Webinar Recording

Controlling and Monitoring Administrative Access to Enterprise IT



Managing and monitoring privileged access to Enterprise Systems has turned out to be one of the most important aspects of IT security for almost any type of organization.

Well, good afternoon, ladies and gentlemen, welcome to this KuppingerCole webinar, "Controlling and Monitoring Administrative Access to Enterprise IT: Effective Session Management for Privileged Users". This webinar is supported by Wallix. The speakers today: my name is Matthias Ibar, I am Senior Analyst at KuppingerCole, and I will be presenting the first part of this webinar. In the second part, Chris Pace, Head of Product Marketing at Wallix, will join us. Before we start, some housekeeping and, of course, some general information about KuppingerCole. As an analyst company, KuppingerCole is providing enterprise IT research, advisory services, decision support, and networking for IT professionals. We do this through our research services, where we provide several types of documents, including our Leadership documents comparing market segments, advisory notes looking at various topics, vendor reports, executive views, et cetera. We do this through our advisory services, where we provide advisory to end-user organizations and vendors. And through our events, like webinars like this one, seminars.
And of course our main event is the EIC, the European Identity and Cloud Conference. The 2015 EIC took place in May, just a few weeks ago. And in case you've missed it, you can find all keynotes and some more material in the podcast section of the KuppingerCole website as videos. The next EIC will be held in Munich from the 10th to the 13th of May, 2016. And we think it will be again a must-attend event with a large number of speakers and sessions in the areas of identity and access, cloud, and digital risk. For our audience in Asia and Australia, the ICS, the Asian Identity, Cloud and Security Summit, scheduled for November this year, will surely be a great and highly valuable event as well. And please consider having a look at our agenda for all upcoming events, using the given URL. Some guidelines for this webinar: you are muted centrally.
You don't have to mute or unmute yourself. We control the mute and unmute features. We are going to record this webinar, with the recording and the slide deck going online on our website tomorrow. And there will be a Q&A session at the end of the webinar, but you can enter your questions (I really recommend doing this during the presentations already) at any time using the questions panel of the GoToWebinar software, or from depending on the language version you're using. Please do so, so that we can start the Q&A session right away with a good set of your questions. The agenda: first of all, I'm going to start out with the analyst view and an introduction into the requirements and benefits of privileged session management. Then Chris Pace from Wallix will take over and give us an overview of today's approaches for privileged session management.
And the third part will be the Q&A session, as already mentioned. So that's it for the housekeeping, for the introductory part. So let's start with just a few figures, which might be interesting and a good start. I'm using the 2015 Data Breach Investigations Report as published by Verizon. They looked at 79,790 security incidents from 2014, collected by a vast amount of organizations and security researchers. And when they analyzed this, they found clusters: 20.6% of all security incidents were classified as insider misuse, and 11.4% were actually privilege abuse. So the abuse of legitimate access by users who did something with it that they shouldn't have done. And 11.4% is quite a large number. And this shows that privileged account management is something that should be taken into account when making sure that the company is working on its security.
If we're looking at privileged accounts, there are usually, if you don't take any further measures, a vast set of challenges. First of all, they do have high privileges. This is the idea behind it. They have access to systems in a manner that allows them to do basically many things, if not all, from changing data, to find transactions, to deleting data, to starting and stopping services, or to shutting down the machines. So this imposes quite a high risk for the work with privileged accounts and requires people who really do know what they want to do, and hopefully they want to do what you want them to do. Usually these accounts are not in scope of the traditional identity and access management systems. So these accounts are maintained somewhere else, usually. And this is something that makes it difficult to identify the people who are actually performing the tasks that you are seeing.
So in addition to that, there is usually a lack of life cycle management. So there is no well-defined joiner-mover-leaver process for these accounts in place, as they are typically not people accounts, but just technical accounts. Usually you don't have something like request management. The users either do have the access, they know the password and the login, or they do not have it, but there is no process which guides them through a life cycle of an administrative usage. The main problem is that they are not associated with a real-life person, but they are shared between many people. Shared accounts are at that point quite an issue. And this means that usually there's no auditability on a person aspect, and there is no auditability in general, as once you have a root account, or an administrator account, or a DBA account within a database system, they are usually able to delete their traces if they want to, because they can. Typical requirements for the management of administrative accounts or privileged accounts: on the one hand, governmental compliance requirements.
