Good afternoon, ladies and gentlemen, welcome to our call webinar challenges for managed service provider offerings providers offering privileged account management as a service making in CI right programs effective through proper management of privileged accounts. This webinar is supported by Aon. The speakers today are Oodle who's solution architect at ENT partner of Aon and Martin shell. Who's vice president business development at Aon. And finally, me I'm Martin Kuppinger the principal Analyst, copy a call before we start some quick information about co a call and about sort of the rules and the procedures of this webinar. Before we then directly dive into the topic, delivers a variety of services, specifically around anti cybersecurity, artificial intelligence, and other areas that are essential for being successful in the digital transformation. This includes our research such as executive views and leadership documents, our talks and briefings with vendors and customers, and a lot of events such as webinars, conferences, advisory projects, and other stuff.
And as I said, yes, we do advisory as well. In research, we have a number of formats. Some of the most important ones are our leadership documents, where we compare leading vendors and defined market segments. Our executive view reports, which focus on specific strengths and challenges of certain products, our advisory notes and our leadership brief documents, which provide a very concise information for decision makers. In our advice portfolio, we focus on strategy, support and portfolio management on the selection of certain technologies, and then identifying the types of technologies and supporting customers throughout the project. What we don't do is any type of implementation work. We just support in strategy and selection and road web and stuff like that. And then we have a set of upcoming UNS for this year. So in 2019, we have seven more events on site around digital finance, around cybersecurity, around identity management, consumer identity, blockchain, and AI.
Some of them take place in the us and others take place in Europe. So have a look at these events and don't miss them regarding housekeeping. We are managing the audio. So you are muted centrally, so you don't need to mute our mute yourself. We are recording the webinar and we will provide a podcast recording as well as the PDFs of the slide X use today, usually latest by tomorrow. And there will be a Q and a session by the end of the webinar, but you can enter your questions at any time. And the more questions we get throughout the webinar, the more likely our Q and a session will be that direct leads us to the agenda. And this agenda as usual, we have split it into three parts. The first part, I will start talking more focusing on Pam specifically. So what is it?
Why do we need it? What does it mean if we bring in that is the other part of it, which is then directly related to the topic of this webinar. What does it mean when we bring in MSPs? What are the risks who's responsible for? What cetera, after that, then Oodle solution architected Planto will talk about the future set and solution to design for Pam as a service from boost perspective to manage service provider and the customer. Then all three of us, Mr. Bule, Mr. Sherra and me will do the Q and a session answering all the questions you will enter throughout the webinar. And as I said, the more questions, the more likely, let me start with a important perspective. So a lot of the things, and also a lot of Pam projects, British access management are driven by compliance compliance. Factually means it's about meeting loss and regulations, but that's not all.
It's also about passing the audits. So the ability to prove that you do what you say you are doing, but then there are the actions and security, so compliance and audit help in moving forward in security, but compliance and audits themselves are not sufficient for what you need to achieve in security is really the actions, what you actually do. So compliance, audit actions together, then form and support your security posture. That is what you need to do. And so do Pam, not only because you need some checklist compliance, think about what do you need to do for security in this age of ever increasing cyber attacks, because, and that is what we're actually talking about. Access risk is business risk, and we need to be able to manage when we look at identity access management in a broader definition than Pam is part of this.
And here we look at the access risk. So we all know that fraudulent access imposes, significant financial risks, regulatory risks, and other risks, not at risk. These risks are part of our it risk analyzes. So access risks are some of the it risks. We have other such as cloud risks, business con risks around business continuity, etcetera. They are also relevant at the sea level because it risks are business risk and they can have a very impact on the business today with out address of data centers affecting the business, causing massive costs, even can drive companies out of business with financial fraud, putting massive risks. We have seen this on in various banks, etcetera, and factually it's something which is relevant due to that, to the shareholder because there's a cost associated. So look at the access risks and look at what does it mean? What do they mean to you? Go beyond trusted checklist compliance because even if you might be compliant, it might be not enough from the perspective of your business risk. That is where privilege access management. As one element of the solution portfolio comes into play. There are variety of reasons for having a well saw, not privileged access management in place. And one of these is obviously the mitigation of risks based on privileged access. One is the compliance I already mentioned. There are various regulatory compliance requirements around privileged access management. It is also the cyber attack resilience.
