KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
A look at how 5 of Canada’s biggest financial institutions have tackled the challenge of Privileged Access Management. Sharing similar requirements all went down paths of successful deployments of technologies to protect their clients, and workforce while providing a more efficient user experience for day to day activities. A look at the 5 common steps to success.
A look at how 5 of Canada’s biggest financial institutions have tackled the challenge of Privileged Access Management. Sharing similar requirements all went down paths of successful deployments of technologies to protect their clients, and workforce while providing a more efficient user experience for day to day activities. A look at the 5 common steps to success.
Thank you very much. And, and one thing I try to get from, from every day at EIC is I tried to get a catch phrase or a slogan in the panelists just before us gave me today's zero assumptions and zero friction.
So, so we're gonna talk about privileged access management and, and there's been a lot of presentations in the past couple days and something that I've seen. So now I'm currently employed at RBC, one of Canada or Canada's largest bank, but something I've been in the field as a, as a consultant, as a, as a strategist, as an advisor and something I've seen across all of our banks in the country, they followed certain rules for implementation of privileged access management. So you've heard a number of stories, I'm sure at EIC, I'm gonna try to give you one to, hopefully you can relate to.
So I'm sure at one point in your life, you've had a shiny new toy and I know what you did with it. You did everything you possibly could. You pushed it to the limits. You did all kinds of wonderful things with it, regardless of age, you had that shiny toy and you used it until you couldn't anymore. And then you moved it aside. And why? Because a new shiny toy came in front of you.
So now, now that new shiny toy came in, you started playing with it. You started using it to the best of its abilities, all of its capabilities. And then you thought, I wonder if I can combine them together. And that old toy finally has a new sparkle. And this is, this is how I look at privileged access management.
You know, when I look at it, we look at, at the concepts and, and like was mentioned, I cubed. So when I started in the identity space, it's, it's almost 20 years ago and we always talked about protection and protection was gates, guards, guns, how we lock things down. And then the term, and I have to see where it came from. Identity is the new perimeter came up and I'm sure you've all heard it. And you may have heard it maybe once or twice at EIC this week personally, I've counted it, least 10 times.
And the funny thing about it is the first few times I heard it, I thought, you know, it might be over overused. And then I listened to even the gentleman from Siemens yesterday when they used the term identity is a new perimeter. I thought about it. And it's because identity has changed. So identity is not just a user with a username and password. It's who we are. It's what we are. It's the device you're coming from. So there's a lot more involved and the perimeter it's greatly changed. So now we've all seen what's in the perimeter it's devices, it's where you're coming from.
So I'm sure you've heard a number of times this week as well. You know, the concept of zero trust. So now zero trust. And even the panelists before me mentioned, it deals with account permissions and privileges. But before we used to lock things down and we used to prevent people from doing their jobs. Now we're using technology and solutions instead of the art of no saying, no, you can't have access the science of no. So now it's understanding how you use the technologies, understanding your privileges.
So when you're thinking of implementations or maybe enhancing what you have, because some regulators said you needed to let's look at some of the things that you have to address.
So everything in the cloud, whether it's software as a service platform, as a service infrastructure, as a service, how people are gaining access to your solutions, remote access, whether you're going out or whether people are coming in social media will always include because especially being part of a regulated industry, like in finance, what we post, who we talk to needs to be controlled, how we get access to those outside services. And, and there's, there's a funny thing. Even internally here, I'm sure a number of you use LinkedIn. We use LinkedIn at the bank.
I can't message anybody from it, but I can definitely read all about you. So our, our channels of control are, are privileged.
Now, before we were always concerned about software and technologies. Well, now there's data. Doesn't be big data, but any data. So people before were concerned about stealing money now, datas your currency. What they know about you, who they have access to.
Now, you're also protecting things like the internet of things. And the gentleman before us mentioned it, and I've heard it a few times this week, you have a number of devices and it could be, it doesn't have to be servers like the panelists mentioned. It could be things like badge access into a building. It could be a printer, or I'm sure some of you may have a, an electronic fax machine kicking around. We need to protect the business. So when we look at privileged access management, we need to enable the business to be more secure, to perform quicker, easier, and to secure what we have.
So hopefully this resonates with some of you. Now, this is one of those topics. When you go into privileged access management, I'm sure you've heard the buzzwords before giving the right people the right access to the right data. So that's why we have these three eyes that I've always worked with, whether I was implementing or now as the lead security architect for RBC.
You know, I, I I'm concerned about these things. We have a series of users. There's An odd switch. These series of users. We have to be concerned with the, the, the membership of these users. So we're concerned about who has access are the, the omnipotent beings that have super powered over things, shared accounts, shared accounts. I'm sure in every organization there's help desks. There's people that, you know, I won't lie in my career. I've given a fellow employee an account so they can log in as me to perform my functionality. But then the next bullet point of accountability comes in.
Who's responsible for what has happened. Second to last bullet point is, is a big concern, especially, you know, in regulated industries, segregation of duties, should you have access to what you're doing to, and if you shouldn't, then there's that lack of transparency. So that transparency of did I perform the role? So let let's get into the three eyes. So we're gonna talk about the, what in the who. So whether you're implementing or building or standing something up, we need to do a few things. We need to take inventory. Inventory is much as possible, could be physical devices.
