Hello all, my name is Anmol, and today I'm joined by Dave Colson, VP of Product at Saviynt, to talk about privileged access management and the emerging need for enterprises to manage security through PAM controls, which are increasingly not sufficient to manage security risks in emerging cloud models.
As part of this webinar, we'll talk about an entirely new approach which is evolving to manage some of these security risks. Before we get into the webinar, I'd like to take you through a short introduction to KuppingerCole and what KuppingerCole does. We focus on delivering content and services for IAM, cybersecurity and AI. These are some of the content formats that KuppingerCole provides: Executive Views, Leadership Compasses, webinars, analyst briefings, conferences, advisory projects, various meetups and eLearning.
These are some of the research formats that I spoke about. You might want to refer to them on the website, or even download them from this webinar's content copy. The KuppingerCole Business Compass is another, newer format that helps organizations navigate their business strategy in the age of disruption: there is a KC Strategy Compass, a Portfolio Compass, a Tech Compass and also a Project Compass. With that, we have some of the events remaining for 2019, where you might want to network and also gain insights into topics that are of interest to you.
Now some housekeeping guidelines for this webinar. Everybody here is centrally muted, so you don't have to mute or unmute yourself. There will be a recording of this webinar, which will be available tomorrow or in the short term, along with the slide decks that you can download. And finally, if you have any questions during the webinar, you can enter them through the GoToWebinar control panel.
So for the agenda of this webinar, I will be talking about why PAM is increasingly important for organizations, and where the technology and vendors might be lacking in their ability to provide solutions for the emerging requirements of organizations, for example security for their cloud requirements. I'll also talk about where the PAM market is heading and what the emerging or evolving approaches in this segment are.
I'll also talk about why we are seeing increased convergence of PAM and IGA vendors, as well as privileged access governance capabilities. After me, Dave will talk along similar lines about the challenges of PAM and how you should be able to provide solutions to address those issues. And finally, we'll take the questions and answers that you will have provided in the GoToWebinar control panel.
All right.
So getting into the presentation: privileged access management is quite challenging today, mainly because it's presented as one of the key cybersecurity controls for organizations to help manage some urgent cybersecurity requirements. These basically range from password management or password vaulting, which generally caters for your privileged credentials across the organization,
be it across the network, in the cloud or across your applications, for IT administrators or even for business users, to managing session requirements, basically to audit and monitor privileged sessions across the organization. And we have also seen PAM moving towards helping organizations manage endpoints by providing endpoint privilege management.
Through these technologies, PAM has evolved quite a bit and has stayed the course, because it provided solutions that meet the primary forces in IT. If you talk about, for example, the cloud evolution, PAM has been able to cover most of the risks, especially when it comes to managing credentials and passwords, and also specific privileged access into IaaS and PaaS platforms.
However, if we look today, there's an increasing need for organizations to manage their assets, applications and workloads across a hybrid cloud environment. So they have a private cloud presence, they have public cloud, which also includes IaaS and PaaS infrastructure, and obviously they have a requirement for managing credentials, service accounts, software accounts, all these different types of credentials that they know of, or may not know of, throughout the infrastructure.
So obviously, as the cloud presence increases, organizations have this challenge of providing the right PAM controls across their hybrid infrastructure.
From there on, we've also seen that as organizations move to cloud, there's a need for PAM scalability. So your solution should be able to match the speed and the scale of your cloud adoption. The PAM approaches that most organizations have taken, and even the products that are available in the market today, do not cater to, or are not, I would say, designed to match that speed and scalability.
Well, they can do that, but obviously there are some trade-offs in terms of resilience, latency and overall cost benefits. So what are the emerging PAM requirements, or I would say PAM trends, to address some of those gaps? I'll take you through a bit of what we have seen in the market. So if you look at most vendors, and I think this is a thing of the past today, the vendors who have been providing agent-based architecture for PAM are really not very viable in today's environment.
