Good morning, good afternoon, or good, good evening. This is annul. I'm the lead Analyst at KA coal. And today I'm joined by Carl Langford from Bakar to talk about the best practices for privileged I and D management, which is the topic of today's session. So in this session, we are going to talk about some challenges that organizations are facing when it comes to management of produce access across the it environment. I would say the hybrid it environment that automations are increasingly adopting as well as the various other challenges, which automations face when it comes to control of privileged information across their systems. So before we deep dive into this session, I will like to quickly take you through who we are. So copping a call is a company established in 2004. We are an independent Analyst organization. We offer neutral advice, expertise, thought leadership, and practical relevance. We provide and support companies, corporate users, integrators, software manufacturers with tactical and strategic advices, as well as we specialize in with domains of information security, including and access management governance, risk management compliance, as well as the areas concerned with digital transformation.
These are some of the business areas that we provide our services. So the three key pillars of company called business are research evens, as well as advisory. In terms of research, we provide research on all the major topics and they are tailored to the needs of your digital initiatives. The research is all vendor neutral, relevant, according to the times, as well as independent, we get it to the events. These are conferences that webinars and special events that are conducted. There is innovative leadership, future proof approach, and also great networking opportunities that you can avail at these events. Also the advisory part, which tends to be the best in the class. And we try to be your trusted advisory partner, trying to make your business more successful with the most current and relevant advice that we can offer you in the digital transformation with that. These are some of the cupping calls, upcoming events. The EIC is definitely one of the more known events that we have. We have also got consumer int world, which is coming up in September in USA during October in Europe, as well as in November in Singapore. And there is going to be also the cyber sector leadership summit in Germany during November next year, as well as us in February.
Well, the GDPR is certainly out already and you all might have made sure that you are compliant to the regulations as per GDPR, but if you are still looking for some help, there is a couple of calls, GDPR readiness assessment available that you might want to take the stand of what challenges that you are still facing in terms of being compliant and what might be the best ways for you to, to address those gaps. Some guidelines for the webinar, you all are centrally muted, so you don't have to mute and mute yourself. The recording for this webinar will be available tomorrow. And yeah, we'll have a Q and a session at the end of this webinar. So feel free to answer your questions using the, using the control panel for, for, for the chat session, right? So here's the agenda for today's webinar. I will talk about the challenges and the primary drivers for implementing privileged management solution. And I will also take some time to discuss how the technology landscape looks like. And finally, I will give you some recommendations and best practices as to what, what challenges you should be avoiding in terms of implementing a successful access management solution. After my, after my session, Carl will talk about the practical insights into how organizations should build a strong cyber difference behind the firewall within automated with it management solution. And finally, we'll have a cushion and answer round.
So diving into the risk topic, what are the primary drivers for our privileged access management solution? So the first one that we see across industry is obviously the views of privileged screen shields in the organizations, all our missions mostly have various privileged credentials, the use of credentials across the infrastructure, and there are various medium, or I would say ways that our administrators and users are abusing these credentials. So I believe to prevent any abuse of ALS, most operations are looking to implement a privileged access management solution, obviously that they don't have, which follows these, these abuse is something that, that most organizations have to also control and manage. So the data theft becomes another important driver for organizations to avoid with these abuse of shields. There are, there are certain regulatory compliance issues that ions can get into. And obviously there are several regulations around the world, as well as industry standards that mandate automations to have appropriate privileged access management controls.
Talk about regulations like B C I DSS, or HIPAA, even certain other industry verticals, including telecom banking and financial services, healthcare, they all have got certain regulatory compliance, which talks about how you should be implementing or at least monitoring that produced activities across your it infrastructure and prime mistakes is also another key driver for organizations to adopt a privilege to access management solution. Not so long ago, we had incidents in, in, in industry talk about, for example, Amazon web services, as well as an incident sometime last year with organizations like cloud fair, when administrators somehow had missed time, certain commands, and those commands had gas grid effects to shut down systems and, and made and made certain downtime for these organizations to their business, as well as had some penalties associated with them. So just those incidents, but eventually there are, there are studies that talk about how employ mistakes are becoming increasingly reason for organizations to implement a privileged access management solution.
