One PAM - A Holistic Approach to PAM for the Shift to a Zero Trust Model

So my name is peterle I from Broadcom software, just a short introduction for those that do not know Broadcom software. I know in Broadcom as a hardware company, yes, Broadcom was usually in the hardware business, but few years back Broadcom acquired company called CA or provisionals as computer associates. This is where I come from. I've been in the identity and access management area for more than 20 years. So even before I, I got to CA or computer associates and then through different set of acquisitions through CA and, and acquisition of CA by Broadcom, I ended up in Broadcom and Broadcom currently has a large software division because Broadcom did not only acquire CA that that was a large software vendor having many security solution in identity and access management space. They also acquired Symantec later, one of the biggest security players. So now Symantec security solution and CA security solutions are in one group that is a Symantec division vision, vision Broadcom software. So me that previously competed against Symantec as a big competitor, is working on with both XCA products and Symantec products. And we are having a broad portfolio of security solutions to offer to customers and help help them and solve their needs.
So privilege access management and challenges of privilege access management today. So privilege access management started as a, as an area 10, 15 years ago. And when it focused mostly on password vaulting, but it became more and more complex due to extension of enterprises into different environments. Building hybrid environments then include data centers consisting on mainframe systems, legacy mainframe systems, typical onsite servers, windows system. But now most of the technologies having something in the cloud, Azure, AWS, Google cloud. So privilege access management needs to face those synergies too. And it's not any longer, only about users accessing systems, but more and more about non-human access to those systems. So this can be an automated task running that needs privileges to access to some database, to perform some reporting. This needs to be also managed through privileged access management, and there are many regulatory compliance issues that come into the play.
Many mandates that ask you, or di direct to protect, monitor, access, to privilege accounts and, and closely monitor it. Both. We also need to bear in mind, and this has been mentioned many times today, already, and yesterday that you have to always assume that there will be a bridge or you are target of an attack. So every company can be attacked. If there is enough interest, then there is enough resources, there's enough money to do it. And it's very likely that your company might be target of, of a successful attack sooner or later. So you always have to go and follow the zero trust approach. You trust do not trust anybody. You always check. You always control. And based on the needs in real time, you allow access to the system and privilege accounts in this case. So what are the critical capability of privileged access management that you need to be looking at when implementing a solution in this area?
Maybe probably the core and, and most traditional part of privilege access management is privileged credential vault. So this is the traditional storing passwords of privilege accounts in a password world, sharing those passwords, initiating sessions under, under those accounts, giving access on the, on the users that need access to those accounts, but then what you also need to do. And this is either mandated, or it is a best practice too, is that you need to record monitor those sessions. So you do text recording or video recording of those sections. Then you, those recordings you might need later for investigation or, or proof what was happening on the system. You need to have auditing. You need to be monitoring what's happening in those sessions. If there are some activities that needs an other to be generated and all this needs to be needs to be done in zero drives, trust principle in mind. So you have to always check who is coming. You need to authenticate the user properly. You probably use multifactor authentication to, to detect who is coming to the system and authenticate the user properly.
Usually the monitoring of the user and authentication of the user using some predefined rules is not enough. Any longer. You need to have some intelligence in there. You have to have some automation. You have to have some mission learning capabilities that would allow you to detect some unusual, not normal activities. So it's usually hard to say what is going to be the way of attacking your privileged access management in future, because the attacks attackers are learning and moving forward. So a machine learning an intelligent detection of animal would allow you to block activities that are suspicious later. You might, you might find out that this was a normal legitimate activity, but you might want to block it and investigate later, because this is something that never happened in your system before this kind of behavior. And then if something like this happens, you might want to trigger automatic mitigation actions.
So session would need to be authenticated. Session would be discontinued session would, would be, would be recorded if not recorded already or other actions that might be appropriate for a specific alert that is generated on top of all of these. And this, this is something that wasn't previously power of privilege. Access management solution is what we call fine grain access control. So you do not only control who is allowed to use a privilege account. Let's say route on a system, but you want to also control what is this user allowed to do under route? Not to, not to just give him open door to, to the system and maybe women from the system to other system. If there is some single sign on capability between the different servers, then him and jump from host to host. So you really need to control what this user can do, regardless of the privilege account. You sign him this. So we just do not open the door for the user trusting. He would do what he needs to do, because it doesn't need to be malicious activity. Even an error can cause a disaster than running under privilege account on a specific system.
And as I already mentioned, it's not only humans accessing the system. It's more and more DevOps activities. It's utilities, it's, these are some robots it's, it's automated processing backups. And so on utilities that need access to systems that need some privileges. And you need to provide those privileges to those routines in the secure way, on the fly, you need to re rotate passwords. You do not want to have hard code it's passwords in some scripts or stored in the database that are rarely or never rotated because this is a big security problem and can be, can be an, an attack attacked in, in future. So these are the main and critical capabilities that you have to be looking at in privileged access management solution. But of course it's privileged access management solution is not a standalone thing. You need to always link it to your identity management and governance.