These are things that you cannot control. These are in place. Once you actually start business, you have to make sure that you comply with national laws, or if you are in the EU, you have to comply with the legislation within the EU, for example, data protection laws. On top of this, there are sector-specific laws and regulations. You all know of them. They are typically available for the finance industry, for the healthcare industry, and for the utilities industry, but many more are in place. And when you are in the US, you all know about the regulations about Sarbanes-Oxley, which came into being after the finance issues at the turn of the century. And on top of that, we have industry compliance requirements, which are not really laws or legislation, but it's something that you have to comply with anyway, because you are working in an industry.
And a very good example, we will have a look at that later, is PCI DSS, which is always relevant once you are processing credit cards. And another example for requirements that are usually in place, and sometimes your organization just wants to make sure that you are complying with them: these are frameworks, standards, and best practices like ISO 27001, COBIT 5, or ITIL. As a real-life example of what is really required to do, and I've mentioned it before: PCI DSS is the Payment Card Industry Data Security Standard. And once you are dealing with credit cards, that means you are offering an online shop or phone centers where you can order something and pay for it via credit card, once you have a system like that in place, you have to comply with this, because the credit card issuers make sure that you comply with that.
The source for that is given below: the pcisecuritystandards.org website. Make sure that you have all information at hand. And if you look at that, this is quite a large number of requirements, and this is difficult to comply with when you don't have an appropriate solution and the appropriate processes in place. What is mentioned with Requirement 10 says: track and monitor all access to network resources and cardholder data. And this is then specified as: keep audit trails of all access, and do this for all users, including root and administrators. You have to make sure that you are logging login attempts to identify, for example, brute-force attacks on passwords. You have to make sure that you audit changes to system-level objects, for example, database tables, especially when it comes to financial data.
And you even have to make sure that you have control over the audit logs, so that nobody tampers with the audit logs. And this set of requirements is quite a challenge for many organizations without any further mechanisms in place. And this is what we're talking about. We are talking about making sure that these requirements can be met in an appropriate way, but this is not the only reason to do this. We want to go beyond the legal requirements and the audit, and we want to do this for good reasons. First of all, your systems typically store your intellectual property: your recipes, your blueprints for machines, the basics for your business model. And this is something that has to be protected, for example, blueprints and corporate strategies. Another point is confidential business data, actually the data you are working with from day to day. And this could be information about mergers and acquisitions, but also financial data, your own financial data, which is, of course, something that you do not want to be seen in public, or the data the customers hand over to you to take care of.
So your customer data also is something that is on the systems that administrators and root users take care of and which they have access to. And another example would be protection of company-confidential communication. So all the information that runs, for example, by mail or by chat between the board, between HR and the employees, or with legal and audit. And a final point that you really want to take care of, besides the actual legal requirements, is the infrastructure availability. You want to make sure that the systems are up and running, that they are performing in a way that you want them to. You want to make sure that there's no misconfiguration, either deliberate or accidental. Errors can happen, but they could be prevented. And especially you want to avoid the disruption of the service in general. The threat impact that we are looking at is growing.
And this could be something that can result from misconfiguration, from false behavior by administrators and privileged users. We are looking at something that could be damage to people and physical equipment, because somebody controls operational technology as an administrator. And this could be really resulting in actual danger to people and your equipment. It could be information theft, so somebody gets information he should not have access to. You want to make sure that your company as a brand is not damaged in its reputation. We have been talking about availability risks, so that everything is available in the way that you want it to be. Loss of information in general: so if you're looking at information that is just disappearing from your system because somebody just typed the wrong commands, which makes a complete partition go away. So you want to make sure that the information is there, that it is consistent and reliable.
Blackmail is a special case of that: once you are blackmailed because somebody has access to information and just returns it to you once you've paid a certain amount of money or virtual money. And there are lots of other threat impacts that could be possible and that should be avoided. Session management, in the case that we are looking at, so as a part of privilege management, is actually the step to make sure that we have active management of the accounts, of their access, of the sessions, and what they're doing during their sessions and how they are recorded. So we do talk about surveillance and control. We look at the separation of user accounts and administrative accounts, to make sure that no typical user has administrative rights, just in case it cannot be avoided. So there are some systems that do really require that. Very important:
We have to associate the responsible account. So you have to make sure that Matthias was the one who used the root account when this strange thing happened to this Unix server. We have to have traceability. So we have to make sure that we can actually have a look at the complete trace of actions that were taking place. And again, accountability and responsibility: identify the people who did it, and who actually approved that this user had access to this system. Let's have a short look at typical privileged accounts, to have a common understanding of what these accounts typically are. And we're looking at the infrastructure that we do have. We're looking at actually our day-to-day work material, which is the desktop PC or the laptop with a desktop operating system like Windows. We are talking about applications like SAP, for example. We are looking at database systems, again, as infrastructure, with Oracle, MS
SQL, and many others being in place. Server operating systems, for example, Unix; server operating systems like Windows Server; or virtualization platforms like VMware or many others that allow for the concurrent execution of many operating systems at one time. And once you have access to such a hypervisor software, you of course then are probably also able to have a look at the machines that are running in there. So if we look at the typical accounts associated with that, that would be, for the desktop, the local administrator; the database administrator for the databases; and the administrator for the server and the service accounts for the server operating system on the Windows side. And you know all of these other accounts: the SAP administrators in an SAP environment, operator and the access right group SAP_ALL. On systems you have, of course, the highly privileged superuser root, but there are many other accounts that are not associated with people and have quite some privilege.