Insider breaches. Obviously most of these administrators have got tourist rights and they can pretty much access information and systems without being monitored and audited. So insider breaches are also also reason why our organizations would like to implement bam solutions in the, in the, in infrastructure. Obviously securing the access to cloud is, is, is a key driver for, for making sure that you have the right visibility of operations into the cloud. So how ions should be managing access as well as making sure that administrators have a right level of authorization to conduct a specific operations into the cloud is, is, is in the driver. Why you should implement a privileged access management solution, BA solutions also help you to make sure that you're compliant with segregation of duties. So, or I would say separation of duties, in fact, for various administrators based on their roles, for example.
So if you are, let's say a level two UX operator, you should not be able to download a database. Versus if you are a database administrator, you should not be able to let's say, shut down a machine. So depending on your rules, how can you separate what kind of operations you should bring title to? And I believe ID ID separation of duties is, is a big issue for most organizations to be implemented and executed successfully, which spam tools can help you, help you achieve. And finally visibility into outsource it. Operations. Most organizations have outsourced their it operations to other vendors and third party solution providers. How can you make sure that they have the right level of access to your internal systems and you are in control of what information and activities that they are performing. So having the right level of visibility into outsource it, operations is another key objective of implementing BA solutions,
Right? So we come to, what are the latest types of privileged accounts in organizations? There are, there are administrative accounts, obviously there are generic accounts or non generic accounts, which most administrators would use to access the systems. Then there are system accounts which are sort of built in to various operating system software, as well as any of the services that you adopt. So these are the system accounts, which are shared across multiple people. These are also used for example, to sort of elevate the privileges for administrators to perform privileged operations. So talk about root on in systems, or even for example, run command and windows system. And finally you have got operational accounts, which are basically the accounts created for privileged operations across infrastructure to manage for example, applications or have elevated rights to conduct that in op operations in the, in the environment, the system accounts basically also include the application accounts or even service accounts that I use to perform closed operations or, or basically control certain other activities beyond the systems.
So here we talk about one of the various spam tools and technologies that we see in the market. So we have got obviously the basics of bam tools, which are, I would say the privileged shared account password management, the SAP M this basically is the, is the technology that deals with having a centralized password vault and storing all the credentials in the password vault. And whenever you have a need for a password, then the password is basically injected directly onto the target system. And you don't have the need to basically know the password. The other component is the APM application to application password management, which is basically when applications want to connect to other applications and they can connect to the vault and the vault will disclose the credentials to connect to the application. And then we have the C E P D C P E DM, basically the controlled privileged elevation and delegation management. This is a technology basically for elevating the rights for administrators to perform privileged operations on the systems. Again, for example, if you want to elevate rights to be a route user or super user, or as an administrator across all these technologies, obviously we have the authentication requirement for the users as well as services. And the privileged session management is the technology that allows you to connect to all the systems, authentication authorization, establish a single sign on session, for example, and also perform session recording and monitoring.
At the same time, we have also got EPM, which is the endpoint privilege management basically for help you for helping our missions to manage local administrative rights on the systems. And EPM basically includes three different types of technologies. One is obviously the right testing. So application white testing and black testing, to make sure that you have the right applications that can be executed in the system there's applications and boxing to ensure that the right applications are executed in a separate environment and they don't have access to, to, to local files information. So for example, users have been able to download certain programs from internet. Then if they're executed on the system, by any chance, they do not have access to the local files and data on the system. And finally, you have also got the, the third cable tier with an EPM, which is, which is for users to have the right level of elevation of privileges. So the users can elevate the privileges to the right level to ensure that they have the right to perform, you know, highly privileged activities. For example, things like you want to execute certain plugin in the, in the browser and, and other other activities which, which local users can execute locally on the, on the systems.
