PAM (Privileged Access Management) has grown over the years to become a crucial set of technologies addressing some of today's most urgent cybersecurity issues.
Good morning, good afternoon and good evening, depending on where you are based. My name is Anmol and I'm the Lead Analyst at KuppingerCole, and today I'm joined by Malik from IBM Security for this webinar. The topic is privileged access management, and why privileged access management is increasingly becoming the focal point of your IAM today.
Well, the topic is very close to my heart and also very interesting, because increasingly we are seeing that PAM finds early mention in organizations' IAM planning and implementation. So today we are going to talk about how PAM has become an important part of your IAM. I'll also talk about some of the key integration points of privileged access management with your IAM program.
I will also discuss some of the common risks which organizations are facing while trying to set up their PAM projects. Malik will talk about why and how IBM Security is trying to handle privileged access management, and he will also focus on the targeted approach from IBM around zero trust and least privilege. Before we dive into the topic, I will try to give you a quick introduction of what KuppingerCole is. We are an independent and neutral analyst organization founded in 2004.
We have offices around the globe, and we provide vendor-neutral guidance, technical expertise and thought leadership. As I said, we are very focused and provide research, advisory and events on information and cybersecurity topics, which are also focused on identity and access management, governance, risk management and compliance, as well as several other areas concerning digital transformation. These are the key pillars of our services, broadly grouped as content, communities and coaching. But at the foundation of these three, we have research, events and advisory services.
We have research on all the major topics of IAM. Of course, the research is entirely vendor neutral, objective and always recent. Events are again a key business of KuppingerCole; they come in the form of conferences, webinars and special events that we organize.
We also conduct several other networking opportunities as well as meetings for the experts. And advisory, again, is where we try to deliver best-in-class advisory services, try to be your trusted advisory partner, and also provide you with advice in line with the digital transformation that we are seeing in the market.
This is just a quick overview of our advisory services. To go into the details: as part of advisory services, we offer benchmarking and optimization to understand where you stand today in terms of the maturity of your processes and your deployments. We also provide you with strategy support if you need any help with the direction of your future requirements, or if you need help communicating to your board in a more precise and accurate way.
We also provide support for technology and architecture frameworks, in terms of how they can be more concise and consistent in the development of your IT architecture, and provide you with the selection of the right technologies, the right methodology, vendors, as well as products. And finally, we can also support you with special, tailored guidance for your projects based on industry standards and what we see in the market.
These are some of the events that we organize and host around the world. I'm sure you are already familiar with EIC, which is our key event. And then we have several other events throughout the year, catered to specific topics and focused on some of the very important digital transformation subjects. Coming to the housekeeping guidelines:
Everybody is centrally muted, so you are muted and don't have to mute or unmute yourself. The webinar recording will be available to you tomorrow. You also have the opportunity to ask questions directly, using the questions feature in the GoToWebinar control panel; those will pop up on our screen and we'll try our best to answer them. Coming to the agenda of this webinar:
As I said, I'll try to talk mostly about PAM: why you should try to associate PAM objectives with your broader IAM and security objectives, and where you find the most important key integration points to associate your PAM with your IAM to reach the desired level of value. I will also talk about some of the common mistakes that organizations are making while trying to start on a PAM journey, or I would say a PAM program: what do we see as the most frequent failures for PAM deployments?
After me, Malik will talk about the importance of choosing the right PAM solution, which can help you get going fast, and what the key features are which can help you deploy a PAM solution in the required time while meeting all your PAM requirements. And finally we'll have time for questions and answers. So let's have a quick dive into the presentation here. This is just a basic slide to give an idea of what we see in the industry and why privileged access management has become important in achieving your IAM objectives.
Most of you will have studied science at some point in your life, and this is probably a diagram which we commonly associate with optics and focal points in science.
But the message I've tried to bring with this slide is that most of your requirements across privileged access management are tied very closely to IAM. We have several unmanaged shared accounts, be it system accounts or software accounts. We have a number of service and application accounts, including database accounts spread across your IT infrastructure, which are unaudited, unmanaged and unaccounted for. And obviously we also have several types of superuser privileges, or in fact root privileges, on your systems, which people can use at any point in time.
And generally they are unaudited and unmonitored. So how can privileged access management help you manage these common, basic challenges? They are increasingly being tied to your IAM objectives. Identity and access management has never thought of, or brought in, some of these infrastructure- or operations-related security objectives. But increasingly we are seeing that PAM is trying to closely associate these objectives with your IAM program through all the technologies within PAM, which are on the right-hand side.
