Event Recording

Marcus Scharra: Why PAM is crucial for DevOps security compliance


Right. Okay. So hi everybody. My name is Marcus Scharra, I am the co-founder and CEO of senhasegura, and senhasegura is a PAM supplier, a PAM vendor. And today I'm going to talk about the experience we have been facing in the last few years when we started to deploy PAM in DevOps environments, what we have learned, and how we have addressed this demand and these needs in this special environment, which we understand as a different environment and not a traditional PAM use case. And first, after thinking about that, we understood within a few years that the main characteristic risk of the DevOps environment is speed. And today the news shows that leaders that use DevOps deploy 200 times faster than other leaders. That means that for business, DevOps is a great solution and an ability to address innovation needs. And as innovation is the key element for any company today, being fast is really cool.

It's really relevant for the business. But also when you think about velocity, you need to think that you have other consequences that you need to deal with. And if you look at DevOps, you see that today we have been facing a lot of leakage, very critical information being leaked through the DevOps environment. So we can see on GitHub every day secrets and access keys being leaked, and many different kinds of attacks going through DevOps infrastructure. So DevOps has come as a solution for innovation, but at the same time it brought new risks that we need to address. And PAM is a core functionality to address these risks, especially in terms of privilege and access. So I'm going to talk today about how DevOps is changing the PAM scenario and how we need to think about PAM in terms of DevOps. And to look at that, I would like to start by looking at this table.

This table is very interesting because it shows the number of different tools you can see in the DevOps environment. So we have more than 100 different tools, and these tools bring to the DevOps world a new scenario, and that is that you can use the same tool in different use cases. So it's very common when we go to a customer that we find they use a specific use case, like Kubernetes, and it's different from other customers. So we see the same tools being used differently. So when you start to talk about how to deploy PAM, you need to address that. You need to understand that the same tool can be used in two different ways. And that brings a lot of difficulties for PAM, because you don't have a simple use case that you can address with one single solution. Also, on top of that, the combination of tools, which is much of what DevOps is about, is different.

So you can have the same two tools at two different customers with different configurations and different ways to interoperate and integrate them. So this brings a lot of complexity to this environment. And then when you look at PAM, you need to deal with more privileges, more integrations. So it's quite different from a traditional PAM use case for infrastructure. But if you move to the next type and look at the DevOps culture, it's important to understand that it's a culture: it involves and brings together people. And what we have seen in these years is that people start to code. So we have been seeing people from business departments, from the marketing department, deploying their own scripts, their own technology, their own APIs, integrating and connecting data and developing their own code. And all this requires more code, more access to allow these people to run their code, moving around.

If we go to the DevOps world, you can see the processes inside the DevOps culture: you have a lot of different processes that were designed to make it agile. And when you create these new processes, connecting tools and allowing people to do their job and creating new scripts, you have more connections, more integration, more complexity. So processes in the DevOps world create new use cases and more IDs that need to be managed, right? So if you look still in terms of the culture of DevOps, you see technologies: DevOps brought up a lot of new technologies that are coming, but put together in the DevOps world they create a new scenario. And now, where you used to have only on-premises infrastructure, you have on-premises, you have cloud, you have public cloud, private cloud, hybrid environments. All this creates a new complex set of technologies that need to be addressed in terms of DevOps.

And all these technologies are evolving and changing fast, especially when you talk about access and identity. So when we move privileged access from a traditional infrastructure use case to the cloud, you have a new access paradigm. So new clouds, new access paradigms, new models, entitlements completely different from one vendor to another. So that brings a lot of difficulty and, again, more privileges to be managed in terms of cloud. So putting all this together and thinking about these characteristics of the DevOps culture, we understand that now, when you go to a DevOps environment, almost all the access is privileged access. So managing privilege and access in the DevOps world and DevOps infrastructure with developers brings a new scenario where almost all the access is privileged access as well. And how does this affect PAM? So this creates a new pyramid. That's what I was trying to show with all these verticals.

So we put together tools, people, culture, and technologies, and create a new use case for PAM. And that's what we have learned in the last few years: how to deploy PAM inside this environment. And when you look at the new scenario, you see that, and I have seen something about that in the previous sessions, we have a new paradigm. So before, you used to have credentials; now you have secrets, you have access keys. Then you had people in the traditional infrastructure; now you have machines and you have devices, tools, devices. Now you have a lot of tools requiring privilege to run, to integrate. And also you can think about code and applications. These are completely different concepts. They were created in the DevOps world and need to be addressed by PAM, and that needs the PAM adoption to be adapted to this new scenario.

