So welcome to everyone here. We are also connected to a live stream and there are some people watching and listening remotely. So when there will be some questions from the audience, it would be good if you are also using a microphone. I will give it over then. Okay. So maybe a quick introduction. My name is Stephan Robin. I am the regional director of Warwick, a European French manufacturer of cybersecurity technologies, especially privileged access management. And with me there is my colleague Guido Craft. He is senior consultant and also ISMS and also ISO 27001 lead auditor. And he was the main author for this risk class model that is based on the German BSI but also on the ISO 27001. So what we have prepared for sure is three hours are a long time and maybe we don't need it fully. So I think we can see that after an hour or so we can maybe do a break.
Depends on you for sure. So what we have prepared, this is I just do it a bit quicker, so here, Okay. So we would like to introduce generally what is the nature of such a risk class model? So we are talking about access management, so meaning the control of accesses, either human to machines or machine to machines. And how we can secure these connections will be managed with some policies that have been provided by the ISO 27001 or even from the BSI IT-Grundschutz. So we will then also show you the general architecture, how an access management technology could be implemented. Then we will really talk a bit in detail about the BSI and the ISO 27001 and for sure you will also get a short demonstration to see that. You can see how this is then really looking in real life. And then for sure we were talking about best practices, how to organize, how to set up such a project.
It would be great as this is a workshop if there is a, if there is also feedback coming from you or if you have any questions that you are directly asking. So we are in a small round and I think this is okay, we have enough time and we are also flexible enough. Maybe you are here because you have chosen this, this workshop. Is there maybe anything would you would like to see, especially before we start any expectations? Quick question. Is it possible maybe to have another second microphone we can share when there is someone from the audience. Okay. Okay, anything, any requirements, any ideas or just listening? Interesting. Okay, here is the microphone we used and if needed. Okay, so then I start, interrupt me please when you have questions or when you want to comment something. Okay, so generally the main technology we are talking about is access management.
This is not just privileged access management, this is really access management for all types of accesses. So for sure the classical privileged access management is included. So how we can secure the access for users with extended privileges. So like administrators who have, at least because of their roles, because of their privileges are higher risk to damage a system than others. But we will also talk about standard access. And finally considering the endpoints, we will talk about accesses really on very operational system, near processes like application processes that are running on an endpoint. So why did we do that? And the idea, and again thanks to Guido, the ISO 27001 lead auditor, we were, we were working at least in this privileged access management project space and we have realized at least in Germany, some other regions or other countries are a bit more forward. Here we were realizing that several times projects have been moved or delayed. So at least we didn't come in many cases to a successful closing and it has been delayed and there were several reasons for that. One of the reasons is that there is still something we need to communicate. We need to educate the people what is really the rule. And for sure also the importance, the meaning of access management in the cybersecurity for sure.
If you are really want to control a rule-based concept with all your accesses, this could sometimes require a very complex requirements catalog. And this is also the aim, the goal of this workshop today, how you can really simplify that. Another point is for sure also that several organizations, the customers very often have very limited IT resources who could not also take care about such a project which is also very identity management driven. And last but not least for sure the expertise in such a project. And this is the objective even for today. We would like to show you really the rule and what we can achieve with access management in the cybersecurity and how you can really implement it. And this is what we want to tell you to show you to discuss with you this risk class model. And finally that we are also be able to using a cybersecurity technology indeed really to improve the productivity, especially when we are talking about workflows processes.
And here we will work with a standard, a standard business process, a production process that was, let's say officially designed by the BSI. So this is a standard reference business process where we have for sure a process chain where the different elements have to interact with it within each other. So for the main business process, we also have sub processes and for sure we have resources dealing with that. This could be the machines, the materials, but also the users who have to interact. And for us, when we are considering cybersecurity or access management in the cybersecurity, it is very important that we have an understanding how these processes will work, how we can assess the criticality of each element and how to ensure that the general workflow were really working fluent. And this is indeed as we can see we have machines in these processes.
We have applications, we have databases, we have computers at least we have also in the OT space, we have robots for the production. We have an OT management system like SCADA, engineering stations, we have scripts, we have programs that are let's say connecting to each other and this is what we all have to consider, but it will be not as complex as you may see now. So what we want to achieve, the objective is absolutely clear. We want to have efficient business processes, meaning that we can also achieve a maximum level of optimization. Finally to have a total cost of ownership, which is ideal for an organization. So meaning we want to ensure that a process chain is really working fluent and also secure. And on the opposite we want to avoid that this process chain will be interrupted for some reasons maybe because of an incident or like an unauthorized activity between each other.
And this is for sure we want to avoid that this process chain will be stopped or killed for whatever reason. So the idea is to find the ideal balance between for sure the productivity, the profitability, the optimal total cost of ownership also versus the cybersecurity and the risk management. So considering this process, we first have to ensure that the main chains, the elements of the chains are really inter operating securely together. That we can also manage these interactions, monitor the interactions and mainly control these interactions. And that also means that we have also to look to the different machine to machine connections which are very often done by scripts, by applications where you have very often access data in clear text. Maybe if you remember September this year there was this hack of Uber. So this taxi, this driver organization Uber and they have especially been hacked because of a very, let's say harmless attack that non-privileged user accounts could be stolen and they were then be able to have access to the entire network.
Secondly, they could look around, could jump to another subnet and finally they found in an unsecured network segment they found a PowerShell script that includes administrator data in clear text and with this administrator data they could take the full control on Uber. And this is especially something what is happening here and this is what we can fully avoid with an API call with a real machine to machine connection that we will show you later. But this is just an example that this scenario is real life and could happen indeed, Uber is a good example from September. So at the end this is especially where we want to look to to the different interactions between the machines and then really to ensure for you, for your organization the full level of transparency that you are really seeing what is happening on my critical machines, who is working, who is interacting, who is doing what, and also having the control.
And this is why we are now talking about ISO, about BSI, about let's say compliance authorities who give us a clear view what they see, where we need to protect the individual items of such an access. And finally, and this is also important for the risk management or for root cause analysis that we can give you a clear audited path that you have every information of every interaction especially happening on your critical machines. Okay, this is the general introduction. Now what is the BSI saying on that? So the BSI, the German BSI more or less it is also based on the ISO 27001, the basic is all the same. You know, you will tell later a little bit about that. But overall for the BSI it is important that they are advising that especially for high risk machines, for high risk elements, you need to have a higher standard of security and what type of policies requirements you need.
It is also explained in this standard 200-3 and the BSI is having a general differentiation between four risk classes. So there is a very high risk and meanwhile they are saying normal risk, low risk I think is a bit misleading but this is still the official wording. But now they, they are talking about a normal risk. But the message here is that there are different policies, different security requirements, how to secure a digital device or a full digital process having on this risk class classification and the BSI at least is saying the risk class zero is the very high risk. So meaning here we need a very high level of security of protection while in the risk class three, you do not need to go that deep and this is something that could be fully built in an access management technology and this is the goal of the workshop today.
So to do that, and this is something that we have to do all the time, this is for sure a first classification and assessment of the individual risks in such a supply chain or even everywhere where we have digital machine supporting the business. And in this scenario we made just a classification just to visualize to see that some of the items have an higher protection approach and other ones, sorry that was the wrong dire. Nope bur sorry for that. Just want to show that some systems have a a higher risk and a higher need of protection while others in the same process do not need to be protected that deeply. This is something we have to do really all the time and I think there is really no way around but the majority of the organizations of the companies have already done this so far for sure we can help you at least also with detection response and automatic provisioning.
But this is indeed something it will not work without doing a risk classification when applying such a model. So what would we deliver? And here we are talking clearly about interaction roles. So how we can really implement rules for monitoring but also for an active control that we have the visibility and also a BSI or ISO compliant process. And first we are having the general, the basics rules. Here we are talking about the group policy objectives, the GPOs where we are going to find some general metrics more details later. Secondly, we have to enforce organizational measurements which is really about the access itself. I also show you later what I mean with that and last but not least, we need to have active policies for a session control, which is including authentication policies, session policies and also password policies. Password means not the password of the individual user but these are the access credentials for the critical machines you have seen in the process.
Or this could also be a critical server or a workstation or a database, whatever. At the end we will have these policies put in a risk class and the policies behind will be always the same but they have a different parameter in the different risk classes. So on one point we need to have the ability to monitor and control and this is the native meaning of PAM technology. You will see also later. And finally we need to have an audit trace that we can then transfer these access data to a SIEM technology into a SOC that we really have everything together that we can do good risk analysis and also root cause analysis to have full control and overview of what's going to happen. So these policies I just declared are divided in five main categories. The first category, the directory policies, the GPOs, they are really declaring how is the general architecture, how is the access generally organized so that you see that for example you have to go with a PAM solution as the one and only access control tool and you are not able to bypass it.
Also that we have to define allowed type of accesses, which which protocols are used, which clients are allowed, which machines will get the access. So these are some very basic policies we can work together because there are standards to implement that. The second one is the the access policies in general and here we are indeed seeing this is for sure also this this risk classifications what are the critical systems who will get the access based on the role model because you need this type of access. We are talking about the privileges itself that a user or a machine will get for it. We can also see that we can limit the access from dedicated location from dedicated timing, so geolocation and so on. We can also apply a risk assessment to ensure that always the right level of authentication will happen and the authentication can be declared in the authentication policies that we also can really build a risk based authentication for sure.
