Analyst Chat #74: The Influence of PAM on WfH, and its Influence on PAM

Welcome to the KuppingerCole analyst chat. I'm your host. My name is Matthias Reinwarth I'm lead advisor and the senior analyst at KuppingerCole analysts. My guest today is Paul Fisher.

He is, um, analyst working with KuppingerCole out of London. Hi Paul. Hi Mathias. Good to be back. Great to have you. And this is the fourth episode we are doing in the area around working from home scenario. So we are one year or more into the pandemic, and we are looking back a bit and we are looking into our crystal ball into the future. What will change for the future? When it comes to cybersecurity home networks, working from home, home devices and people accessing resources on corporate systems, which are on prem in the cloud and everywhere in between you and I.

Paul, we have been talking about privileged access management recently when it comes to dev ops, when it comes to Pam in general, does Pam play a role in work from home scenarios as well? Yeah, I'm in contact with many Pam vendors all the time, as you, as you'd expect.

And, uh, although they won't give, you know, they don't, they'll give out actual figures straight away, but they've all expressed or will have said that their revenue, their sales have all increased in the last 12 months. And they always say, that's purely down to the effects of the pandemic that you were just talking about. So if you consider who uses privilege access management, people that have privileged accounts, they previously would have been working within the enterprise.

I mean, as a, I mean, sort of within what we would call the office space, uh, to give it a more real world term. Um, and of course, many of them have found themselves outside of that. And they suddenly had to work from home. They suddenly didn't have a secure end point or at least they didn't have one that had been set up for privileged access from a remote point, uh, or worse than that. They may find themselves working on a machine that is actually a domestic machine that is literally no security whatsoever.

So if those people, uh, let's, let's, let's say their admin, so are the traditional people that use privilege access, um, cause we can talk about how things have changed, but the admins would still need to have access to systems and servers, um, to do the things that they do, which is to do updates and do maintenance also to provide access to other users to potential privileged accounts. So they need to do that from home.

And so it quickly became apparent that people needed what we call endpoint privilege management added to their laptops, or at least added to the protection that the organization has. So very much it's, it's impacted on privileged access management. And what I was going to also say is that when we're talking to Pam vendors, they also say the market is changing in that people that have privileged access are not necessarily just, uh, admins anymore.

There might be, let's say ordinary employees, let's say, uh, for want of a better term that require access to certain things which would be deemed sensitive or confidential or private or personally identifiable information that they need to do a certain job. So those people have been given privileged access as well. So it's changed the game quite a lot.

Um, and I think when we assess the market, as I am doing right now with the 2021 leadership compass, I think we'll see quite a few changes in revenue and also the kind of capabilities that the products are offering. And, uh, very few Pam vendors will now not talk about endpoint privilege management as if it's a bit of an afterthought. I think it was seen as very much integral whether this will continue.

I mean, we were talking just before we sort of recorded this, that, um, you know, we don't know the long-term effects of the pandemic. We don't know how much people will stay, remain working at home. We can't really foretell that because there's two schools of thought one thought is that companies work better when employees are in, uh, in one place for all the creativity, reasons and productivity, et cetera.

But I think there has been a lesson learned that the world wasn't actually quite ready for the massive switch to home working, remote, working straight away, and a lot of cybercriminals who after all or the reason why we always take all these measures, I think they realized and took advantage of the fact that, uh, there was a lot of unprotected endpoints out there and it was a fairly easy way to find your way into privileged accounts and then move sideways into, into the organization. So we've seen a massive rise in malware and a massive rise in ransomware, especially in the, in the last year.

I don't know whether that's improved till recently. Um, I don't tend to look at numbers of attacks and things. I don't know if you know matures.

Yeah, absolutely. I think there has been an increase in Annie came up with, with some, some stunning figures in the one of the first episodes in this sub series that we're doing around that topic of working from home and cyber security. So there have been lots of texts. There have been lots of targeted attacks, um, that that has changed quite dramatically.

Um, and that is something that I see in my daily life because I received these mails from presumably trust worthy people, which are not who they claim to be. So a colleague, um, ups parcel notification, which I have not ordered and all this kind of stuff is coming in. It's really targeted attacks and it's all around that topic.

Well, that's How they work. Isn't it?

I mean, they, uh, they'll look on LinkedIn and other directories, even Facebook to see, to find people that, that I think may well have privilege access or access to things that they want to find themselves. So the lesson is that don't put too much information about yourself in a public place, particularly on things like LinkedIn, but unfortunately people like to boast.

So, uh, you know, prey, don't say your, your, the, you know, head of anything admin and ahead of admin, uh, uh, a bank sort of thing. Uh, I I'm talking rubbish ship here. Obviously people are going to say what they do for real, but the real threat is though that they, um, people will, like you say, target certain individuals and try and fool them into clicking on things and, or giving away secrets. It's no longer simply about protecting passwords or credentials to, to give you access to stuff it's about protecting secrets.