For example, service accounts like MySQL, or the cron account running scheduled tasks. Finally, the virtualization administrator in the virtualization platform you're using. Privileged user management in general is comprised of many building blocks. And many of them actually have to do with session management, which Chris will talk about later. And first of all, we have the life cycle management of the privileged users. We have access request management. So that makes sure that once somebody wants or needs access to a system, to a typical administrative account, he has to request this access. He probably has to send a business justification or technical justification of why he needs it. And it is sent to somebody who, in the four-eyes principle, makes sure that this is checked and approved or not approved, to make sure that the access is really valid and required.
We need secure authentication. We have to make sure that the user who is actually accessing the system is securely authenticated, that he is who he claims to be. This requires some portion of password management. So nobody should have the root account password in his hand, but there should be a mechanism that makes sure that you just have a way to log into the system and, in the best case, without knowing the password, but the system takes care of it. The same is true for SSH keys, when you're not using passwords but have gone a step further for security. Of course, we will have authorization. Not everybody needs the full access of a root account, but you probably just need access to a certain part of the file system, a certain subset of commands. We need logging and audit.
We have to make sure that everything that is done is actually recorded and can be checked later on, or in real time, for what is actually going on. Session management is a part of all of this. We have to make sure that we have clearly identifiable sessions, which have a start, which have an access request, which have an approval, which have a log, and which have a defined ending. Session audit goes hand in hand with that. We have to make sure what happens in this session in real time. Can we have a look at it as a supervisor? Are there probably some mechanisms in place which make sure that there is some real-time analytics of these sessions? And these are a typical, not complete list, but a typical list of building blocks for privileged user management and for session management. And I think Chris will tell us more about this later on.
So from my analyst point of view, session management is built from the following building blocks. First of all, the user, the administrative user, the privileged user, sends an access request. He provides some justification. He wants to make sure that he tells us when it will be taking place, so it's scheduled, and how long it will take, and which access is required. We need the approval and have the four-eyes principle in place, for somebody who is actually responsible for this session at a management level, as line management, or at a technical level. So he or she has to make sure that the request is reviewed and that there is appropriate documentation and audit of the approval. Then the user authenticates securely. We have to make sure that there's protection of keys and passwords, so nobody is able to get to the system in other ways than the way that we are wanting them to go, that is, through the privileged user management system. And we have to make sure that there's a clear association of the admin identity to the session identity, so the user to the technical user. Once this has been done and the user is identified, we have secure authorization, and only the privileges are assigned as requested and approved.
Then actually the fun part for the administrator: the active session. But we have to make sure that this active session is logged when it's a text session, that it's recorded when it is, for example, a graphical user interface session, and that it's probably supervised by somebody who looks over the shoulder virtually with a supervision component within the privilege management. In the best case, we have real-time analytics that makes sure that no wrong clicks are done, no wrong commands are typed in, wrong in the meaning of undesirable. And we have probably something like manual intervention by the supervisor, or automated intervention based on real-time analytics. And finally, we will have archival and audit, which means we have the possibility, first of all, to provide evidence of what has taken place. And we have the possibility to identify false behavior afterwards in that type of ex post analysis, which is analysis after the session. Final slide for me is IT and business, where basically I have been not talking only about administrative access by technical administrators, except for the SAP users.
But in general, we are of the opinion that we have to look at both types of administrators, because I have been talking about administrators in IT, for the operating system, for infrastructure, on the network, but there is the other side of the medal, which is the business side. And all these systems that are listed here, they do have highly privileged users, and they do need appropriate maintenance and governance and surveillance and control, and probably real-time analytics as well, to make sure that these highly privileged users follow the same guidelines as the IT administrators do. So what we do think is that privilege management is one part, but it has to be a part of a bigger concept, which includes access governance, which is the typical IAM discipline and a system which is on top of a traditional identity and access management. And probably some integration into a larger-scale, business-side GRC system, either from SAP or other providers.
