the first one would be to wait until our report comes out.
If that is not an option,
But perhaps more seriously, then I think, hopefully, our report is a good start, but also do research yourself. First of all, you need to understand what is happening in your organization. You may have DevOps happening and not really realize it, because some software development teams may be working like this and you don't know that.
So it's important, like in any pre-deployment, to do an audit of what's happening in your organization. If you already have PAM installed, and there's a good chance that you do, then obviously get in touch with your vendor to see what they're doing to provide for this sort of new age. And finally, I think, don't panic.
I think at the moment there is a risk, there is a security risk, in some of what is happening in DevOps.
But I think that there's still time to manage this and to look at the options that are available on the market, but also keep up to date. The PAM market is changing all the time, and the solutions that have been coming out for DevOps probably didn't even exist maybe 18 months ago.
The other thing I would say is understand the choice that you have. You know, you may have multi-cloud working, and you obviously have legacy operations happening at the same time, but PAM as a technology is becoming multi-faceted as well. And you may want to investigate what I call, you know, the multi-cloud solutions, so that you have a very agile and speedy version of PAM that works for your DevOps developments, or your DevOps teams rather, and your teams using multi-cloud,
and they also work with the existing sort of legacy PAM.
So the good news is, I think, that there are more and more options now for privileged accounts. And I'm sorry, I think I've done about six points, but the other point is: don't think that privileged accounts are just, as you mentioned, root accounts or admin accounts anymore. Even Thycotic is talking about all accounts being privileged accounts.
So that might be a little bit of marketing messaging there, but it's kind of the way that everything is going, because of digitalization and digital applications and the way that companies are changing. The idea of what is privileged and what is not is certainly blurring a lot more than it used to. So you might find also that ordinary end users, and of course applications themselves, and the Internet of Things and other entities, are also being thrown into the mix. So lots and lots of things are happening.
But I think that the good news, to sort of sum up, I suppose, is that the PAM vendors are keeping up, and they're keeping up really well.
Yeah. Good to hear that. And I think, yeah, that PAM for DevOps is one important facet, as you've mentioned, but it is just one part of the overall PAM landscape that an organization will have to maintain to stay secure, to stay compliant, to make sure that the business is running in the way that they can serve their customers and rely on security operations here.
I think for all of those in the audience who are interested in learning more, of course there is already quite some material available: a white paper that you did around the management of privileged accounts for multi-cloud and DevOps environments. There is a Leadership Brief around already. Just go to our website, use the search engine, type in DevOps and maybe Fisher, your surname, to get very quickly to these documents. If there are any open questions, please feel free to reach out to us and just send us a question, get in touch with Paul and/or me.
And of course this Leadership Compass will be the comprehensive work when it comes to assessing and identifying the right products. And we are happy to help as well.
And of course the main Leadership Compass is already online as well.
So although it's not focusing on DevOps, it still gives you a very good idea of what's in the market. And that was only published sort of June this year, so it's still pretty up to date.
Great. Thank you very much, Paul, for sharing your insight on that interesting aspect of the PAM market. Looking forward to having you in a future episode soon.
Thanks very much. Pleasure to be with you.
Have a good day.
Thank you very much. You as well. Bye-bye.