So obviously you have IT administrators and business administrators who have been able to access systems and applications through the agents installed on those systems and servers, and these agents basically would talk to the centralized PAM server to fetch the required policy for enforcement.
Based on that, the privileges were decided. Obviously this approach had some overheads in terms of cost, maintenance and administration, but it also provided benefits in terms of detailed auditing and logging, and also more fine-grained control over the privileges, basically the privilege escalation, that can be achieved by this approach.
But obviously, with time, we have seen a great decline in the adoption of these kinds of traditional agent-based approaches, particularly because when it comes to extending some of these controls or architectures to IaaS and PaaS in the cloud, they were not efficient and not even viable. So they entirely, I would say, failed to extend your PAM controls to the cloud infrastructure.
Then we have seen the existing approaches, which are primarily proxy-based, and this is a very common architecture which most vendors are providing. In this approach there's a PAM proxy, which generally takes care of routing the request to the relevant system or application being requested by the user. It takes care of injecting the credentials if needed, and also provides session monitoring, recording, et cetera.
So this approach has proven more beneficial and successful in terms of how PAM has existed and established itself as a mainstream technology within IAM. Extending the proxy-based architecture to the cloud has been done on a somewhat good scale, I would say a decent scale, but it remains that there are certain limitations in how the PAM proxy architecture can be extended to cloud-based infrastructure, especially into IaaS and PaaS.
There are obviously limitations in how these PAM products can provide direct integrations into IaaS and PaaS infrastructure, how they can manage credentials, and how they can especially cater to the requirements of credential discovery: whenever new instances are spun up in the cloud, how they can scan through those instances and provide the required credentials to the administrator to access those resources. There are obviously limitations in terms of auditing and logging as well as monitoring.
There is some decent overlap with CASBs as well, particularly where these products have been trying to manage PAM for cloud applications and infrastructure. And some vendors have also been trying to provide these controls from a cloud-based PAM, but still having to manage credentials on-prem, while being able to provide some of the capabilities like session management and others delivered directly from the cloud, for the cloud.
So now, what are the emerging PAM technologies that have seen some demand to manage the specific requirements for organizations we have talked about? We have seen this increasingly getting some attention. Privileged task automation is one of those technologies, and these are sort of add-on technologies for PAM approaches.
PTA allows organizations to delegate tasks, instead of standard or individual privileges, to the users. These tasks can be decided on, or combined together, based on the routine tasks that administrators and users are executing. This kind of approach helps to eliminate the dependency on existing password vaulting techniques, so for any specific task that needs to be run on a daily or routine basis, you wouldn't really require password vaults to provide the credentials.
They can be sort of coded into the tasks in an embedded form in the applications, and can provide you with direct execution rather than distributing privileges to the individual users. And obviously this kind of approach can help you provide better efficiency in operations by automating the routine privileged tasks.
Then we have also seen increased adoption of on-demand access provisioning, which basically means that if you're looking at a more flexible or dynamic environment, privileged task automation may not be able to provide enough control over the privileged credentials there. So on-demand access provisioning basically helps you scale further up into these environments by providing just-in-time and fit-for-purpose access provisioning.
So for example, Saviynt has taken an initial approach in this direction: they help you create a new Docker container in the environment, which allows you to access certain privileges, and once that's done, it's basically a transient process. The access is no longer standing, and therefore it reduces any threat which might be associated with standing access for an administrator.
So a transient or ephemeral kind of access model helps here to provide the level of scalability that your cloud environment is demanding today.
With that, I'll switch gears and come to the other topic that we want to discuss as part of this webinar, which is the convergence of IGA and PAM. We are increasingly seeing in the market that organizations are requiring access governance for privileges, which is actually bringing PAM and IGA closer.