Also identity federation as a general concept. So when you have a secure lock into a machine to a system to a domain, you will have for sure always a similar sign on to all similar machines with the same security or a lower security level. And this is also then something that we can fully implement for user friendliness to have a full single sign on. But for sure based on some risk profiles we also have session policies and this is one of the heaviest and strongest ways how we can, how we can interact, how we can control a session. That means that we can really provide that level of access, that level of activity that it is really needed by the user profile. And this is also meant for machine accesses as well. So even if you are a big administrator or even if you are of absolute standard user, you will get the privileges, you will get the US independent from your main role which is declared in the domain.
You will get only this access you need doing your job in a productive way. And this is for example, do you have the access to a full service system or just one application? Is this application access restricted or can you do everything? Will you maybe have access to the application with lower privileges will be some system services available or not like the MMC or MSTSC.exe that we can also control. Is this profile, is this connection allowed to jump to another subnet, to another IP address? Maybe a few selected IP addresses are allowed but generally you are not allowed to jump. Once again, this is the scenario of the Uber hack that happened. What is with the clipboard, can you fully use the clipboard? Is it restricted? Is it for example also allowed that you can do drag and drop with the clipboard of a remote machine?
What is about file uploads and downloads? Is this allowed and if yes, is this maybe required that you have a direct connection with a malware protection technology using the, what is this, the ICAP interface. So here in this session control you can do really a lot, you can really restrict but also enlarge the accesses for the different profiles and really independent from the normal role that the user has in the domain. And finally we have for sure also the password policies and the password policies or the access credential policies. This is really for those machines you are interacting. The idea behind is that no user is still able to know any passwords. So this will be all managed centrally with a password management system. You will see it later when we show the architecture how that can look like and here we can then also having based on the roles per risk class, we can give dedicated parameters.
How long should be the password, how often should it be changed, how complex it should be, so how many special characters, upper letters, down lower letters, numbers and so on. What is the level of security the key, It's an RSA key it is four ambi, two ambi encryption. This is what can all be put in policies and these policies for sure we can parameterize. So the policies are always the same but you will see that there will be different parameters based on the risk classification of the target where such a connection we call it an authorization will happen. And that means that these risk classes can be parameterized for all of the BSI risk classes. But no worries, this is just a template. You can work with these four risk classes. You can say oh I just need two or I need eight.
You can really define whatever you need based on this, based on these templates. You can also adjust the parameters. You will see an example and this example is, I hope we can see it. This is just an example of a password change policy on the Linux. In this risk level zero with the very high risk for sure we need to have a stronger, stronger parameters. The password change must happen every 60 minutes. It should be 16 characters long at least containing this level of special characters. Upper lower letters, numbers, we don't have the German and we also need an RSA encryption with at least for ambit. And this looks a bit different if you go to the risk class two, the yellow one, it is fully okay when the password change interval is happening every month the password is only 10 digits and the encryption RSA but only two ambi.
And this is where we have done or especially Guido has done this work looking very carefully reading all the documents and then he was providing this level of policies and this is not something you can normally Google. So if you go to the BSI for example, you really have to pay a lot of money that you get access to this type of information. And this is what we have for sure also done for you and if you would be interested after this workshop to give it a try even you will see several demos today and more information for sure that you will get everything, all documentation for free. For sure we will have to sign an NDA because we also do not want that this type of intellectual property will directly go to our competition. But if we are having an NDA, we can do everything for free believers. Okay, what's going to happen then we have the different roles parametrized by the risk level and this one we can then fully roll out, provision it through DevOps. In this example we are using an Ansible playbook and whatever you have done it is implemented even in a large environment between two or three minutes.
So what does it mean? Yes, we discussed for sure you have to do first this type of risk classification that you have an understanding what are your high risk, your very high risk, medium risk, low risk systems. I think that's clear. If you are not really aware, just put always a higher level and then you can still adjust it. So this is what really needs to be done first, but then it becomes quite easy and this is what you do not need to do again to describe and to write your own security policies, your own rights management. So the second thing is that you can also work with users and these are the users you can take from different sources like from the LDAP, the Active Directory from an identity management. And here you can really design very clearly every profile, every role of a user.
We have a full role based concept. So meaning that all these user groups can have different subgroups in a very deep hierarchy that you can really build every type of user. And if you have for example an identity management already in use, it's even easier. So in the access management we are generally differentiating between three main level of users. So the user itself, this is the user who wants to have access, who wants to interact with the systems. And this could be then the database administrator, it could be let's say the owner of a full production plant in a shop floor. So this is something you can describe very detailed. There are also two other roles you have in an access management technology. This is an approval role and also an auditor role. And these roles are especially important when you have approval workflows.
Before that you can maybe only grant access to an external company, an external service provider and he can only get access to your critical systems when there is a positive approval workflow happening. And also you have a dedicated role of auditors and these are the ones who then are really able with their privileges to audit these interactions to audit these type of sessions. And here we can also have additional workflows in the middle. For example in Germany this is very important that a workers council, a Betriebsrat is also able to approve before a session can be assessed by an auditor. Because when we are talking about access management, especially when we are talking in risk class zero and risk class one, we may require a very deep level of control and monitoring so that we are maybe really having a full video of the session that we are doing a transcript even of the keyboard entries.
So you can really go very much in detail for the critical systems and for sure this could be misused for a performance monitoring of employees. Why is this administrator just doing 50% of the time then another one for the same level of job. And this is for sure what we want to avoid, we want to use it really as a security technology and this is why you can have for the audit also several control instances like the workers council that we only assess and audit such an let's say traffic when we realize there was indeed a suspicion, there is a vulnerability and there is a reason for it because it affects the security of the company. So we have now the machines on the right side, we have the users on the left side and once again user could also mean a machine user. And now, and this is then one of the biggest strengths of this technology, we are bringing this together and this is what you will see later when you are doing a quick demonstration.
We are talking here about authorizations and authorizations mean that we are able to define groups of users with groups of digital systems. We are able to canalize it that we can really describe under the authorization how such a combination should look like. We can do this really on a group level so that you do not need every user, every machine you can really do it on a group level. You will see this is quite easy and this is also the basis of our technology that you have indeed the users, you have the targets and you have the authorizations. And the authorizations declare the policies, the the parameters that needs to be put into such an authorization on a group level of targets and users. And in this example you would then see that only the users which are part of the group two will have access to these two high critical machines.
And instantly when this is applied, only the policies defined for the very high risk will apply. So meaning in this case password change every, what was it, 30, 60 minutes. And even what I promised to you, you will get a full documentation and here we may go but only if you have interest for it. We will go a bit in detail because this is also have been written by Guido where you see here, this is in the ISO 27001, the exhibit A.9 access control. And this is where we, if there is interest, we can go a little bit deeper and explain what the ISO is meaning with that, how you can implement it and what other technologies could be used as well like the parameters, vulnerability management, multifactor authentication, SIEM technologies, ticket management, service management. This can be all included. And you will also receive a second documentation and this is indeed the policies with all the parameters in clear text so that you really see, okay, what is the rule, what is the parameter that you can really see and understand what is going to happen here?
But always these are just templates. Feel free to adjust it to your own requirements. The idea is that you get a concept that you can go at least to your own C or even to an ISO or a BSI auditor and say here look these are the policies I have implemented for the access on all of my critical machines. You can read it and this is absolutely conform to the ISO 27001 and IS and BSI and also the sub authorities of it like B3S for critical infrastructures in Germany and so on. So you have everything documented and at the end the results should be that we have designed a workflow where the interactions between the elements of such a process are well secured and are at least repeatable and automatable. So what you would get from us, this is for sure when we would work in such a project, we will at least for sure talk about the security concept, talk about your individual requirements, but then you would get a real solution design.
We will do all the integration on in your existing infrastructures, the integration in the third parties, the integration into the different process elements we would implement and provision it even if you would like, we can run it. We also have an operation center to do so and for sure you will get the full and complete documentation. This is also still a living document. We are still improving it, adding new rules, adding new features, especially based on what's happening in the real world. And so this is also the updated from time to time and you can then yourself decide if such a new policy could be important for you or not. Okay, this was a general overview about the nature, the principle of such a risk class model. Do we have any comments, questions so
I give you the microphone.
So the risk assessment aspect where it goes risk level zero through four, right? Is that what Say it again please. The risk level access or the risk level from zero to four from prescribed by the BSI, is that also called like the protection needs analysis is? Hmm I cuz I'm an American living in Germany and everything gets translated and okay, what you just presented here made a lot more sense than what my colleagues been trying to tell me for two years. Oh okay. I just wanted to just verify that what that whole aspect was is what is sometimes referred to as the protection needs analysis.
Oh okay, okay. Okay. And for sure and for sure this is also something we can help you with some level of best practices, but the main structure is really what the German BSI has done. This is similar for the French or csp. I'm not sure if you have something similar like an authority like the BSI in the US do you?
Not to the degree of the BSI.