And that this is all built into one overall approach. And the privilege management is one important part of that, which makes sure that we have monitoring, control, and audit in place, that we do have analytics and intelligence within newly built systems which have real-time analytics, that we do have recertification in place. And we make sure that all access assigned is always subject to the check of the segregation of duties rules. And this is my last slide. I would like to hand over to Chris, and maybe he can pick up on some of the points that I've mentioned, and I'm looking forward to his part then. Yeah, everything's fine.
Perfect. Assuming that you can, let's make a start. So as Matthias mentioned, my name's Chris Pace, I'm Head of Product Marketing for Wallix, a provider of privileged user management solutions. And I'm going to talk a little bit towards the end of the presentation about some of the features of the product, not in any real depth, but to tie up with some of the things that Matthias has already mentioned. But to begin with, what I want to think about is some real-world views about privileged users. I want to share with you some stories that come from CISOs and IT security managers who I've been talking to, to try and give us an idea of what things are really like out there on the ground. So we are certainly seeing, well, everything changes in IT all the time, but we are seeing the traditional network perimeter certainly begin to dissolve.
We're seeing ever more IT infrastructure being outsourced. Our concept of what privileged access even is, as Matthias was explaining, talking about business users versus IT users, all of those concepts are changing. Business users are becoming as technically savvy, and certainly as willing to adopt the newer technologies, as your traditional IT department has been. And therefore there is inherently an increase in risk. And that risk surrounds the data that you may be responsible for securing, or around the systems that you manage. And then we throw into this mix the sheer number of different individuals and organizations outside of your own business who now want to get access to your internal resources and are perhaps even responsible for managing that infrastructure, if you have it hosted somewhere else, or you even have it hosted in the cloud.
So all of those changes that are happening, all of the different ways in which we're seeing IT being used inside businesses, is entirely changing our view around privileged access. So just to tell some stories from the CISOs then, and I used this quote: we went to a conference recently where a number of CISOs were all gathered together. And one of them was working for a very large communications company here in the UK. And I've quoted him directly here. He also mentioned that this is the thing that loses him sleep at night, but what he said was: privileged access is the beast we still haven't tamed. And I want to try and explore a little bit why that might be. I think much of it is to do with the organic growth of infrastructure.
If you like, what we don't see in businesses, and you don't see in your network, is you rebuild the thing every week. That's not how it works. It develops and it grows and it expands. And as it expands, it becomes ever more untamable. Privileged access to IT infrastructure for IT admins was, you know, way back when we all started out in this business, a necessary evil for a long time. You know, I have to give IT admins privileged access to all the systems. It's not so very long ago that organizations were using a central domain admin account for most server access. And very often that admin account had a password that might have been guessable. And it didn't usually change, even if someone who had access had perhaps left the organization. Then what happened was businesses developed to a point where individuals were given their own domain access and it was personalized, but then certainly the idea of monitoring or auditing access would not have been a concern.
It wouldn't have been something that we were bothered about. Visibility of active sessions would only ever really have been a concern around resource or performance. Why are we having this network issue? Why is this server not working properly? Then we might have been interested in auditing, but now it has to be a concern we take seriously, because we're considering data security and we're considering compliance. Actually, it's the advent of compliance and the risks to data that are increasing that should be transforming all of our attitudes and causing us to think seriously about how we can vouch for the safety of that data. Now, Matthias already talked in quite a lot of detail about how strict the requirements are around securing systems that deal with payment card data, and the auditing and monitoring of privileged access is certainly a key to being successful in that area, to ensuring compliance around PCI.
And that would bring me back to talk more specifically about privileged access. Whilst I agree with Matthias that we have to look at privileged access as part of the identity and access management challenges that you need to address, I think the worst thing that you could try to do would be to try to wrap privilege management up with IAM and run some enormous project to deploy it into your organization. Actually, you can start to deal with privileged user management really very quickly, and you will see it as a fast route to compliance, particularly when we start talking about PCI and payment card protection, because you are aware of where that payment card data is. You are aware of the systems that deal with those particular types of data. You can begin today to start addressing the privileged access management concerns you have around those particular systems. Other concerns:
I think that would come out of this: transparency in terms of what's happening with your cloud systems. Perhaps one of the reasons why you are not quite at a point where you are ready to take the step right out into the cloud is because you don't think you can see enough of what your cloud provider is doing. In fact, the Cloud Security Alliance recently ran a survey and released a report that said that 80% of those people surveyed, who are IT security professionals working in finance, had concerns around auditability and transparency when it came to cloud services. Privileged access management and privileged user management can help you with that. Also, this is a bigger issue than just simply privileged users inside your organization, or even privileged users that are third-party service providers or contractors. The fact is that the goal of every malicious outsider, whether that is somebody who is, you know, a hacker who is targeting a particular business, whether it's an advanced piece of malware, whether it's a vulnerability that someone is looking to exploit, whatever it is, ultimately, in order for that threat to be successful, it will need to use at some point a privileged account.