We can see that there's a lack of the required visibility into the state of privileged access, and these are some of the primary drivers
for why IGA and PAM are seen converging. So if you look at most PAM solutions, they provide the controls, but eventually your objective is to find out what's happening with my privileged access in my entire organization, across the infrastructure, across the applications. With privileged access governance, you can achieve that level of visibility into the state of privileged access across your infrastructure and across environments, be it even access by your external contractors or third-party vendors to your network.
Also, we have seen that there is slow accumulation of provisioned entitlements by users. When users move between roles, especially between administrative roles, their previous access is not taken away and they keep on accumulating privileges throughout their tenure. That can be disastrous for organizations if users who are not supposed to be superusers gain these privileges. And basically, the principle to follow here, to avoid that, is separation of duties.
So how you can comply with separation of duties is something privileged access governance can help you achieve. Another aspect of it is when you keep on providing additional provisioned entitlements to the administrative roles without monitoring them, without trying to find out what can be conflicting when you add certain entitlements to existing administrative roles.
So again, the principle to be followed here is separation of duties.
So for any roles which are being created, provisioned or modified, you should be able to scan through the existing privileges and find out if there are any conflicts or policy violations as part of those actions. Finally, provisioning of entitlements at the source, which is basically an access reconciliation requirement: when administrators gain superpowers, they can pretty much make access changes directly at the source without being driven by the access policies.
So access reconciliations are important at that stage, and privileged access governance can help you find out which access is conflicting or deviates from existing security policies, and what needs to be done to address those gaps. And finally, which is probably the major driver here for IGA and PAM, is to conduct periodic access certification for privileged access.
We have been doing that for standard users for a long time, but for privileged users that's again something which should be done on a more frequent and more granular basis. There is also the lack of access remediation workflows. PAM tools today do not address this kind of capability; they don't allow you to have an access remediation workflow. So if you have certain findings as to what should be removed from the users, there's no workflow mechanism that can be followed to automatically remove that access from the users.
All of these, or I think most of these capabilities, have been offered by IGA tools as of today, but those are only targeted at standard users, not at privileged users, not at privileged accounts, which include software accounts, service accounts and any of the other operational accounts as well. So that's exactly where we see increased convergence of IGA and PAM tools in the industry.
We are seeing some vendors trying to offer a certain level of integration between IGA and PAM tools, or IGA vendors who are trying to address the PAM capabilities, and vice versa, where PAM vendors are trying to build some of the basic capabilities around privileged access governance. With that, I would like to hand it over to Dave. Dave, over to you.
So Anmol just covered off quite a few different domain spaces, and I'm going to highlight some of those with this presentation, which is broken into three parts.
One is talking about some of the gaps and limitations of existing traditional PAM, and what I'll call even legacy PAM-type solutions in the market space. Second is a focus on our go-to-market around delivery of how we interface with cloud products, specifically things like infrastructure as a service, and the strong need for PAM and privileged governance there. And thirdly, I'll talk more specifically about the Saviynt approach as we focus in on the convergence of IGA and PAM.
So when we talk about privileged access management as it relates to the cloud, there are a lot of gaps in the existing product sets that are out there in the market today. A lot of organizations are simply just taking their traditional PAM products and lifting and shifting them into the cloud, and there are some pretty major gaps there in terms of things like scale, and also being able to identify all of the particular privileged identities that may exist out there.
And again, when I talk about cloud, it's not just infrastructure as a service, it's not just software as a service or PaaS. It's thinking about things that we didn't traditionally always think of as privileged access, for instance who has access to the corporate Twitter account, et cetera, and how that can affect brand equity and so forth. And then when we look at PAM over all enterprise applications, whether they be SaaS-based or on-premise, PAM solutions have traditionally largely overlooked all of those capabilities.
