Event Recording

Panel | Best Practices for Effective Privileged Access Management


Hi there and welcome. We'll have, we've got a, a good collection of people here, so let's go through and do a brief round of introductions. So why don't we start with Paul, if you say hi.
Yeah. I'm Paul, Paul Fisher. I hope, yeah, you can hear me. Yeah. Good. I'm a Lead Analyst with KuppingerCole and I've been covering PAM. So keep it short.
Yep. Fantastic. We'll move over to Denny. If you can give a, a brief introduction of yourself for those, those of us who weren't here for the entire day.
Hello everyone. I'm Denny Peru from the Royal Bank of Canada. I'm, I'm recently, I spent 20 years in the identity space, similar to Martin, and transitioned from the vendor space into a client capacity, working for the bank. Now I'm their lead identity architect for RBC.
Fantastic. Thank you. And Justin, why don't you give us a brief introduction of who you are and where you're coming from?
Justin McCarthy, co-founder and CTO at StrongDM, and our PAM is particularly focused on infrastructure access and those members of technical staff who need to access sensitive workloads every day.
Fantastic. Now Martin is going to be joining us in just a moment, but we will invite him into the conversation when he arrives. But I have a few questions for you and I'd love for this to be a, a discussion. So I'll certainly name somebody to, to give an answer first and we'll make the round robin. But if you have something that you wanna contribute, give me a signal and make sure that there's room for you. And yes, and Martin is joining us now. Martin, for anybody who hasn't been with us in the earlier sessions, could you give us a brief introduction of yourself and how you come to be an expert in PAM?
So my name is Martin SUD, and I've been working in the IAM space for about 20 years now. And my latest engagement was at Al house, which is a global retailer where I ran the IAM engineering team, which includes PAM. And I'm now in the process of moving over to Ikea. So I don't know what land of meatballs and flat-pack furniture connected with my, my roots in Sweden. I'm already a Swedish, but I'm also American and lived in Germany and the UK. So
Fantastic.
Lots of experience from different places for you. Yeah.
Good. You can bring that cross-cultural experience as well as the, as the many different PAM implementations. But to, to bring us to our first question: name one common mistake that organizations or CSOs make when planning a deployment of PAM. Denny, why don't you kick us off?
I hope this isn't going to get me in trouble with some of the vendors, but I would say vendor tie-in. A number of vendors provide some great features and great functionality, but I, I think finding the right technology to suit your needs, not, not every vendor is a one-size-fits-all. So that may be possible to get different features and functions from different vendors to provide what, what you need for privileged access.
Great. Justin, let's move over to you.
Okay. This isn't gonna be a particularly original answer, but I'll of course say underestimating the number of conversations that are necessary to both inventory systems, yeah, and roles, and then correspondingly just understaffing that estimate. So that's, that's the number one that, that I'm always looking out for.
Yeah. Makes sense. Paul, what's your take on this common mistake?
Looking at price first and also deployment times as promised by vendors. All that should really come, come at the end of your process. So find out what you need first and maybe think about budget second. I think if someone says to you, oh, here's, I don't know, a hundred thousand dollars. You've been budgeted to implement PAM. Well, that's gonna limit you a bit. So I know that's easy to say, but not a lot harder to do in reality, but focus on the need and the technology first.
Right. And then over to you, Martin, what's your take on a common mistake that organizations make when to when planning a plan, PAM deployment, excuse me.
I think the thing that I've seen in most cases is that they, they underestimate the effort of actually rolling out the solution and therefore they burn through all of their time and their budget on just the technical implementation. Then you have a nice, shiny PAM solution that runs no business processes. And in most cases, I think most organizations are much better off to have a, a simpler solution that perhaps they need to expand on later with fewer features, but actually has some applications running in it.
Great. Thanks for your thoughts here. And now moving on to the topic of CIEM, C-I-E-M: what is your take on the impact this will have on PAM and the PAM market in general? Is this something that we could imagine replacing PAM or working in parallel? What do you think? And let's go then in reverse order. So we'll start with Martin here.
