Event Recording

Paul Fisher: In the Future PAM will Become Embedded in the IT Stack

Paul Fisher will expand on his analysis of how Privileged Access Management platforms will develop support for DevOps and other key users. This will mean that certain PAM functions will be embedded within the technology stack, opening up password-free and secure access paths and enabling rapid task fulfilment.

There it is. I'll be talking a little bit about what I see is happening with privileged access management in the near future. I've subtitled this "In the future, PAM will be embedded in the IT stack", but that's just part of what I see. I intend this presentation really to be more of a kind of discussion starting point. I'm not saying that everything I predict is gonna happen or that it's necessarily correct, but I think that there are some trends in the market which suggest that some of these things may happen. So there's my quick agenda today. So I'll quickly open with the business and security landscape that PAM is now operating in. And then some of the challenges that PAM platforms face with the never-ending growth of privileged accounts and the number of users that wish to access them, then a thorny issue that is central to PAM today.
And that is, can we get rid of passwords? A lot of, most PAM platforms still use a password management system, password rotation, and issue passwords through a vault. There may be ways we can reduce that reliance or get rid of it altogether. And then finally the future itself, where we, as I said, reduce reliance on passwords and move to higher value, what I'm calling high value privileged account management. So that's the agenda. Let's get into what I see as the business and security landscape. And I've broken this down into business technology, business processes, and then security integrations, and then security processes. Not all of these will be happening in every organization, but at least some of them are, depending on the size of organization, the type of business it's in, its market sector and so on. So of course we have cloud. Cloud has been around now as a thing, as they say, for, you know, a good 20 years or so, but it's still on an upward curve.
There are still many organizations and many, sorry, many sectors such as manufacturing that are only just beginning to explore the potential of the cloud. And beyond that, we have a distributed cloud, where it is no longer just one cloud that an organization may be accessing, but many. And these clouds will be a long way from the central organization. Virtual machines are very, very popular, virtualization. And then all of this is leading to a sort of hybrid architecture in many organizations. DevOps is something that we've been seeing grow in the last probably five to 10 years as organizations wish to become more competitive. They need to respond most internally and externally. So internal software applications and internal development need to happen a lot faster. And that's why we've had things like DevOps, containerization, agile working, et cetera, which means that the business demands more agility in software development.
And IT security is sometimes slightly behind in managing DevOps. And related to that, of course, is containerization. We're seeing more automation, which is a good thing, and more AI and machine learning, still at a very early stage. Really, when we talk about AI in applications these days, it's really machine learning. We're a long, long way from actual artificial intelligence. As I was saying to my colleague, George, just before we came on air, the exam results fiasco in my country shows that algorithms are a long way from predicting anything like what might happen in real life and a long way from taking over from teachers. That's for sure. And finally the internet of things. And so business processes are changing: mobile working, where we all know about mobile and remote working and how the whole world has changed in the last six to eight months.
Thanks to COVID, which sadly is still with us, but it has fostered quite a lot of innovation. This very event that I'm speaking to you at today probably wouldn't have happened so early if it wasn't for COVID. So there are some good things, but it also has meant that organizations need to balance mobile working and remote working and ensure that those workers are working securely. Related to that is of course compliance: the pressure on businesses to meet GDPR and other compliance regulations around the world. We're seeing third parties into the business process. We're seeing customers in some sectors and also vendors being given access to what once was off limits to them. And I've already said agile development related to DevOps. Collaborative working, that is increasing at the moment. That's for sure. It's kind of forced us into being more collaborative using IT because of COVID.
So therefore we're talking more on things like Zoom, Microsoft Teams, et cetera. And we are using probably more of those collaboration tools that come with things like Teams than we were before. So we need to see more and better security integrations. So with things like SIEM, security incident event management, so that we have a better idea of the security landscape or the risk posture of our organizations. Excuse me. We need to make better use of analytics. Multifactor access and single sign-on are becoming much more important, particularly for that remote working. And as I said, customer access, identity access management, and of course privileged access management, which is what we'll be talking about in a minute, are becoming central to the way we do business. And finally, some of the security processes that are important: incident response. So how we deal with those incidents when they happen. And we have to now accept that we live in a business world where unfortunately cyber attacks do happen and they tend to happen successfully, as far as the perpetrators are concerned. So we need better security management, we need better forensics and we need better auditing and reporting. And before we do any kind of security investment, we need to up our game in risk assessment and risk management.
So privileged access management, I know that most of you here will, you know, pretty much understand how it works. A user requests privileged access to an account, the PAM platform approves that, issues a password. And then you get access to the ever increasing number of accounts and services that need privileged access, including social media. I put the Twitter bird down there. A lot of people don't realize that access to a corporate social media account is a privileged thing and it should be used carefully. And we've seen incidences of how social media can be abused and how it can affect the company. But of course, privileged access management today is a lot more than simply a password management system or a password vault. We have all these things: shared access control, application to application privilege management, endpoint management, just in time, single sign-on and behavior analytics.
Now all of these things have added up to a very comprehensive set of solutions from many vendors, which do much more than just issue passwords. However, because of that extra feature load and certain complexity, we have a number of what I see as current challenges for privileged access management, and the development of PAM will very much depend on meeting some of these challenges. So, as I said, we have a number of big players now that are offering feature-packed suites versus some smaller players that have started to emerge in the last couple of years with more innovative, perhaps ephemeral, tools. So is there a balance that we need now between feature sets and speed of access? Because if we go back to our DevOps example, the speed of access is very, very important and neither the business nor the developers can hang around waiting for privileged access or to code or anything that's defined as privileged.