Like I said, could be applications could be solutions, could be badge access into a building, a server room. You need to have something to control your privileges, to then identify who cares. I know that sounds like a funny topic, but when you look at solutions, you know, if you're gonna implement something, you've gotta have someone for money. And someone has to be interested in the solution. Protecting is great, but if they're not concerned about it, maybe they're lower on the priority list. Now who's responsible is a different category.
The responsibility falls traditionally on who gets yelled at, if there's a breach, if there's a functional problem, look at things like what you have in, in your organization. I'm sure there's inactive accounts somewhere.
You know, we've, we've heard this for decades, you know, cleanup, orphaned accounts and accounts from test servers and whatnot, but it's something that we rarely do and we all get busy. We understand it. Now. There's also a learning process that track and monitor what I'll cover a little bit later, but we wanna see who's doing things along the way.
Some organizations aren't ready yet, but over time you will have recorded that someone has requested access to servers important to know because that's how you do the next part and determine those high risk accounts, threat actors, target specific people. They may be privileged users like administrators. They could be executives that have the keys to the kingdom. Once you do all these things, don't just do it once, do it on a regular basis and try to keep up to date. It's very important to know your inventory changes your ownership and responsibilities change.
So now you've got this big collection of material, you know, all of the things in your environment, and now you have to secure them, but you have to integrate with tools because one technology, regardless of vendor, isn't going to be your silver bullet. And you may hear it from vendors that yes, we can do these wonderful things, but they're gonna need help. So when you do integrations for Pam solutions, privileged access management, consider the identity and access management technologies that do the heavy lifting.
So identity and access management does things like the life cycle management, creating an account, deleting an account, disabling an account. So that's where IM comes in. It's your life cycle? The IGA is your governance. So there are programs that do certifications and attestations at the banks traditionally minimum once a year, sometimes as much as once a quarter, depending on the application, we need to churn reports to say, do you approve that Denny has access to these technologies integrations with things like active directory or your primary account repository is key.
You need to know that when a user leaves your organization, traditionally you turn off their, their accounts. You should probably turn off everything they have access to, or at least transfer the ownership to something else. Most of you in the audience, whether behind the scenes or not, there is some sort of it service management technology. And whether it's the way you request access to a privileged account, or whether it's the way you track to see if one was granted and then one was removed. The usability depends a little bit about, about your implementation vulnerability scanning.
It's usually lower on the totem pole of items to address, but when you are concerned about a privileged account, we tend to target systems that are attacked more and vulnerability scanning doesn't necessarily mean that, you know, it's not patched or there's viruses, but maybe your systems that are targeted the most. So consider about your, your systems that are, that are most vulnerable threat analytics number crunching is something. We do a lot at a, a lot of at the bank. We wanna know what's going to happen.
I know we don't have a crystal ball that we can foresee into the future, but we need to anticipate what to protect. We need to know how things are being secured. And if our security is working and that's where Sims come in, there's a number of technologies cloud based on premise, some are for reporting some correlate, some do risk scoring. So you can target systems that are, are more vulnerable.
So now, you know what you have, you know, that there are technologies that have to do your fulfillment and concerned, be concerned with those privileged accounts. Now you need to be concerned on what else to deal with these technologies.
So there, there is some intelligence, there are building blocks, there are standards you need to follow for privilege. And some of 'em are regulatory. And that kind of falls into the policies and controls as well. But if you're doing credit card transactions, PCI, you've all heard it. There are requirements around privileged access in healthcare. There are elevated privileges required for gaining access to systems. Something simple as oil and gas. There are privileges around who can turn the dial on the pipeline to send the oil down the line and controlling that is, is part of the standard.
So do you need education? Do you need services? So it doesn't just have to be from the look and feel of a bank, but there are some building blocks and some standards you need to follow policies and controls. And I think the gentleman on the panel before me just mentioned it define what is a privileged account for you? A privileged account could be just someone that can run a report. A privileged account could be an administrator. A privileged account could be an executive, the needs access to a specific system and their constraints. What can they do? There are privileged accounts.
There are elevated accounts. So the things that you you'd need to do, some definition work and, and any one of the consulting firms, or, you know, you're than welcome to reach out time my contact information's here. Happy to share information that we've looked at in the past KPIs. So these are indicators to prove that you are being effective at privileged access management. It's tough. I won't lie.
I mean, you can implement a tool in several weeks, turning it on and making sure you're not turning the dial too tight or keeping the gauge too open is a difficult task. So knowing that if you're protecting a tax, if you're making jobs easier, if you're making requesting accounts is something that everyone can do a big benefit to you. Accountability. This is something that is a difficult concept, but you cannot put the responsibility on one team. One team may own the technology, but everyone's responsible for privileged access management.
The app owners that are being protected, the users themselves, the managers that are doing approvals and certifications and the wrench Turners that are doing the care and feeding these applications. Lesson learned.
Now, I, I know this is a tough one, but if there's any systems you will get pushback. There. There's no question. You'll get pushback from users that have to request privilege accounts that never had to. Before. I can't tell you over the years, how many administrators of Linux Unix servers that have come to me and said, Nope, I absolutely must have omnipotent control of this account.
Well, you know, when you break it down to their requirements, as one of the panelists mentioned, you, you didn't need all power. You needed to perform certain functions.
And, and in my catchphrase for you guys is, is grow through what you go through. As you go through this process, learn from it, keep developing. Now I know I've thrown a lot at you. The presentation's available for download, and it's easy to gain access to. If you have any questions, my contact information's here. You're more than welcome to reach out anytime via email or I'm available at LinkedIn as well. I thank all of you.