In particular, we tend to look at ERP applications, HR applications like Workday and so forth, and how those things manifest from a privileged access perspective, especially in production workloads. How do we deal with that? Then another key area, which is often overlooked by PAM: PAM traditionally has always been about vaulting credentials and allowing proliferation of credentials within privileged workloads,
but there's been no focus on reducing the attack surface as well. And then finally, over and above, risk in terms of how that access is being used, and the governance and oversight thereof, has always been kind of an afterthought. What I mean by that is that this whole notion of IGA and PAM converging really has become integral to a proper security strategy within the organization, because you have to look at both how the access is being used, and then who has the access, why was it granted, for how long, and is it being used appropriately?
When we start to look at workloads in the cloud, some of the things that are really a challenge for traditional PAM products is the fact that cloud workloads themselves are ephemeral. They're here today, gone tomorrow.
There are ten servers serving an application today, and then, because of seasonality of my business, there are a thousand servers tomorrow. So the whole nature of having scalability, and the need to support dynamic discovery of what's going on in my infrastructure services, what's supporting my workloads, et cetera, is critical. And ultimately, traditional tools take a long time to bootstrap and roll out the integration with these workloads.
And so the challenge continues to be that, again, a lot of the classic PAM tools have been focused on classic data center-type infrastructure: Unix servers, Windows servers, who has privileged access, service accounts. Those things are all important.
Absolutely all important.
However, we absolutely also need to be focusing on things like enterprise apps, and the ability to support software accounts and service accounts. And then the fact is that tools which lend themselves to being more cloud native, from-the-cloud, for-the-cloud type approaches, are a much better focus point. And finally, as we look at the way these things are audited, there is no ability within a lot of these traditional tools to drive preventative risk awareness.
What I mean by that is looking at things like, as Anmol talked about, segregation of duties. Even within the privileged world, there are very clear and distinct lines for segregation of duties that are needed, and whether that's at the point of access request or through break-glass approval, all of those things have to be addressed accordingly.
So let's just take an example of infrastructure as a service for a moment. When we talk about things like AWS or Azure instances, the biggest and most challenging piece of that is visibility:
understanding the complexity of what's going on at the management console level, what's going on in my environment. The fact that there are separate IDs for your normal user access and privileged access becomes an ever-increasing requirement within the solution.
And then there's the notion of trying to understand that when you have all these instances, and again, as I said before, whether it's ten instances or a thousand instances, depending on the ebb and flow of the workload supporting a particular application or set of applications within your infrastructure, the attack surface becomes quite extensive if you're proliferating user accounts at the local operating system level.
So how do you minimize that? How can we do a better job of mitigating that through controls?
And so, when Saviynt recently introduced the Cloud PAM product that we brought to market a couple of weeks ago, one of the biggest things we provide as an integral part is this notion of just-in-time that Anmol talked about toward the end of his presentation, where we can provision a user to go do a specific set of tasks within a workload, production or non-production, and then when that user leaves, his identity, his account, leaves with him.
The whole nature of making identity as ephemeral as the workloads themselves greatly reduces the attack surface within your cybersecurity approach and reduces the risk to the overall organization.
When we look at things like serverless and APIs, this becomes just an order of magnitude more intense.
When we start to look at the fact that serverless functions go out there and do a specific set of tasks, where they're scripted through some sort of DevOps process, whether it's human users or the services that are consuming things like Lambda functions and the equivalent from things like Azure and so forth, the reality is that we have a big challenge in making sure that we keep all of these capabilities under a critical set of controls, driven off of things like keys rather than IDs and so forth.
And then when we look at APIs, the fact that we push keys out into things like GitHub and so on, on a semi-permanent basis, creates super high risk within your application space. It gets really challenging to understand what the extent of the leak is, who had access to my keys and for how long, and what did they get when they got there?
Continuing on down.
As we talk about things like cloud databases, whether it's Azure SQL or AWS RDS, it's very difficult to manage, on a long-term basis, the life cycle of these privileged identities. We're finding ourselves challenged to deliver the right level of access over time, but also with the need to increase the appropriate access and minimize our exposure for cloud databases in particular.