And I think we've said this before, the secrets can be almost anything these days. It can be a piece of code that is particularly important, or it can be credentials hidden in there, or it can be data of any sort. And I think Pam is starting to be used for, for that kind of management As well. Yeah. I think Pam really came to the rescue in many of the situations that arose with the, with the, um, pandemic and people working from home.

Um, you've mentioned that that many endpoints were not properly protected, but the technologies that are in use in Pam for years right now, they are really helpful in protecting also these end points, starting with application whitelisting. So to prevent, to prevent software, which is not expected to run on a machine from running by saying, okay, this, these are the allowed processes.

And, and I don't want to have a virus scanner guessing what is going on on my machine, but rather decide that there's only a defined set of processes that is allowed to run on my machine at all. At least when it is a highly sensitive. And this is a technology that came with Pam application, white listing is endpoint protection as part of Pam. And as you said, I preached that for years to also consider highly critical business access, uh, to be privileged and to be treated as being privileged.

But that has, as you've mentioned now really changed if somebody is able to in a banking in a core banking system to create clients, to do massive transfers from clients that have just been created, this is something that should be considered as critical as having root access to a database server because they can really change information that can be vital to an organization. And if this is one of the learnings that we are taking away from this pandemic into a post pandemic world, that these accounts are also to be considered as privileged.

I think this is a good thing that we've learned from that. Yeah. I think we, we started an obsession about root and in a protecting root and all that as if that was the, uh, the only way in. So you're absolutely right. I think the other thing is a lot of organizations probably weren't aware that there was already a number of tools within the applications they already use. For example, office windows have security tools within the, that you can unlock to, you know, it helps secure remote access.

I mean, even things as old as remote desktop manager can be used to control access from, from the desktop. So that's another thing that, uh, I think organizations need to look into before they sort of stop splashing out on particular technologies is to see what they can do already. And you'd probably be surprised how much they didn't know once they start looking under the bonnet, uh, or under the hood, uh, as they say, Absolutely. You've mentioned that you're currently planning for, or already in researching for the next version of the, uh, leadership compass, privileged access management.

Are there any developments that you can really directly associate with the COVID pandemic? So if we take our crystal ball and looking to the future, what will be the changes that come from the covert content?

Well, I've been having briefings with a number of vendors already. And like I said earlier, they've already mentioned that that has had an impact, at least for them in a positive way, you know, that, uh, it's increased revenue and, and driven sales.

Um, those that perhaps hadn't had an EPM or did have an EPM, uh, probably, uh, highlighted it a bit more. I think it's a bit of a short, uh, to be honest, uh, between now, between the pandemic starting and now I don't think many of the platforms have changed significantly. I don't think they've added new modules, uh, particularly toward remote working, but I think what they say is that those that have it already, we'll say that, you know, we'll boost we'll promote it more than they did in the past.

We we've seen a number of new vendors, uh, which is, which is interesting, uh, vendors that we haven't analyzed in the past, uh, coming to this year's ligit compass. Another, uh, trend that may be connected to COVID is a greater focus on SMBs and creating a privilege access management platform that is much easier to, uh, to have prem you need admins as well to run pat and not just, uh, uh, to allow admins to have privileged access.

So, and still many platforms. Once you, once you get beyond the sort of shiny outside, once you get into the admin consoles, you, you, you are suddenly in into code and a green screen stuff. And I think that's a bit frightening for smaller businesses, a bit frightening for those businesses that understand that privilege access is something they need to think about, but they're not prepared or they're not, they don't expect the, the level of command line interface. That was the phrase I was looking for. Still a lot of PAMs use CLI is to, to actually do the admin of the Pam itself.

And in 2021, you know, a color, a command line interface to most people, uh, particularly sort of millennials. It's not something that they're really prepared to put up with. And I think we have to start thinking about the sort of next generation of let's call them admins, but actually they're probably more likely to be just employees that have responsibilities for something, and they need to be able to see and do stuff really quickly.

And they need like a dashboard with buttons that do stuff, and they need API APIs that connect to applications and all the stuff that they are kind of used to in the other world of, you know, mobile apps. So that Pam application becomes something that is easier to use and does what it's supposed to very much more easily.

And I think a number of the vendors I spoken to, uh, really cottoned onto that, and they're starting to focus, although, you know, the revenue potentially in SMB, isn't, you, you know, you get one big enterprise customer for Pam and, you know, you're, you've made a lot of money, but I think some vendors are thinking, yeah, but it's almost kind of satisfying to provide a smaller business, a sort of a, a young startup business with Pam that they can relate to. So I think it's becoming more human in a way. So we talked less about credentials and admins and all that stuff.