It will need to get elevated access. And that's what every one of these threats is looking to do. It's looking to, once it gets inside, increase its privilege in order to be able to move laterally across your network. So we need to think about the management of privileged accounts not just as something separate to do with IAM, but we need to think about it as part of the entire security posture. If a hacker gets in, they will take advantage of your failure to secure privileged access. I can give a recent example of this. We saw the VENOM vulnerability, which has been heavily branded, and a lot of PR done around it. And we've seen a lot of press coverage, but actually the bottom line when it comes to VENOM, as much as it is a concern for those who are running virtualized systems, is that if you are securing privileged access, then VENOM stops being of a concern to you.
It can only move laterally with elevated privileges, with root access. And that's why privileged user management solutions can begin to address some of these outsider concerns, to become a part of your entire security posture, not just something that is about managing IT admins. And just to talk a little bit about that, I was talking to another CISO last week who had tasked a red team. I don't know how familiar you are with the terminology around penetration testing, but a red team is essentially a team of penetration testers who work together in order to attempt to gain access inside the organization from the outside, to get in. And one of the things that he shared with us was that actually, if you put some very simple blocks in the way of gaining privileged access, that will very often be enough to deter even the most determined hacker from the outside.
It's another thing to bear in mind: by investing very simply in privileged access management, you can begin to reduce some of your other risks as well, because you may be investing heavily in lots of perimeter security and all those kinds of things, but actually it could be that the softer parts inside your organization, where you are not securing privileged access, might be where a hacker will ultimately get in. And I'll talk a little bit more about that in a moment. So just to give you an overview of what our product Wallix AdminBastion does, I'm going to do that first. And then I'm going to give just a few very specific scenarios where our product can help, and line it up with some of the things that Matthias has already been talking about.
So Wallix AdminBastion is a privileged user management solution, and it gives control, monitoring, reporting, and auditing, all in real time, of access to servers and other devices across the network. And one thing I'll take an opportunity to say at this point, a kind of technically specific thing, if you like, is one of the real advantages that we consider that we have. Well, I'll say two of the advantages that we have in this particular area. One is that because we don't install agents onto target devices, we act as a gateway for a user to go through and access a target device. That removes a lot of the overhead on the systems. And it also means that we can do a lot more in real time. And that's the second advantage: the fact that we can provide information back to IT security in real time, if you need to intervene.
If someone, for example, is doing something they shouldn't, it's that four-eyes principle that Matthias was already talking about. So where are some of the areas that we are able to help, and how can we help? Having visibility of changes made to servers and other systems makes change control and security better. So what we do is we create a single gateway for access to those resources. This means from a single location, you can easily define access to the right devices, or applications, or servers for the right people. You can move away from sharing accounts or passwords around. What Wallix will do is it will connect to those devices, encrypting the credentials, as Matthias already mentioned. So keeping those root or admin credentials away from the end user and passing them anonymously and encrypted through to the target device. So the user only ever connects using their username and password.
And again, to talk about the, the lack of agents for a, for a moment: because there are no agents to install and we're using a standard protocol to connect, that means that it's almost completely operating system agnostic. So it will work with both target Cisco devices that have got command line interfaces up to Windows devices. And it can also be pointed at specific web applications, for example, if you want to use it in that way as well. So the lack of an, of an agent makes it much easier for you to connect to many different kinds of devices. Then in terms of meeting compliance, I've already talked about this a little, but the root of most compliance requirements lies in your ability to prove that you made the efforts necessary to secure the data on the systems that you are responsible for. And this is where Wallix's ability to provide extensive control over access and fully audit those sessions beyond simple event logging can bring huge advantages and could really provide you with a very fast route to compliance, as I mentioned.
So it's really simple to begin managing session activity on servers that you have identified are of a high priority. You can begin to do that within hours, minutes, and that's a real advantage where you are looking to, to, to find the fastest route possible to ensure that you are compliant. Putting a system like Wallix in the way of access to those devices will help you to achieve that much more quickly than relying on the inbuilt security in the, you know, in the particular, in the particular servers or devices that you are, that you are using. So that becomes a, that becomes a distinct advantage.