How do we define advanced PAM? Vendors talk about advanced PAM, but sometimes we find ourselves still wedded to vaults, passwords, and session management, and then they add layers on top. Now, certainly, and I want to make clear throughout this presentation, I'm not suggesting that we strip away all those layers. Those layers are actually very important, but is there a better way of perhaps sectioning off some of these layers and, as I'll come to in a little bit, is there a way of proving access for certain PAM accounts? Does PAM really understand some of the operational nuances of different sectors? For example, the health sector, something that also has been very much, obviously, in the news recently, right around the world, where I'm sure that people on the ground have had to work in a much more exceptional way.
And part of that job will be accessing data. So does PAM, or do PAM vendors, cater for the sector, such as health? Finance, again, a very demanding sector. Manufacturing, a sector which has traditionally been seen as being a little bit behind the curve on IT developments, but is catching up. But again, manufacturers, finance people, health people may have different definitions of privileged access. They may have different definitions of privileged accounts. And how far is PAM now supporting hybrid architectures and distributed clouds? Does PAM still sit in a kind of a mindset of protecting a closed environment, almost, you know, something with a perimeter, or is it ready to support hybrid architectures and distributed clouds? So here's the big question. As I said, passwords are central to most PAM solutions that we have on the market, but I've come up with this idea that we've created a kind of a PAM password pressure cooker, which, with so many passwords out there and our shared accounts as well relying on them, is putting a strain on services and security. And this is because the physical level of IT, the expanding IT estate, virtual machines, clusters, et cetera, are causing a rising demand for PAM passwords.
We are having more IT, so we get more privileged accounts. That means more passwords. The speed of deployment: lines of business, as I said earlier, and development teams, unknown to add more service and systems on demand, they spin up things on AWS, et cetera. Credentials may be hard-coded into apps. They may get challenges on AWS or Azure things. This, again, in the traditional way will require more passwords to control this. And then we have our friend legacy IT. All of this is being pushed through in many organizations, in manufacturing and even, sorry, finance, through what I call the creaking levers of legacy systems, which makes it harder to process a password based system.
So is there too much privilege? That's the other key question to this. Are we overdoing it in the number of privileged accounts that we create? So there is proliferation of high value data and services, and there is more high value data and services being created in businesses. So that suggests more privilege. So how can we reduce perhaps the reliance on vaults and passwords? So, as I said earlier, a risk management or risk assessment is always the best place to start with any IT security deployment. We should look at which privileged accounts access the most at risk data and services. And we call these high value accounts. And these are not necessarily admins. Admins do a lot of sort of bread and butter, keeping the lights on stuff, which gives them privileged access because they have to access other people's machines, et cetera, but that's not necessarily high value in terms of what is value in the business.
So maybe we need a sort of separation of duties: who needs access the most and who needs it fast. So we can call this agile PAM, agile high value privileged access management. We need to reduce the number of passwords. So we need to shift these high value passwords, sorry, high value privileged accounts to things like just in time and ephemeral and password free access. And those systems are starting to appear on the market. And can we move PAM, parts of privileged access management, closer to the source? Could we use automation and AI tools as AR to speed access and reduce the security load? So a certain amount of the admin stuff is done automatically. And then we create a zero trust and least privilege environment to access high value accounts.
So I've talked about PAM ops there, and this is really a kind of higher level view of where we might place the high value PAM accounts and how they might be able to access the stuff they need on a faster and more agile basis. So let's take away some of the layers of traditional PAM. And when I do that, I'm not saying we get rid of them altogether, but for certain high value accounts, such as DevOps, such as perhaps people don't need access rapidly to financial data or M&A data, that kind of thing. Then these guys here can get rapid access straight to the data they need. And most, or some, of the administrative stuff will be done automatically. But these high value accounts have to be very, very carefully given out. They have to be risk assessed and they have to be monitored. Which is where analytics come in. So to sum up, and I think I'm in time, I can't see the clock here, but I'll go through what I see as six possible futures. Privileged access management: PAM suites, as we see them now, and high value solutions, as I've christened them, will continue to sit side by side. And PAM, I keep reiterating, I'm not saying get rid of all the good stuff that's there. PAM still needs to be regulated and monitored by controls.
PAM vendors: some of the bigger ones may split their own suites, or they may develop high value solutions themselves, or they may acquire some of the specialist vendors and technologies which are appearing on the market. And people are already developing encryption standards and passwordless solutions that are just a technology in themselves, but they could be easily applied to a PAM solution in the future. We need to see greater use of AI, machine learning and automation to boost efficiency, accuracy, and across speed, time to value for privileged access management. We're gonna see PAM continue to grow in market sectors. More smaller businesses will likely adopt PAM in some form. They may not use some of the wider suites, but smaller businesses, as business becomes much more interlocked. We talked, you know, third party and vendor access. So some of these smaller businesses will become part of the bigger businesses' distributed architectures as well. So it's very important that they also regulate privileged accounts at their end. Organizations will control what is becoming a bit of a PAM overload. So they restrict users or they limit accounts or perform a better discovery solution.
We may see an eventual phasing out of passwords. It'll take some time, but, excuse me for that, as the ephemeral certificate and token technologies start to appear, then we might be able to look forward to a day where we get rid of passwords, and we may get rid of shared accounts too. Finally, my goal or my vision for PAM is: it doesn't matter where the user is or where the data is or where the application is or what the privileged account user is, is this a thing or is it a human, but their access should be seamless, fast and secure. So seamless, fast, secure privileged access management is the goal. Thank you very much.
