Event Recording

Interview with Dave Wishart


So I talked an awful lot about passwords in my presentation and whether we might be able to get rid of them. So what, what's your view, David? Is it, is it now time to shift to a completely passwordless PAM, so biometric authentication or single sign-on et cetera, or is it a bit, bit too early, a bit too optimistic, a bit kind of brave new world? What, what, what's your view? Because I, I talked about it a lot as well, and I think eventually we'll get there, but you're the expert.
Well, thanks. I, I'm not sure about me being the expert, but I, I, I think we are ready for it. There are, there are in terms of, if we talk about how a connection goes from, from the end user, logging into their laptop to getting access to the system, you can, you can have a biometric challenge to log into your laptop. You can have an SSO authentication into your PAM system, and then you can use a certificate-based, ephemeral certificate-based approach to get to your target system. So that that's as a simple scenario where you can see that in that, in that whole journey, you do not need any passwords to be vaulted or to be rotated. So I think, I think it is possible, but I also accept that there are, there are use cases where passwords are still needed, particularly for like legacy application access or, or even break glass where you want to have some way of connecting to your system, should your privileged access management system be down or something like that.
So I, I, and I think for, for those, then, then you can, I think you can still, you can still see there being a password required, but I think in the, in the main, for the majority of use cases, you can go towards a passwordless approach. And I think it, it, it makes more sense to do that, especially when you consider having servers that are being built and being built and spun up and then ripped down quite quickly, like having a highly elastic environment. I think it makes more sense to have just-in-time certificates rather than passwords that are being rotated.
Yeah. And the break glass is actually a, a very good point. And I was talking to one of the delegates just now in, in the, in the speaker's lounge about this, that, how, how, how can you break glass on an account if it doesn't have a password? So perhaps we could move similar to, to sort of my idea of a high value account, where those would be still protected by passwords all the other way around, you know, how, how would you break into a, if, if you wanted to access a privileged account that doesn't have a password.
Okay. So yeah, so, so I, if, if you're, if your privileged access management system is, is down and you can't get access to via your privileged access management system, then getting access to something like a non-privileged account with, with a password. And then switching up to the, the relevant client could be one way of doing this and then, sorry.
It's okay.
Sorry. So you could, you could switch, switch up to the account from a non-privileged account and then any access that's going to the, the break glass account. Then I think that should be alerted like, so that, so that basically the access to the break glass account should never really be used. And then when it is used, then you should get an alert for it and people should say, right, what are you doing to get access to that? I think that's one way you could still probably have to use a password to get onto a system. Yeah.
Yeah. So we won't, as it's a long way into the future, passwords are everywhere at the moment, but let's move to something else that you, you talked about quite a lot, which is also very important, the balance between speed and ease of access. And that comes up all the time. You know, security wants to make things well, not hard to get access to, but they need to ensure that they're secure, but then the end user just wants to get on with their job. And the trend in business tends to favor that viewpoint that we need people just to do stuff quickly. So it's a hard balance for PAM vendors to, to strike. So where do you see, where do you see any progress coming in that area?
Well, I, I, I think whenever PAM solutions first came onto the market, I, I think it was probably generally accepted that they, you know, didn't need to be that fast. And the security aspect of it was more important, but now more and more customers or prospects that I talk to, this is becoming far more important to them. And, and also if, if they want to like really sell this internally, they have to, they have the, the security architects and the security, the security function, they need to sell it internally to the operations people. So if the operations people look at it and go, no, this is gonna take me twice as long to do my job, they will, they will reject it. So I think the operations teams they're, they're they're, they know that there are solutions out there that they can, that they can work with quickly.
So I think there is, there is definitely, it's very important to have a really like cohesive user interface that makes it easier. It makes them want to adopt it internally. I think one of the biggest hurdles for the security team to, to get over in terms of selling things internally is not always the security aspects, but how much is this going to impact my operations team? You know, are they going to be resistant to doing this? And if they are resistant to doing it, I know from my time working at Deutsche Bank, whenever we had security, security imposed on us, everybody was like, well, how do we, how do we get around this? Or how do we make things or keep things the way they were. So I think it is really, really important that, that, that, that, that the, the PAM solution really is fast and easy to use.
Otherwise, otherwise you'll, you'll struggle to sell it internally. And even if you do struggle to, to sell it, or if you do manage to sell it internally and get it deployed, then the operations team will, will not use it or find ways around using it. So it is, I, I think nowadays it's, it's really important, especially also with when people are moving to cloud solutions where they kind of, people expect things on demand, like with everything. Now people expect to be able to do, like, watch a movie with a click of a button, like in, in every aspect of their life. This is kind of the way we expect things to happen now. And I think getting access to your system to do your job is, is similar. And I think most, most operations teams, you know, don't want to wait anymore.
Yeah. And the other thing is, you know, we have gen Zers, ORs, I don't know which, which one it is, but anyway, young let's call 'em young people younger than us that also expect that kind of bandwidth and ease of access that they got used to in, in social media, et cetera. And some of those guys are likely to be working in some of the places that we've been talking about, like DevOps and content creation and all that stuff. That's becoming high value. Do you? Cause I, I said in my presentation that maybe there's too much privilege. Do, do you think companies are a bit, you know, a bit risk averse, so they just start creating privileged accounts for too much?
I, I don't know. I, I think it, it, it often just depends what, what organization you work within in terms of like providing too much access. I've certainly, I've certainly seen both sides of it where I feel like some, some, some companies we've spoken to have felt like they're almost like quite draconian in terms of like, no one is allowed to do anything other than through the PAM solutions or, and then you, I've also seen far too wide open access. And I think it's, it's that balance that needs to be struck to so that you can basically get your operations teams and your security teams, both, both aligned. So I think it's, yeah, it's, it's, it's hard to say a yes or no on that. I think it it's probably depends on, on the, on, on the C involved in the culture within the company as to whether they have too much open access or not.