So understand what is happening, monitor privilege to access, understand that things are correct. And that, that there are people accessing in a way which they shouldn't do it's about security. So in the broader senses and protecting against malicious use, including internal attackers, it's not only about the external attackers and a lot of this is really us about internal techers. It's about split responsibilities. So being able to assign certain activities, certain tasks, certain capabilities to different groups of use each year across the service and Porwal levels or operations versus administrators, it's about controlling an MSP to tenant relationship. So if you have a lot of MSPs, more at a level of SaaS services, etcetera, you might want that you should want to control what they are doing. That is another angle of the MSPs thing. So one thing is MSP operating the Pam. The other thing is using Pam to audit the MSP, the workforce enablement.
Also by, by saying you have credit tasks, you're only allowed to do certain things. It's easier what human error by restricting, what people can do. All these things are part of a broader privilege management perspective. And it's important to restrict the elevation of privileges. That is always a part of the entire thing. So restrict the permissions of users that something you can also do in your identity and access management by access controls, etcetera, the access to the systems, for instance, by shared account password management and restricting access to one, to using a one time password so that someone doesn't have recurring access to, to the systems, stuff like that restrict and monitor access to the system specifically, highly ed access monitor is what is happening, understand happening. And as I've said, when you are able to restrict things and to, to make it a little more granular, you also can restrict the human error.
And basically there, there are different levels where we can work. We have to share account password management, which is about restricting the, the, the reuse of passwords, avoiding the sprawl of passwords for shared accounts. And they are still shared accounts. Shared accounts should be avoided as much as we can because shared accounts always cause security problems, but there are still scenarios where we have these shared accounts. And if you can't avoid them, you need to at least deal properly with these it's about taglines. That's where identity governance administration comes in. So it's standard definition of static, entitlements control of these entitlements, stuff like that. It's the privilege elevation part, which is important. So focus on temporary privilege elevation. This is usually very system specific with more intrusion into the systems, because it's, for instance, about using different types of shelves, restrictive command lines, other stuff which helps to restrict the virtual ion it's thees monitoring, recording piece of monitor and record for I principles during a session, looking at what someone is doing, if it's a really, really critical thing, but also the, all the analyzes behind that identification of anomalies, stuff like that, that might go even beyond to saying, okay, how can you restrict also all the access to as UL as possible tasks?
Because if someone has limited rights, it can cause, or he can cause less damage. So this is basically sort of a, a look at, at a higher level. And when we then look at more the technical capabilities we currently rate by, by what we are doing around privileged access management, there are eight key areas. The one is to share the password management already touched. So really looking at how you deal with British credentials of shared accounts, then we have the session management piece. So managing privileged sessions, application application, password management, which is a little bit different than the shared account password management, because it's really about services accessing shared accounts and other services and avoiding that there are credentials such as username, password written into scripts, stuff like that, the monitoring piece of, of, of managing sessions. So recording, monitoring, controlling the elevation and delegation of, of privilege.
So how can you, as I've said, restrict for instance, what someone can do within a shell or stuff like that, that already goes into the task piece, then the abuse of behavior analytics piece of privilege management. So analyzing the behavior, identifying outliers, identifying where, where things are different than they should be and reacting on that for sure. What we increasingly see is an endpoint privilege management angle. So adding endpoint privilege management capabilities to the tools that that is something which is far more common these days, and there's an integration requirement into access governance. So this is at least an integration or an integrated capabilities, but usually an integration piece, for instance, ensuring that a shared account password man, a shared account has an owner, someone who's responsible for it. And if that owner, for instance, changes the job, so is the mover process within identity and access management, then someone else become the owner so that there are no accounts left unmanaged.