I think from your side in America it's more matching on a NIST. Yep, yep. I'm working on that. It's it's, it's the next project but yeah, version five. But it's a lot to do on on there because first thing thing I do with our privileged access management is to do a matching of our identity as a service solution of our privileged access management and our privileged elevation and delegation management to match it on all the controls, looking at the controls, see how we can manage something. Sure, we could not match manage anything on a control with only privileged access management or with an IDaaS. But partially we match on this and it's, it's a combination of different security solutions that you bring together to match maybe a control against malware and so on and EPM, PEDM maybe could be a part of it this and, but if you have a look at NIST that it's around I think 1,180 controls overall, okay. There are a lot of physical controls and so that doesn't matter for us, but I think I have to do a look at around 400 to 500. It's
Similar then with ISO 27001
You start section. Yes, yes, yes I do, I do, I do matching from ISO 27001 to that. But that is, that is to, to do good work on this. It's, yeah, it's good to, to to, to search for this, for these mappings to understand it for me and then creating rules that make sense and where I can say this is okay, if you implement these rules for the access of a very high risk system, then you are okay, okay. I'm not a uur person so I cannot stand here and say it's just just heuristic but from my point of view and every thing that I I know about that and the security rules, it is okay and you can go with it to be compliant on this ISO 27001, B3S and so on. Okay.
And what I just showing this is also a high level document which is, which is mapping the ISO but also the Ts a compliance and Guido is then also working here for theist directive and also with some description what you can do at least with access management technologies. There is also a far more detailed thing. This is your huge approach on the cyber kill chain where you also talk what is the impact of other security technologies, how they interact with a PAM system. But this is indeed something which is more or less also well described and we can help you to to really to to bring it into not just organizational but also technical measures
And for the interests of people I'm working on, on the mapping for the more technical guys on the MITRE ATT&CK framework to show how we can match on the, on the different parameters if someone tried to access your network and how we can match at which point on the MITRE ATT&CK framework and just for ISO 27001 and for newest way for for the OT and ISO e E 62 308, yeah it's, it is a lot to do but to understand for you all privileged access management or an access management, you can buy everywhere we, we have several competitors but they will come to you and say you have here your privileged access management and you have to onboard your systems but in the next step, yeah, you have to do your own job. You have to to do your rules for the system and heat your brain about that. And that is the idea behind that to give you additional services that we say we have different they policies, different different ready policies, you can implement it and go on not thinking about month or or so on. So you can go straightforward with that if you implement these policies. That's the idea behind
It. Okay, so we have another question please.
So the whole concept that you described of the PAM and then how you could actually integrate it, I believe that it falls into a CMMI scale of five right now if you try to go with that on the table or try to the table of a company, you are just basically going to kill them because right from the beginning is there a better approach where you could say, hey, rather than aiming directly to implement a very well mature structure program where you have your framework, your policy standards and and the large et cetera is there are like you start from CMMI one from a very immature step. This is your first step, this is your second, third, and fourth in order to be able to reach that. Because if I would have to implement that at my company, I would just create a chaos and it will take me probably four, five realistic years, right? So if I would start slowly getting to that level of maturity that that would be the ideal,
Yes, this is absolutely the point, but at the end this is at least an objective you want to achieve. The majority of the customers really have what you just described. They do not have the structures. We are even happier when everything is well declared in an Active Directory and you have at least the availability of users and systems. But generally, yes we are, and for sure this depends really on the maturity level of the customer. We are really having, let's say dedicated, we are calling IT transformation services for customers where we are really looking together what are critical systems, what should be happening on these critical systems. And we are then starting to implement part by part by part. Typically we are starting with a smaller environment but with a very high critical environment. We are starting with some first policies which are not really killing the access or whatever, but we are really doing this quite smoothly. But the end, and this is really something what a customer should realize, what is the end when such a system is really implemented that you have at least a technology that is ensuring this level of security requirements. But this is for sure going individually, sometimes we can do this with customers within one week and sometimes we need six months. So maybe Guido, you can also give some
Good, good example is healthcare sector here in Germany is, sorry, I don't, I just only know the German words and the healthcare sector in Germany because hospitals, you have a main system called here in Germany, Krankenhausinformationssystem, central information system, key system central information system. Information system, yeah. Central hospital information system and on. And this is a very critical system and everyone from the hospital and it said no one has to access this system. Even if two or three people in our company say yes, you can access the system and if you access the system, they are these risk zero rules that you cannot put any files on the system during a drag and drop or download any content. From there you have only a straightforward RDP access without any other interaction to the system. It is recorded, it is marked as critical system and the privileged access management.
So if someone after an approval workflow is moving to the system, you will be informed that someone is on this system and you can do a real time audit on that session. So regularly you will start with such systems like that. If you have a situation as you described starting point to say okay, you get started with a risk class model like this and we take a look first at the very critical systems in your environment and then slowly move forward, move forward, move forward and so on. That's the idea behind. And that can be easily applied
Nongovernment regulated company that would perfectly fit for critical production like gas. Yeah. Hospital stuff.
So the idea is, the idea is really, and this is also an access management is in most cases not its full potential. So only they're saying, okay, we want to connect to some RDP or SSH machines and we want to monitor it, but they are not really thinking what you can at least do to protect the machines for misbehavior of some users. And what we have done with that is just to say, okay, this is what the official requirement of BSI of an ISO even of list maybe are, but you are not, you are not enforced to use this all. You can just say, hey, I am just working on the critical systems with two or three policies. Many customers are just saying, okay, I'm using an access management, just have a secure connection that I'm able to monitor that I have maybe an approval workflow for some, let's say external accounts and that's it.
And even when we are seeing and talking with the customers, what is the potential, do you want to integrate with multifactor authentication? Do you really want to have a workflow that not everyone could just upload any files with an approval or with an anti malware check and so on that we are really going with the customers, Do you need this? Do you don't need this? And then you really get what he needs. This is indeed something you are fully right. Critical infrastructures hospital that leads to full thing. Other customers say, okay, for me just the transparency, a basic control is enough, so that's fine.
So but additionally it is more and more the situation that even smaller hospitals have to do that regulations that you find in the B3S because it, it tears down more and more and some of our customers are working for automotive industry and so BMW, Mercedes and VW said, okay, we are here ISO 27001 compliant, TISAX, modern version for the automotive sector is the TISAX. TISAX is more or less based on the catalog, ISO 27001 and then you are small, maybe a small company that, but you are delivering for MAs or VW and they came to you and say you have to meet our policies on that. And so as a company with maybe 200 or 300 people, you will be advanced to do these things in the future. It comes more and more. And so even for that is a good idea too. But you are completely right. Critical infrastructure is special. Yeah, it's another thing just like the normal industry really.
Okay, I think we have another question from that side.
Yeah, I just want to head back to I think slide three or four where you said the projects are getting delayed because of missing time, missing experience, missing knowledge. So I really think that this is a good point what you bring there with the paperwork. But you said, I think then this is where it gets easy to find the responsibles, to find the right groups to find the right roles. But in my opinion this is where the real work starts for the business. So how do you cope with that? How do you, I mean I really like the approach to bringing like a standardized ISO, BSI, TISAX and to bring everything in like one explanation and for one fits all approach. But after all, I saw ISO companies like three, 400 employees are existing since 30 years and they have like 40,000 Active Directory groups, now they want to move to Azure. How do you cope with that?
Yeah, for sure. Okay. Onboarding is another thing on our system that is not that what we've shown today, but you can onboard the systems and the groups from the Active Directory or CMDB or CSV as you want, that's just another thing. But yeah, you could do that but you are completely right on your opinion. Okay, that is a lot of work to do. But access management is something that is, yeah, straight in the center of regulations because if you have a look at these regulations, I speak about ISO 27001 or TISAX and so on and you read it, every second sentence you will read, you have to be sure that the access to is managed by and so on. So that is why I do the matching on these controls with our product portfolio.
If I was working, if I will be working for an antivirus company, I would not do that because there is only a little piece about malware and so on. But an access management matches on so much points in these regulations. And so I go to the customer and said here, really you have not a risk management system implemented because you are small and so on. But this is a good way to start first, first start to get in that because access management will bring you a lot of these compliance things for you and you can start with that and the first thing you do is maybe like Stephan said, to analyze your critical system. And I think that is just one thing every customer is supposed to do to say, okay, yeah, that is my SQL server, that is my SAP system where very critical systems and then you have a start, first step to analyze the very critical systems and then implement our rules on that, implement privileged access management and from there you go on and go on and maybe then the C of the organization said, Oh yeah, this is a very good start.
We can take a lot of things from there and bring it to our information security policy in the ISMS and so on. And so it can grow. I think access management is a very good point to start on the task of these compliance regulations and such regulations, that's one of the ideas behind
What you say then is the overall goal of yeah, of the approach. So you say this is a good start, so where are we heading to? Where do we want to go then
Like what is the great vision behind, so what, what would you like suggest where, where should like access management or identity management or like the security management, where should it have to?
Yeah. And at the end this is what we would like to discuss and work with you on the last part here of the presentation of the workshop because this is indeed, we still should think, PAM technology is for the moment nothing else and just a tool, stupid tool and but with this tool you are at least able to control and also to monitor some things. And for us it was, and that was indeed also this initiative mosquito that we worked on this risk class model really to give our customers a structure how to work with such a thing, which different steps you have to do and really to show at the end you now have control of what's happening in your infrastructure and you also can prove that this control is compliant to the authority you are responsible to. And this is indeed something that was grown as a concept, as an idea when we just did a normal PAM sales in the beginning where the customer especially asked these questions, these questions to say yeah, where should I start?