Right? So all this together creates a new attack surface that requires almost all access to be treated as privileged access in this scenario. Right? So, and what are the risks? The main risks we can see inside DevOps, that's maybe the core part of deploying PAM: what are the risks, the threat model we are trying to address in these scenarios? And I could share with you: maybe just controlling which applications are running, which APIs are running, which code is running, where they are in the pipeline, how they integrate with each other, is just one important question that PAM needs to address in order to manage the privileges properly, but also the code, the hard-coded passwords and shared access. So we have seen a lot of cases of violations based on shared credentials and access keys, like mining Bitcoin inside an infrastructure based on a shared access key from a public cloud.

So these new risks are becoming more relevant. And this attack surface, this DevOps environment, is becoming a target, a very valuable target for attackers and hackers. So this is new and critical, and I'm sorry about the problem here, the sound that happened, but so we have new risks to critical information. So, coming back to the theme of our speech, when you think about access and all this compliance world, you see that access control is a core functionality in terms of managing these controls for compliance. So access control is in the middle: ISO 27, GDPR, PCI DSS, all these regulations require you to control access. And that means that privileged access is a core point for addressing regulation questions. So addressing all this together creates the demand for us to take care of privileged access as a core functionality for compliance.

What is the approach we have been using in the last few years? We have experience with so many customers, and that helps us today to understand how these technologies, how PAM can address these questions of managing privileged access to support compliance and support the business. And our approach is based on what we call privilege by design. And I have seen the previous talk, talking about privileged access management as a culture. I can affirm it's a culture, but I can say that it's a really very important concept that we need to address as a key concept in terms of security. So it's very important for us to understand the nature of a privilege: how it is born, how it evolves, how it's used and how it dies, because managing privilege is not an easy function. It's very complex to manage this life cycle. And as the security risk is increasing, and we have more and more security attacks, cyber security attacks, we understand that more and more privileges are key concepts in terms of defining security and creating a very strong security approach for managing and dealing with privileges and protecting companies.

So this concept of privilege by design is the idea that you need to understand clearly how privileges are born, how they evolve, how the people inside your company understand privilege, where they are really necessary. And what we have seen is a shift in terms of development teams that were more resistant to adopting PAM: they are open to this concept, but at the same time they suffer a lot of pressure from innovation. So the business requires them to develop faster and to address new innovation issues. But it's very important that they are accepting this concept, and you need to address it with care. Take time, spend time with people and processes in order to guarantee that the concept of a privilege, how to manage it, how to deal with it, is really understood. So we have been using this approach, and what is interesting is that 74% of these breaches are based on privileged credential abuse, right?

So before I go to the end, to my final slides, I would like to share some takeaways that I think are important and key. If you understand that DevOps and PAM is a critical control to implement in the DevOps world, and I can guarantee you it is, you need to understand that the traditional use cases of PAM are not the same in the DevOps world. The DevOps world brings new concepts, new ideas, and you need to understand that PAM is being changed a lot because of the DevOps world. Well, the second point is that PAM is crucial for compliance and is also crucial for the DevOps environment. So DevOps is creating a new attack surface, and PAM is a central aspect of any regulation, any aspect of the business that you need to address in terms of cybersecurity, and if you can address it correctly, you address a lot of risks in practice.

So you make the business more reliable and create a very secure environment for DevOps environments, right? And understanding the characteristic risk of DevOps, you will see that DevOps infrastructure is very dynamic and elastic. We have elasticity and flexibility. So the PAM approach needs to be adaptable to this environment that is very flexible, and at least adopt a privilege by design strategy, because privileges are not simple to understand and are not simple for people to manage. Usually we have traditionally been using privilege in an easy way, standing privilege for a long time, making it easier to manage. We have been concerned about how to make my life easier to manage a privilege, but now we need to change it. We need to think first about security. And the reason why we see that is because we have shifted from cybersecurity being a compliance issue to becoming a business issue.

So before moving to the end, I would like to come back to my first question: why PAM for DevOps is crucial for security and compliance. And the answer, I would say, if we look from a tactical perspective, and you can see the graph, the fines are growing very fast in terms of GDPR fines from 2018 to 2021, is the key role of PAM for cybersecurity compliance, to prevent privilege abuse, data leaks, and to comply with industry regulations. But this is a mindset that we have to have, but it's coming from the past, where cybersecurity was just a compliance issue more than a real business issue. But I would like to offer you a second option: if you look from a strategic approach for business, why PAM is so crucial, the reason is that PAM creates a reliable layer of infrastructure, makes the business reliable, makes the business able to adapt to all these changes that are happening faster and faster. So think about brands that have been attacked and how they lose money and value. So delivering PAM correctly in the DevOps environment is a business issue. And we, as security guys, need to think, as we were called to participate in the business in the last two years, that we need to address this not only to comply with regulations, but to protect our brands, our names, our company against cyber attacks. So thank you very much. I will be pleased to take any questions and be with you at the lunch. Bye bye.
