Wow, great to be here. Thank you. Very honored to be able to present to you guys today on governing privilege, why Pam and IGA should go together, or why IGA and Pam should go together, depending on how you look at it. So there's a, there's a premise here that I must admit to. I'm not trying to identify that there is a need to make these two products. One product coming from a software vendor. I'm a practitioner for 20 years in the industry and just recently came to the dark side, the vendor side.
So, so I have some experience about this, a little bit to talk about, and they call me an evangelist at open tech. So another word for that is this guy likes to talk a lot, so bear with me, but I do have a clock, so I will stay to it as best I can.
So in this dynamic landscape that we live in, in this cybersecurity space, a combination of governing identities and managing privilege, it, it's not a concept. We do it today in most organizations, at least leading organizations, right? They're doing it every day, defending against insider threats, that sort of thing.
And controlling and monitoring. These are controls that we have to implement in the, in the organization. As we navigate these digital complexities though, this gives us the opportunity to take charge of the environment you're, and build your cyber resilience as you go along. When you start thinking about putting these two things together in a more holistic fashion, think of a comprehensive portfolio of your identity platform that not just includes IGA and Pam, but you know, the other things that you would want to do in your enterprise, right?
And we can go through and name those, but we're focused here. Again, I gotta stay focused on governance and, and privilege, but the time for action is now.
So let's, let's work together. And I challenge my vendor brethren that are here.
You know, we can work better to work to make this stuff better for our customers, those folks who are customers in the audience. So this is supposed to advance to the next slide. Somehow I'm pushing the button and I'm not seeing the slide go anywhere. Do I push the back button? There's no back button. There's only two buttons on this.
I want to touch the screen. Is it a touch screen? Can I touch the screen? There we go. Thank you. So imagine if you will, this, this picture, right? This sprawling landscape, all this chaos about your identities, and it's like the security gates in a castle.
So I'm gonna follow this castle theme here for a minute. Just bear with me. Giving you the right access to the right information, the right data, the right applications, at the right time for the right reasons. We'll come back to that in just a second. Now it's advancing too many slides. I identity governance, wrangles this chaos.
It's, it's this automated security gates granting the right access at the right time for the right reasons. Now imagine the keys to the kingdom, right? This is your privileged users, these are the people, and I'm not talking about normally necessarily humans.
I'm talking about non-carbon life forms as well. Your service accounts, your tokens, your client access tokens, those types of things. Think about those in this context of privilege, right? 'cause they also have privilege. So privilege account management is this elite guard to your castle, right? Strong authentication. This is your MFAs.
This is your biometrics restricted usage hours and monitors everything that that privilege user might be doing and granting only access needed for the time it's needed at the time of authentication, at the time of authorization. Think about those types of contexts. So governing privilege, why IGA and Pam should go together if it's not kind of sinking in right here, it will in a few minutes when I get to the next couple of slides. But this is like a point in the presentation where I say, this is really why I'm here.
You talk about what you're gonna talk about and then you talk about what you're gonna talk about and then you end with talking about what you're talking about.
So just to, just to understand that we're very, it's a very important distinction to make that if you're, if you're doing governance of identities today in your organization, you're really governing the privilege as well. So this privileged account management concept is really no different in that, in that respect, right?
But it adds this other layer that allows you to be more data informed about who can access what applications and systems, operating systems, servers, whatever cloud entitlements as well. So now let's think about this for a second. This is what it does. This is what having them together does for you.
Now, I can list a lot more than this, but again, I'm restricted on my time. I have to be very succinct here. So it limits privileged access from the start by limiting from the start and better decision making and approvals. The business gains a better visibility into accessing sensitive information. Not just data and applications, but other, other resources. Sensitive resources, we'll just call it that in the organization as well as the controls that are necessary to reduce the blast radius in the event that there's something bad that may happen.
Privilege escalation is a technique this used by attackers to gain access to different things, systems and networks and, and your environment is not immune from this happening, right? So this gives you this capability to do this. So it's effective and consistent access control policies for everyone and everything, all your internet of things, all your humans, all your partners, all your third parties, all your consumers streamlines this compliance audit.
I know how much we love compliance, but when I was in industry, the audit people were my friends because that's how I was able to get money to buy software from these vendors, was to show them that here's where my gap is and this is how I close my gap. So these attacks can be simple as exploiting stolen passwords, right? So you use this as an account, compromised stolen passwords. So think about insur, ensuring the privileged users are properly identified, authenticated, authorized to access sensitive data in these systems and reduce the security incidents resulting from unauthorized access.