I have then my Linux user group and we had also several times the situation that a project was stopped very close before signature because some departments were not really considered in the process or the workers council was not really considering that, no, stop. We will not do such a technology and when I'm not really involved, what does it mean? There is a level of workshops and this is what I said before, we call it a business transformation service. Yeah, business transformation service. But this is indeed the meaning of that, that we are helping the customers to prepare from the organizational but also the technical measures to consider and also what does it mean for the third party technologies, what does it mean for the firewalls? What does it mean for the network security? What does it mean for the vulnerability management? What does it mean for identity management, MFA? It's a process. It's a process. Bruce Schneier. Okay, thank you. Any further comments, questions so far? Maybe from the remote audience. So when there are questions you want to see something, just write it in Teams, I can't see it but the nice colleagues would then forward the question.
Okay, so we then can go to the architecture now we have one hour past we started at one. Would it be okay that we do after this one? A quick break? Okay, good. So the architecture and then we are coming indeed that you have an understanding how such a technology is built and here we are showing you, ah, okay, this is indeed a good example but I may do it in another way, which is maybe then easier to understand. Give me one second. So and now we are going marketing
Let's do it here.
This is the same graph but it's a bit more animated maybe for better understanding. So what you see here at the end when we are talking about access management, we want to protect digital machines, digital processes in the IT but also in the OT. So here for sure applications, databases, servers, network components, whatever you have in your IT. But also in the OT where you have the different OT layers where you have the robots in layer zero, the PLCs in layer one, the engineering stations in layer two that you can also make a secure connection even from end to end directly to production shop floor. And this is at least the first level of user we need to consider, this is a standard user. This is not a privileged user because this is also part of such a model. Even a standard user maybe sometimes needs to connect to a business application, maybe not to a server, but for sure he needs to use his business applications to work with.
And here we are starting first with the general platform of our identity federation. Our technology is called Trustelem. The name is coming from trusted elements, which is the nature of identity federation that organizations, domains, applications are trusting each other. And the idea is also that we are saying the first thing in such an access management cycle is for sure the identification of a user. And here we are saying we are doing first and this is what I would show when we later do the demo in real life, how this could look like. Also showing how you can combine this with a soft token. But here the idea is to say we have a general authentication just with the domain access credentials and if you then need to access maybe even to a critical business application like Salesforce or something or to Office 365 and some parameters are given, you are not in the office, you are outside the firewall, you are here at the KuppingerCole event.
You maybe need asked for a second level of authentication maybe through a soft token. And then you have also a full single sign on access to applications with the same or a lower security level. This is what we are going to show you later. But this is a first and very pragmatic approach just to connect also standard users and then we have for sure the privileged users. And then we come also a little bit to the questions. We just have how to do this. We have here the privileged user, which is the administrator, the Linux administrator, the database administrator, and we have what we have shown before also the approver or the auditor roles when we grant access to this. And this is what you will also see later when we built such a connection that we really can individualize it, which is then a very smart of the full risk management or the risk class model.
But we can really go step by step up and forward. In this case you need for sure a machine that it is computing that is managing this type of access for us. This is the WALLIX Bastion, this is an appliance, it could be a physical, but meanwhile nearly everyone is acquiring virtual appliances. It is based on a Debian 10 Linux, on a hardened Debian 10 Linux and it has three components and here in these components for sure, the policies will be stored. So the first component is the session manager. The session manager is then responsible when we have the connection here that the session manager is able to understand a level of protocols that you can really see the connection string from the end to the end, that it can be monitored and the dedicated policies adjusted. The session manager is also responsible for the level of recording.
If you do just the metadata of a session or if you're really doing the full program with video and all keyboard entries and so on. This is what you can declare always here. And once again we will show you later. And the session manager is the basic component that you really need to have installed when you want to control this level of interaction. The good thing is, and this is also a patented solution from us, you do not need agents. It's fully agentless. And this is especially when you are interacting with OT systems on an industrial PC or on an OT gateway, you are normally not allowed to install some things. So what we are going to do, we are just mounting a drive, which is running as a service, which is in permanent contact with the appliance. And if you would like to disable it or to change it, the system would be automatically killed.
So this is a way how we are handling the access control without having agents installed. There is also for the password rules. And here we are really talking about access credentials. Here we have a password manager that can create, that can rotate, that can at least set check in, check out passwords for the machines here that the users don't know the access credentials. And finally the password manager is responsible for emergency scenarios like a break glass scenario. And the password vault is an internal store where you can securely save these level of access credentials. There is no need to use this WALLIX vault for sure, it's part of the appliance. But if you have something else like HashiCorp for example, you can integrate it. So this is more or less the only real technology you need to have installed in your infrastructure.
This one can be for sure done completely high available setup. You can also really scale it that you are bringing more of these appliance together to a cluster, especially when you have several sessions in parallel, which is in large organizations the case. What I had here, this is an optional component, but this is a component, the access manager, which is really making the life easier for several users. You will also see then the access manager is just a web portal where you can connect directly over HTTPS. You do not need VPNs anymore. You do not need dedicated clients anymore. At least you do not need a secured company environment like a company laptop with the security policies because you connect here just through HTTPS, this access manager will then retrieve your user profile and will provide only the access with the right parameters you really need to do your job.
And you will also see that in the access manager. You can then have all the tag information, the parameters that are allowed or defined for such a session, at least even with the risk class we show you later. And there is another level of connection. It's not here. This is another level of connection and this is then the machine to machine connection. And here we have, it's not a real portal, it's let's say a piece of API, it is called AAPM. It's for application to application password management. And this is also exactly the scenario when you have, let's say two machines talking to each other or a script talking to another one that you do not have stored the access credentials at one part and pass it, then over that all access credentials will be replaced by an API call through this AAPM. So at least the application on the left side and the application on the right side, they do not know the access credentials.
And this can be done completely automated. We also have, for a special level of automation, it's not mandatory, but you can even do it easier, a dedicated file system. So then all scripts that are located in such a file system will then automatically replace or will have this API call automated. And there is no need anymore to store the credentials in clear text. And this is more or less a standard architecture, how you can do privileged or generally access management. This is at this point completely agentless, for sure you can. And then we are once again in the deeper in the expert configuration when we really go and want to use the full potential of such a technology, for sure, you can implement agents at least for those machines, which are really critical. So at least in this security or risk level zero.
And here you have a level of access control really on process level that you can really organize your system processes running directly on the operating system that you can control and give parameters to. It can restrict accesses and you can really, let's say fully steer it, you can elevate or delegate privileges really on process level. This is a very, very granular tool and for sure this is for real experts. But just to show that if this is used well, you can do a lot with it. Maybe we, when there is interest, we can show you some examples. But the idea is here also, for example, a ransomware attack is also, let's say happening or doing an access on a process level, normally ransomware. So there are several types of ransomware. When we are looking to the typical WannaCry family that started with WannaCry, I think this is now how many years?
10 years, I don't know. But these ones started to be very clever and say we are not bringing our own encryption key with us because this is what the anti-malware technology would instantly detect. Oh, this is an encryption key. This is something which is not allowed. So even these ransomwares that are based on this technology of WannaCry, they steal the encryption key what they find on the target. So they're meaning the first access they are doing is to the encryption library of the operating system. They steal a key and then start with the second access to encrypt several, yeah, file systems and so on. So, and this is something what can then be easily detected when you have the control of your accesses even to say, hey, you have an access to the encryption library and yet then you start several encryption procedures, let's say within a second.
It's forbidden. It's not possible because this is not an authorized process who is allowed to do so compared for example, to an Acrobat program who also wants to encrypt the document. And this is what I just wanted to say. With access management technology, you can really go very, very deeply on the different level of accesses. But here we are indeed talking about expert systems and normally we are working here also only with services to get it all up and running. There was a question before how to forward this data maybe to a SIEM technology. I used, sorry, I used also a European one because we are a European technology and Logpoint is also European. So this is why at least in the European markets it is indeed a message to say yes we have also a European alliance because this is still something where meanwhile at least critical infrastructures are looking for.
This is just a simple example, how we can build a full action path from the data you gather from such an access technology to a SIEM system. And the difference to, if you don't have this, you really have this in real time, you have this live and continuously, this is not just that you get some firewall data, some server data, some let's say data on the authentication server. You really have it on the access itself. And when you see an incident because you have a policy violation about one of the policies we discussed before or even a ransomware applied, you always see these paths and you can follow and you say which hosts are affected, what IP addresses, which applications, processes, which users are affected. And this is just an example. You can really bring in such a tool, you can really bring it together, correlate with so many other sources.
But this is really something what is a very, very strong data source even for a SIEM technology when it is used in the SOC. And finally, I think before we go into a quick break, having the architecture, and this is for sure very high level, you have an OT world and you have an IT world. Here in the OT you have the different OT layers where you have in layer zero, the arm, the machine, the PLC in layer one and here you have the engineering station, SCADA, the ICS in the layer two, all separated through firewalls and you have for sure the same on the IT parameters where you have your proxies. And finally you have your machines and your processes. So what do you need generally to do?
