PAM for the People

So I have the goal of seeing if I can do this on time, but thank you all. Say five minutes when it's nothing. So thanks for being here. And of course this is late on the Thursday, so everyone is getting a little bit tired by now. So I'm gonna talk about Pam for the people. And I resisted the temptation to use card marks as the team for the presentation. So hope you will appreciate that a little bit first disclaimer, for my employer, all the last provides the information with best intent. Please understand the information and in your environment, of course your choices might be different.

What we do. So what is Al Delas? And it's a bit funny to work for this company because we usually operate through our, our operating companies. We have 20 operating companies in the United States on the Eastern seaboard and in large parts of Europe, not in Germany, but in Belgium, Netherlands, and large water Southeastern Europe. So it's funny sometimes when you talk to Americans, wonder what kind of company it is. And I would say, well, you shop a stop and shop.

And I say, yes, well then shop at me. So we are about 400,000. So internal users for the employees. And if you add also our franchise users and some of our closer B2B and partner users, we have about 800,000 users in the system, 20 opcos. We have one of the larger food retailers in the world. Walmart is significantly bigger, but we one of the second or second tier to give it all the unsimilar. So the reason why I'm here is that what we've been seeing is that if you look like five, 10 years ago, cyber tax was mostly something that you cared about.

If you were a multinational company, if you're a, a national institution, if you worked in defense or if you were having some kind of intellectual property that was, you know, sensitive. But what we've been seeing over the last couple of years is that even mid-size companies get hit. So previously we, we have a large substitute department and we've been spending a lot of time working with our large partners to make sure that they have all the cybersecurity stuff in place, send them long, you know, hundred pages stuff to fill out and that they have all the certifications.

But what is hitting us now is that the, all of the partners that actually supplies are stuff that we sell in the stores are also being hit. So a lot of mid-size businesses, and these can be quite large.

You know, it can be a thousand or a couple of thousand people sometimes, but these people are, you know, raising chickens, harvesting salad, they, they don't really do cybersecurity. They might have one or two people. So one example here is, is one of our suppliers back at logistics.

So they, they slice shes and package it and ship it out to our stores Nuland. And they got hit by Ranvir attack. We had no shes in their stores. This is very, very, very disturbing for a Dutch person, not being able to buy shes. So what we concluded was that you all, you have to kind of do something about this. So how do we look at what we do and what other multinationals do, and then scale it down so that it becomes relevant when the cybersecurity department is, you know, half an FD, one FD or something.

So we looked at the different cybersecurity parts, and we had a quite simple model with the in, through and out. So the idea is that, you know, the attacker gets in somehow might be through Aing email, might be run. A system has been patched, who is exposed on internet. They do lateral movement. So they walk around your systems. They try to get some kind of privilege to get the good stuff. They then do the out part. They might encrypt data from ran somewhere. They might steal the data to be able to blackmail you or just damage you.

And if they're really evil, they also destroy your backups or compromise your backups. Now, yesterday evening, we had a discussion about from Microsoft. I said that think about the children. And of course, if you are attacked by a state actor, they will probably get in. But these people who are in the, in the medium market, in the, they are not gonna be attacked by state actors. They're gonna be attacked by 17 year old sitting at their mother's basement. So think about the children and make it a little bit harder so that at least you will not have a 17 year old getting in.

So if you look specifically on Pam, so what we've been doing is that we have set up a, we already have a technology transfer program towards our smaller supplier. So we try to kind of share the stuff that we do from technology point. But we added that cybersecurity components. We went out and talked to them and said, Hey, this is what we're doing. This is what we think you should be doing. And we have area such as MFA. We have how to, to make sure that your network is not wide open and it's it's commonized and Pam is one of his points.

So what we looked at is to say, okay, you will not do what we do cause you will not build, you know, five different Pam systems, hopefully, but you will have some form of Pam. So you start out, this is a more like that is coming from tic. You start out in the lower left here with analog where you, you know, your Pam system is an Excel sheet. You go to basic where you at least can start shaking in your accounts, do some very, quite strong improvements. You don't know what to do. The advanced, where you have things like session management, session recording for ice principles, cetera.

And then on the upper right corner, you have the real advanced stuff where you, you know, just machine learning, AI to find outliers and be able to find one, Something is happening that shouldn't be happening. And most of our suppliers are in the lower left corner. So the goal is to lift them a little bit upwards. So the first thing you usually have when you talk to your suppliers, they say, well, you know, I have a cybersecurity business of budget of having half an FD and like 50 K or a hundred K investment. So do I need to go out and buy a Pam solution?

Cause that is gonna eat my budget for the perception is that that's gonna eat my budget for the next three years? Well, I would say that just like the previous discussion is that the first part of, of Pam is to see where is your critical business process? What are your crown jewel applications and who has access to them? That is usually the, the first step. And that actually takes quite a bit forward. And then once you know who, what you have that is critical, you can see who has access.

And then you can talk to them and say, please, can you not use the same password for the financial systems as what you use when you buy tools for your garden? You could also say that, you know, you probably have a quite small light department. So if you can convince them that perhaps if you use a different account for your normal day to day emailing, and when you are, you know, root on the servers or domain admin, that will also help quite a lot.

You know, you can still have a problem that you can get your normal account compromised because you got a link in your, in your email, but then at least you made it quite a lot harder for attacker. They can't just send you a fishing email and sudden in their route consider using a, a, some form of a password manager.

Again, the credential staffing and the reuse of password is the, the easiest way to get in. So if you have a little black book that is better now, you perhaps don't need to consider how you protect your black book and enable MFA on the key accounts. And the key systems, obviously there's different can, can always discuss that. You need to not use SMS cetera, but any form of MFA is better than no MFA. Another big discussion point when we talk to our suppliers is that, well, should I use a Pam in the cloud or on premise?

And for this point, I would say that the traditional Pam systems can be very, very large and very, very expensive around the, it is not uncommon that a, a PAMs classical Pam system has like 50 servers between QA and production. And the reason for that is of course, that you need high availability and you often need disaster recovery. So then the service just expand and suddenly you need a huge budget for building it and also for maintaining it. It's also true that configuring a conventional Pam system is not easy and it's very easy to, to get it wrong somewhere.

And I've been the QI director on a couple of when I was in consulting, I was the QI director and a couple of projects where it was really, really good Pam systems built by the best in the business. And still usually we found something that they misconfigured because there's just so many things you can do wrong. So running it in the cloud means that at least you have the standard build and it's probably done, right. And depending on, of course, what kind of business you are, if most of your business is in the cloud already, why should your Pam system be on premise?

If you're a very, very conservative company and have everything on premise, okay, Pam, trap's not the first system to move out, but consider this. So the other part is that we're seen is that the biggest cost for Pam implementation is not really the Pam system itself. It's the rollout. So when you try to get the systems onto your Pam platform, and there's one critiquer show, you can make conventionally when you did Pam products, should did horizontal say I would do all my Linux servers. I would do all my, my, my window server.

If you have a limited budget consider going for a crown jewel implementation instead. So you do everything for specific systems Integration with IM really recommends the SSO part. At least you don't have separate passwords. Also life cycle management is really good, both from the, the removal and the addition, if you don't have removal, the risk is that your admins still have access even after they left the company. If you don't have ad, you're gonna get a lot of angry managers come and visiting you because they're very expensive contractor cannot get in.

And again, MFA is a very good thing. And remember the, the, sorry, the remember that it's a good idea to have a good process for getting people out of the, the, the building, if they have done something bad. So thanks for listening.