And to just talk about securing access to secrets, which is kind of what Pam should be. Um, so there was a shift in, I guess, the kind of philosophy of pal, and I think maybe the experience of the pandemic has probably helped that as it has, uh, other areas of computing.

So, um, I'm personally quite, you know, quite pleased to see that. And I've noticed a change that more and more vendors and are moving much more to dashboards and user interfaces, which connect to stuff and hide the mechanisms. Obviously for larger enterprises, they probably will have more of the old-school type of admins that, that love. And I know that coders and everyone else, they love come online interface.

I'm talking more about, you know, the, the general, well, you use, uh, sort of analogy I play around with photography and the level of photo manipulation, you can do it on an iPhone is just extraordinary, just with a few simple clicks, you know, 10, 15 years ago that would have taken, you would have needed a very large PC or a Mac to do similar work. And I think what's great about that is it allows people to be creative without don't have to think about it too much. So I think with Pam, it might allow people to access privilege without thinking about it too much and making it secure.

Absolutely. I fully agree. And I think when it comes to finally having convenience user experience and efficiency for different user groups for Pam, but also for the, for the traditional Pam users as well.

So moving away from this nerdy, geeky admin approach towards privileged access management, more towards a, an end user, a business user oriented focus, if this is one of the results that we see out of the developments of the last 15 or 20 months, when ever you hear that, then that is really something that can only help because introducing Pam into an enterprise or a smaller organization always comes with lots of obstacles. And there are people who just don't want to do that.

And if it feels more like home, it feels more like one of these shiny new cloud-based software as a service architectures, then I think that can only be, um, can only be good. Yeah, absolutely. And that's another thing software as a service or Pam as a service is another emerging area, but talking about deployment of Pam, I mean, we still talk about weeks and months and sometimes even years for Pam to be put into an enterprise and that's going to change as well.

You know, why does a company have to wait that long for something to work, uh, or to get time to value is in the business term? So I think, although there are some rather grand claims for Pam being up and running in a day, which is probably a bit too much on the other end of the scale.

Um, but I think that if we can get more towards, off the shelf or as a service Pam, uh, that's going to benefit a lot of companies as well. Right? Exactly.

And as I've considered Pam also to be a part of identity and access management and a vital part of identity access management, I think, um, this boost that we have seen towards Pam also shows more visibility for this important part of identity and access management and cybersecurity, and in the end also covenance and, and, uh, the principles of, of least privilege of need to know of protecting information whenever it is not required to have access to that. Yeah.

Um, when it comes to our audience to find more information on that, I understand this leadership conference will take a few more months. I expect, Um, it's, uh, expected June. That's the, the, uh, the, the drop date to use our music, the music industry term let's get really cool now. So it's expected to drop roundabout the end of June, I would say. Right. So we will present the first single out of this release within this podcast.

Of course, yes. We will talk about the results that you found out by then.

Um, until then those who are interested in privileged access management could have a look at your, um, the research around pamphlet DevOps that we've already talked about, a recent version of that topic. Of course. And I've seen, there are a few videos you've provided, um, around the topic of Pam also available on our website and I guess as well, right?

Uh, yes, yes, indeed. Yes, yes.

Uh, I don't know the address, but yeah. Yeah. You just type Pam into YouTube, you're bound to come up with something, All, it might be something different, but, um, but at the end, if you would, But, but definitely, definitely it's on our website somewhere. Yeah. Right. So if you're a type Paul Fisher into this search engine that we have embedded on our website, you will very quickly end up with some nice results and interesting results around privileged access management.

Paul, thank you very much for being my guest today for talking, um, as part of this work from home series about the, um, the development and the influence of Pam, um, during this pandemic and the work from home scenario, any final words that you want to add when it comes to what you've experienced, what you've seen with Pam and the working from home center? No, just one final thought was that I've been doing some work on data governance platform as well.

And it's interesting that in, with those where those platforms have some level of access management, so, you know, they decide, or they can see who's getting access to data. They're actually putting a little bit of privileged access in there, which is very interesting so that they can provide, uh, uh, just in time access to something which is Pam in all senses of the word. And yet it's not in a Pam solution. So that's very interesting and something else to watch.

So I think we're seeing a bit of a merger between, like you said, I am Pam and data governance because after all, they're all related, I thought from my side, if you think of this identity fabric that we're talking about, then also these platforms need to be part of an overall identity and access management approach. And that of course needs to include privileged access management. And if there is some Pam functionality, some Pam features building clocks built into these platforms as well.

You need to consider them within this bigger picture as part of an overall privileged access management, at least a paradigm that you want to implement within an organization to be feature complete, to have a complete picture of what is going on in your organization. Great. Thank you very much.

Paul, looking forward to having you in another episode of this podcast very soon and, um, latest with the, with the new release of this Pam leadership compass, the drop. Yes. Okay. Thank you very much. And thanks for being my guest. No problem. Great. Bye. Bye. Bye .