Normally you have just one, you just have one bastion for the OT or for the IT and another one for the OT that should be separated but that's more or less all, you may still have to cluster it that it looks like a logical cluster that it looks like even one appliance. But this is not a big thing you have to do. And you have your access manager if needed just to control the access. And here you can have behind one access manager N bastions. It doesn't matter. So you can also implement a full multitenancy infrastructure.
Normally I would do a PowerPoint demo of the accesses, but I think we are doing this better in real time and not just doing again PowerPoint. We have done already so many PowerPoint. So I would say we are quickly going back to the agenda. Oh that's the wrong one. We are going quickly back to the agenda. So yes, I would say we should make a quick break and after the break we will talk a bit especially about some requirements, some policies in general. But once again we are working together. If you're saying, Ah, come on, I don't need all this ISO or BSI stuff, I have some real questions. What policies can be implemented? Let's do it like that. Let's be really pragmatic in the second part. I think we can do similar for the demo, I can show some use cases.
Guido can show some use cases and then we can talk about some best practices, what you all mentioned, how to set up such a project in a useful way. So my watch is saying it is 20 past two. What about starting in 15 minutes? 15 minutes? Okay, secret. Sounds good, sounds good. So five past half. So now we are starting with a demo part and what I wanted to show quickly first the general principle of access management and maybe we then have also time to look to such an admin interface, how you can create this level of authorizations. So what you see here is a portal from us, Trustelem, the name comes from trusted elements and this is something you can really use as an umbrella. You don't need it. But this is for several use cases I think really relevant. I will show you my productive environment. So this is not the demo where we are going later. So this is really my real interface in my sales manager role in WALLIX. So meaning I can go in the morning and have this portal and here I have just to authenticate myself with my domain password, nothing else, the domain password, this is what I'm doing now and then I have access to all of the business application that are relevant for the role I'm responsible. You are laughing.
Okay? So here you see a set of applications I can use, but you see also there are some locks on the top right corner of some and that means these are critical, more critical applications and for those applications the domain authentication is not enough. This is also a risk based model. So meaning the policies for us for WALLIX is then if I would be in the firewall, so inside the firewall in the office, I could then directly access to all of these ones. So these are not the real critical ones. Once again, I'm a sales role but here being outside at the KuppingerCole event, the domain authentication is not enough. And this is why when I go there I will be prompted for a second factor of authentication. So let's take Salesforce and then I have on my smartphone I have a soft token and here there is no request set to my soft token and I can directly go there and I open my soft token for sure.
I can also use a time-based authentication code. But here then I see the request from firstname.lastname@example.org from an IP address in Berlin from the workstation I'm coming from. And he's saying that this access is required. I can, with my soft token I can accept or deny, let's accept it. And then my access to Salesforce is directly granted. So this is nothing, this is nothing really extraordinary. This is what you may all know. But here going back and I do a quick refresh. So you see that these locks on the top right corner have been completely disappeared. So meaning I have now single sign on access to all of these applications that have a same or lower security classification than Salesforce. And that means once logged in, I have now a single sign on to everything. And this is indeed something where you can do also a quick connect for standard users. And this is also something at least for applications at least when these are web applications, you can directly provide to your users what they need doing their role. So quick example on that, but then let's go here. Salesforce sends me already a reminder, forget that we are now having a quick access as a privileged user. So now we are going to connect to an Azure demo environment.
This Azure demo environment is also protected by a bastion. I do that quickly. But you see we are using our own technologies. I just connect to let's say this Windows client system, do that like this. But this is just a demo access. And then in this demo we are representing a Windows 10 client system where I would start as a worker, as a privileged user to get access to a critical device. So let's just see that the demo is available, here it is, this is a normal client. We have over 80 use cases implemented here with our technologies but also integration with other technologies like IT service management like zm, Splunk, like, like yeah. What is now I think is integrated. We also have done a beer filling factory to show that we can also have access to OT environments. And so there are several scenarios that are well described. If you are interested you could all have this demo for free for sure. What I just wanted to show you a very simple use case. I'm a user, I'm a privileged user, I'm opening my browser. So we are doing this connections through the access manager when you remember, where is my browser, okay, because it's the update, it's the thing in the cloud. Everything is back to standard.
Okay? So this is pre course, it is currently doing an update. Normally this is going faster but this is the cloud environment and it always starts from factory default. So the browser is now open console and I can then say okay, I connect to the access manager, this is this user portal, here I have for demo several domains, I'm using just now a default domain and then the access manager will be opened. The access manager is a very simple one but you can fully customize it even with your logo, with your corporate identity, with your colors, with your font, whatever. So this is just an example logo we are using here. Normally I would connect with my username with Han, but for the demo purposes we only have roles and here is a set of different roles that have been implemented in this demo organization.
And in this scenario let me just connect as a privileged user. So meaning an administrator with extended privileges, let's do that and then I'm connecting to the access manager. This is also still with the normal username and password. But if needed, when I'm selecting a critical target, I would be asked also for another level of authentication. This here is looking very, very simple. It's just a table where I see myself, I'm the privileged user and here I have my authorizations. And this is exactly what we can really build that the user only sees these connections that are allowed for his role or for the group he is in. And this is why we can really cascade these roles and saying okay, we can apply an access to the top level of a group and then we can automatically provision for all members of the group the same rule.
So you can really work on a hierarchical organization. So this is for sure a very simple view. I show you also an extended view. This is the tech explorer. But here for now my authorizations in this demo are organized on the type of access, so line access, Windows access, application access and also how we can do some third party integration. Let's go for simple reasons just on Windows. Then I have all my Windows accesses that are allowed for this role as a privileged user. The big thing is here you have the name of the resource for sure because this is a demo. These are all the same Windows 10 clients and all the same Windows 2019 servers. But it should just show that you have different paths to access with different parameters. And here you see as an account, when I would use this connection, I would connect to the Windows system with me as user because here I am the privileged user here I am the privileged user, but I can also do a connection with a shared account that I'm even, I'm here to use Stephan Raden but I'm logging to this system, this authorization I will be logged on as an administrator but still the policies applying for the risk classification or at least the policies that are applied for this combination of user and target.
And I can also have a more complex view and here I can give let's say a lot of tax and parameters declaring and excess that you can really have further information what it is included, that it is required an extra level of authorization. And also the risk class here is is mentioned there that you will see okay, this is a midsize risk and the midsize risk policies will apply. But this is just a quick side step. I'm going back to the standard view and now I'm the user I have connected with my credentials and then I now want to to connect as an administrator on the window system. I just click here and then single sign on I will be directly authenticated and I have the full access. This window is in Europe mandatory because this is saying to be GDPR compliant that this session could be recorded or could be audited and you have to accept it, otherwise the connection will not establish.
So let's quickly do that. And then I have the full windows access but in a browser context because I was coming through the access manager, no and needed, I can do the full actions on the server but it is happening in the browser. I don't need to go that way. I can still use the existing clients like Puti, like an RDP client that you have the session running natively. This is all possible but this is more or less for the lazy guys and this is also a level of user friendliness that you can do this all with the graphical user interface and then I'm connected and I can work as normal and maybe quick show before I pass over to Gido that these sessions can be really monitored or audited. And this is why I'm now making this a bit smaller because we only have here one window and I'm opening a second session.
So and in this second session I'm now connecting with another rule and here I do not go through the access manager, I go directly through the bus door and now I'm connecting as an auditor. This is a complete different role. I'm logging now and then I'm here as an auditor. I go to the audits and then I see here the all the sessions that are for me, for me as an auditor for the systems I am allowed to audit. I would see them all and can have a look on them. This is what I would see here and then I can let's say go to the to the different to the different sessions and I can get all the information and I can create an audit, an audit file on that. But this is not what I wanted to show. I want to go to the current session and this is currently my session.
I have opened with me as the privileged user on the window server 2019 and I could then either as an auditor I could watch it so I can really monitor this session and this is why we had at the beginning this message, yeah the session can be monitored and that meaning this is my monitoring window and make it a bit smaller and when I'm doing something here, I see it on the other window too. So let's go here. So I have a direct recording so I could see what, let's say someone who is working on the machines I am allowed to to audit is doing. And you can also do that. Normally this is a different role but for simplification reasons we put it here in the auditor role as well. You can also do a cooperation offer session. So this is a real session sharing, so let's just kill the other is this, which is the monitoring session.
Let me see, I think that's the system monitoring session or is this the original session? That's the original session. Which one is then the monitoring? Ah here, okay, I killed that one. But I can also then cooperate with a user. So meaning I can, similar to team viewer, I can really work on such a session to gather with the difference to team viewer that also all the activities will be recorded and stored individually for both users. And this is a very, very important point for compliance. So here I get the information that the user needs to accept me sharing this session. So I just get gave the approval, I put that away and then I get here the same message. Yes the session can be recorded, blah blah. And now I have two sessions open. So this is a little bit another scaling here but now I can really work together and when I'm not saying here, let me, let me open, let's say notepad.