And obviously if you look into the details of this diagram, the angle of divergence, as it is called, is probably greater than the angle of convergence, which is again some scientific terminology. But I just tried to demonstrate all the important technologies of PAM in this diagram. So we have technologies like shared account password management, which help you manage the use of shared accounts in your environment.
Generally that is achieved through the use of password vaulting technologies. To manage the superuser and root privileges, you have controlled privilege elevation: how you can control what people can do on your systems across your privileged infrastructure and applications. You have technologies like privileged session management to record and monitor what people are doing. Increasingly, privileged access governance; I'll talk about this in the following slides, because that's again a very key integration point between IAM and PAM, and how it is becoming important.
And finally, we also have endpoint privilege management technologies, which are probably the fastest adoption point for PAM and are increasingly becoming a very important technology to manage local rights and what people can do on endpoints: their desktops, laptops, et cetera. This is probably again a very important point here: we are seeing more and more organizations trying to start their IAM journey with PAM tools, and we tried to find out what the reason is.
There are several reasons. Obviously the cost benefits and the ease of deployment of PAM are among the key adoption points here. But can PAM really be the springboard to IAM? That's something which has happened, and we are seeing it happening more frequently in the industry: more organizations are trying to adopt PAM, and that's probably the first technology for them to help onboard their IAM journey. In this slide,
I'm trying to present the reasons why organizations are trying to get onto PAM before any other IAM technology. If you look at most of these IAM technologies across the IAM portfolio, you would see that PAM has relatively high technology maturity, and if implemented correctly, you can achieve the right business value out of it as well. If you compare it with the most frequently quoted or talked-about technologies like IGA and IDaaS, PAM has significantly higher technology maturity.
And the size of these technologies on the slide is meant to demonstrate the effort that is required to deploy them. So PAM is relatively easy to deploy compared to IGA or IDaaS or even single sign-on technology in the environment. That makes PAM a very favorable choice for most organizations to start implementing before any other IAM technology, the reason being that it's also very independent of several of these other technologies, which makes it again a good choice for you to start your IAM with.
And as I said, it has decent business value along with very high technology maturity, so that you can justify the cost of your IAM to your shareholders and say that yes, we are on the right track for IAM, and you can still get that level of credibility to deploy other technologies and get the continued support from your IAM stakeholders.
So that's just to demonstrate why more and more organizations are choosing PAM to get onto the IAM journey. Now, when we start talking about PAM programs or the deployment of PAM, we always see that it can get implemented individually, and there is evidence in the market that you can have PAM implemented correctly within three or four months. You can have all these accounts discovered; you can probably have a very smooth PAM journey if all your business stakeholders and other infrastructure units are in coordination.
If they try to understand the objectives of what you're trying to do with their administrative privileges, and everything goes right, you should be able to get to the right level of PAM in a three-to-six-month timeframe. That's what the industry average is. But at the same time, if you're trying to achieve the right business value out of it, you need to understand that there are the right integration points with IAM, and how you can tie your PAM into the IAM objectives, which again should be aligned to your overall broad security objectives.
So in order to do that, I think PAM can really derive some of its value from these integration points that we are going to talk about. The first integration point that I'm going to talk about here is with IGA, and how PAM tools can actually benefit from consuming the right level of privileges to give the right access to administrators. So obviously when we talk about IGA, there are various processes which derive attributes from various applications: onboarding applications, or user management applications like your HRMS or other ERP systems.
And all these attributes, and I would say entitlements, are used to create roles in the organization by system owners or application owners assigned in your IGA. There are several workflows which these business owners and application owners can use to create roles and assign them to users.
For example, if I'm hired as an administrator in the company, I definitely have various types of administrative privileges that should be assigned to my role. Whether it's a business role, an application role or a system role, I'm assigned to some of these roles, which demonstrate what kind of administrative privileges I have on certain types of systems in the organization, or certain applications in the organization. These are basically again the user's role and entitlements.
Now, when we talk about PAM tools, the administrative user would generally log onto the PSM console, which is the privileged session manager; it could be a web console or any other type of console. And the PSM would generally fetch these entitlements from your IGA and determine what systems or what tools should be provided to you to invoke a privileged session to the target systems that you're requesting.