Then there is obviously the privileged user behavior analytics and privileged access governance across all these functions, which help you to perform user behavioral analytics, to ensure that you can detect any anomalies and access governance, which can provide you capabilities such as providing access attestations for post access on all your systems and infrastructure, right? So coming to the best practices for the access management, the first thing that ions need to do is to identify the immediate Pam requirements that they have talking about all those technologies, which one is your immediate requirement. So I believe it's important that ions should conduct the proper scoping of their Pam requirements. So whether the need a shared account password management solution or an application to application password solution, or whether their requirement is for session recording and monitoring, Pam tools should be deployed based on the level of complexity, as well as you should be looking at starting with a small set of high impactful resources, to make sure that you can limit the complexity and establish the level of, you know, credibility in the organization. You shouldn't be starting to deploy tools which have high deployment complexity, because that might affect that might affect your overall credibility in the organization to begin with the P solution.
You should also look at how you can segregate P administration from generic it plastic administration. So how you can separate previous access management and the administrators who are managing Pam solutions from your gen it administrators.
If you're looking to implement application to application password management, make sure that you can perform adequate testing for it because that's something which, which can be very trivial. If, if you have not have not conducted enough testing for randomization of software and application accounts. So APM is also considered one of the tools which have a high level of complexity. So ensure that you have conducted enough testing in your pre prediction environments for making sure that the service accounts application accounts are all fine, and they have been able to release credentials from password wall based on the context that that are required to authenticate these services to the vault Harding of password vault is also a best practice, as well as ensuring that the application is secured across all your instances is, and the key practice that you should be looking to implement, ensuring high availability, architecture, and automate fill over. So most vendors provide in built high, high availability, but if that's not a scenario you might want to utilize other tools that can help you to provide high availability, for example, any other architectural deployments, which can ensure that you have the right level of high availability built into your architecture,
Make sure that you have established the process for fire calls, as well as any big loss scenarios are considered for, for emergency access management. You might also want to see if you can engage any professional services or size for initial implementation and personal training requirements that you may have both for operation as well as implementation requirements,
And finally make sure that you perform pure access reviews for privileged access as well. Standard use access has been a norm for, for a long time for which we have got I governance and administration tools, but, but privileged access reviews have been ignored, or I would say not a priority for many organizations for a long time, but it's more important and more urgent that we perform product access reviews for the users more frequently than center users. So I think, I think with that, I will like to hide over to call and he will talk about is that the practical insights of mission's can build a strong cyber defense with an automated privileged anti management solution. Who do you call?
Thanks very much. So good afternoon. Good morning. Good evening. My name's Carl Langford. I'm a senior solutions engineer at bunga, and my role really has been helping organizations from kind of small and medium size businesses, right up to large enterprise, have some really great security control around their privileged accounts and secure access to them. And today's the section of the webinar I'll be covering is sharing some of the knowledge that I found out the field, where I've been working with these different organizations and how best to enable security in your environment. Now, I think from listening earlier that finally the, the secret about passwords in enterprise organizations is finally out of the bag and that's, there's a lot of insecure password management practices that have kind of crept in as organizations have become more complex and they have more complex systems. And really what we're seeing around those kind of bad and poor management practices issues such as, you know, not changing passwords going around and having a spreadsheet or a text file with service accounts in and other non-human accounts that aren't used on a daily basis, as well as things like in imaging, when you are creating new virtual machines and you are bringing on cloud infrastructure, having default usernames and passwords.
And what I wanted to go through kind of in the webinar are some of the risks that that causes. And I think we'll see from the news over the next couple of days where we might want to think about Tesla and what's happened there with a rogue insider, who's had privileged access to different systems and shared confidential data to third parties thinking about former employees, as well as those then threat actors and cyber criminals who want to exploit all of these accounts. And they want to have this access into systems to take away sensitive data. A big part of securing. All of this is, is gonna be tooling. And I think, you know, looking at the best practices earlier from Mo is that a lot of these require you to have a tool to help you do this. And that that's really because of the complexity in organizations.