So this is where integration for instance takes place. So right now, when we have this privilege access management, the office question for, I would say every sort of service we have in it today is can we do that as a service? Can we run that in the managed service model or even in the pure cloud or for, for highly sensitive things, such as bridge access management manage those models might be the lower hanging fruit. It might be the thing to look at first. And when we look at the different types of, as a service model, just as a quick rev up, then the Pam probably best fits into a platform as a service level. So we have software as a service, the upend things like office 365, etcetera, or SAP. So as for, as it's called today, we have the platform as a service, which is programming tools, APIs, but also additional tools.
And it's all the middleware stuff, as well as the databases to web server, stuff like that. Then we have the underlying infrastructure, which is network compute storage, which all is based in some way or another, in a physical infrastructure, in a data center. But basically, so we are talking about such as a model in some way. And the interesting point is that that is something we, I took from, from some of our standard reports and, and presentations and research around cloud security. And basically when we look at, at that in the next picture, the, the important thing is that the responsibilities of tenants and service providers differs in depending on the, on the, on the deploy, on the, the SaaS models of what we're talking about. And that is something you can factually just transform the same way to a managed service provider approach. So if you have managed service providers, you have the same situation.
You have a split between the service provider responsibility and the tenant responsibility. So the managed service providers, your provider, you are the tenant and factually the managed service provider then must ensure that the data center, physical server, stuff like that is running the virtualization layer in whichever way it's done, or the container infrastructure is running well for all the network compute and storage stuff that the database is required for the Pam tool, the application server, other stuff, load balances are running well. And then depending on your agreement, to some extent, he will care for the application. So this is somewhere I would say between past tenants and the SA tenants, because he also runs to some extent the application. But on the other hand, you have some responsibility also for what you do with it, depending on how large, the amount of services is, you, you buy from him, but there's always some, some part remaining at your end where you need, you need to look at it and say, okay, I understand what this service provider is doing. I have some control about it. So there's always some split responsibility. And then you go for such a model which can make a lot of sense, then check for that.
And so it's, it's really a mix of your responsibility defining the service control. So what do you need to understand that your MSPs acting correctly, understanding also the risks and require assurance for things where you say, okay, these are the, the challenging aspects of running such a model. An MSP probably is, is the one who's closes you because he does a lot of your operation. It just takes the workload also from your stuff plus running the environment. So it's probably closest to, to taking all responsibility, but at the end, you always have not only responsibility, but you have accountability. And while you might delegate responsibility, you always have to, will have the accountability. And so it requires you to have assurance. It requires you to have a, at least a basic understanding of what is happening. And so the same, what you do here for a cloud provider is basically what you should do for an MSP.
So understand what he's doing, having a contractual assurance, look at the independent validation. So which, which, which standard sort of audits has he passed going maybe to independent testing. It require depending on your, how big you are, how big the MSPs, what you can do, what you can afford and understanding where you need your own control. And you need to have some control. You need to implement some of these. So it is definitely something you can do, but you need to look at it roughly and understand what is happening and what you're buying and how you can ensure that you fulfill sort of your accountability.
So Pam from the cloud is something you definitely can do, but if you do it, do it right, and there are some rules for, for, for not failing. And it's the same Pam from the MSP, because this is just a, a blurring line. Don't take too much risk, define the responsibilities. And who's responsible for what look at the governance, the management, or risk management, security controls auditing. How do you keep a crib on that? Look at the operating model your MSP has, are there guaranteed SLAs, are there available availability, SOS, or definitions in some way, failover options, disaster recovery options. That is all his responsibility, but you need to define it. You not only trust you need to define it. Are there compliance, certifications? What are the functional capabilities? Yes. So at the end, it's always about is that server's good enough for what you need.
And finally, which integrations does your MSP deliver to all the other tools you have once you need to manage first, but all the other security tools, you're seeing tools, your identity management tools, all the other stuff, that is what you need to track. And then it is a clear and viable option with that. I go back to our agenda and, and over to carbu, who will talk about, or look at a feature site and solutions designed for Pam as a service from both perspectives. So what does it need and mean from a managed service provider and what from a customer, Kai, it's your turn.