And not only within the database: when you look at a lot of these database technologies, because of a lack of maturity or whatever, they don't even have the appropriate access rights within them to talk about things like row- and table-level access privileges. When you get into things like the command line, then you really start to get into real challenges, and more than anything, trying to understand how you deal with things like keystroke monitoring and session recording. How do we know what individuals are doing?
And when I say command line, you can insert SSH, shell, RDP, those kinds of things. As we talk about command line considerations for infrastructure as a service, the reality is that it leads to major monitoring challenges, and we need to understand how we minimize the attack surface across that.
And so largely what we're seeing is this major need to understand, when users are in, what are they doing? Can we restrict what they're doing? Can we do things like limit commands by policy and so forth? But on what scale?
And when do these users need access? Should a shared account like root be used? There's a lot of argument out there for why, if ever, something like root should ever be shared as an account, especially for dynamic workloads.
And at the end of the day, one of the things that we've had a number of customers come to us and talk to us about is: hey, we're making this huge change, a digital transformation change.
We're shifting all of our workloads to the cloud, we're adopting DevOps. And at the end of the day, a lot of these DevOps tools like Chef and Puppet, Jenkins, et cetera, are leveraging these privileged credentials to push these workloads out, to automate these workloads, to automate the elevation of product evolution within the service offering that a particular client is delivering to market.
What we're finding is that more and more, these organizations are finding out that they don't have any control, or very little control, very little optics or governance across the breadth of their DevOps approach.
And so, finding out who has access to not only how the scripts are changed, but also understanding how organizations are managing the workloads themselves, and how those scripts are accessing privileged capabilities within the system. Is it a traditional username/password credential that's hard-coded? Is it key-based and hard-coded? Or do those things need to be vaulted and managed appropriately? And again, very little of that is stewarded under a proper governance review process.
So when Saviynt looked at some of these challenges, like I said, we just brought a product to market literally a few weeks ago called Cloud PAM.
One of the things that we certainly recognized was that there was this need for temporal or time-based access elevation and privileged ID assignment in a just-in-time manner, meaning that the ID gets issued and the credential, whatever it may be, user password or key-based, gets pushed down to the workload in that moment in time when the access is needed, versus having that be a continuous attack surface that's available within the workload. We also recognize a lot of our customers coming to us and saying, hey, listen, we have this hugely dynamic workload.
As I said before, it's ten servers one day and maybe a hundred or a thousand the next. How do we discover that workload change, and how do we make that auto-registration process happen? Put those workloads, those privileged IDs and capabilities, those task-based functions, as Anmol put it
so wonderfully, I think, earlier in his part of the presentation: how do we make those things available dynamically within an access request system? We have to manage things like SSH key distribution and credential vaulting as part of this, and make it just kind of core to the service. Fundamentally, we believe that credentials, username and password in particular, are becoming very passé and are something that is not going to be around for very much longer.
And again, this goes back to two different things. One is, first of all, to quote RSA from many years ago, passwords are stupid. And the other piece of it is that there's no reason for anything, other than the required basic service accounts that have to exist in a given system workload to run services and so forth, to ever exist. Should they ever exist?
If you're a privileged user coming in with a privileged ID that's not necessarily shared, your account should only exist for that moment in time. We have to integrate into all of this the notion of service account life cycle, and make sure that we have the ability to govern who is the owner of these service accounts, and what do they have. You have to have some sort of session management capability within the platform, which we certainly have addressed: our solution uses a web-based technology for session management.
You open a session through the same browser you request the access through. You can manage the session, for time extension and so forth, through the same browser and through plugins available in the product. And then ultimately, at the end of the day, this whole notion of life cycle management for service accounts is also so critical.
So as workloads change, as the infrastructure expands and contracts through its need to support your business, at the end of the day we need the ability to assign owners of those accounts, understand who has access, and then do periodic access review, as Anmol talked about earlier as well. So when we look at the solution that Saviynt is delivering, we're eliminating things like the classic jump box architecture. Saviynt Cloud PAM uses a dockerized approach, so each session is its own unique
microkernel Docker container. It spins up within a few seconds, checks out the keys from the vault, pushes them down to the host, opens up the shell, and whatever the user needs to do during that is fully session-managed and session-recorded, with keystroke prevention. All of those things become kind of a core capability.