So this is basically where you should be able to integrate your PSM with the IGA tools to consume your authorization for the user, and provide the user with the right toolsets, or the right console with the right tools, for them to invoke privileged sessions to the target systems or applications. So this is just one of the very common integration points that we look at here. In the interest of time,
I'll run you through this quickly, but we also have another key integration point with your IAM, which is around privileged access governance. Obviously we have various business owners and system owners in the organization who have to do periodic access certifications to make sure that the access privileges are up to date: according to the compliance requirements, internal policies or security guidelines.
But obviously we do that once or twice a year, or once in two years. Increasingly, though, we are seeing that there is a demand from security leaders, as well as from the compliance and regulatory perspective, to conduct privilege certifications for privileged users more frequently, which could be even twice in one year.
So to achieve privileged access governance, you can try to tie your access certification process with PAM as well, where your certification process, while trying to consolidate all the privileges for the user, is also able to fetch the privileged entitlements from the systems that the user has access to and has been provided access to. In the backend, those privileges can be consolidated and presented to the user, or the user's manager, or the system owner, for them to attest to or certify on a regular basis.
That way it helps you achieve privileged access governance in a more seamless fashion, in a shorter period of time and more effectively. So this is another key integration point where PAM can really benefit from the existing IAM processes that you may have in the organization.
With that, I'll quickly talk you through the common PAM design and deployment failures that we see in the industry today. The first one that comes to mind is obviously the lack of understanding of the objectives, as well as the scope, of privileged access. Increasingly we have seen in the industry that organizations do not understand what the scope of privileged access within the organization is.
So, first of all, it's important that you drill down the objectives of your PAM from your security organization's security objectives. That's one. And obviously try not to scope your privileged access based on the capability of the vendor that you have chosen to deploy, but rather understand that it should be just appropriate, based on your privileged access management requirements.
So don't try to narrow it down a lot, and don't have a very broad approach or, I would say, an over-ambitious scope for privileged access management, but rather understand your immediate requirements for privileged access management based on those security objectives, and then try to implement that. Obviously, a lack of understanding of least privilege principles and their impact on your operations is again something very important for you to understand. As I said, least privilege is not one principle.
It's probably a set of principles that also tell you how you should be reducing the privileges on the various accounts to the minimum possible, and how you should even limit the scope of each of those privileged accounts. Besides that, you should also look at, for example, reducing the number of the various privileged accounts.
For example, the named accounts or individual accounts that you have in the organization. Least privilege also refers to the practice of reducing the overall number of shared accounts that you may have in your organization, as well as how you should be restricting, for example, the time and duration for which users have privileged access for certain operations. So overall, I'm just trying to mention here that it's all about a set of principles, and whichever applies best to your PAM,
you should be looking at implementing that. Also, when you assess some of these principles, look at their direct impact on your operations. Some of these may not be directly relevant to your operations, and some of them might even disrupt the way you are conducting your operations for a longer period of time. So understand what the impact is, and try to bring those least privilege principles into operation or into practice.
Finally, missing the session monitoring and activity review requirements is another very important point. If you do not have the right understanding of what your session monitoring and activity review requirements are, then you may end up doing a lot of reviews.
You might end up storing a lot of video session recordings which are never looked at, which are never reviewed, which are never correlated back to the activities done, and which are never reconciled back to the changes that your organization might have recorded in a change management system, for example. And this should be in accordance with the risk of the activities which are undertaken.
So do you have the right processes in place which define what kind of session monitoring and activity review requirements there are for these operations, for the specific changes, for the specific incidents? For example, a very common thing that we are seeing in the industry is how these PAM tools can be tied to your IT service management tools like ServiceNow, Remedy, et cetera, and based on the severity of the incident or the risk level of the change that the person is going to conduct, the auditing of the particular activity, or the session management, is set.
So for example, a very common development change can have just basic auditing and logging; keystroke logging is fine for it. But when you're logging onto your system for conducting a high-privilege operation, or let's say responding to a C1 incident, then you probably need end-to-end video session recording which can be correlated back to that particular change activity at a later point in time.
So obviously you have to look at whether you have the capability and the right resources to understand the review requirements which are associated with the type of monitoring that you are trying to conduct with a PAM. And if that's something you have visibility into, then you can define what kind of session monitoring and activity auditing requirements you expect your PAM to deliver.