Okay. Thank you, Mr. For the very well done introduction, I would like to take the chance to introduce Preto services a little bit. You might have heard of preta. Preta is a specialized distributor with a strong focus on technology for it security. And we have started building up a special business unit Preto services, which likes to support our partners and their customers, but for the resources for solution design proof, concepts, and implementation. For example, if you look at new new products, you don't have the manpower to evaluate these by yourself and lead assistance. That's right. Where we come in, we will guide you through the four phases. We've defined, discover design, deliver and care. And yeah, like the little picture shows you can just wrap the lamp. The good spirits will arise and handle the chop discreetly and competent. And when everything is done, we'll leave again and come back if you need us.
So to go further to why someone would need a Palm solution, we still have the yeah, well known problem statement. Then three out four breaches in the sort of data compromised data is that whenever a breach occurs, it was done through a privileged account. Because if you think of what these accounts can do, you have access to nearly everything within the, within the company. Now on the one hand, the administrator needs this privileges to do his job. On the other hand, there has to be a way to control it. And this is exactly where comes, comes into place.
For what we want to have a look at today is the product of Arcon, ARCOM, Palm, like to give a short introduction here as well, Aon, which has, is headquarters in Mumbai is on the market for approximately 12 years now. And you can say it's a market leader in the Asia Pacific market, and also yeah. Spreading to the European continent. We as a ER, services one to help icon deliver its solutions and also are yeah, looking quite, quite detailed into the, the capabilities that the solution has to offer and which, which components of the solution are good to be used with an MSP deployment.
If we look at the company as a whole, as a circle, you could say the part where privileged accounts have to be protected is only a quite small part. So the, the, of the circle defines the, the sector, which we have to protect and right into this part, the Arcon will, will fit. Now. Not every company has the same set of no necessary protection. So for all companies, these are different. Everybody has different products, we have different, a different databases. And so if you want to, or, or need to use a Pam solution, you have to make sure that it's offering a lot of connectors. So with Aon, we currently support about 400 plus connectors, which are applicable to most known systems like windows systems, security, network devices, and even web applications for any, for all of the well known. And there's also option to where very well customize these options.
So if we look at the objectives for as a service, we have to phase three questions first, why would a customer use P a service instead of hosting the solution himself? He could very well do that, but this is the question of, of cost. The question of knowledge, etcetera. So why not use Palm a service as we already have many solutions of other solutions as a service, then there's the question. What does a customer expect from an MSP that is providing the, the Palm solution? We talk about integrity, security, or the thing that the Mr Kuppinger was referring to. So these are all things and MSP has to face when offering a solution. And the last question, what does an MSP have to consider when implementing these wishes?
So if we look at the first question, so why using Palma service and at hosting it yourself, if you look at the current environment, we have transitioned to the cloud, which is going on, but this will not be only one cloud provider or one, one service provider. It will be a multi-cloud multiple multi-site multi domain, whatever you call it, environment where the pump solution has to fit at any point. So if we look at the current state, we can see that there is often no willingness on our resources to operate systems on, on our own. This is relevant for normal workloads, but also for a pump workload. So why not do the same with a pump solution? And if we, if we go onto the question, what customers expect from an MSP offering the pump solution, most it's flexibility, because this pump solution has to be cloud independent.