So I think that you're gonna see, and it's a very interesting part because what you see is there's lots of new vendors trying to get into the what's called the kind of traditional PAM market as well. So you have all of the, the IIG vendors are kind of throwing their hat in the ring and becoming PAM vendors. And you also have all of the, the cloud solutions, of course, had their own PAM solution. But in most cases they've now attached some on top of that. So I don't think that the PAM functionality is probably gonna be around for a long time. If you look at large organizations, we happily have a lot of solutions that were built in the sixties or seventies. You know, we still have the mainframes. There still is a Iraq for those likewise, I think there's gonna be there. What was seen as the core PAM solution is gonna be there for a long time, but for more and more companies, especially for younger companies that are kind of cloud native or where there's a subset of the organization that's cloud native, then CIEM is becoming very important because that's where all the stuff is going.
Very interesting. Paul, what's your thoughts here?
Yeah. I mean, Martin is absolutely right there. I think I am still has, as I said earlier, it has features that CIEM doesn't have, which are attractive to many organizations, particularly the ones like Martin just mentioned. So, you know, they have very good analytics, they have good governance, et cetera. They also have privilege escalation, but even within the PAM world, I think that we, at some point will have to move away from the password and vault system. And I think that's where CIEM is starting to have an advantage because it's just in time, it's certificate based. But some of the newer players in PAM are also offering ephemeral access to privileged accounts. So to answer the actual question, it's already having an effect on the market, in the PAM vendors are, are sort of racing to, to catch up. But I don't think it's a case like I think Martin is right. I think PAM will be around in its current form, maybe not throughout an entire organization, but maybe in parts of an organization where the infrastructure still needs that kind of platform. So, but it, it does made it's made life quite interesting, certainly in the last two years, seeing these new vendors come along.
Great. Thanks for that analysis here, Justin, over to you.
Sure. So I'll say the emergence of, I have to use the hard C. So I have to say "Kim" to distinguish from SIEM, which I, which I also have occasion to say almost every day, but to my mind, it's, this is just a good thing. You know, the, the technical implementation details are of course different, but so many of the needs are the same. So if, if there are products out there that can converge some of these use cases, I think that's great.
And Denny, what's your thought?
I wouldn't, I wouldn't try to differentiate my thoughts from my other, you know, Paul, Justin, or Martin. The, the thing I would think of is now timeframe. As soon as you guys mention the mainframe, you know, especially being in the financial space, I could think if I had a, a government employee tell me once the time it takes us to roll out a new service is the time it takes us to migrate off of an old service. So if you think of the speed of how governments and banks and insurance companies introduce new technologies, it's probably about how long it's gonna take us to get off of legacy technologies like mainframes and stop using on-prem PAM.
Yeah.
Interesting. Yeah. And I, I think maybe I should, as a, as a kind of disclaimer, I think analysts, in our world, we tend to be not ahead of the curve in terms of, oh, we're, we're ahead of you. But I think we, we, we we'll be talking about stuff a lot ahead of where it actually starts to be seen in the real world. So I wouldn't say that, like, you know, there's so much out there that is, is legacy stuff. So yeah, I think that's what I'm, I'm trying to say. Don't get too excited by what I'm saying, but I'm kind of undermining my whole position outside it's
Well, thank you for that, Paul. We'll move on.
Yeah.
Another larger question. What's your thought on, on treating all identities as privileged actors, and creating dynamic fluid access management flows that could be spun up or down and deleted after use? What is your thought on this? Why don't we start then with Justin?
Okay. So, so if the question is, should we, the answer is of course, and absolutely, but the answer is of course, and absolutely in the same sense that we should all consistently eat healthy and exercise. Right? So the hard part about all identities act as privileged actors and in dynamic fluid management flows, isn't intellectually knowing that we should do that. Right. The hard part is of course, carrying it out consistently and then carrying it out at scale. Right. So that's the hard part. Absolutely. Let's go do it. Let's not give up, let's start today, but let's also acknowledge that there's, there's going to be no silver bullet. There's no button to push that achieves this outcome.
Yeah. Martin, what do you think about this? Yeah,
Well, I think there's actually a couple of organizations that have done this. And one is, and because they've spoken about that conference, as you can talk about it and what they tend to discover is that the hardest part of doing this is trying to explain to auditors, what calls them are you doing? What does this mean? So this is a great idea, but it's going to take quite a lot of effort to, to implement this and, and do not underestimate the time you will spend with auditors trying to explain that. No, no, I don't know who has access to what. I will only know that in the same second as they tried to access it. It's a very different concept for how we have historically been doing our auditing and all of that risk management.
Great. And then Denny, how would you respond to this?
