I'm going to say, I think this is the toughest part of the day to give a presentation: after lunch, early afternoon. I hope I don't put anybody to sleep, or put myself to sleep. That's a bigger problem. So my name is Armand Riano. I am managing director with IM team. We are a professional services company. We deal with identity and access management implementations and solutions.
I've been fortunate enough to be part of a number of IAM implementations over the past 20 years, with government, healthcare and finance, and it's a pleasure to be with you all here today to talk about privileged access management. So let's start with a simple chart.
If this goes... let me just go.
Yes, not, I guess it's not that simple. I think we can all agree that we live in a quite complicated world. Business today requires a lot; you have a whole range of SaaS-based applications to choose from. Traditionally, you have your workforce going to the office; they go and do their thing, they log in. But in today's world, a business cannot really survive that way. For you to succeed, you really have to look at the broader picture, at other opportunities outside. And with that, hmm, you just do it the traditional way. Click the keyboard.
So you have infrastructure on the cloud and SaaS services. With cloud computing, infrastructure can be hosted in the cloud, and for greater speed to market, the business can take advantage of a multitude of cloud-based applications, from storage to HR on the cloud.
This opens the door to a lot of opportunities: for people to work remotely, for the business to reach out to more customers, and for the business to collaborate with more partners and more service providers. But the challenge here is quite obvious: the safety of the internal network is typically gone.
You don't have that anymore, because your data is all over the place. It's not just internal; it's all over the place. And so this gives more opportunity to this guy, who's just waiting there for the opportunity to get into a weak point within your network, within your data.
And so we've got to watch out for that, because now we've opened the doors to more users, to more devices, and your data, as I mentioned, is now outside of your internal network.
Now those bad guys, those hackers, would not look for a regular account. Guess what they'll be looking for? They would look for those accounts with the most power and the most authority. Those would be privileged accounts. And what are privileged accounts?
Well, privileged accounts have high-level authority on any given system. Every system has one built in, and here are some of them. So you have all these privileged accounts in your environment and they are used by people. And as you can see, what seems to be the problem? There's one major problem here: accountability. Who's using what, and for what purpose?
That is one major problem with having multiple users logging in. Now, did I mention they're powerful? They're not only powerful, they're also shared and they're anonymous.
Three words. Three words that should not be in the same sentence when it comes to cybersecurity. And when they are shared like that, it opens the door to lack of control.
Now, a lot of companies would actually say, well, I've disabled these built-in accounts; I already disabled them, which is great. However, I've been to one organization where every admin actually has his or her own privileged account. So what happens there is that now you have basically increased the number of privileged accounts in your environment, and the more privileged accounts you have, guess what? The higher the risk. And it only takes one privileged account to be compromised.
And I will say, when it's compromised, game over, because the hacker already has your privileged account.
With that privilege, they can do whatever they want.
Now, privileged accounts are always the first choice of attack. You can see all the surveys here, and you can see that a lot of people say most of those attacks are coming from people already inside the network; it's internal. In one survey, 80% of those attacks were initiated by a privileged account. From the Ponemon Institute: it takes 277 days to actually detect and contain a breach. That's a lot of days; that's nine months, enough to make a baby there. So that's a long time to detect a breach.
And that includes the time to detect it and to contain it. For the most part, it's also a growing vulnerability, because a lot of organizations miss taking away those privileges, especially if a user changes roles. You keep those privileges. I've been to an organization where someone is still a super admin on a Unix system, even though he's the CISO. You don't need that, right? Because that was kept, and it just grows and grows. And it is quite expensive to get hacked. That is a significant number, and that includes the amount for damage control and breach containment.
Now, who are the CISOs here? Security officers, CISOs, they're hard to scare, but if there's one thing that's going to get them scared, it's this:
Yeah, you tell them that everybody has an admin account. That will really scare them, because as they grow, as I said, the more privileged accounts you have, the higher your risk.
So how can we mitigate the risk? Well, the first one is assess. You have to look at your privileged accounts. I always say, do a privileged account audit, or privileged access discovery. That would be the first thing I would suggest, because you don't know what you don't know, and you have to figure out how to remediate those and reduce your attack surface. And I love asking this question: how many privileged accounts do you have in your environment?
Too many.
Too many. That's right. And sometimes I hear crickets.
Nobody could answer it, right? Because they don't know how many they have. And every time, that becomes a concern. In one organization that I've been with, they had 1,500 privileged accounts and only 230 employees. So the ratio is staggering. Privileged access discovery will allow you to determine how many privileged accounts you have and whether they are even necessary. That is the major question. Are they required? Who's actually using them? And are they even active? Because if they're not even active, why are they there?
And then once you've identified how many of those are not required, take them out; delete them if you don't need them. Reduce your attack surface, eliminate the ones you don't need, and repeat that cycle, because this should be an ongoing effort.
Once we've identified the ones that we need, the next part is to ensure that you manage those privileged accounts. The first step is really to store these privileged accounts in what we call a credential vault. Just make sure that they are all stored there and can be accessed. But having a credential vault as part of your privileged access management solution is not enough. You need something else; you need more than that. You need a secure interface so that admins can request access.
You need a discovery engine so that you can easily discover existing and new privileged accounts and store them in the vault. The ability to have a process workflow: the process workflow allows you to manage approvals as well as password rotation. Those are key elements. And then access control. Access control is key, essentially because of least privilege; you should have that enabled within your privileged access management system to be able to control who has access to the system and give them the least privilege possible.
And then finally, the ability to record sessions and to audit logs: record all those mouse clicks, every command, so that you can always trace back what happened in case of issues. Okay. Once that's established, the PAM solution becomes central in your security operations, and admins, instead of going directly to the server, have the ability to manage those privileged accounts.
Okay.
One important aspect, and I'm pretty sure everyone here has started getting tired of hearing the words zero trust. I am.
But in a world where you have users outside of your network, outside of your perimeter, zero trust is the way to go. Now, zero trust is really predicated on two basic principles. One is: don't assume that every user in your network or in your environment can be trusted. The keywords there: don't assume, right?
If you want to trust them, it has to be explicit. The second principle is: always verify, because trust is never permanent. Always verify. And what do you verify? First is identity. So with identity, you know, multi-factor authentication. MFA is so easy to implement now. That is one way you could verify the identity instead of just a password. A password is never enough nowadays. The next one is things, oh,
The things, which are devices. Sometimes we're too concerned about the people, but people have devices nowadays, and they're all over the place.
You've got an iPad, you've got a MacBook, you've got, you know, a laptop. You need to verify the device. If you can deploy some sort of certificate on those devices, that always helps. And then finally, the context. The context is really the geography, the network, the time of day, the scope of transactions this person is working on. That has to be verified as well. An example would be: you have a user who usually works out of Berlin and uses his laptop, and then all of a sudden you see the user log in from Hawaii. Well, that is a change in geography that has to be verified.
So verify the identity, the things and the context. And it's sometimes funny, going back to MFA: in some organizations they're very focused on giving MFA to regular users, but they're saying, oh, we can't do MFA on privileged accounts, which is quite the opposite. Privileged accounts have the most powerful permissions of all. So verifying who has them is really key.
Now let me talk about the common PAM use cases. I don't have a top 10; I do have a top seven PAM use cases.
Something that you could take, if you're in the process of implementing new PAM use cases or starting a new initiative, this would be a good set to try out. So, constant discovery. The ability of the PAM system to discover new and existing accounts, that is key. PAM is not a solution that you just leave and forget. It has to be living and always looking for new privileged accounts. Least privilege: I already talked about that. Being able to show the admins only the systems that they're allowed to use.
A good friend of mine gave me a good analogy. If you don't want your teenager to drive your fancy sports car, hide the key. That is least privilege in a nutshell, right? And we've all been there. Just-in-time privilege. This is something you've probably heard about. It's about integrating PAM with an IGA solution, ensuring that the privileged accounts are not on all the time.
It's off by default, and it only gets activated when required. And we've all been there. Privilege escalation. It's all about enabling end users to do something on their own system, like their laptop, for example. Giving them that permission. And then
Password rotation is an interesting topic, especially for service accounts. I've been to one organization, and they say, hey, for regular users, every user should expire their password every 90 days. Perfect.
But for service accounts, no, you can't touch those. Those are untouchables, because the moment you change the password, the application will break. Well, that is quite ironic. Now, your PAM system should be able to reset service accounts and privileged accounts. And we talked about strong authentication; this should be central to your PAM system. And then finally, my personal favorite: eliminating those hard-coded passwords in scripts and applications. Your PAM system should be able to programmatically retrieve credentials from the vault and use them in the script.
So these are my top seven, and I think if you are implementing a PAM system today, then this would be a good set to have. Highly recommended. And ensure that you have the process so that privileged accounts are minimized. Don't let them grow to a crazy number; minimize, and then monitor privileged access.
Okay, I'm just going to go through this quickly. I added this at the very last minute, but this is one example of a use case that we've been using for a lot of the implementations. You have a user on the left-hand side, Steve, and he needs access to a server as admin. Now, without the PAM system, Steve has the password for admin and just logs in directly to that server. With the PAM system, you would have stored those credentials in the vault, and the user will request the session. It'll ask if he's authorized to even use that.
If he is, then it'll start the session without even exposing the password to Steve. He will log in, and optionally you can start session recording. Steve does his stuff, and once it's done, it'll exit the session. It'll stop recording, change the credentials of admin and then store them back in the credential vault. So the beauty of this is that Steve doesn't even know what the password is, and he was able to log into the server as an administrator. So as a summary, I'd just like to leave you with these final thoughts.
If you kept track, there are the three Ms. Minimize: assess your privileged accounts, look for the ones that you don't need and discard them, because the whole idea is to reduce your attack surface. Second is manage: we talked about those use cases that you can use in your environment. Always keep in mind least privilege, and always verify who has access to your privileged accounts. And then finally, monitor. Having session recording in place and auditing the logs is key.
All right, one final word. I was scrolling through social media and found this, which I think is quite, fundamentally true: admin rights are not human rights. It's not something you get by default. It is something that should be given out carefully and only to those who have a compelling business need.
Okay, so on that note, I still have, like, all right, one minute. Thank you so much. Thanks very much.
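The "assess" step of the talk (discover the privileged accounts, ask whether each one is required, owned and active, then remove the rest and repeat) as an added example, not the speaker's tooling or any product's API. It runs a triage over a constructed account inventory; the 90-day inactivity threshold, the system names and the headcount are assumptions chosen for the illustration.

```python
"""Privileged access discovery and triage over a constructed inventory.
Added example (not from the talk): flags stale, unowned and shared
privileged accounts and reports the privileged-accounts-per-employee ratio."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

STALE_AFTER = timedelta(days=90)  # assumption: no login in 90 days counts as inactive


@dataclass(frozen=True)
class Account:
    name: str
    system: str
    privileged: bool
    owner: Optional[str]           # None: nobody is accountable for this account
    last_login: Optional[datetime]  # None: never seen logging in
    shared: bool                    # used by more than one person


def discover_privileged(inventory: List[Account]) -> List[Account]:
    """The discovery engine's job: pull out every account with privileged rights."""
    return [a for a in inventory if a.privileged]


def triage(inventory: List[Account], headcount: int, now: datetime) -> dict:
    """Answer the talk's questions: how many, are they active, who owns them,
    are they shared, and which ones are candidates for removal."""
    priv = discover_privileged(inventory)
    stale = [a.name for a in priv
             if a.last_login is None or now - a.last_login > STALE_AFTER]
    unowned = [a.name for a in priv if a.owner is None]
    shared = [a.name for a in priv if a.shared]
    # Inactive or unaccountable accounts are the first ones to question.
    remove = sorted(set(stale) | set(unowned))
    remaining = [a for a in priv if a.name not in remove]
    return {
        "privileged_total": len(priv),
        "per_employee": round(len(priv) / headcount, 2) if headcount else None,
        "stale": stale,
        "unowned": unowned,
        "shared": shared,               # shared accounts stay, but need vaulting
        "remove_candidates": remove,
        "remaining": len(remaining),
    }


# Constructed sample inventory; names and systems are illustrative only.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    Account("root", "db01", True, None, NOW - timedelta(days=400), True),
    Account("Administrator", "win-fs01", True, None, None, True),
    Account("svc_backup", "db01", True, "it-ops", NOW - timedelta(days=1), False),
    Account("jdoe_adm", "win-fs01", True, "jdoe", NOW - timedelta(days=3), False),
    Account("old_ciso_adm", "unix-app01", True, "ciso", NOW - timedelta(days=200), False),
    Account("jdoe", "win-fs01", False, "jdoe", NOW - timedelta(days=1), False),
    Account("asmith", "win-fs01", False, "asmith", NOW, False),
]
HEADCOUNT = 4  # constructed: the example organisation has four employees


def report() -> dict:
    """Run one discovery cycle; the talk's advice is to repeat this regularly."""
    return triage(INVENTORY, HEADCOUNT, NOW)


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

The shared built-in accounts are reported but not marked for removal: the talk's point is that they exist on every system, so the remedy is to vault them rather than delete them, while inactive and unowned ones go straight to the removal list.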
Any questions from the audience? Anyone?
Okay, so nothing came through on the iPad, so thank you very much. Thank you. Thank you.
Oh, sorry,
I did actually have a question, sorry. So there is some discussion going on in the market that with fine-grained access control we can actually deliver, or the industry could actually deliver, the capabilities of a privileged access management system without buying a separate PAM, by delivering it through a zero trust architecture. We would still need a vault, which is probably going to be protected with fine-grained access control
as well,
like administration. You obviously still need the recording capabilities and a few things like that.
But what do you think of that? Does the industry still... is there still a demand for separate privileged access?
Okay, quick, 30 seconds please.
Well, sure, I think there is, because I think there's that convergence between a PAM system and IGA.
Well, IGA would actually do the provisioning, and with IGA you have that fine-grained capability. It's not just roles; you could actually provision based on an attribute, and that becomes the fine-grained component. In most organizations, role is not sufficient. You have to look at the location, the department. And so that's where fine-grained authorization comes in. So I think there is that. Great.
Okay.
Sorry, you've got to stand here. So you can always connect later if you want to carry on the discussion. We've got to move on. So thank you again. Thank you.
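The Steve use case from the talk, and the vault and recording capabilities the questioner says are still needed, as an added example that is not the speaker's code or any PAM product's API: a toy broker checks policy, logs in on the user's behalf with a password read from the vault, records every command, and rotates and re-vaults the credential when the session closes. The server, the policy table, the user and server names and the commands are all constructed for the illustration.

```python
"""Brokered privileged session: vault check-out, authorization, session
recording and post-session rotation. Added example modelling the Steve use
case from the talk; a constructed toy, not a product's API."""
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Tuple


class CredentialVault:
    """Holds the privileged passwords. Only the broker reads them."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def store(self, account: str, password: str) -> None:
        self._secrets[account] = password

    def read(self, account: str) -> str:
        return self._secrets[account]


class TargetServer:
    """Constructed stand-in for the server Steve needs to administer."""

    def __init__(self, admin_password: str) -> None:
        self._passwords = {"admin": admin_password}

    def login(self, account: str, password: str) -> bool:
        return self._passwords.get(account) == password

    def set_password(self, account: str, new_password: str) -> None:
        self._passwords[account] = new_password

    def run(self, cmd: str) -> str:
        return f"ok: {cmd}"


class Session:
    """A brokered session: commands are executed and recorded; the user never
    holds the password, and closing the session triggers rotation."""

    def __init__(self, broker: "PamBroker", user: str, account: str,
                 server: TargetServer) -> None:
        self.user, self.account = user, account
        self._server, self._broker = server, broker
        self.recording: List[Tuple[str, str, str]] = []
        self.active = True

    def run(self, cmd: str) -> str:
        if not self.active:
            raise RuntimeError("session closed")
        stamp = datetime.now(timezone.utc).isoformat()
        self.recording.append((stamp, self.user, cmd))  # every command is recorded
        return self._server.run(cmd)

    def close(self) -> None:
        self.active = False
        self._broker.rotate(self.account, self._server)  # stop, then rotate


class PamBroker:
    """Checks policy, logs in on the user's behalf, rotates afterwards."""

    def __init__(self, vault: CredentialVault,
                 policy: Dict[Tuple[str, str, str], bool]) -> None:
        self._vault, self._policy = vault, policy
        self.audit: List[Tuple[str, ...]] = []   # who was granted or denied what

    def request_session(self, user: str, server_name: str,
                        server: TargetServer, account: str) -> Session:
        if not self._policy.get((user, server_name, account)):
            self.audit.append(("denied", user, server_name, account))
            raise PermissionError(f"{user} is not authorized for {account}@{server_name}")
        password = self._vault.read(account)          # stays inside the broker
        if not server.login(account, password):
            raise RuntimeError("vault credential out of sync with target")
        self.audit.append(("granted", user, server_name, account))
        return Session(self, user, account, server)

    def rotate(self, account: str, server: TargetServer) -> None:
        new_password = secrets.token_urlsafe(24)
        server.set_password(account, new_password)    # change it on the target...
        self._vault.store(account, new_password)      # ...then store it back
        self.audit.append(("rotated", account))


def steve_workflow():
    """Drive the use case end to end and return the pieces for inspection."""
    initial = "constructed-initial-admin-password"   # constructed sample value
    vault = CredentialVault()
    vault.store("admin", initial)
    server = TargetServer(initial)
    broker = PamBroker(vault, {("steve", "app01", "admin"): True})
    session = broker.request_session("steve", "app01", server, "admin")
    session.run("systemctl restart nginx")
    session.run("tail -n 50 /var/log/nginx/error.log")
    session.close()
    return broker, vault, server, session, initial


if __name__ == "__main__":
    broker, vault, server, session, initial = steve_workflow()
    print("old password still valid:", server.login("admin", initial))
    print("recording:", session.recording)
    print("audit:", broker.audit)
```

The design point is where the password lives: the `Session` object has no password attribute at all, so nothing handed to Steve can leak it, and because the broker rotates on close, even a credential captured on the target during the session is worthless afterwards. A denied request still produces an audit entry, which is the accountability the talk keeps coming back to.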