You, you could say so wherever I run my workloads, the pump solution must, must be able to, to connect and secure my, my workloads. So if we look at the classical features, the Palm offers like single Z on dual factor, password, wall, access control, and session recording. Future Palm service providers would also have to look at secure multi-cloud management and access, and also secure multi-site management and access because the workloads of the customers will, will be shifting today. We are running the service on AWS tomorrow, rather in Google or on Azure, or yeah. Which whatever comes next. So I guess the most important point is to be flexible with the, the Palm solution
Now around to our third question. So what does the MSP have to consider when implementing these wishes? We divide and do commercial questions and technical questions. At first for commercial site, it has to be a very simple consumption based licensing model. So as the, the MSP doesn't really know how much lessons he will need today, tomorrow, next week, next month, the model must be flexible. And based on, on a, on a re reporting level, you could say, then you have to see if there are any re reporting tool processes available so that the resources on the MSP side can, can manage this organizational, this organizational processes and reporting things. So if the license model is, is too complex or takes too much work just for the report, it's not a good business model for the MSP. And last but not least, you also have to consider licensing costs for necessary infrastructure services. So for example, every home solution also needs you need web service, you need load balances, you need databases, which clearly come into account. When, when looking at the, at the costs for the whole infrastructure, from a technical level, just the solutions support, multi domain multi-cloud. And does it provide a valid multi-tenancy? How is this multi-tenancy achieved that a separate databases? Is it divided on a permission level or the purely logical level, this taken into account, just a solution offer a single pane of glass for the administrator. If we look at, for example, 20 customers just can be handled quite easily, but that's a phase 200, 2000 and more customers. So future pump solutions need really to, to focus this, the single print of glass architecture,
Then there's a question of an automatic deployment today. We are used to yeah. Shop. You could say for resources, for services and workloads. If we look at AWS for, for example, so if the customer needs Pam solution, he just wants to edit into his basket. And the deployment runs automatically in the background.
We have to see the point that a lean architecture is, is necessary. So if additional jump servers are required by APA solution, we are right the question of a necessary infrastructure costs. And you have to make sure that the design of the solution, the access is, is designed very well. And that there are not too much, that there are not too much hops. I, I, I would say just to get to the management platform and manage your services. So this is also like say a very simple lean architecture is necessary to bring it to the point. Then we need to see the, the provider security. How is data separation between tenants done? Is that possible to bring your own key talent? So you, for example, have your own workflow HSM solution or so that you can make sure
If you look at the architecture of the pump solution, this consists of, I would say, in, in, on the basis of two service for once we have our application server, which runs standard Microsoft I service and provides access to the web based, the web based AR Porwal. On the other hand, we have encrypted database, which is from a classical MSSQL. This solution can, can also be clustered. So the, the whole Palm pump solution is available in ha model. Also do the, are, are available mostly based on standard Microsoft technologies and standard load balancing. The database we, we can see here is, is double encrypted by a standard, a code and a proprietary code, but you can in the most recent version, bring your own key so that you have the control over the data that is stored in the database. Because if we look at the combination of application and database, this makes up the, the Pam solution.
We have our services, which are encrypted our password world, and the secure single sign on this makes up our Pam solution and brings the, the security for the connected systems. In terms of the connected systems we have to divide between, I call them here onsite systems and remote systems, onsite systems means the clients, which connect to the systems have more or less direct network access from a security perspective. This can be a problem. And from a, from a cloud perspective, this is not always possible. For example, if you look at the multi-cloud multisite approach, onsite systems would be the systems let's say on AWS, we're also the pump solution could be hosted, but what about the systems on, on Google cloud? On, on, on Azure for, for this, we have a so-called secure gateway, which can be used remote or onsite and tunnels all connections securely through the target service. So you could also say the secure gateway is the only system that has network access to the target systems that do this wire simple firewalling and increase your security.
Oh, if we look at those different components, there's always a question where do we run these different components? Like I said before, you have the option to bring your own encryption key for the pump solution. So could suitable enough that you say the database is well can more as well run within the MSP environment, or you could run it on, on your own environment and just use the web service as, as a pump solutions over there, different approaches, which have to be, yeah. Have to be looked at. And F often let's say classical in environment, for example, still used on premise solutions. You could also very well use the, the secure gateway. This is your entrance for all environment. And when, when connecting to, to the pump solution to, to sum this up, when delivering Palm solution from, from the cloud, as, as Palm, as a service, there are still some tricky parts on the, on the placement for every component.
And you have to, to make sure that all systems are reachable and what to do in the case of, of a disaster. So for example, the pump solution goes down and you lose access to your service because there are no passports. There has to be an option, which you can restore these passports or regularly get them sent in a secure envelope or any other secure compliant, valid way. These are, these are points with which you have to, to consider when giving such a, yeah. When giving such a security product out a little bit out of your hands, I would say, okay, I hope I could bring this a little bit to, to your attention and yeah. Happy to answer any questions.
