The Path to Zero Trust by Securing Privileged Identities

Well, I, I first have to thank everyone who still sat here because it feels like you have been through a marathon today and apologize to all of the non-English speakers in the room that I won't be doing this in German today. It was suggested by one of my colleagues, but then I wouldn't be here for my session tomorrow because I'll be deported for murdering the German language. I'll I'll also have to admit I came in by playing at lunchtime.

So I'm, I'm a little frazzled myself, but we will do our best to get through this in 20 minutes, cuz this is a 40 minute presentation when I get going. But you, you don't wanna go anywhere and eat or drink or do you all good stay here. Cool. Right. This is me not really very exciting. I'm I'm old. I've been in the it industry for well over 30 years now. And I've been in senior roles on your side of the table and my side of the table and somewhere in between with some SI work as well. So I've got a good view on the, the end to end operation of most aspects of it.

I've also had roles in just about everything you can imagine. It sounds terrible. It sounds like I've jumped from job to job, to job, but I've been in many of them for a good long period. I've been at beyond trust now for 10 years. And we got a book coming out, short equal cloud attack vectors, which is the fourth in a series of attack, vector books. He says losing his voice. I think you've probably you probably zero trust out, which is a difficult one to come in in the session and talk about it.

And I'll try and follow on with, from the previous session where we're trying to talk a little bit more practically about these things and I can wholeheartedly agree with the statements. So if it's not something to be afraid of, it is a journey we're gonna go on. And like so many it journeys. Are we ever gonna finish it completely? Probably not, but we're gonna get as good as we can, but we only get there by starting. And the first piece is zero. Trust is just flooding the market. Now I'm sure you've had a dozen different definitions of exactly what zero trust is today.

And so that makes it difficult for us to even know where to start and we'll come, we'll come onto that a little bit. We, we go with the nest definition of zero trust and, and it really is just about making sure that when somebody presents themselves to access a resource on your network and resources can be data, there can be systems. There can be anything really that you're gonna validate that they should be there, that they should have access. At that point. We're not just gonna trust that they were authenticated this morning.

And so they sure still should be the same person today or later today. I dunno. How many of you out there have struggled with things like Microsoft group memberships, where you take somebody out to the group membership till they log out and log back in again, there's nothing you can do to stop them, which is no fun at all. So it's really just about being very focused in that aspect of it. Zero trust, I think is sometimes a little bit of a misnamed thing. It's not zero trust. It's about applying the trust at the right point.

And it does mean reducing the spheres of trust that are out there in your infrastructure. A little aside around 2000, I worked for a company that was doing satellite internet and we were streaming Usenet and all sorts of things. We had no firewalls on our network. Never did. Every machine was secured in and of its own, right? It's possible. We did it back in 2000, except for the one idiot who was configuring a windows 2000 server put SQL server on it. And before he'd rebooted it, it had COAD on it. And we were attacking some external organizations and that's where my phone rang.

And I got told off for doing that. But anyway, we can all make mistakes. The main goal is to be granular about what we're doing, you know, and I, within granular, I wanna be clear on that as well. It's not about defining every single little thing.

You know, if we think about the smallest scope of privilege, we can a allocate really. It comes down to a person or an identity within the infrastructure, but we don't employ well, we do employ individuals, but we don't employ them to be individuals. We employ them to do roles. So we come up a layer.

So it's, it's, you don't have to get into the absolute weeds, but you are gonna look at what does this role need? What do they need access? How do they need access to it? When do they need access to it and get those kind of granular controls? It's not necessarily about the, the, how small you go on your virtual parameters.

I said, validating and authenticating everything. We've got that piece done. And zero trust architecture.

I mean, if you haven't got the next document, 802 0 7 2 7. Yeah. So grab that. It's a great framework to get started with and does lead you through. There's also a great CIS document that actually talks about implementing as well. There's lots of great resources out there. And I always, I often think of it in terms of what I describe as my big ball of string problem. And I use this in everything which really annoys my wife. She comes to me and says, I have this big problem with the business that she runs, oh, I dunno where to start. And it's like, yeah, it's like a big ball of string.

It's lots of loose ends everywhere. Grab the first one, do something. The ball gets smaller, do another, something. The ball gets smaller. It was about picking those small wins and making progress. The more you do of that, the more you'll get through, but you do want to end up at a hundred percent coverage because there's that simple truism, wherever you are not secured is where you are going to get hacked.

You know, self-evident, it's not a scared tactic. It's a risk. You have to understand and accept as you're going through the process. So why now I think Moton castle or fortress mentality, as I might describe it as had its day, we can't just keep building these big walls around things, or even within sections of our infrastructure and hope that it's gonna protect us and that everyone inside there is a good person.

You know, I don't think any organization or any large organization is really above getting somebody employed in your infrastructure to get access to information. They really, really want it. And nation states I'm sure are doing that all the time. We need to come down permitless is, is how it's described. But I would say the perimeter just gets smaller. It gets around each system and device each trust zone, if you want to call it that, and those are getting smaller within your environment. The most important piece on this slide, I think is assume breach.