I mean, managing passwords for a large number of privilege accounts and ensuring that not only people, but also applications and services that depend on them are able to do so on a daily basis is, is a very complex undertaking. And understandably, I think that's where the reluctances come in with many it administrators that they, they really want. Don't want to take steps to try and protect these credentials and make sure they are up to date for fear of sacrificing availability to business operations or having an issue which causes them to be in the spotlight for having some, a big impact in the business. And so where we're gonna start really today is to share some of those best practices and hopefully call you to action, to start to implement some of these in your organization. And we've broken these down into six simple areas. So the first area, and we're going into these in more depth is to discover your privileged accounts automatically.
The second is to continuously change these passwords of these privileged accounts. And the third is once we've got the passwords under control, and we've thought about the basics it's to go beyond that and look at other types of credentials and other types of solutions that have privilege that we should control. And that then falls into additional accounts that might be used by applications in the organization, as well as people. And we think then about session monitoring analysis of people's activity and what they're doing, and then finally securing access into the organization for both vendors and for your insiders, who need to really look after these systems and have those higher levels of access.
So discovering privilege accounts automatically. Now, I think it's, it's quite known that organizations have limited visibility into all of the privilege accounts in their environments, because right now we've moved from, you know, simple infrastructures to very complex, very dispersed systems, across many, many different environments, with many different levels of access. Now, the problem with this is this creates security vulnerabilities, and it doesn't take much to come from just one system compromise to your entire infrastructure, taken over and sensitive data exfiltrated. And so what we're looking to do is find all of this information. Now you can do this once in an organization and you go out there and you say, okay, I have a picture of where all of these accounts live. I understand who has privileged access to which of my systems today. Now that information is really only valid for a short time period.
So most organizations are very dynamic places. They have new starters, they have people joining the team, people, leaving the team, new systems, coming on board, new applications, being brought into the business and with that comes change. And this is the reason automatic discovery is very important. So having that point in time capture of events is great in understanding that picture on day one but day two, it will be very different. So when you're looking at solutions to help you with this, we really should look for a solution that can leverage automated discovery. So this means it's going to continuously find all of the privilege accounts in the network across any different platform and then bring those under management automatically. So we don't have to worry about the environment changing. Once you start this project, it, it means that you can actually go ahead and complete this work and have a, a program of work that's gonna continue going forward and support the organization without an overhead of having to run this every single day yourself as a person to secure the environment, the less best practices.
Once you have an idea of where these credentials are, is to actually start to change them. And a big part of this is gonna be the continuous change. And when I talk to organizations about this, so I like to use the analogy of the bank. So to access money in my account, I have two things. I have a card, which I can use at a cash point, and I have a pin number. Now, if someone was to come and take my wallet and they have the card and they know the pin number, the first thing that a bank will do is remove the access. So they take away the card and they issue me a new password, a new pin number for that card. So that if any of those components are used, they then useless to the criminal. And this works in exactly the same way with passwords.
The life cycle of a password is very important because once that password is compromised, it it's valuable to the attacker until it's no longer correct. So if you are continuously randomizing credentials for every account, even just on a schedule. So this could be anything from a shift change, right? The way through to just meeting compliance requirements every 30 days. And then you can then automate a response to an attack. So if you have some behavioral alerts from your SIM tool, or you've received an indicator of compromised, you should be able to automatically go and change all of your privileged credentials to ensure that the scope and control that the attackers may have is massively reduced. And you mitigate a lot of the risk of continued access. As soon as you take that away from them.
As you said earlier, once you've started to secure passwords, you then need to start considering other types of privilege. So passwords are really only one area of pin risk exposure, and you should really be also thinking about the way that people log in and use privileges as part of your PIM tool. So when we start to think actually there's equipment that doesn't even have passwords, it may be networking devices that have things like SSH keys, or you may want to control some entitlement to ad group memberships or even simple things on Linux or unit based devices that use sudo and say which commands a user is allowed to run really as part of that discovery. And as part of that control, you should look to find all of these areas and bring them under management and make sure again, they're continuously updated aggressively to ensure that everything is correct, if they are compromised again, that that scope of damage is really minimized during that time period in a similar way that passwords are, you know, used by people.