And then finally, and very briefly just to talk about third party providers and contractors, we are seeing increasing numbers of individuals or companies having access from outside your own organization. And very often businesses and organizations have no way of ensuring that those third parties and contractors have the same level of security or are, or are controlling access to systems and data at the same level as, as you would. Really, you could and should do that as a minimum. We've seen so many examples now of businesses who have given third party access via VPN accounts, which aren't necessarily monitored. They aren't necessarily managed, but they are required in order for that third party to be able to do the work that they need to do. And one specific example that I can think of here is the Target hack, which was one of the, the biggest, we heard a lot about it at the time.
And it turned out that one of the problems there was that VPN access was given into point of sales systems. And of course, what happened was that the, the organization at the other end, the third party, they turned out to be vulnerable. And once someone was inside there, they found that they had simple access to all of the point of sales systems across, across Target. And that really impacted their business in a, in a big way. The CEO of Target resigned. That's how big a deal that was. What we want to give you is the simple way to force secure access from these external providers. That's the first point. And secondly, and maybe even more importantly, though, to give you visibility of what they have access to and what they are doing with that access. And just one difference to point out between, for example, event logging or SIEM versus privileged user management and monitoring and auditing, what we provide you with.
And again, this is because we use an agentless system, and we act as a gateway to the device. We are able to provide you a log of what actually happened during that session, not just an event log, but a, we use optical character recognition to capture the activity on the screen. So if somebody clicks to open a command line and types in commands into the command line, we will capture and store what they've typed in. We will capture and store what they have clicked. We will capture and store the applications that they've opened. And what that enables you to do is it enables you to look with much more clarity at what's happening on those systems. And it also means that it's much easier to revoke access in the event of a change of scope. So for example, this third party is no longer responsible for that particular action.
So therefore we remove that, that ability for them. And also if, if staffing changes. So if somebody leaves that third party organization, or you decide to no longer do business with that third party organization, you don't run the risk of them remaining with access to your, to your systems. So all of those, all of those things are a, a big advantage when it helped. And, and there's so much more outsourcing now. There are so many more third parties who have access to these systems. It's vital that you have a way to, to, to monitor. And it's vital that you have a way, as Matthias talked about, to approve those access requests and to give the right people, the, the, the right access to the right systems whilst maintaining that four eyes principle, because ultimately it's you and your business that is responsible for that data.
It's not the third party. And that's why you have to do as much as you can in order to secure, monitor and, in the event of the worst happening and, and something getting breached, that you have an audit that you can return to, that will give you all of the information that you need. So just in, in, in summary of, of everything, really the, the point that I want to make is that I would be disappointed if there was a feeling that access management or privileged user management was something that you can only do with a large scale project or a, or a, a, or a big investment, or, or a huge army of project managers and, and, and outsourcers or system integrators, because that simply isn't the case. You can target your high priority systems. You can target the systems that have the most sensitive data.
You can target the systems that I would say appear in your highest tier of security. And you can begin to address the privileged access challenges around those devices and servers today, and you can do it very quickly. And that means that you can, you can reduce your, your, your biggest security risk in the shortest possible time. And that's a good place to start when it then comes to looking at the rest of your identity and access management challenges, but privileged access to this kind of, you know, high priority data must be at the top of the, at the top of the list. And don't let it end up on a big list of things that you feel you can't achieve. If you target this as a problem to solve quickly, it will enable you to move sort of on the, on your journey in identity and access management. And that was all I really wanted to say. So I'll hand back to Matthias for the Q&A.
Yeah, thank you, Chris, for this great insight into your current experiences from implementing such systems. And now we're coming to the, to the Q&A session. And again, I want to ask our participants to, to add their questions for this Q&A through the questions panel on the GoToWebinar panel. And first of all, I want to start out with one question. You've already touched on security information and event management systems. And I think they are in place for some companies already. Is there a way to, to get to a, to a joint solution, to a common solution where information from your system is fed into the SIEM system and analyzed there as well?
Yeah, and I think this is one of the, where we have one of the big advantages with the way that we're able to not just produce an event log and say, well, somebody logged on and they logged on for this amount of time, and then they logged off again. What we really want to do is to see, well, what happened during that session. And so as all that information is available through our system as a syslog file, we're able to push that syslog information into, into a SIEM solution where it can be, where it can be analyzed in exactly the, in exactly the same way. Of course, the advantage really is that it's in plain English. It's not a, you don't have to decipher an event log. It will show you, you know, this person opened the control panel. This person opened the command line and they typed this command. You know, that information is much more useful if you are not a SIEM expert, or you're not a, you know, you're not an IT forensics professional. And that's why it's a good starting point for some businesses to be able to begin with the privileged session logs and be able to see exactly what happened on systems, if they're looking to deal with either a, a problem or, or look to investigate after a breach.