And again, it's not to scare you into anything. You know, the, the chances are that if you don't think you've been breached in here, you've got kind of lucky and they didn't find anything of interest. Pretty much everyone has got a good chance of having been breached at some point, or it's gonna happen in the near future because there's so many drive-bys going on. There are so many vulnerabilities being identified every year, trying to keep on top of all of that is pretty hard. You can get a lot of the way towards it just by doing some foundational stuff, but assume they're in there.

You're already winning at this point because now you're defending all of those individual systems. Cause they're already inside your perimeter. You're already thinking in the right way. I mentioned the nest provides a clear playbook for adopting these kind of things.

And it, this is one of the good opportunities to take cybersecurity lifted into where it really should be, which is business continuity or business resilience. Because if we don't do it well, the business can't carry on doing business because it's scrabbling around trying to pick up the pieces of being hacked and actually work it into the fabric of your organization.

You know, cybersecurity is everyone's responsibility. I'm sure you've heard that a dozen times today, but we need to make that a reality. And part of how we do that is through privileged access management, which you'll come to in a second. Are we doing timewise or goodness, this goes quickly. There's a simple look at zero trust said for zero trust, a lot in these three slides. So require the access, keep everything secure. Every communication even within inside your organization should be secure, no more HTTP N points with APIs on them.

There should all be TLS secured data when it's at rest should be encrypted. Even if it's on an encrypted volume or an encrypted database, just encrypted somehow. So that if somebody takes that, that information away without the keys, you're at least stopping at that point, adopt a least privilege model. At least privilege is one of those things that we've talked about or I've talked about for 10 years with beyond trust.

It's one of those phrases that always astounds me that the first time the principle of least privilege was mentioned in writings or, or communications of computing was the ACM in 1973 by a man OME Saltzer, who's one of the architects of the Malix operating system, which is sometimes described as the grandfather of Unix. So this is how far back it goes. And it was that every user and process in the system should have the least privilege to execute. I kind of manipulate that and say the least privilege to be productive.

Because as was mentioned in the previous panel, productivity is one of the key things, least privilege also allows us to start winning users over. And I will come back to that and log everything. These are the kind of areas that you're gonna be looking to implement zero trust again, across.

So again, it's not one big thing. You can take slices out of this. Even within these layers, you can still take pieces out of this start somewhere because otherwise you'll just be an analysis paralysis forever and you will never get to start. And that will be a shame because we don't want to see you on that front page. So there are a number of what I would call fundamental parts of cybersecurity, and they are the underpinnings to any strategy that you take towards cybersecurity, but they dovetail nicely into zero trust because they're all about gaining control over privilege.

And if you think about it, every access you give a user above what they got when you created their user in the system as a standard user is a privilege. So just about everyone in your environment is a privilege user in one way, shape or form, even access to a share. That's a privilege. Those are the kind of things we need to be thinking about and controlling and not just doling out wildly to, to various people. But you need to make sure that the accesses you put in are appropriate.

And this is one of my bug bears, you know, to come in let's, let's see, what's, what's the most secure we need to be. And let's fly that to everyone. And within seconds, the CEOs on the phone saying, take this off of my machine. I can't work. Or somebody is saying, this is stopping me doing my job. I've used it. It's gotten security turned off. It works. It hasn't worked in beyond trust yet because I'm the one defining it. But that's, that's another problem. And it doesn't really matter how the perimeter's been defined because you are not really thinking about the perimeter here.

You're thinking about controlling access to every system in your environment. You're already down in that kind of very segmented, very controlled way of thinking. And zero trust success requires Pam. It also requires good configuration management, vulnerability management, patch, management, change management, all of those underpinning things that will help you implement a more secure environment are all part of the things that will contribute to your zero trust success, because they give you visibility and they give you control.

And when you're in control, you can actually implement simpler cybersecurity models than you can when you just go crazily all over the place. So getting control will actually make it easier, not only to implements trust, but also to look to the next thing and the next control and next system coming in, cuz you'll have the brain space cuz you are in control. And that's a fundamental part of it. The a long eight ways here. And I'll go through very quickly knowing what you've got out there first.

And for foremost, having tools that go out there and find what's on your infrastructure and can tell you something about them, even just knowing that there is a big thing, I dunno about you. I'm sure you've never watched around your office and found an odd carb or box under, under a desk, forwarded out to find a server behind it, which no one claims to know anything about just being able to discover that there, even though it's not connected to your ad, they go, oh, it's not on the ad. It's it's not, not a concern.

It's like, yeah, there's there's eight hackers sitting there monitoring the network. Great continuously enforce your adaptive just in time. Access controls, no standing privileges anywhere. Everyone logs in using a standard user account, everything else is gained through some kind of other control. It's not on their account and we can control how, when, where why, and even have another layer of authentication, maybe an approved ticket or something before they get access to the thing they want enforce credential security, best practices, change passwords regularly, make them along.