Obviously, PAM ownership is another key topic that we come across often, and there are several types of PAM ownership models here, but you need to understand that it's very important that your PAM is in the right hands, and that people such as your system administrators, who have access to the systems on which PAM is deployed, have the right level of access to the PAM systems.
They should not, for example, be able to simply log onto PAM and delete the audit logs, or the logging or the session recordings, for those activities. So generally we suggest or recommend that the PAM administrators sit above the IT administrators and have the right privileges on the PAM tools, to make sure that nobody else can tamper with the PAM session recordings and auditing. Obviously, the other point where most organizations fail in terms of PAM deployment is that they do not map it to the requirements for auditing and compliance.
And sometimes that defeats the entire purpose, because that's something very basic. Most of the time, you should also look into what auditing and compliance requirements you are governed by, and whether, with the PAM deployment that you're aiming for, you would be able to satisfy those requirements. And finally, as I said, privileged access governance is something you should also be looking at while trying to design your PAM solution.
If you are unable to achieve the right level of governance, then you are probably also defeating the entire purpose here. So with that, I will hand it over to Malik for his presentation.
Well, thank you. You really provided some great insight into PAM solutions as a whole and what they should encompass.
And I plan on expanding on just that. So hopefully we can provide you enough information today that when you are selecting a PAM solution, you keep these things in mind. From there, just a very high-level overview of what we'll be covering today: understanding the zero trust privilege approach. The reason for this is that when you select a PAM solution, we need to ensure that it's going to fit in your environment.
So today we'll talk about the kind of perimeter security model that you are probably leveraging and where your PAM solution needs to fit in there, but also the zero trust model that we're seeing organizations progressively move or shift towards. So your PAM product needs to be able to adapt to both of these kinds of network implementations for security. From there, we'll talk about why least privilege should be the focal point of your PAM solution. As Anmol already discussed, least privilege is a very key component of PAM products.
Without least privilege, the PAM solution isn't really going to be robust enough, or do what it's supposed to inside of your environment. And then considerations for a PAM product; again, Anmol did a great job of talking about this, so we'll dive a little bit deeper into things like scalability: does it have the ability to work with your DevOps team today, and so on and so forth? And then finally, we'll take a quick peek at the IBM Security PAM portfolio as well. So we'll start off by understanding the zero trust privilege approach.
Now, again, the reason I'm bringing up the zero trust architecture is because we're seeing organizations shift towards it. So when considering that PAM solution, it's definitely instrumental to make sure that it not only fits the traditional security architecture of today, but also adheres to the zero trust model that we are moving towards. What zero trust aims to solve is the inherent problems in placing our trust in the network, and the assumption that systems and traffic within the data center can be trusted as well.
So for that reason, and the reason that we are actually shifting towards this model, we need to ensure that PAM can adapt without the need for customization. We want to remove the FTE required to run a PAM solution; organizations don't have the resources for another product. So we need to make sure that it's easy to use right out of the gate, number one. So let's do a high-level level-set here and explain what a zero trust architecture contains and why we're seeing a shift to it.
This is also going to help us understand where PAM fits into this whole architecture. On the left side here, you'll see that traditional network security architectures are often broken out into different zones. They're contained by one or more firewalls, and each one of these zones is granted some level of trust.
This determines which resources inside of the network it's permitted to reach. This model also provides a very strong defense in depth. For example, resources deemed more risky, such as a web server that faces the public internet, are placed in an exclusion zone, often called the DMZ.
And I'm sure that people listening today have several of these exact same scenarios. So you have this DMZ where the traffic can be tightly monitored and controlled, and that's perfectly great. Placing stop-gaps in the network like DMZs or security zones is a solid step forward from the designs of yesteryear, but it's significantly lacking in the modern cyber attack landscape. So there are many disadvantages to the current architecture that you're seeing here.
For instance, a lack of intra-zone traffic inspection, a lack of flexibility in host placement, both physical and logical, and single points of failure. Now on the right side here, a zero trust model approach helps enterprises grant least privilege access, exactly what Anmol talked about. If we are trying to reach the goal of least privilege access, the zero trust model is going to be a pillar of that.
So what we're going to do is verify who's requesting access, the context of the request, and the risk of the access in the environment, which all takes place through the control plane that you see highlighted in red there. Once the control plane has decided that the request should be allowed, it dynamically configures the data plane to accept the traffic from the client, and the client only. In addition, it can also coordinate details of an encrypted tunnel between requesters and the resource.
