Event Recording

Filipi Pires: PAM: Is it a Culture? Project? Mindset or Platform?


Guys, thank you for being here with me, and thank you to the team for having me. Today I would like to bring you some thoughts, and I would like to discuss some things with you. But I have something very interesting, because when I was preparing this presentation, or this conversation, actually... By the way, I was watching the chat on my right side here, so if you would like to talk with me during the presentation, it's not a problem; this presentation is meant to happen this way. So when I was preparing this talk, I was watching some videos and looking for some content, and it's totally crazy. I, you mentioned with the big team, because I have here that I am seeing in the speakers Joseph Carson, and I have at the end of this presentation some material from Joseph Carson. And it's crazy, because I didn't know that Joseph Carson would be talking with us today.
But again, let me introduce myself; this is my contact on social media. If you have any questions or would like to follow me on social media, it will be a pleasure for me to exchange some knowledge with you, right? So I am a security researcher and advocate at innovation innovation. It's a Brazilian company responsible to provide explanation growing actually, and the focusing developer guys. And I think in the beginning Christopher mentioned the DevOps team and developer guys. I think this is the good, the new change actually, because in the past, when you talked about privileged access, usually the admin, IT, had the access, or the main access, but now we have different teams inside the company. So in my company, for example, we have, I think it's at or 90% from developers.
So I can imagine. And I'm an advocate from hack, not project. You can see some information on the website after this presentation, because we don't have more time. And I'm staff of the Devcon groups on Paul team. It's focused on community, as you can see. So I like to share this information about security with the community, and things like that. And I'm a security researcher and instructor for an security, and a writer and reviewer for these three magazines; by the way, these magazines are from Poland, right? So this is our agenda. The first idea, at the beginning, is to talk about what a threat is, as you probably know, and then: have you heard about least privilege? I think this is a good way to go, and I will bring you some brainstorming, and let's think together. And after that, some questions, if we have time. So, to begin, I like to put everyone on the same page.
It's not my definition. It's cord, right? So what is a threat? Because if we are talking about privileged access, we need, or everyone needs, to protect against something, right? So first, what do we need to protect against? Against the threat. So what is a threat? It's a software attack, that's clear, or it's theft of intellectual property, right? Or it's identity theft, or maybe sabotage; information stores are example and information security threat. It means all those things inside our company, or inside our infrastructure, can be a threat. It's mainly related to software attacks, for example, because when you produce some apps, produce some code, of course you have a developer, you have DevOps to build this in a cloud, for example, and you need to set some security best practices.
So this is the big challenge here, right? So have you heard of least privilege? This is very interesting because usually, in the past maybe, or in the future of PAM, you know, privileged access management, or IAM, identity access management: what is the difference between one of them and the other, right? So first of all, I would like to bring something to you. In information security, it's a simple definition, or computer science, or other fields like, you know, engineering or something like that: the principle of least privilege, also known as the principle of minimal privilege or the principle of least authority. And usually, when I give presentations, I don't give any privilege to my users. Even when I am using it myself, for example, sometimes I need to request a password, because this is the big point here: least privilege. Because again, in the past we implemented a VPN in the environment, but if the attacker gets access from the victim, then, for example, the attacker has access inside your environment, right?
Because he is inside your environment, because he has the access through the VPN, right? So in this case, least privilege requires that, in a particular abstraction layer of the computing environment, every module, such as a process... That's very interesting when talking about PAM, because we need to implement this kind of process, we need to implement it related to the users or a program, and of course depending on the subject, but you need to have these things very, very clear to implement this in your environment, right? So it must be able to access only (this is the key, this is the good key) only the information and the resources that are necessary for its legitimate purpose. Because, again, if you are from team, what is the necessity of having access to the database environment, for example? Just think about that.
So that's a good point here, when you need to apply this. So let's think together, or let's brainstorm here. First of all, we need to think about the insider threat. So who is the insider threat? Because usually we think about, for example, an attacker or threat actors outside the company. But if you read some research, I think it's 80% (I don't have the reference here now), 80% of the attacks happen because of insider threats. And if you see the last top 10, for example, you have misconfiguration, another very high problem with the, when you our software. So we need to pay attention to the insider threat. And usually privileged access, in the past or maybe now, is related to the admin IT team, right?
But now we have different teams in our environment, right? Or you manage the C-level access, because usually the C-level, the board team, needs to have the same access to the same programs, to some apps. And usually the IT team gives this kind of privilege to the C-level. Why? Because they need access, because they probably need to have something very fast, right? So now we are in the middle of the pandemic and many people work from home. So about these remote workers: how can we apply privileged access management correctly? Do you remember least privilege? You need to give this kind of user just a little access. And of course you need to have a process. Do you remember that all those stats, you need to have a process, politics and something like that, to apply it correctly.
Right. Another interesting point, I think Joseph, we talk about this in their talk, it's about cloud access, because today many companies are already created in the cloud environment. It's not in a virtualization environment; it's in these cloud access assets. So what would be the risk impact if my data was exposed on the internet? What would be the risk of this impact, right? But now, how does this work? Because we have many challenges here inside privileged access. We have C-levels, work from home, cloud access. But now, how does this work? Because we now have developer teams, and developer teams need to access many applications inside our environment. The ops team needs to access many different systems in our environment. And as you see, it means all those guys need to have access to a particular environment.
And if the guys are creating some software or some apps in their environment, they probably need to receive security education, or they need to have security champions inside the teams, or as part of these teams, to help them increase security inside the team. The database team needs access. You know, it's no longer related only to admin IT teams; now we have different teams inside the company, cloud teams, and others. But of course, when you talk about the cloud, you have some configurations or settings to make in AWS or Azure or GCP, or whichever cloud service provider you use, and you can apply something. But the point is the privilege access, how I can imagine it, right?
Oh, another: sometimes we have in our company the leaders of the business units. So this is another challenge. As we can see here, even at least five teams like these, but you can multiply these teams by many other people, right? And this is a big, big, big challenge to apply. So we need to look inside this. If you are a manager, if you are C-level, for example, you need to pay attention to this, because here it is not in the guys, but in the process, you know, in the politics to apply. You need to apply the security policies here. This is the good point, but you have different teams and you have different privileged access in your environment. So let's think together, guys. Privileged access has traditionally been categorized under the umbrella of identity and access management, right?
And another point is that identity access management is evolving. The conventional approach revolved around the users and digital identifiers such as email address, or devices, or date of birth, and then a password for verification, right? So it means it's IAM, right? So in your increasingly quality-oriented digital environment, the old ways have become less effective. Why? Because, as I mentioned, we have different teams across your environment, you know, and across your network, on different layers, in different ways, right? So the user/password combos that provided security and privacy just a few short years ago are useless in many cloud environments, right? So for this reason, IAM and PAM best practices have evolved to a point where security professionals prioritize secure vaulting of credentials for privileged accounts, in this case the object, and secure access to the privileged data, systems, infrastructure and applications; in this case this is the target, right?
So this is a good way to think about the future. Perfect. This dynamic now holds true for all users, scenarios and any operations, eventually, right? And now a good point, because that's the challenge. As I mentioned at the beginning of our talk, part of this talk I read in this definitive guide to secure privileged access. It's free material from the.com and from Joseph Carson; it's awesome material if you would like to read it. Because it's free material, I would like to share it with you. Here we have much guidance to open your vision, open your mind, to apply the best secure privileged access in our environment, right? So I finish my presentation here, and I hope that we are finishing inside the time. Thank you to the staff team for having me again; it's always a pleasure to be here. And if we have any questions, I am available here, or, you know, in the network lounge or on social media, wherever.