No, yep I can do that here and I can do this here on the other side as well. So I have really the ability to work together in a team and this is even one of the strengths of access management that I'm applying the security controls but I also have the real possibility to monitor and audit. I'm not sure, is this something for your interest, do you want to see this one deeper or should we No go more to the to the general, let's say policy levels, how you can set this up. What what do you want? Would you prefer? Okay, maybe ghetto. I know passing over to you talking about, I think we had the question or several times how to set these up, how to define the roles, how to start from zero. Maybe you can can can do a little bit more on that direction.
Speaker 10 01:35:03 Yep. Okay,
I give you my mic and
Just a moment.
Speaker 10 01:35:13 Here is the power cable.
I have to search where's my connector?
Speaker 10 01:35:25 I
Hope it will be there.
Speaker 10 01:35:28 I know I'm not here
The other side. Okay,
Speaker 10 01:35:39 Smartphone here. I'm taking a microphone for questions
But now I have to try here. What's the second monitor is it's a little bit, okay, I have a look at me. So okay, have it not here on that screen. Mirroring here Caron.
Speaker 10 01:37:14 Yeah essentially,
Sorry, sorry, sorry for that.
I now go forward with the view that you had. When Stefan target it's, it's just the same demo environment you have here and you see the WALLIX Bastion, he showed it to you and on the other side, now I'm going back here on my personal system. This is a virtual machine not in the cloud. This is a virtual machine here on my system and here is applied that what we told you about the risk class model. So as you see in the demo from Stephan, there were just only normal connections and normal connection policies and you see here that is marked as a risk system, risk zero, risk one, risk two or risk three. And now I'm moving forward and give you the idea behind that because everything you see, what Stefan presented, you have to do on your own. So you have to onboard systems to your privileged access management.
You have to go forward and have to do rules on this. And if you implement our rule set directly here via Ansible, you have the rules directly in the system. The names of the rules are just as we set it in the Ansible scripts, for the connections you can choose every name you want. You don't need to have these names you see here, I give it to you because you can read it as this is a risk zero RDP connection policy for the global domain zero. We have four domains here and I marked it so that you understand what I want to tell you with that. But let me begin with the targets. You have to onboard devices to your system, devices get to groups, these are groups of devices you see here and you see we have a risk zero RDP system, risk zero SSH connection system down to risk three for RDP and SSH.
So these are the computer groups, you may name it in another way in your organization but it's good to set the risk class before you name it. Maybe you will call it risk zero SAP system or risk zero SQL systems. That's on your way. But just to show you here I will say this is the risk zero group for systems you will connect via RDP like Windows server 2019 or 2020. So if you onboard these systems here, you every time need for every system once a connection policy, you need a password change policy, if you want to change the passwords of the accounts that will move to the systems like the administrator's account, and you need an authorization. These are the three parts you need. An authorization is saying who can access which system under what circumstances. I will show you later. So we take a look at this system here, we have a risk zero Windows system, very high risk just with an IP, it is an MS SQL server and you see here, there is a service on that system. The service is RDP.
So if I do a click on that, you see we have arranged in here the connection policy for risk zero RDP systems, that what I showed you before, and you see here you have no chance to use the RDP clipboard on the system. You cannot upload or download files to the system. You cannot connect to smart card, audio input output and so on. Everything is going away. So if you connect to that device, you have strictly only RDP but you cannot interact with that system. So if it is a person that may on a criminal way want to steal data from you and think he can drag and drop folders or files from the system and download from the system, it is not possible. There is no interaction possible and that is a BSI rule for interacting with risk zero systems.
That is not possible that you can upload or download files to such a system. It's the definition of a risk zero system. And maybe I speak sometimes to customers and they say, Oh yeah Mr. Craft, this is a risk zero system in my organization, it is very risky but I want to have the chance that the external person can upload a file to the system because he needs to update the system, needs to upload an update file. Then I have to say to the customer, no, if you say okay you have a system and you want to upload files to the system, it is definitely not a risk zero system and is maybe a risk one system but not a risk zero system. A risk zero system: the internal staff has to give the update file downloaded to the system and if the external people arrive, he found that one file on the system and everything is okay.
That's for a risk zero system. And so if you take a look at the devices and I go through on the risk one system maybe and you see here a risk one system, they were able to, you can upload the file, you can use the clipboard for upload but you can't download anything from the system. That's the definition of a risk one system: upload is possible but no download is possible. But if you say okay the upload is possible to this system, you need to do other things that I will show you in the next way. So we see we have these connection policies to these dedicated systems or system groups and if we now go to the connection policies, that are the RDP policies I speak about, and you see here this is the risk zero connection policy for RDP.
And we have a look at this and I don't know if it's big enough, I think I can maybe go a little bit bigger here. You see different things. So if someone connects to this system via RDP via the access management system, he's not able to do password mapping on the system. So he cannot use his own account to get to the system and say okay, I'm Guido Craft and now I'm on the access management and try to go to the server as Guido Craft, it is not possible. You cannot do an interactive login into this system because maybe someone knows the credential of another administrator and say okay, I use the administrator, I do not use the SQL admin, I use the administrator because I know the password and I do an interactive login on the system. It is not possible in this rule set for zero systems, you can only use the password vault, no other way to connect to this system. And so you do not know the password if you are connected to that system.
Other thing, I scroll down, we have here session probe. Session probe is our technology. We are agentless but the session probe technology allows us to control access to different network sectors and access to processes on the system. So here this is more a customer specific task. So we have to speak to the customer and say okay, are there some things you want to stop on that system, which tasks are there? But one thing is directly preset in this rule, to deny mstsc.exe. So with this connection rule, risk zero connection rule, you are not able to connect to a server, open mstsc.exe and jump to another system. It is not possible. For outbound connection monitoring rules there is nothing in here because every customer is different. So it doesn't make sense to put here any rules for subnets in there because this is customer specific and that has to be discussed with the customer, which network subnets he doesn't want access to.
So on another thing we go to the file verification. I say okay we can't upload or download any files to this system. So we have no checks on the check boxes here because we don't upload to the system. But if you are going back and have a look at a risk one policy, you see it is different, there is upload, anything that has to do with upload says that the file needs to be checked because on the risk one policy we say okay upload is allowed to the system so we need to check the file on the system and that goes directly to the ICAP of the antivirus of the system. So before a file arrives on this target system, it will be first checked by the antivirus system if it has an ICAP interface.
So what you see here is only RDP connection policies. So bear in mind we have a preset built up for SSH, it's not here because I don't want to show you just the big mass of different connection policies here. So I only enable here the RDP connection policies. We do the same for SSH connection policies, for SSH key rotation as password rotation for users and so on. But I wanted to keep it a little bit clearer so that you don't see a mass of connection policies here. So I show you only the RDP connection policies and further it goes that we have on the password side the password management password change policy and, as said before, we do the same for SSH key rotating. We have a look at a risk all password change policy Stephan showed with 60 minutes for a customer.
I showed this with 15 minutes here. He wants more actions on this because he said okay, minimum session length is 15 minutes and after 50 minutes latest I want to have a password change on the system. But what we do here is lock enabling. Lock enabling means if someone connects to the system, the time he spends on the system, the password will not be changed in the background, to make sure that there are no errors arising. So we do a password lock but at the moment he goes away from the system the password will rotate in background automatically, in that second he closes the session, the password will be changed in background. And you see here we have 16 digits and we have four special characters. We have lower case four, we have upper case four and four digits. So very high security on that.
And if Stefan told this at the beginning that is based on BSI best practice, it means that is not hardened in stone because yeah you maybe arrive to a customer and the customer said yeah this is a great password policy but I don't have allowed special characters in my organization, no passwords with special characters. Then you need to be able to say okay, you change it and you do no special characters, zero, but six, six and six upper case, lower case so that you get high to 24 and have the same security level. And so the BSI is not here and say you need to do a password change policy exactly with 16 digits in that way. But you need a security level and this is the same security level if you do not take special characters on the system, just only uppercase, lowercase and digits on that and that we do as special here.
And you see at risk one just lower, one password change a day only. But what I wanna show you is that risk class three. So the normal is even that what the German BSI set as a base because they say eight characters and every three months changing the password. That is the basis from BSI to say that is the minimum. And so the minimum is here for the risk three systems. Maybe there are systems like terminal servers, RDS servers where you need to interact with the sessions on the system, where you have to upload files on the system, where you restricted the system on group policy level. And that is what Stefan said, our system is not a thing you can manage anything with because you have the situation: maybe you are an administrator of an organization and you say okay we have a privileged access management in our organization and now I use this access management to connect to a target system but I am the administrator of this organization, why do I need to use the access management?
Yes my management say please use the access management to access the systems. But if I say nope, I'm typing mstsc.exe, I'm typing one ninety two, one sixty eight, ten five, going directly with RDP to a target system, I know the old admin 1, 2, 3 plus 1, 2, 3, 4, 5, 6 and then I'm an administrator on the system and you can do nothing against it with a privileged access management system. So that is the idea behind to say that it has to work together, it has to work together with every security operation you do in your company. So what you can do with a GPO, you can say in your environment, I fix the remote proxy with a GPO, Microsoft GPO and then everyone on this personal computer opens up mstsc.exe and you go on the last column and you see okay there is the WALLIX Bastion IP or FQDN inserted and I have no choice to do another thing on that.