Okay, thank you. Are there some, some, some typical findings that you, that you have when you go into an organization? And you said you are, you are easy or quick to, to deploy such a system. Are there some typical findings that you, you, you come across every time you, you visit such a company and which probably even surprise the, the, the management or the administrators?
Yeah. One. Well, there are those things. I wouldn't say there's necessarily a trend of things, but one of the things that we see a lot is that after a little bit of analysis, businesses become aware that their admins, and very often they're, if they're using a managed service provider, very often their managed service provider is spending a lot less time logged into systems remotely. Now, I think that's probably because they now know that they're being monitored. So that means that they're much less likely to log into a system and do whatever it is they need to do. And maybe they accidentally leave it logged in, or maybe they, I dunno, maybe they just take longer to do whatever it is they need to do. But certainly we've seen customers who, who have seen an increase in efficiency from their, from their service providers, because now they know that the customer is able to go into the system and look at what that, what that service provider was doing on their system over, over a period of time.
So that's definitely a, a trend that we see. The other thing of course, that we see is they begin to realize how many people were using different accounts to access servers. So once they begin to remove the ability for a person to use an admin account, or perhaps a super user account, that's been floating around for a lot of time, and suddenly people are coming to them and saying, well, I can't get access to this server anymore. And a lot of people are coming to them and saying, oh, I can't get access to, to this server anymore. They begin to realize how much kind of unmonitored, you know, not audited access to these systems was happening. And that's where really, you know, we're looking to, we're looking to help IT security get, you know, and, and, and governance and compliance to get better visibility of what's going on with those systems that have got, you know, precious data on them.
Okay, great. Great to hear that, because I think, yeah, there should, there should be some quick wins and I, I expect them to, to be there. Another question from, from the audience is: compared to conventional ID governance practices, how do you feel privileged accounts should be recertified? I think the question's probably also about, is there a distinction between the actual technical account, which is maintained behind the scenes, and the actual access by the, by the personalized administrator? What, what is your feeling about that?
Yeah, and that's a very, that's a very, very good point because of course, but I have a feeling that as far as any regulations are concerned, as far as any compliance criteria are concerned, all, all they care about is the definition of credentials as something that give access to a system. So I don't think that for example, PCI would make a distinction between access through a privileged access management solution, for example, or access directly to, to a system. I think that's only because the number of businesses who are using privileged access management or privileged user management solutions today aren't big enough for that to become a concern. But I think as we see more businesses beginning to enable that, I think the compliance criteria will catch up. And I think they'll begin to start defining, you know, if you have systems that are, you know, contain XYZ kind of data, let's say it's payment card, for example, it must be accessed through, you know, a solution where activity can be monitored or, or recorded. So I, I think today there probably isn't enough of a distinction, but I would hope that ultimately there will be a distinction between, between access via privileged user management and access directly to a, to a target system.
Okay. Thank you. Probably one question: the, the effort needed to onboard an administrator to his system. How big is it? So to put it the other way around, if I have an, an external contractor who wants to install an update or install a piece of software on the box, yeah, how long does it take to, to get him into the system and to have him monitored appropriately?
Okay. So there's sort of two ways of doing this. The best way to talk about third parties is to go back to access requests. You were talking about access requests in your part of the, of the presentation. So let me talk a little, little bit about access requests. And I, I hope that will give an answer to the question. So in the event that somebody is looking to access the system for the first time, and let's say they're a third party or a contractor, you would only need to give them permission to log on to the Wallix solution. So you can provide them with access to the Wallix solution. Inside there, they will see the list of available resources. Now it may be that they currently do not have access to a number of those resources. So if they click one of those resources that they do not have access to, Wallix will ask them, do you want access to the system?
Why do you want access to the system? Do you have an associated ticket number that goes with a, you know, that goes with a, a change management request that's already in, in progress, for example, for you to access this system? Once the contractor or third party enters that information, it will then email a, a security admin or someone responsible for managing the Wallix solution. And, and that person will be able to get instant access to that system. It doesn't use any, you know, proprietary installers. It doesn't have to have its own application or anything like that. It uses the standard protocols to connect. So as long as they have a web browser and they have VPN, in fact, they could do it all through a web browser because we also use an HTML5 web browser for access, if they want to.