So you need to do access certification. You need to manage identities of the users because project access management is there to manage privileged access, but iden you need to help proper identity management to first give enough access to the users. And only if you cannot give the users appropriate access through their own individual accounts, then you go to privileged access and then access management and share some accounts. Sharings accounts is the last resort is not the goal identity management, the proper identity management and account certification and governance is important. And also your privilege access management should be linked to identity management and manage from there. And access governance and certification should be, should be done against this privilege access management system.
So traditional privilege access management, how, how this work or, or how, how it worked. So we have a user connecting to privilege access management solution, getting some identity user password or, or in, in another way. And based on some policies and access, right, you would be connected to target device. Let's say to simplify a server Linux server, running some application. When you have an attacker, what attacker tries to do to gain this super user or shared account privileges is trying to attack the PE solution. Try trying to authenticate somehow break the authentication, get to the user that has access to some privilege identities and go to the target devices and create space there for, for some malicious activities or some sabotage is where your thread analytics and behavior analytics and risk based authentication can help you to detect this malicious user, trying to misuse some authentication or break some authentication routine.
And this is where you can stop the user. But yes, this is this only words. If the user malicious user is coming through Pam or even a normal user. So what if the user is connecting directly to the servers? So you we've heard today already about some attacks that happened recently and to major companies worldwide, none of these were done through attacking privilege access management solution. All of them went directly to the system through zero day vulnerability or deploying Trojan on those systems through legate software that was running there. Their privilege access management is out of the game, unless your privilege access management is also controlling direct access to the systems and your systems are being protected.
How do you protect your systems? Your mission critical system, where the data is from the direct access when somebody bypasses Pam and somebody, Pam is bypassed, even for estimate purposes, doing some administration upgrades. And so on very often, you do not go through Pam. We at Symantec are having a solution that is Symantec privilege, access management solution, that the privilege access manager that is giving you all the components to build and implement your privilege access management infrastructure up to the end point. So we have privileged credential vault. We have session recording. We have user behavior analytics that can analyze who is coming to the system, and that takes suspicious activity. We have management of secrets for DevOps or non-human access. We do it all for hybrid environments. And so it doesn't need to be on-premise. It can be in the cloud, it can be mixture of the two.
It can be hardware, it can be software based implementation and important is fine grain access control. So is the protection down to the endpoint. So even the direct access to the server is still controlled and we only provide or make sure the only privilege is needed and legitimate privileges are provided to the end user, all these through manage through unified console policy management auditing. As I mentioned, it can be V12 physical appliance and cloud native, and we can scale easily to thousands and tens of thousand concurrent sessions. Step by step as the customer is growing or deploying the architecture. So just some more details about five grain access control as this is a, a unique solution. It's not something new that we introduced recently. This is something that has been available for more than 25 years originally developed by the company, Manco in Israel, then acquired by some company called platinum technologies that I've worked for then acquired by CA and, and now owned by Broadcom and being in the Semantech portfolio. So this was there in the days where this area wasn't privileged access management or wasn't code lighted. It was just security. It was just access control. In the days of CF to intoxicate from mainframe, there was this solution available for units and windows that provide capability similar to those mainframes modules. So in this case, if you connect to the system, being a Malian user or even standard user, the system is protected by an agent. If you try to run an authorized command, you are, you are blocked from running it.
An example of, of the capabilities is that fine grain access control, always that takes the original user identity. So here in case I logged in as Jeff Andrews, then I, I, I was provided identity of Oracle operators through Pam solution in this case, but I still under operating system. I monitored as Jeff Andrews audited and I, my rights are based on Jeff Andrews or operator is just my identity for running operating system task. But all the auditing and access governance is still under Jeff Andrews. So it is not to give the user all the privileges with the shared com, but just enough privileges. The user is needs in the time to perform the duties. So it I'm giving or operator I giving root, but with limited privileges, just enough privileges to do the job. Another example, Onix I can ask you to root. I am rude. Normally I can do anything I want, but you can see, I do want to catch some files, see some file. I get permission denied. So I just need get the needed privileges to do my job. Not more. I, I do not open the doors wide to the user and give all their eyes unnecessary rights.
Just as a overview of the architecture. As I mentioned, it's all appliance based. You drop an appliance in your environment or in your cloud. You put more of them to achieve high and disaster recovery. You have one side in the Europe, in one in north America, one in China, then you cluster them together. All this is included in the product. All this is covered by, by our components. No external software needed can be connected to Symantec, VIP for authentication Symantec, identity governance for identity governments, or this can be third party solutions that we have connectors for. So what we believe is that our Symantec privilege access management solution is very efficient because it's integrated proxy and agent based platforms. So limiting user on the network level, but also on the device level. And it's all managed and outdated from single console. Total cost of ownership is low because you do not need any additional software. You, we provide you an appliance that you deploy no installation, no difficult integrations needed, and it can be also integrated closely with other solution from Symantec that, that create our integrated cyber defense platform for.