I need to go, if I use RDP on my system here inside the organization, I need to go through the WALLIX Bastion, that is about integration and as I told, risk three is maybe an RDS server, a terminal server system. You can manage a lot of things on this target system with GPOs, with Microsoft GPOs. But the other things I manage with the privileged access management system. So that is the system, the idea behind that. And if I have these rules on my system, we replaced it with Ansible here, with Ansible playbooks we can do a full blueprint of your organization. So we have a lot of Ansible scripts, so we can do more than just only these password change policy, authorizations and so on. We can also do computer names, group names, etcetera if you want it or not. You can choose it and what you are able is, if you have these rules inside that and you onboard a target, we have here a discovery, with this discovery you can search your network, search for computers, search for systems and you can onboard the system directly here and then you can say okay this is my IP server and now I put this connection policy on the system.
I put this password change policy for the target account on the system and I take this authorization and the thing I need to show you at last, we go to authorizations.
So we have the authorizations here and here is an example for a risk zero system access and authorization. And you see here, okay, it is marked as a critical target. If a system is marked as critical target, you will always be informed if someone will access the system. You have on the one hand an approval workflow for the system. But maybe someone says okay, I need an approval for in two weeks Saturday at nine o'clock in the morning to 12 and you approve it and some of your colleagues approved this too. And this morning in two weeks at Saturday at nine you will get an information that someone has logged on the system. So it is marked as critical target, session recording is enabled, so every session on this system will be recorded. The recording files are stored in raw files so you cannot manipulate it.
Password checkout is allowed on the system but every time after you check out a password, you check in the password, it will be changed in background. So you can do it only for actual activities on the system, you need an approval workflow for the system. And so every security parameter is set for a risk zero connection and I show it to you and you see here, like I showed it before, you have only RDP, every other thing you can do with RDP is not on that side. You can do only bare RDP on the system and you have an approval workflow enabled. So you have the Bastion approvers group, that is, those are the approvers, and here are set a minimum of two persons in business times and allowed timeframes, just a moment, or three people outside allowed timeframes that have to say yes if someone does an approval workflow to that system and says okay, I want to go to that system. Three people minimum or two people in business time need to say yes, otherwise he has no choice to get to the system. Okay,
Maybe, maybe two questions first, like how does the approval workflow look like? Is it like coded? Is it like no code, low code? How can I set up the workflows, the approval workflows,
I show it to you. So we are back on the online environment because the other environment I showed you where I place my rules is not ready configured to the end. So we go back to the online demo and the risk class model will be enabled on the online demo and the next version will arrive next month. That's the old version here. But I do log in here as I have my glasses not with me today and I log in as a contractor. Contractor, typically external people. And this contractor now wants to access systems. So he has, as Stephan showed you, here connection to Linux systems, to Windows systems. And if he says okay, I need connection to this system here, he clicks on it and here you see something like in the risk class model, he has only the choice to do an SFTP upload or do an SSH session, on maximum you have five things here, download SFTP and remote command.
Additional to that, what do you see here? But he's only allowed to do SFTP upload and if he clicks on it and wants to connect to the system, then this arrives. So you need to say, okay, I want to go to hows on the system ticket reference. We have no ticket system here in our demo environment, but every ticket system that speaks RESTful API you can connect to and work with a ticket system and you need, that is a small spark here, you need to do a comment. Okay, I think, I think I say patching system and say okay, validate and now the approval request is sent out to the approvers because I'm only one person here. I have in this case only one approver because it is two, just two more and now I can go here, let me show
You get notified to Yeah, but how is it set up the so, so how do you
Like how do you set up the workflow in the in in when you integrate the solution? Is it like a standard workflow?
Yeah, yeah. The approval workflow standard. Standard. If you, if you, what I show you before, if you have just a risk zero authorization that we have even as templates too, you can do it on your created on your own, but you can choose our our templates, then the approval workflow is checked and if you checked it, this will arrive. Okay, It's the only thing you need to do
Nothing more. So, but I'm only able to use the standard, I cannot change the workflow as I want to have the workflow.
What do you want change
Approval, Approval of groups or something? Or maybe, Or maybe speaking of roles I have like an external and an internal access and the external access is
Approval. The internal
Is not, Yes, these just, just some small examples here. You can do everything you want on that for internal external with approval without approval and you can additionally say I have zero
Approvals. Okay, maybe, maybe other question can I do it or do you have to do
It? No, you can do it. The
Administrator of the technology. If you are let's say in your organization being the IT administrator setting up these rules, this profile is able to
Do it. Yeah. Okay.
So you have, you'll have generally you have four roles, okay? You have the user role, auditor and you have the administrator. So if we are doing, let's say, service, the administrator role, this is what we are doing. So connecting targets, setting our policies, heading, changing and so on. But if you are saying I want to do this for myself, you have all the rights to do it, you can then also give the privileges and rights for all the other users
And you are able to specify special approvals to special authorizations. If you say okay, these are the authorization for my OT environment and there are my OT administrators or maybe someone who works at the machines and in this part he's maybe the second approval for that he get the approval workflow and has to say yes. So you can do it as you want and structure your whole company in the roles that the different people has and what makes sense. And you can do it in a very easy way.
Does the PAM administrator have to have like coding capabilities then, or is it just like a click and draw or we see V like workflow engine or like approval engine. So how can I change, change the workflow as an administrator but
You can generally, you can generally do this all on the,
Okay, so that
You're really saying you design the workflow, you design the approvers, the groups, you say if there are several, you can do that by clicking with the mouse, but if you want to do some kind of optimization and so on, you maybe need to use the API for example if you want, but the standard set up you can all do.
Perfect. Thank you.
Yeah, no problem. And I, I show you. So you see I say okay, now he can connect to the system on SSH connection. You can do things like additional, let's say I do a scenario. This means what you see here, the person is now on the machine as the user Debian, is a root user on the system. But maybe you say okay, this administrator needs to access the system but he only needs to administer the MariaDB on the system, nothing more. Then you can do a scenario and it's not complicated to do that. And then he will like this going on the machine like Debian root, but in the background he's in the next step as a root user on the MariaDB console and then he can work on a MariaDB console but only there, he's in a golden cage.
So he can do everything on this command line, but if he says exit and wants to go to the normal Debian account, the connection is closed. And so you can set different things on the forbidden list like rm -r, so remove all on the system, that are commands you can set in the privileged access management. Okay, if someone types this there, it will not be accessed and he will be informed. It's just one thing, or he's directly cut from the session, you can say if someone tries to remove all the files on this system, he's directly off of the system and he has no chance to get back on the system at all. That are all things you can do there. Yeah, and these are the things and if you try to implement what you said, I think if you wanna onboard a system, we are on the way SQL server and you have our preset rules, you onboard SQL server, you said this is the connection policy, you said this is the password policy for the target account and then you need to do an authorization, that what you mean with approval workflow. Let me do that.
Add an authorization. You choose the group that can do that. Like Audi rdp, the target group is applicative access, we give them a name, ah, do blah blah blah. I say this is a critical target. I want only RDP for this connect, no interaction. We want session recording and we want to enable approval workflow on the system. We have no ticket system here, but we say this is mandatory to give a comment on the system and who's the approver? This is the approvers group. Maybe we need here the approvers set, that here set minimum in authorized timeframes. Timeframes is a thing like business time. You can set a time where you say, okay, between nine o'clock in the morning and 80 16 in the evening, the people need only one approval or a minimum of two approvals. But if it's I can, I can have more than one approval as well.
Yes, yes. Okay, perfect. Yeah, just more, you can have 2, 3, 4, 5 on risk zero system. If you use our predefined things, two approvers minimum for risk zero system. It is not enough if you have only one person that said he's responsible for a risk zero system, then the BSI, German BSI said, no, no, no. There are minimum two people that have to give access to that system. So and then you can say okay, we have here a minimum of two, outside we have a minimum of three. We say, okay, single connection. Single connection is a very hard checkbox because single connection means someone accesses the system, he's working on the system. Then he says, Oh I have everything done on this. Gets away from the system. In this moment, Oh I forgot something, too late. Single connection means single connection. So if you have someone who needs to do a reboot of a system, he needs to access it twice to check if everything is okay.
So a hard check box. But you can say okay, and you can say, okay, in approval timeout, the approval needs to be done during three hours, maybe after three hours too late the approval has gone away. And then you say in the next step apply and all you are ready. So if you use these templates for the risk class model, you onboard a system say this is your connection policy, this is your password policy. Now we do an authorization, this is your computer group, maybe five minutes you are done. Thank you. Okay. That's from my side a short view on on the on on the risk class systems
Speaker 12 02:12:04 Have good question. In a zero trust era we are in what you think about just in time provisioning
Then just in time provision do you mean
Speaker 12 02:12:16 Mean the account is created when the session is is started?
You, you mean that there's just only an account that exists for the time of the session? Yeah, it's deleted, possible.
Speaker 12 02:12:34 Hmm, sorry.