This can be one-time-use credentials, keys, maybe ephemeral port numbers. So by implementing least privilege access, the zero trust model minimizes the attack surface; it's going to help you do things like improve audit and compliance visibility, and reduce risk, complexity and cost for the modern hybrid enterprise. So in both of these architectures, the PAM solution selected must encompass three basic things: scalability, automation, and granting least privilege. So why zero trust?
Why am I telling you about this today? The reason is that while we're seeing that shift I'm talking about, with organizations moving towards the zero trust model, the PAM solution needs to be heavily leaned on in both.
However, zero trust is going to be much more prevalent in the near future. So that's the reason for this very high-level overview. Let's define zero trust, which you're going to be hearing and seeing a lot more of; I'm already noticing that it's kind of a buzzword out there today. So just to give you a definition of it: on the right side here is really what a zero trust model entails.
So the one of the first key assumptions that we need to make, and, and it, and it's truly a reality are the top two are gonna be coupled kind of together. So the network is always assumed to be hostile and external and internal threats exist on the network at all times, right?
The, the traditional perimeter model doesn't have this assumption built in it. It's building zones. We're giving trust between let's say different host machines in the se in the same security zone, for instance, but that's how we're gonna kind of segregate out our threat scale, right? So we're gonna create these zones. The zero trust model is saying, we're already under attack. We've got attackers inside already.
And, and to that point, does your Pam solution, or is it able to actually mitigate this type of risk, right. Which, which it should. And that's kind of the, the points that we'll hit on today as well. Third down here, network locality is not sufficient for deciding trust in a network. So if we jump back very quickly and we look at this top use case here, remote employees, right?
One of the primary use cases of using a Pam product is for that contractor based in another country who needs to come into your environment and needs access to a privileged account, but then also to do their work at that point. Right? So in this case, what we're saying is a VPN or a virtual private network allows a user to authenticate in order to receive an IP address on the remote network. The traffic is then tunneled from the device to the remote network where it's decapitated and routed. It's it essentially, it's the greatest backdoor than no one ever expected, right?
With zero trust, we can remove VPN and lean on our, our Pam solution at that point. And then fourth down here, every device, user and network flow is authenticated and authorized, right? This is pretty self-explanatory. We need to ensure authentication is enabled, and we'll dive a little bit deeper into what that means on our, on the next slide here. And then finally, the policies must be dynamic and calculated from as many sources of data as possible.
So what this means is that we need to assign a threat score to a user that is coming into our environment and your Pam solutions should be able to do that for you. We should be able to provide the analytics behind, okay, this user is coming from this location, even though we're trying to get rid of network locality, but they're coming from this location on a Saturday at two o'clock in the morning, what should their threat score be? Right. A Pam solution, a, a Pam solution of today should be able to encompass this need as well.
So when we take a look at a PAM solution living in a zero trust model, and kind of taking it one step further than that last slide and the five points that we just looked at, number one is gonna be building trust. So attributes should be used, as Mo already mentioned as well. The attribute part of it should be used to build trust and determine riskiness factors for the access being requested. Something a PAM solution should be able to do for you. These attributes could be, let's say, temporal.
So access from a different location than the user was last seen, maybe geographical, access from a different location than the user was last seen, or even behavioral, kind of that two o'clock in the morning on a Saturday. So does the user normally access your environment at that time?
If not, let's put a stop to it, right? Or let's prompt them with two-factor if we can, or shoot off a ticket in ServiceNow. As was mentioned, the ITSM integration with your PAM product, ServiceNow, for instance, is a good one. Can we send off a ticket if there is some risky activity, right? Second here we've got enable user and application authentication, right? We talked about this on the last slide a little bit.
So today identities include not just people, but workloads, services and machines. Properly verifying who means leveraging enterprise directories for identities, eliminating local accounts and decreasing the overall number of accounts and passwords, reducing the attack surface overall. So when we identify the who and a user or application authenticates, it should only be granted permissions that are always required as opposed to sometimes desired, right?
So least privilege again. In this route, the potential for abuse or misuse by a user or an application is greatly reduced at that point. And then finally, enabling device authentication. So this is really a combination of user or application and the device being used that determines the privilege level granted. So by actually joining the privilege of a user to the device being used to access a resource, the zero trust model and your PAM solution with this type of least privilege are able to mitigate the effects of things like lost or compromised credentials, right?