Yeah. I think culture of the company is, is vital. You know, you mentioned big banks, maybe energy companies, people, companies that in the sector, they might actually be in, tend to be more careful, maybe about staff than perhaps a smaller, more nimble, I don't know, startup somewhere. Yeah. So let's change the subject a little bit something that obviously we can't get away from. It seems like it's, that's embarrassing. There's someone at the door. So these things happen. Let me, I'll ask my question, then I'll answer the door. How, what effect will coronavirus have on the long-term IT operations and consequently privileged remote access?
Yeah. Well, I, I, I think basically what it's done is it's, it's opened Pandora's box, if you like. Everyone has started working from home. And I think in the main, most people have still been able to do their job, get on with, to, to either a higher degree of, of effectiveness than they were when they're working in the office. And I think getting people to come back into the office is going to be actually quite tricky for a lot of businesses because their, their work staff will basically be saying to them, can you prove that your work environment is as safe as my home at the minute? So I think that that's, that's something that people will, you know, certainly a challenge that we're gonna have to overcome in, in, in the next months or, or year. But then I think also with that, people need to start thinking about right, is my remote privileged access?
Is it, is it just, is it as good as when someone's in the office? And it's almost like you just have to consider your privileged access, like another application, another business application, can my, can my workforce do their job from anywhere? And if they're doing it from anywhere, do they have the right amount of auditing and security and authentication along that, along that the, their, their journey to get access to, to wherever they're going. So I think more and more what's gonna happen is that working from home is just going to be, it, it is already an extension of pretty much the office. So there is no perimeter on people's offices if you like anymore. So I think, I think what, what people are gonna expect is whenever they log in from home or from the beach or wherever they want to have the same access, the same ability to do their job, just wherever.
So I think that's something that companies need to consider. And I think as well, certainly with whenever the outbreak first came out and everybody there was a huge, like shift to working from home immediately. I think a lot of corporate VPNs really struggled with handling the, the immediate bandwidth. And I think it's worthwhile considering whether you want to have a VPN that could be swamped and then stop your, your critical IT support staff being able to get into their organization. So I think that's, that's something as well, that should be considered long term. Like whether you should have a remote access system, that's either cloud-based or rather than behind a VPN alongside a VPN.
Great. I wish I hadn't given the postman privileged access, but nevermind, let's just see you, your company talks about lean, lean access management, which I guess would, would assist in exactly what we've just been talking about when people want access from places which are no longer traditional desktops, et cetera. And, and, and part of that is, is multi-cloud and the, the way that companies are moving to multi-cloud strategies or distributed clouds, what, what, what do you see the, the effect on privileged access management in, in that, in that scope?
It's quite interesting actually, because I, I think the one thing that I find is that it, there seems to be no silver bullet at the minute for privileged access for almost every use case. So I think with moving to multicloud, it certainly opened us, opened up opportunities to us for having a lean PAM solution that works within a multicloud environment. And then we basically work alongside traditional PAM, which provides access to the, the on-premise. So, so one thing I, I do think is that having, when, whenever companies are moving to like a, a, a cloud solution or a multi-cloud solution, I think having it, it gives them basically a new opportunity to look at what PAM systems are available and which ones are actually best suited for which use case. And I think a lot of them are starting to accept that it's, it's difficult to get one, one solution that, that fits every use case. And having, sorry. Yeah, go ahead. So,
So we, we might be moving to sort of multi-PAM as well, hybrid PAM, so maybe different parts of organization use different PAM.
Yeah. Possibly. Yeah. Yeah. We, we certainly, whenever we are talking to, to customers about particular use cases, they'll often say, yeah, that this, this part of our network's already covered, but this part of our network, it, you know, the, the solution we have in place just doesn't really work that well for it, it doesn't scale up enough and we're, you know, we're, we're open to looking at new, new PAM solutions. So I do feel that with, with the companies bringing more, having more of a multicloud strategy, it's kind of it's, it seems to have created like a second wave of people looking for PAM, even, even if they've already got a, a traditional PAM solution in place that they, they are more open to looking at something that might be actually better fit for their, their cloud or their remote working or, or things like that.
And, and finally, do you see the emergence of PAM as a managed service? So PE companies would take, say for example, SSH technology and then create their own managed PAM service.
Absolutely. Yeah. Yeah. I, I think so. So we, we already work with Fujitsu in this capacity, so they, they have PAM as a service and vex is, is, is runs under the hood for that. I think I, I also talk to a lot of managed hosting environment companies and managed service providers, and they very much want to embed a PAM solution in the service that they provide. So I, I do, I do think that having PAM as a service within a managed service is definitely something that that's, that's there already. One thing I'm not quite sure on yet. And I think this will actually come is when you have like a full, like just SaaS service of PAM. And that's something that we're looking at internally at, at SSH, but it's, I think sometimes it's, it's get wondering, you know, our customers will, will they be ready for a SaaS service of PAM or not? And you know, that that's, that's something that's, it's, it's, it, it requires like quite a lot of like market research in terms of like, you know, is, is this actually gonna be something that, that customers really want?
Great. Okay. Well, I think we're outta time for questions. I really, as I said, great presentation, and thanks very much for your conversation as well. And I look forward to talking to you again, I'm sure the, the PAM market is, is developing in all sorts of ways. So it'd be great to be there for the ride as it was. So,
Yeah, yeah, yeah. We we're enjoying the ride so far. So thanks so much for everyone at KuppingerCole for setting this up. It's been really, really good. Thank you. Okay.
Back to you.