We also have many, many scripts and applications in the business that use these credentials and a common credential that's always been sought after is something that would run, say a vulnerability scan. So if you have vulnerability scanning systems in your organization, the credentials that are used to perform scans on each individual system have a very high level of privilege. And these accounts can be used by attackers to access almost everything from your network. And quite frequently, you'll see that some of these accounts very rarely change because it's, again, quite a big business impact. If these were to be changed and a system is taken offline and perhaps this could be for a payment system from your website. So it's hard coded in a web server that this is the information that I need to log into the backend database. And to take that offline for even a short period, could cost, you know, thousands or hundreds of thousands of dollars for just a few seconds or few minutes of unplanned outage.
Now, as we're moving into automated infrastructure and orchestration, you'll see that the tools that support that also require privileged credentials, and again, best practices around this are to get these into a solution that can change them frequently and ensure that actually a lot of this ongoing maintenance and support is automatic. And so you can then have true visibility of everything in your environment. And again, with a reduced scope of human activity to keep managing and maintaining these, the next best practice that we've worked with, a lot of organizations for is around session monitoring analysis and recording what people do. And when we talk about securing privilege access that often a lot of the things we'll hear is this is great, but I still need people to do their day job. I still have to have people come into the environment, access my systems with a high level of privilege and go ahead and perform this activity.
Now, this is true for both internal employees and contractors, outsources, third parties that your business might work with. And we sin is a pattern that connections for vendors and outsources to come into the environment should often be very different to that of an internal user. So you may want to apply more granular control of how they get there. You want to record what they do, because they're not at the same level of trust as your internal users. And they may, you know, intentionally or unintentionally cause an outage in the environment. And we're often find that where people don't perhaps understand the infrastructure. So again, thinking of those outsources and third parties, and you want to be able to understand their activities, get them in at the right time and control their access and launch them into that audited and recorded session.
Now, when it does come to securing those pathways, one of the things we do as an organization is our annual privilege access threat report. In this year, interestingly, over 60% of organizations said they had definitely, or possibly suffered a breach due to these third party inside of threats. And most of the organizations had very limited visibility into how employees and vendors use their privilege access. And as I started to mention earlier, a big part of this is about the way that they're bringing in these vendors into the network and applying the same security controls to an untrusted third party, where you would perhaps give them a VPN, tell them a username and password, and then they have their access immediately past all of your perimeter defenses. And they have that direct socket connection to your network. Now we've seen in the past that this has caused issues.
So thinking way back to things like the target breach, where it was a air conditioning vendor had a direct connection into the target network. And ultimately that led to a large compromise, lots of data exfiltrated around payment information purely because we applied the same technology to perhaps someone where it was inappropriate. And so what we're looking to do is, is break that connection and ensure that third parties and vendors they're coming to somewhere where they can safely work, you can record and monitor their activities, and actually then enforce that lease privilege. So take away access to applications that they might not need, and ensure that they're logging on only with an account where they don't know the credentials. And again, having that separation of duties is gonna be very important to ensuring your ongoing security of your organization. Now, those were the kind of best practices we shared from the field. And really now I wanted to open up the floor for any questions or anything that you might want to know around this space. And think's gonna jump on as well and answer some of these too.
The first question that we have is how we can help manage shared account password management. This is a big problem for our organization.
So one of the things we've seen there with shared account passwords is that actually a, a lot of people need access to perhaps a system where you cannot add more credentials. And what lose is that individual attribution of who's done what with that account. And so when you start to think about a privileged identity project and start thinking about that session management, what you would really like to see is that an individual user has to authenticate into the solution. So you understand that it's this person accessing this privileged account to perform these tasks. And so whether that's then a shared account or an individual privileged account, you'd have that end to end visibility that this person was using this account at this time and give you back some of the auditing and reporting that you lose when you use those shared account passwords.