So all-encompassing things of what a PAM solution should be able to do for you today. So if we kind of take a step back and just level set here, discussing what least privilege is: least privilege as a concept is a lot more common than you might realize, right? So think of physical access controls at your office. Different levels of users have different access rights, of course, and to get access to certain areas you must request and/or be approved of that request. A PAM solution with least privilege should be able to do this for you again.
So this is all very well recognized in the physical security space, and the same logic applies to logical security. So it applies when granting granular role-based access to privileged resources. Another objective of granting least privilege is to limit lateral movement across the network, in terms of human or application accounts. This is definitely a primary way attackers get access to sensitive data. They start in one location. I start moving laterally until I find what I'm looking for at that point, right?
So when we visualize the perimeter or the traditional security architecture, what we saw previously was that each host can talk to each other in their zone, right? And that inherently just creates a vulnerability there where you've got trust between two hosts. This makes it very easy for me to move laterally from one machine to the other. I can sit there passively on your network and just sniff packets until I find some credentials that I want. A PAM product should be able to mitigate that type of risk. Right.
And why we're talking about zero trust today as well. So one of the things we really need to focus on is human users should spend most of their time executing actions using non-privileged accounts, right?
A PAM product can enforce this type of action. So when they do need to elevate privileges, the user needs to execute those actions under a separate account with higher privileges. So that privileged account that you're storing inside of any PAM solution today, we need to ensure that obviously no one has access to it unless they're supposed to. So RBAC controls. When they do have access to it, things like were mentioned earlier, session monitoring and recording. A contractor comes into your environment, needs to work on a DC. We need to be able to view them in real time. What are they doing?
Let's capture keystrokes and metadata from that session. If we weren't able to watch it in real time, we need to go back and remediate something that occurred during their session, right? Session recording's gonna be very important here. And we need to ensure that we're pushing out least privilege with our PAM product. Let's skip over here, and we'll take a quick peek at the IBM Security PAM portfolio. For starters, we have IBM Security Secret Server. So what Secret Server essentially is, at its very core, is a password vault, right?
It's a place where you're gonna store your privileged account credentials, and then we're gonna hand them out or we're gonna share access to these privileged accounts here. But it can actually do much more than that, and it's much more robust. It has a very extensible framework with the APIs that are out of the box with Secret Server, as well as the use of custom scripting for things like PowerShell, SQL or SSH, to do things like: we've got privileged accounts that aren't just in Active Directory. They're not just Unix, Linux. I have, let's say, an SA account on a database, right?
A privileged account or an administrator account on my Palo Alto or some sort of firewall or networking device. We have that extensibility with this product to use PowerShell, SQL or SSH to reach out to those areas and find those actual privileged accounts and pull them into the vault. So what you're seeing here on the left, initially, you're gonna start off by establishing a vault, right? So you're gonna encrypt all of your credentials inside of this vault. And then you're gonna start passing out permissions for who can see it.
I'm gonna create a folder just for contractors. I'm gonna put in the one or two privileged accounts that they need in that, and they can't see anything else inside of my vault. So that's gonna be establishing your vault. Run discovery, kind of talked about this already: Active Directory, Unix, Linux, networking equipment, databases, whatever it might be. We need to be able to uncover all of these privileged accounts, right?
And for instance, if there are backdoor access accounts in your environment today that you don't know about, the discovery tool in Secret Server, and other PAM products you should consider, should have the capability to run a discovery. Once we've got those privileged accounts inside of the vault, we're gonna do things like store and rotate these passwords on the accounts, essentially handing out one-time passwords, or the checkout workflow as it's called inside of Secret Server. A contractor comes into my environment. He needs access to a credential.
So I'm gonna enable checkout on that credential. So when he uses it, and then he's done using it, it's gonna automatically rotate the password on that account. So helping you mitigate things like pass-the-hash attacks, or that contractor's trying to write down a password on a sticky note. We can help protect that as well. And then obviously delegate access, talked about that a little bit, but role-based access control: Secret Server does have this built-in functionality, but most PAM products should, right? And then controlling sessions.
And Mo did a great job talking about this: adding session launching, proxy, monitoring and recording. So built-in things like giving your end users Microsoft RDP launchers, or a custom PuTTY launcher for SSH connections, are gonna be built into Secret Server. We're not limited to just those two types of launchers either, right? So we can create a SQL Server Management Studio launcher or an Oracle database launcher.