And if you use a good Pam solution, like a privileged password session management solution, they never need to see them or type them anyway. So go for OS max length, max complexity. I still want to hang a server on the internet and just go, go at it and try and break the password on that. Cuz it's not gonna happen cuz you won't get close. And by then I'll have changed it six times anyway. So you know, that kind of control. Take those things away from the users needing to work with them, apply, lease privilege.

We have the ability to say for every executable, somebody fires up, I am going to apply certain privileges to that executable and that executable alone and contain those privileges within that executable. So now I can say to you, you can install iTunes on your desktop and you can have the apple update running on it because I'm in full control, cuz that's all that's gonna be elevated on your system. Now I'm the guy who says yes to you rather than the guy who says no all the time.

And I'm beginning to win over the hearts and minds of my users as I enable them to do more and more in their roles by giving them more and more capabilities, segmentation, micro segmentation. Yeah, I know it's pain, but it works.

It gets, it gets through, it gets the system isolated. It gets systems isolated, but don't go crazy with it.

You know, think about what you need to contain within each sphere. I always think of them as bubbles out there, secure remote access, nobody coming into infrastructure. I hate VPNs. Nobody coming into infrastructure, using VPNs or RDP or SSH directly. There are great solutions which will sit on the edge of your network with a, a network interface that way a network interface that way and software in the middle that makes the link happen. Nobody gets direct access. No one has access to the credentials because they're all being managed by your privileged passwords system.

I can chaperone them in. I can invite them without even giving them a credential, have a one time token that brings the vendor in so they can do the maintenance on my system and I'll watch them while they're doing it. I can do it for my users as well. I can give them that kind of access back into the environment, no VPNs, because it doesn't matter where you land that VPN in your infrastructure. It only takes one zero day on a firewall, one misconfiguration. Now somebody has a direct IP route into your infrastructure. It's a horrible idea. Lift your control, planes up if you can.

So you know your management networks, the systems that are talking to each other, isolate those on, on VLANs within your infrastructure, keep them separate and continuously monitor. You've gotta watch what's going on, but you're gonna have less noise in your system because we're not watching what Brian's doing with his admin account every day because Brian doesn't have an admin account. Brian has access to some accounts which have some privileges through lease privilege, but they're only the things that I need him to have access to. So I'm not really concerned about when he's using those.

All I wanna see is when those things happen, when I don't have a corresponding authorization on the back end, and this is where then you get more value out of your seam and your U E B a because they're not listening to all that noise and trying to pick the rubbish out when something unusual happens, Brian's logged into the server, but there's no release on the privileged password environment. It's immediately bad act. So this is again how we lift brain space out for the people who are doing it well, that comes through.

No, I think I might be on time. This is us. We'll be on trust. We are probably the largest Pam vendor in the world that you've never heard of. Just a quick shift, answer anyone in the room ever heard of us. Yes. It's only taken 10 years.

Yeah, we, yeah, I I've gone through 10 years of asking that question, not getting a single hand, which is great. You know, we, we came together. We are four companies who came together bombard beyond trust Aveo and Lieberman software. So we have an enormous pedigree in this space. We invented a lot of technologies that are there, but you know, we, we enjoy what we do. We are the leader in intelligent identity and access security, a new acronym for you for today. It's really just about being smart about what we are doing.

You know, we have these technologies now where we can be intelligent about this, make your security models as simple as you possibly can because then they can fit in one head and people then can respond and react more quickly to what's going on. And when you get zero trust as well, when you've got that level of control, you find that security model shrinks yet further because now it, it isn't about they've got admin. How do I lock it down? It's they're a standard user and they can do this, this and this it's much easier to deal with within that space. This is our portfolio.

I said, we're, we're the largest. We have the broadest coverage of the Pam space as a single vendor and our technologies across all of these areas are underpinned by what we call beyond insight, which is our platform for reporting and configuration of the system. And it also threat analytics connectors for all sorts of things. So as you can see all the things I talked about there from privileged password management, secure remote access, endpoint privilege management, which is your least privilege on the end point for windows. So Mac for Linux, for Unix.

And yeah, we can even do network devices in there. I love watching people with the Cisco, with the tab completion, finding that they can't get to all the things they thought they should be able to, and that they can only change that interface to this subset of IP ranges when they're configuring them. That's always good fun, but I'm, I'm awful like that.

So yeah, as I say, Pam fundamental and zero trust, all those other things I mentioned are also foundational elements. If you haven't got them in place, think about those because those are good places to start. They can be picked off in silos and then you've laid yourself a really solid foundation on which you can build a more elaborate cybersecurity solution. That's just gonna make your life a little bit easier. We got lots of white papers on the website going download away and come and chat to us at the booth.