That's right. So I, I think you're right for my shared accounts and the way those should be managed by operations have to ensure that you have been able to scope the requirements, software managing shared access across all the various types of infrastructure that you have within organization and, and also the types and the risk, which is associated with each of these shared accounts. The other questions I have is how is it different from anything like sale point?
So, so when we start to think about identity and access management as a whole with solutions like SalePoint, they're really there to take the mass of your users and say what their entitlements are. So they'll say, you know, my user a has access to my internal SharePoint site. My user B has access to email and the SharePoint site where this comes in is to around the kind of even administration of those types of systems. So it's really the, the next level up of user access. So when it starts to become to critical systems, infrastructure support the, the, the engine behind supporting all of these solutions, that's where privilege access management takes over. So it might be that you already have an identity and access management project to, to help, as I say, the majority of your users decide what they have access to and what they use in the organization. But we should really start thinking with privileged access around the administrators of that system, how they use it and starting to perform some of the separation of duties there.
Sure. Thank you. And I, I think, yeah, you're right. P access management is different from, from sale point and sale point for example is primarily IGA tool governance and administration tool, which helps you to manage the energy's lifecycle across an organization. They provide capabilities like standard user provisioning de provisioning certification while they Azure tools. Mostly they don't, they don't manage privilege to access, but, but obviously there are certain integration points between IGA as well as privileged access management solutions. For example, Palm tools should integrate device versa for, for roll based access control, as well as even most Pam tools, they do not offer support for certification, or they don't have their own workflow management for certification. So they can integrate with tools like sale point, which an IG solution to perform a privileged access certification campaigns, which is, which is increasingly an important use case for most operations to have to conduct, I would say privileged access governance. Yep. I think we have one more question here. How helpful is the two FA to the privilege to access problems from your experience?
I would go as far to say, as it should all almost be mandatory. So when you're thinking of the level of access that your administrators and privileged users could have, you should really, really ensure that it is actually the right person using those tools. And that's where the multifactor will come in. So we can, you know, ensure that it's something you have as well as something, you know, validate that administrator is who they say they are. So, yes, it's a very, very important part of the solution.
That's right. Carl. And I think just to add to, to your answer here, I, I think not necessarily a two FA it could be, it could be MFA or generally counting factors is, is, should not be associated with the, the strength of authentication. There might be one factor which is more relevant and can provide you higher assurance than even two or three FA in some cases. So understanding what's the, what's the assurance, which is required for an administrator to log onto a system. At what point in time, some previous access management tools they provide, they provide you with authentication from factors of their own, but some would require you to integrate with third party authentication providers. So making sure that you have, you understand that assurance requirement of the use case of example, where is the adminis logging in from which device he's using into log from what types of devices he is logging into as well as what tools that Mr are using to connect to those devices, all of that would constitute particular assurance requirement for you to understand what is the risk, if an authentication goes wrong.
So understanding all those various, all those various aspects would help you to find out particular level of assurance that you need to associate with the strength of authentication. As again, as I said again, you need to make sure that you are not overburdening your administrators with, with authentication. The objective of having a produce access management solution is to ensure that you balance the security with the efficiency of administration, administrators are, are quite smart people. And if you are, if you are, if you're overburdening their experience with authentication or any other kind of inconvenience, people can try to find workarounds, which is obviously not a recommended objective for, for a Pam program. So overall, I think it's very important that you, that you implement authentication, but making sure what kind of authentication form factor you are using, is it relevant to the use case? And also you might want to use adaptive authentication approach, which is offered by most vendors today, which allows you to combine the authentication form factor with a contextual information such as you know, whether the user is logging in remotely, which IP address, what date and time, et cetera. So all those contexts can be used to derive a risk score, which can help you in the overall authentication process.
Yep. So having said that, I think, I think we don't have any more questions here. I'd like to maybe ask if you have any questions, please, please put them in the, in the chat window here. And we'll, we'll, we'll address those. If not, then you are very much welcome to send us an email and we'll try to address your questions. Well, with that, I would like to thank you for joining us for this webinar. I hope it was helpful. And thank you to Carl as well. Thank you and have a good day ahead. Bye.