Again, not very limited here as to the types of launchers we can give your end users when they use Secret Server. And the next one, when we talk about IBM Security Privilege Manager, this is really focusing on the actual endpoints out there, right? So you've got a vault. That's great. You're storing your privileged accounts inside of there, you're rotating passwords, you're monitoring sessions, but we still need to ensure the activity on the actual endpoint is being captured and/or being limited, again, to enforce least privilege. This is a must with your PAM solution.
So what Privilege Manager really allows us to do is to make least privilege adoption easy through application control policies. And these should be seamless for users and reduce the actual workload of your IT or desktop support. Privilege Manager is agent-based, which allows you to discover all local users and local group memberships on your endpoints. And to take this a step further, it can also help manage, I'm sorry, it can also discover and inventory any group that is local to your endpoints out there.
So it can be Remote Desktop Users or any other group out there that is local to your machines; let's inventory it. And then let's lock it down from that point. So these five domain users should be administrators on machine XYZ; anyone else that is added to that machine, they get removed right away. This helps you mitigate risks with malware, with ransomware and so on, right? We wanna make this very easy for you guys.
So while you're building out these policies, we also need to ensure that your end users that are needing to actually run applications, even down to things like system settings that they need to install on their own machine, drivers, printers and such, we don't want to create some sort of stoppage in their workflow. So we have to increase productivity, not decrease it. And Privilege Manager helps with that. The second piece of Privilege Manager is gonna be the application control piece.
And what this allows you to do is create a whitelist, blacklist and a greylist of policies out there. So if you have an idea of the actual applications out there that are running, and those applications require administrative rights to execute, a big use case of why people are made an admin on an endpoint is they need to be able to run these applications that require administrative rights. What we do with Privilege Manager,
again, since it's agent-based, we're actually never gonna change that standard user to an administrator. We're gonna keep them in the standard user context and we're gonna actually elevate the application, right? So we're gonna kind of spoof the token process of the application this way. Standard user stays standard and we elevate the application. Let's get rid of all of your users that are in the administrative group right away. So that's gonna be IBM Privilege Manager there. Again, my name is Mal Merchant.
I am a senior cybersecurity specialist. I appreciate your time today. So thank you.
Thank you, Molly. Those were really great insights on specifically your zero trust approach, as well as the least privilege principle for PAM. And those have been quite effective in how organizations can start to design their PAM solutions.
Well, with that, we have some time left for questions and answers, and I would ask you to put in some questions there if you want to ask us directly, and by the time you do that, we have some questions here which we'd like to answer directly. The first question that I have is: how do you force adoption of a PAM solution that will inherently change the workflow for a lot of admins? Malik, you wanna take that? Or should I start with it?
You can take it and then I'll follow up on it.
Sure, sure.
I think that's a very, very valid question. And most of the time it is very important, basically. I would say it's really important that we make sure that we preserve the administrative experience for the users.
It's even increasingly important because most of these administrators, they say they are very clever and they know their way out. And when I say they know their way out, it is in a sense that, you know, if you try to put a lot of controls and security in their way, they might find a back door to access these systems, which entirely beats the purpose of having a PAM solution in place.
So in order to do that, and I think that's how most of the PAM vendors have designed the PAM solutions, and increasingly they are putting a lot of emphasis on making it easier for administrators to consume the entire experience of connecting to the systems without making it a lot harder for them. So that's the technology part of it.
And also, increasingly we are trying to associate the, I would say, the socializing experience of the PAM solution with the admins, to make sure that they're aware of the entire objectives, why the PAM solution is being rolled out in the organization. So it's the awareness part of it. You should try to socialize the importance of a PAM solution and why and how it's going to enhance the security posture as well as the overall efficiency of administration for administrators. So that's the training and awareness part of it, besides the technology.
And as I said, you know, most vendors are offering you a very seamless experience in the form of technology and the kind of approach through this architecture where they can simply preserve the existing experience, or even, I would say, they can enhance it going forward. Molly, you have anything to add there?
Yeah, I would completely agree. I mean, a PAM solution needs to be easy to use. Number one. So things like, when they log into a PAM solution, are they given a very confusing dashboard, a GUI, right, a graphical user interface, right off the bat?