Now again, there's can be a lot more benefits, but I wanna talk about the capabilities a little bit. Matching them together again, so that you see what the distinction is between IGA and Pam and why they should work together. Why should they should go together. If you're an organization that has PAM but you don't have a governance solution, think about an IGA solution and vice versa. If you have IGA and you don't have a privileged account management, think about it.
'cause they work together, they're they to make it better, to make the security better, build the resilience that you're looking for in your organization. There there's the list of some key capabilities. I have more that I could talk about obviously in this context.
Just, just keep in mind that there's, there's this very much the similar capability, but it's talked about differently, right? You could talk about identity governance being just in time provisioning or just in time access.
And then remove it as soon as they're done using it. That could be considered privileged account management as well, right?
I don't, if anybody would like to disagree with me, please raise your hand and we'll talk later or come see me later on the show floor or the booth. But I think that's, it's important to understand how they come together.
So again, identity governance must include privileged accounts. This is not just human accounts, this is non-human accounts.
This is, it's a necessary part of good security. Thinking about, I have to throw a architecture type of slide in here with arrows and boxes and stuff just to make it, you know, complete. But think about how this information gets curated and how it moves through the organization. And there are components to this about who is responsible, who's accountable, who's informed, who's consulted. And you know, you could follow their cybersecurity frameworks from from NIST as well as you think about identify, protect, detect, respond, and recover.
But now we have governance in the NIST framework.
So think about that. And when it gets to decide at the business manager in the lower right hand corner of this slide, there's also this concept of purpose. What is the lawful legitimate purpose that this account, this user, this identity has access, needs access, should have access to do that? What is their, what is their purpose? Why are they doing this? You have to answer the why. So in the decide function, we do that here, right?
We say, why does somebody need access to this? And give us some plausible explanation as to why. And I'm not talking about a freeform text field. I'm talking about policies that enforce it, right? So if you work in finance or say you work in development and you want to access a finance document, what is your lawful legitimate purpose for accessing that?
Same thing goes with true with customers. This is how we help protect customer identity and protect personal identifiable information and help with GDPR and other privacy regulations is there's the concept of purpose.
You have to have a lawful, legitimate purpose for using my data as a consumer. If I'm using your website, your application to do whatever I'm wanting to do, buy tickets online, go shopping, whatever the case, buy an airline ticket. I'm sharing my identity with you for what purpose? What are you using it for, right? So this is where we help the business take some accountability for what the data is being used for or what the identity is being used for. So here we go. Call to action. This is the time.
I mean, I'm telling you, if you're not using both of these together and they're not married together or they're not complimenting each other, let's talk some more about that. I'm happy to have that conversation. The safeguard identities fortify your defenses against the bad guys and all these ever evolving threats. And of course the OpenText slide, I have to throw that in there. We have this comprehensive platform to do this. So find us at the booth. We're downstairs on the second floor, happy to talk more about it. But that's the end of my presentation and I thank you very much for your time.
Thank you very much. You're welcome.
Well, we've got a couple of questions here. First one is, if you consider moving IGA and PAM together, don't you also need to consider moving the IGA solution in a tiering model to Tier zero?
Sure, absolutely. Great question. So this goes back to my statement at the very beginning that I'm not implying that we make these two products one product as a vendor, right? I'm not saying that we're gonna come now with a new product called, I dunno, what's IGA and Pam together? What do you or or Pam Aga. We're not creating a product called pga. I'm just saying if you have the two together, they should work together in concert with each other at this layer zero.
Okay. And then how should organizations measure the success of integrating Pam and IGA?
So what key performance indicators or metrics are the most relevant?
Yeah, great point. Great question. In the industry working as a practitioner, these key performance indicators were in very important to me and my team to measure how well we were doing. So one in the, in regards to Pam and IGA is the time it takes for that user who is requesting a privilege access. I'm talking about the user now, right?
The, the we're taught system administrator, for lack of a better word, from the time that they're requesting the access until they're done with it. What was the time that that account lived as a privilege and how long did it take the, the accountable responsible manager to attest or certify that A, that access was given and re removed as well as the separation of duty capabilities there, right? So in an IG solution, you have this concept of separation of duty.
And so now this person who's requesting this privileged access to get access to something, are they stepping over the boundaries of separation of duty before the IG solution platform says, yes, you can have this access and the manager says, approved.
Okay, thank you very much. That's great.
Yep, thank you. Appreciate it.