Yeah, I think even, even, even in, over above the auditors internally, a lot of organizations don't have that knowledge on, on a hierarchy or a role-based access control methodology to say, this is a privileged actor that can do these certain things versus this is just a general user. To Justin's point, I'd love to see it be more dynamic and more fluid and easier to control with, you know, just a common identity. But I don't know if, if we're all there yet.
And Paul, what
Do you, yeah. I mean, I haven't got much to add to what had already been said. It's, it's, it is the dream, if I may use that phrase, but what Martin said about the auditing is, is incredibly true. And that's one reason why PAM in its current form is, is, is a strength because of the logging and the way it can interface with incident management platforms, et cetera. So yeah, it's, it's the way for it, but we need to crack the governance side of it as well. Yeah.
Right. Yeah. Thanks for those insights there. And now if we bring our, our gaze to the PAM market itself, are there too many vendors who are playing in this space? Does it lead to better choice? Does it lead to more confusion? What is your take on this? Let's go in reverse order. So we'll start with Paul.
Yeah. So my, I would say, no, we have remember that the number of tends to change due to natural occurrence of mergers and acquisitions. Thycotic and Centrify famously merged to become Delinea last year. But I really don't think there's too many vendors in, in the space right now. That might seem strange, but there is enough of a difference between the way those vendors do stuff. There is enough choice for different size of organization. There are those vendors, like I said, that are moving more towards an ephemeral way of doing stuff. So does it lead to more confusion? Possibly, yeah. If, if you are starting out, if you were suddenly given the task of, of implementing PAM, you would look at the 23 odd in the space right now and think, well, that is overwhelming. But of course that is why we do Leadership Compass so that we can identify those with which share our leaders. Which one thing, one thing I wanna say about our Leadership Compass, people, particularly the vendors, always focus on the leaders. So they always wanna be up there, which is, is obviously fair enough. But it doesn't mean that we say that everybody else in, in those reports is somehow inferior. They, they just perhaps don't have the reach. They don't have the resources of the, the big, big guns, but their technology is still worth looking at. And I would say that there is no PAM vendor which has technology which is not worth looking at.
Yeah. Over to you, Denny.
Yeah. I'll like what Paul said. I don't, I don't think there's too many vendors. And one of the things I'm very happy about over the last couple decades, PAM solutions and PAM vendors have started to use common terms and phrases. So some of the confusion is, is going away. It, it, it was really challenging before to know when someone would, would talk in a certain term or about a certain technology configuration. Aside, it gives us more choice.
Martin.
I think one thing that adds to the, the challenge in this space is that it used to be, if you look, five years ago, you had, you know, you have IG vendors in the box here and your ERs here, and you have your access vendors here. And if you wanna run enterprise, you need one of these, one of that, that, and they put it together and then you have a coverage. Now you have that, the solutions go a lot into each other. And that I think is, can be very confusing and, and hard for people that have not been spending a lot of time in this space to see, okay, but do I buy a CME per a C Meg solution? Or do I buy an access solution? And then, or how do I do this?
And Justin, over to you.
You know, in many cases I'd say competition is a great thing, but, but, but this in particular, I've, I've grave concerns. So I, I think I would, I would invite other vendors to reduce the confusion by simply joining our team instead. So it's really simple. So, so yeah, let's reduce the confusion in the number of vendors. That'd be great.
So in a, in a larger sense, thank you for the, the discussion and, and your thoughts on these different questions. We're coming to the end of time. So I'd love to do a rapid fire 20-second answer to our final question on the list, which is how can we manage multi-cloud infrastructures better by using PAM? So Justin, why don't you kick us off?
Initiate and participate in open standards committees.
Martin.
Think through what you really want to achieve before you get to solutioning.
Great. Denny.
I was just, Justin took the words right outta my mouth. If we all did it the same way and followed a similar flow, so much confusion would be eliminated.
Great. And Paul.
Yeah, follow, I think not necessarily something to do with PAM, but perhaps if we could persuade the cloud service providers to line up their terminology and ways of doing things, it would help.
Great.
With, with PAM or CIEM.
Then once again, a big thank you to all of you participating on this panel. It was a great discussion and the audience appreciated it as well. Unfortunately, we don't have time to get to all of their questions as well, but as you know, please reach out to the speakers. I think they would be more than happy to continue the conversation with that. Thank you to all of you.
Thank you so much.
Thank you.