It needs to be something that we can present users with that's so simple that they don't see it as a burden to use, but obviously the purpose of getting them to use it is for audit and reporting. But also, to take it one step further, we can tell our end users that, hey, you never have to remember a password ever again, right? So let's hide the actual passwords for these credentials from them, and just give them these launchers that I talked about.
So RDP, PuTTY, so they can hit the resources that they need to hit adequately and effectively in a timely manner. But driving the adoption of this, as Mo mentioned, as socializing this actual PAM solution and why it's being used inside of the environment, I think are very key and important features. Right?
And then we have another question here, which is: if I have a PCI requirement, how will a PAM solution help me manage it?
That's a very good question. So a PAM solution, again, needs to be able to spread across your regions in your PCI environment, your security zones.
We need to have that scalability built into the product. So with IBM Secret Server, we have this thing called a distributed engine, where it allows you to drop an engine in your PCI environment, but then talk back to Secret Server in a secure fashion, right? So you can imagine all the ports that are required for a PAM product to do things like remote password changing, account discovery, and most PAM solutions on the market today do these things. In order to talk to that PCI environment, we drop an engine over there and it only requires two ports to be opened up.
So 443 and 5972, I believe, is SSL, but this way we can use all those features and functionality in your PCI environment. So we can run discovery. We can start rotating passwords of accounts in your PCI environment.
So one of the things to definitely consider is the scalability of the product that you're picking.
Absolutely.
And I think besides those very important points, there are also some mandates around changing the default system accounts and also other security parameters within the, you know, software system that you're consuming from the vendors. So PAM tools definitely provide you support for ensuring that, you know, those kinds of system accounts are identified and they are brought inside the inventory of your PAM for proper rotation on a periodic basis.
So, yep, absolutely. Those are some of the very important points as part of you managing PCI DSS requirements. This is another key question, another important question here, that asks: can you please provide more details on secure VPN access versus the benefits of using PAM?
Well, that's a good question. And I think traditionally we have been trying to provide security through managing and erecting, you know, different types of VPN solutions when people are trying to access systems from outside, you know, from an external network.
Well, that approach hasn't been very successful over time. And there's a huge lot of difference between the scope of what VPN solutions can do. They are primarily providing you remote access into your internal network, but for the PAM tools, the scope is quite broad here. They can help you manage not just the access to some of the infrastructure components internally, but also can help you manage passwords. They can help you to record end-to-end sessions, providing you session recording and monitoring capability.
And besides that, as we talked about, you know, they can provide you with controlled privilege elevation kind of capabilities, and whatnot. For example, endpoint privilege management. Those are some of the capabilities which increasingly are becoming a part of the PAM portfolio. But if you just look at some of the VPN solutions, they are primarily targeted at providing secure access for external connections into your organization.
And as I said, you know, they can be very limited in terms of scope, as well as you can't keep creating new VPN policies for every different type of access. And they don't have that level of granularity of authorization which PAM tools can offer you in terms of accessing a specific system or resource.
So, yeah, those would be the key benefits of using a PAM solution over your VPN solutions. Well, there's another question, and we have got two minutes left, so I will just quickly take this up. The question is: isn't the PAM solution considered a honeypot for attackers, and what recommendations do you make when establishing such a product?
Oh, well, that's a really good question. And that's something for most PAM vendors to actually think about.
And there are technologies in the market which also, you know, help you to consider what we call a honey trap, if you want to, probably, you know, build that across your network for actors, to sort of, you know, invite them to get onto a honey trap. But obviously besides that, there are recommendations around how you can harden the systems, how you can provide high availability and failover capability within your PAM tools, especially trying to look at different types of requirements for hardening and securing your password vault. Anything you want to add there, Molly?
Yeah, I think definitely one of the strong considerations should be a two-factor product that lays on top of your PAM solution. Right?
Of course, it's gonna be viewed as one of the most vital pieces of software that you're using inside of your organization, or a mission-critical software inside of your organization. So layering two-factor on top of this should be a mandatory requirement to stop them from actually entering the vault itself.
Absolutely. I think that's right, two-factor authentication. And I think you also talked about contextual authentication, so that obviously is going to help in providing stronger authentication and assurance for users to access, you know, the PAM tool.
Well, with that, we almost come to the end of this webinar. On the screen are some related or relevant KuppingerCole research to this webinar or this subject that you might want to access. Most of these will require a subscription. And with that, thank you for joining us on this webinar and all the best. Thank you.