So they don't even have to install, you know, a VPN or remote desktop. If they, if they don't want to, they can do it all through, they can do it all through a web interface. So it's, and just a couple of other things to talk about around access requests as well, before I wrap this up. Access requests can then also be configured for either what we call dissolving access, which is basically it logs you in once and you don't see a password. You don't have to enter a password. It logs you in, you, you click a secure link and it logs you in, and then once you log out, your access to that system is removed. So that's the dissolvable access. The other way that we do it is with a, is with a one-off password. So you can type in a password. That's a one-off password that will work for a set number of hours or days.
And then the other thing we can do of course, is give them access to that system through, through Wallix permanently. So there are lots of ways of managing that third party access. Importantly, and I think the thing that, the thing that a lot of our customers like, there are lots of ways to drive down the amount of access, because that's where the real concern is. The concern is that every time you give someone access to a system, the concern is that they hang onto that access and they may be continuing to use it when they don't need to.
Okay, great. When, when talking about security for, for the, for the, yeah, for the authentication part, you, you mentioned that everything can run within a single browser session for, for security. Do you also provide multifactor authentication? Is this possible to make sure that the access to such a system is better than just root plus password?
Yeah. It will tie into, it will tie into two-factor authentication systems. Yes. So if you want to enable it to use tokens or whatever, whatever system it is that you're using, you can, yeah. You can absolutely enable that.
Okay, great. Probably one last question. We are almost close to the end of the one hour slot. What if I have a, a, not only an on premises solution, but also run cloud services, can they be integrated just as if they were on premises or do you make a distinction at all?
We, we don't have to because this, because, well, it acts as a, as a gateway to any systems that you've got in any network. You can place a virtualized version of, of the system ahead of your, either your hybrid cloud or your private cloud, or if you're using public cloud services, really, however you want to. And it will work in exactly the same way as if it was, as if it was inside an organization. The other thing that we make available to, to cloud service providers or to managed service providers is Wallix as, as an on-demand solution. So if, if you, if you've got a cloud provider, then you could, you can ask them to, to place it ahead of your, your own infrastructure. And that's a lot for visibility and for your own security. So it means you know exactly what your cloud service provider is doing, you know exactly how they're accessing your, exactly how they're accessing your infrastructure. And that is a, that's a, we're seeing cloud providers now looking to take that up because they recognize that their customers want visibility of what's going on with the infrastructure that they've put into the cloud.
Okay. So probably we have time for one more question, short answer. When you're provisioning access to a new privileged user, this, it refers to your, your former answer: wouldn't a preset role-based access list be more efficient than a request-based one?
It, it, yes. And it could be configured to be, to be done that way. There's, there's, there's no question, but I, what I said right at the end of the answer was the thing that we find is really important to customers, which is trying to drive down as much as possible who has access to what. So whilst I understand that often for the third party or for the contractor, perhaps it becomes more onerous than they would like to have to ask for permission to access a system, the better thing is that they only get access to the systems that they need. So whilst you could pre-populate, you could pre-populate the system with a whole set of, you know, as you say, role based, you can, you can create roles and you can create groups of systems or target devices within those roles. That's absolutely possible. And we have lots of customers that have done it that way, but, but with third parties and, and, and contractors, particularly the real advantage is the limited time access or only giving them access to the systems they need to do their particular job for that particular time period.
Okay. Thank you. I think that, that, that clarifies that as well. So I think that's it for today, for today, I would like to thank Chris for his presentation and for the great answers to the questions and the great Q and a, and maybe give you the chance for some, some final words, Chris.
Well, I already made this point a couple of times, but they say you should always make a good point three times. So I'm gonna make it for the third time. And that, and that is that we, I think the, the, where we've arrived is that privileged user management, identity and access management generally are seen as being hard. They're seen as being something that we have to invest a lot of time and effort in. We have to have big projects. We would encourage you to look at solutions that you can deploy quickly, that will help you to deal with things like privileged user management. And, and you'll see, you'll see the extraordinary benefit of that. You'll see how quickly you can get to a more compliant posture. And that's, that's what I would want to encourage more than anything. Don't be daunted by, don't be daunted by the idea of managing privileged users, because it's something that can be done and it can, and it can be done reasonably easily. We, we have enough, we have enough customers who will, who will vouch for that.
Great. Thank you. Okay. I would like to thank the, the attendees for listening to this webinar, for contributing their questions. And thank you. Hope to have you in some other webinars or probably in one of our seminars. Thank you very much and good.