There's no need for things like a thick SSH client like PuTTY, or a classic RDP-type tool. There's no need to have a separate IGA: Saviynt is a market leader in the identity governance and administration space,
so it's a core capability to be able to do things like privileged access governance and so forth. And then there's no need to have persistent accounts.
If you have a need to create an ID, that's done as a just-in-time function: as the request is made, when it's approved, the account gets provisioned, the user has the access. And then integral to all of that,
again, governance is built in, so SoD is core to the solution, in terms of policy-based and risk-based SoD. And then finally, it's from the cloud, for the cloud. So it's cloud native, we're cloud-native technology, we're delivered as a service and so forth.
So, you know, I wanna touch on kind of this last point as Unal talked about, which is, you know, IGA and, and Pam are absolutely converging. And this is something that I've observed. And I've been in this industry close to 20 years, as both of these technologies have evolved, they continue to move further and further toward each other closer to each other, right? Because O of these things, right, one is, is that there is this absolute need to reduce the overall attack. Surface ID based account are becoming, you know, very passe. They should only exist for the moment in time they're required.
And things like 80 group and LDAP group proliferation has become in many cases, a lot of the, you know, traditional Pam solutions are bound to these technologies for group based access. Why not make that, you know, a role within your core IGA solution and, and let that drive the access and then have all of that kind of encompass within another kind of key point here, Pam is expanding beyond classic data center function, right?
It's not just about the servers and the routers and those types of technologies and, and who has access to those things. Those are absolutely critical.
Don't get me wrong, but it's, it's absolutely also imperative to understand that there are both enterprise apps like SAP and banner, if you're in the higher ed space, epic or server, if you're in the healthcare space, these, these, you know, huge enterprise applications that require different levels of privileged access. And then as we expand out our footprint into the cloud interfaces, into the consoles for the SaaS applications, as well as infrastructure applications is hyper-critical.
And then within the workloads themselves, one of the things that we've been asked numerous times, whether we're integrating with a third-party privileged access management solution or now implementing our own, is about the account ownership or stewardship of privileged accounts, whether they be service accounts, shared accounts, or named ID accounts.
The fact is, auditors need to understand, based on regulations, not only who has the access but also who ultimately takes responsibility for the privileged access.
We're seeing more and more that there are requirements around very complex workflows and approvals, and even time-based bounds on how long somebody should have access to a privileged set of tasks within a given workload, or the data center, or wherever. There is an absolute mandate by most enterprise organizations that we need to centralize the request of access for all access, not just privileged access, not just generic access, but all access in one place. And this lends itself very well to the traditional IGA space; the same thing applies to roles and policies and the audit of that access.
So having everything in one place, from request to delivery, is becoming ever more apparent as a need, and it's not something that traditional IGA products and traditional PAM products separately do well. The integration thereof, and I'll talk about that in a minute, can be brutal. We also need to focus on applying risk scores and analytics to privilege use.
So just because I have the access doesn't mean I'm being forthright and behaving with that access, right?
So how have I used that access over time? Who, from a peer outlier perspective, has the same access I do, based on my role within the organization and what my responsibilities are? And then, understanding from an analyst perspective how to manage that appropriately over a spectrum of time, over an expanse of time, we absolutely have to be able to do access review on a periodic basis, but more importantly on an event-driven basis, especially when you talk about things like break-glass or firefighter-type access. So I have a production workload that's down.
I need access to a critical system. I come in, and I may not have the same workflow controls and approval controls in place as I would through a traditional privileged access request.
I gotta get in there, get it fixed and get out, and we still need to review what happened during that. And again, it becomes even more critical to make sure that we have an IGA solution integrated in that.