Speaker 13 02:12:36 So
Yeah, so the general principle is for sure that the users who need access to the system are known to the system. This is clear, but there are for sure also scenarios when you work sometimes with subcontractors where you don't know each individual. So we have also a self-service portal where an unknown user can request access. So there is also an approval workflow then going, so you have to identify via your company name, whatever. So there is a need of identification and then once again the system owner could then say, okay, it's allowed. And then the system will create a just-in-time, one-time user access to this target, defining the parameters as you have seen here, he is only allowed to do it for three hours between Sunday 2:00 PM and 5:00 PM, whatever, you can do it whatever you want. But you can also say if this is a new user, you can also give him permanent access and then he is part of the official user group. So you can do this all
Speaker 14 02:13:59 More question on this? No, can I give back to Stefan? Yeah, the was
Okay, so time is, time is running fast. I didn't expect that. 20 minute. Yeah. Ah,
Speaker 14 02:14:22 Here you go.
Speaker 15 02:14:23 Thank you. And how do you think of changes in the system? So if I'm an administrator of that system and I want to change something, but I need the four-eyes principle to change the configuration of the system, right? Yes. How will it work? You use your system to monitor your system for changes for example. So let's say that I want to change the configuration, say that now I want to have three people approving something, I will have to enter the system and change it, right?
Speaker 14 02:15:10 Right.
Speaker 15 02:15:12 But an auditor would like to see the change, who made the change and so on. So you use your system, there's change tracking
Speaker 14 02:15:22 Process. Yeah.
So do it in the microphone. Yeah. So there is a change tracking process included, so you can for sure also see what the administrators have done and you can say, oh, this was a mistake and you have to bring it back. Yeah. But yes, for sure watch is the watcher.
Speaker 14 02:15:45 Yeah.
So we still, the audience become a bit smaller but still some people here and officially still 20 minutes to go, we can either stop for now and say, okay, it's done. Or we can still still do some use cases for you, some demonstrations or even show how maybe how to start a set. Such a system. So flexible up to you. We are here, we have booked the time and yeah,
Speaker 14 02:16:26 You best practice practices,
Best practices. This is, yeah. Yeah, so, so the idea was generally how you would really go forward. If this is from interest, we can, we can do this, but also really only four people here, we can also something what you would like to do to, to have individually up, up to you really.
I would be interested to best
Practices. Okay. What
Your standardized working.
Okay, so maybe then I still pass it over to you, Guido especially. So do you have a dedicated scenario in mind where you say this is the, the customer scenario, how would we process in such a scenario? Yeah, okay.
I mean basically you said it's, it's a good starting point. So how does it get, get into, I mean you show like how we can set up the workflow, how we can access databases, service, et cetera. What would be then your next step as you say like then the easy part coming, like finding groups, finding responsibles, finding processes. Because in my opinion, this is like a crucial, crucial step where you move from IT or from the technical perspective more to the business perspective. So how do you follow up on that?
Hope I understand to what you, what what you ask me. Okay. The, the in principle, the most, most of the customers I have, I do in the first step a demo to the customer. Then we say, okay, we are running a POC generally in his own environment means enabling the wall expression and, and, and the access manager and so on. And then we go to only in a, in a first step, very basic use cases so that the administrators understand how the solution works and how they can enable it. Second step is more a process.
So maybe, maybe, sorry, be more concrete here. And this is really a standardized scenario here as well. What Guido is saying, yes, normally you are doing a demo and showing what is in, in such a technology. And then when we are talking about proof of concept or even a proof of value that we are really having an installation in a customer environment. It could be on-prem or even in the cloud. And then, then there is a huge list of use cases. Yeah. And this is exactly where we go then with the customer and say, okay, what, what type of profiles you have, what machines, what third party you want to connect? Do you need approval workflow? So this is also based on a questionnaire and based on the answers, we are then preparing the proof of concept with these types of accesses for sure. In a, in a proof of concept, which is free of charge, you cannot do everything.
So normally we are saying it is between five to 10 use cases. We are implementing it, this is normally half a day or three fourths of the day, and then the rest we are still doing some kind of education. And then the customer can play. If you really want to say, yeah, I want to have the full productive environment, then this is also indeed a service I discussed with the colleague here before, but once again, we are going to define what needs to be done, let's say to address even to third party, to third party technologies like the, the integration in an identity management and so on. But this is really based on some questionnaires and for sure several customers have their own, let's say legacy applications where they say, Hey, can you create a plug-in for it or can you help us to, to, to do this integration directly?
And then yes, you need to understand a bit of coding when you do, for example, this type of third party application integration. So the standards SAP is all known, but if you have any old one or so, we, we are helping the customer step by step. But this is also something what I mentioned in this business transformation workshop I, and still a funny name. We, we, we are really at least sitting together with the customer, talk about the organization, talk about the rules, and maybe also help them to, to optimize the rules at least that we can really build it better in such a system. What are the top level, the levels below. And it is for sure easier if the customer has already done this, but if not, we can help. We also have autodiscovery services that you can see, hey, which privileged accounts you already have, you are maybe not aware, do you really want to onboard them or maybe some we delete directly at the beginning. So this is for sure a living process where for sure we try to follow standards, but at the end it's an individual conversation to have the best understanding what a customer wants. That's the normal
Thing. We go through that. And on the other hand, if it goes extensive and we implement our professional service, do these things, and from my side now and in the future, more and more, I'm, I'm here to be on the side maybe of the se of the se have the ability and say, Okay, we need Mr. Craft here to discuss the risk class model and we sit together, you can book me to just like a professional service, but not on pure technical way, more organizational way.
And, and, and one second. And there is also a managed service we are offering for customers who really want to outsource the operation. So for sure, part of this managed service is that we have, let's say the use cases, the, the integration is done as the customer wished. And we then say, okay, we sign, this is fine, we are happy. And when this managed services is then starting, the customer can always come and say, Oh, now I have a new user group. Can you please implement this user group? Oh, this user group disappeared. I have a new set up of a new set of targets, a new subnet. Could you please integrate this? How can I do this integration automated? So this is also that we are helping the customers on the operation process when they say they would have change in their environment. Normally, if the system is set up and running and you do not have so many, let's say changes in policies, in users, in targets, you can leave it as it is, but if there is, you can just open a ticket and we do that for you.
You say you have like identifying of of of already privileged access integrated. Do you also have like a mechanism or like an algorithm who can also like, based on the use of find applications, which are not in the scope, like shadow IT or something?
So indeed we have, with our endpoint management technology a way to, to to, to see the assets on a, on a local machine and then really see what is installed is, is really allowed. And because this is part of the endpoint privilege management that we are normally saying, okay, this is your set of official applications. You have a dedicated user profile, you can use these applications, you can download and install these applications, but they will only run with the privileges that you are entitled for. Even if you are on the machine, a local admin or just a standard user, you will get the applications only with that privileges or with that context needed for the role. And we can for sure also then let's say declare policies for other application that are not officially allowed to say, okay, some are completely forbidden, some can only really restricted in a legacy mode, for example. So when you say, Yeah, I still have a legacy application, which is maybe creating some vulnerability. It's not official, but it's fine, but it has to run with the lowest possible privileges that it could not harm the infrastructure.
Perfect. Thanks for the information.
It's, it's more on our privilege elevation and delegation management. We call it privilege elevation and delegation management on server systems.
It's a Gartner name. E e
Yeah. EPM on on on the normal endpoint. And there we are able, if we implement this to do it in a real structural way and say every process I have a look at, that is what we called, well what I called application access management. And the other thing is privilege access management, more user interaction with the system. And here it's application, application access management. What is the application able to do on the system in the context of which user is logged onto the system. But it is real. You need to understand, we don't do anything on, on, on user rights. We, we do anything effective on the rights. The the, the, the user has if is logged onto the computer, but it is only applicative access management. It's not based on the user rights, it's just switched to the user. But has nothing to do with health rights in the, in the Active Directory system or So
Would you have theoretically integration or like an API for policy based access control so that you can give the entitlements
In Yeah, yeah, yeah, yeah, yeah. Policy based, we can, you can create policies for, for system, do a rule set for them and say it is directly, if you use Active Directory, most of the customers have that, you can do it directly on the structure of the Active Directory. You can say this container, these are the laptops from the internal IT. And now I link the rule set for these machines, direct on this container. And for the sales people, just other rules in another rule set and so on. That can do.
Perfect. Thank you. Yeah.
Quickly to show, this is, for example, just a huge document with many, many use cases. Here you see SSH, RDP access, remote application, then the universal tunneling. So this is an end to end tunneling on all TCP based protocols like Modbus, PROFINET, so also auditing, approval, password management, service account management, and so on. So this is a real huge set of use cases. We are going to discuss with the customer what is really relevant for you, what are then the profiles you, you, you need to create. And here we sometimes also help and say, Yeah, maybe we create a new group and put this all together. So at the end it is working on a, on a questionnaire to to, to bring together what is really needed. And once again, with this risk class model, we just wanted to show that there are at least already policies available. Guido has shown you can switch it on, switch it off, change it. But indeed you have something you can use. That's the idea. Anything else?
Speaker 14 02:29:25 Thank you.
Okay. So thank you very much. If you want to get,
Speaker 14 02:29:30 Thank you.
So if you want to get a demo or also access to this platform, just send an email. This is gay craft wal.com or I am s robin wal.com. We are still here today and tomorrow we can organize this also with the colleagues in the United States where we are located in Boston. Good. All right. Thank you so much for your time. Enjoy the event.