Thank you, Kai. That was very helpful. So let me make myself the presenter again.
We are right now at the beginning of the Q a session, we have already a couple of questions here and like how you already touched some of them, which are from my perspective, very important questions such as how do you connect to all the systems, regardless of where they run in the cloud on premises, they might also run at the MSP. And I think you already talked a lot about the, the potential or the way you use you work on with the secure gateway. So is, is there anything, maybe as one question, anything involved for a customer to, to, to, to do on that gateway, is it really something which just runs and he never needs to care about it and maybe where does it run? Exactly.
Yeah. The, the gateway is, is quite simple. The gateway is just a normal Linux system, which runs an SS H demon. And this is HD one for services, Y equipped SSH protocol. So you can harden the server, you can secure the server. And the only thing you have to make sure is that the client connecting to the target system and Theon application server itself can reach this system. Yeah. Via T C P I P. This is, this is everything we, we have to make sure. And you have full control over this gateway system, as you set it up with ever the distribution you want.
Okay, good. Another question I have here is how are encrypted credentials or by the client to password management,
The encrypted credentials are store in, in the database. So what is basically done a uses different approaches when connecting to the systems? For example, if we do a normal RDP connection, we have an exc file from, from Arcon, which does a direct query to the database, gets the encrypted credentials and passes them through to the RDP session. So there is at not at any point, the credentials are copied into Ram or by clipboard. So you could have the chance to grab those unencrypted credentials when they are, when they are passed. Okay. And yeah, different other, and we have different other approaches for, for example, if we have a third party tool, then there are certain rapid deal else, which retrieve the credentials and pass it to the third party tool. And we can also use APIs together this, but it's made sure that through and using the, the double encryption that these credentials are retrieved always securely from the database.
Okay. Yes. Other question I have here in front of me, can the client be first to use a connection through the secure gateway?
Indeed. It can, can be forced to use a secure gateway as Aon is working with the so-called lbs line of businesses, which could also be called a domain group or whatever you would call it. And the connection to L B for L B to secure gateway is 1 0 1, 1, 1 to one. So if I configure a secure gateway for an L B, all connections are forced over the secure gateway.
Okay. Got it. Then we have one more question. So, which is currently, so if you have more questions, please enter them. Now. Then one question is which databases are supported
Currently. We only have the Ms. SQL database supported. There are discussions about other databases on, on the roadmap, but currently for, for the solution, we only have MSS.
Okay. I just got another question. Is there an agent required on the target systems, on the managed systems
For the, for the basics basic com solution? We don't need agent there a secondary there's a secondary security measure which can block processes or commands for window services. There is an agent needed, but for the basic and simple pump functionality, no agent is needed.
So actually, as I've also said, in my part, in the privilege elevation piece. So when it's really about managing this, this, then you're usually more intrusive as, as all are while while other features don't require such agent. So when you look at this MSP solution, maybe this is a question more towards Mr. Shera, but also maybe you can answer it. So who, who do you see as the, the target customer or from a size, maybe from an industry, from a geographic perspective,
The, the target customer from the size can be, can be any, so you could say you could start from, let's say, five administrators and 10, 10 target systems to a hundred administrators and 10,000 target systems. The solution is quite flexible also in the, in the pricely way. So there is no high entry point to the solution.
Okay. And so that means that, that you really support the, the SMB, which has a concrete challenge in Pam. And this is relatively small, which also might require even a little bit of bigger set of, of managed services. And on the other hand, you support the, the large businesses, which say, okay, I, I need need more off data.
Yep. Definitely.
Okay. Let's quickly. Wait, if there are further questions as of now, I think we are already done with that list of questions. So if there is no more, if there are no more questions, then it's up to me to thank you very much, Mr. Sher, Mr. BELE, and to say thank you to all the participants of this cold webinar. I hope to have you soon back at one of our events or other webinars. Thank you very much and have a nice day. Bye.