And then finally, and I talked about this a minute ago, the integrations in the field today, because of a lack of APIs and a lack of standardization around that, whether you talk about the big players in the PAM market or the big players in the IGA market, which we would include ourselves in, find themselves in a challenging position where the solutions, from an integration perspective, are brittle.
And, for the most part, it is very time consuming to manage the integration, to ensure that, as these workloads expand and contract, if we're talking about things like infrastructure as a service, all of those things are managed within the construct of that.
And so we fundamentally believe that this integration is more than just an integration. It really needs to be an amalgam. It needs to be something that has come together
cohesively as one single solution, where IGA and PAM really function together as one unit, even though one is more focused on access management and the other is really about the governance. But we're starting to see, based on some of these things that I've talked about, that they're inseparable in their nature. And with that, I will say thank you and turn the floor back over to Unal for questions.
Thank you, Dave.
So we have some good time to take the questions and answers here, and we have a couple of questions. So I'll take the first one. Here it is: What is the mechanism used for workload discovery and auto-registration? That is, are agents installed on hosts, etc.?
Well, I would say that in terms of workload discovery, there are solutions, especially PAM solutions, which can help you to monitor the workloads. But then again, some of this is based on configuration, specifically for triggered discovery, and some of them also offer continuous discovery of new workloads in the environment. So primarily because they are targeted at discovering provisioning of new accounts and credentials in the infrastructure, they can be configured to scan for the newer workloads.
Again, as I said, there'll be differences in the capabilities of how these vendors are addressing that particular requirement: it could be either on a periodic basis or on a scheduled basis to trigger the scanning,
versus there are vendors who can provide the technology to do continuous scanning of new workloads that might be provisioned, and also inventory any credentials which might be hard-coded within some of those applications which are written in the workload. As for registration of those, that is something which has to be done manually. Mostly, as of today, most PAM vendors do not provide you with the capability to do auto-registration.
Some vendors are particularly working on these kinds of account lifecycle management approaches, where they can provide you automated registration of accounts and can help you manage the entire lifecycle of these accounts, right from provisioning to password changes until the deprovisioning or decommissioning of these accounts. So I think that's what is meant to be the answer for your question here. Dave, you wanna add anything here?
Yeah.
I'd just throw in that, when you look at how we've approached this, again, your mileage may vary by infrastructure provider, right? Because there's a myriad of maturity across the API sets, AWS probably having the most mature set of APIs; Azure, Google Cloud and the like, generally speaking, don't have the same level of capability, though they're certainly heading in that direction.
But from an AWS perspective, the way our product works is we're in lockstep with AWS Systems Manager. And so as new EC2 instances or new RDS or S3 instances are brought online, we get near-immediate notification of that. And we can integrate with both your DevOps tools, as well as the core AWS technologies and Lambda functions, to support bootstrapping those instances and making them nearly immediately available within the access request system.
And so it's not necessarily the same case in all infrastructure products.
So AWS is, or, sorry, Azure is probably a little bit closer to what AWS has, but still not a hundred percent there. And then GCP is probably behind the eight ball a little bit in that approach as well.
But, again, we're working very closely with those infrastructure vendors to make sure that the required services are available to be able to do that level of discovery and bootstrapping, but it is an integral process. And certainly we can look at it as a scheduled function or a real-time function or near-real-time function, event driven if you will, depending on how you wanna manage your particular workload.
Perfect.
Thank you, Dave. And we have another question here. Let me quickly go to that. So: if PAM and IGA are truly converging, why are we not seeing better APIs and integration points with best-of-breed vendors?
Well, in my understanding, there are probably three reasons for that. So the first one is obviously that there is a lack of proper understanding, and a misunderstanding, of the business value of access governance requirements for PAM, what we call PAG, privileged access governance.
So when you have a lack of understanding in the market as to what you can really derive from privileged access governance, how you can support some really important access decisions related to privileged IT and business users and their access to some of the most important assets and data in the organization, you tend to deprioritize privileged access governance in the value chain of PAM.
And when that happens, obviously, the security leaders and IAM leaders are left with no choice but to push it back in the list of priorities of PAM.
So there is obviously a good enough reason for that as well, because if you look at most organizations, they're trying to achieve the immediate value which you can get from the PAM controls, like password vaulting, password rotation, and session management. These are the basic capabilities, and obviously they can help you get those immediate business values. When it comes to privileged access governance, it's more of a continuous control rather than a detective or a preventive control.
And so there's not enough motivation for security leaders to actually put privileged access governance on the priority list at this point in time. But then obviously, as we see the requirement, as we see the demand, as the compliance pushes it, we'll see that happen very soon.
So that's one. The other thing which I would say is why we still don't see that level of integration is the lack of PAM maturity, or I would say that privileged access governance requires a certain level of PAM maturity to be implemented successfully.
For example, if you don't understand the entire scope of access, if you don't understand what your privileged access certification requirements are, your role governance requirements, what your privileged reporting and auditing and dashboarding requirements are, what your compliance requirements for privileged access management are, implementing privileged access governance may not be very helpful.
And that has also been derived from a lack of collaboration between IT teams and operations teams in the organizations. So we have seen that there is not enough information exchange and collaboration between IT teams, particularly security and operations teams, to really help shape up the privileged access governance requirements from the beginning, to build a more sustainable privileged access governance model.
And I think the third thing, which is also there and which sort of provides the reason for not enough integration points between the two right now, is the technology support. So we see that IGA tools don't support managing privileges as part of all of their governance capabilities: while they can do everything targeted at standard users and their entitlements, they don't do it well enough for privileged users and privileged entitlements.
And obviously the PAM vendors, again, are not very well equipped to manage the basics of access certification, lifecycle management, etc. So I think that's probably the reason why we are not seeing enough of those integrations, but obviously as we see the maturity increasing, as we see the compliance demanding that, and finally, as we see organizations understanding the value of privileged access governance, this would change.
And well, I'd throw out a fourth thing, right?
Which is that the economic buying centers within enterprise organizations for a privileged access solution and an IGA solution are different. And so I think a lot of the point product vendors that are out there that are selling in the domain space, whether they be PAM-centric or IGA-centric, are selling to different economic buyers within the organization, driven off of a lot of reasons, right? The end-game goal is still the same. They wanna improve security, reduce risk. They want to have better governance across the breadth of their portfolio.
But in many cases, I think we're seeing at least this notion that organizations spend differently, they budget differently for these solutions. The decision makers are a different team of individuals. Many times, for a PAM solution, for instance, it's audit driven, but it's the IT organization
that's making the decision; for an IGA solution, it's a combination of HR organizations and potentially audit, risk and compliance teams that are driving the decisions there.
And I think until those organizations become a little bit more synergistic in their overall approach to governance and the security risk posture for the organization, and it's treated as kind of one bucket of money, I think that's going to continue to challenge the point vendors that are out there, at least in developing a more robust set of APIs to drive integration.
And we know we've done integration with things like SCIM to a lot of the classic PAM vendors that are out there, for doing the access governance piece of a periodic access review and those kinds of things within the solutions. But we could definitely have a better state of APIs, I think, if we were to focus on that better. Or, simply put, our approach is just to combine the two and not have to worry about doing integration at all.
Sounds apt.
And I think with that, well, there's another question, a very interesting question, on the management of social media accounts, which is also a very important aspect of PAM, but unfortunately, in the interest of time, we have to end this webinar now. But we'd like to follow up and help you answer this question. So we'll probably try to reach out to you, or you can also drop an email to us with the question, and we'll try to answer it. But once again, thank you so much for joining this webinar, and we hope that was helpful.
Thank you once again and have a good day.
Thank you.