Privileged access management is really an important topic, and so far today we heard a lot of interesting stuff about trends and challenges and how to do it. I'm very happy to also welcome our panelists here and today's speakers in this panel, where we will talk about how to address enterprise security challenges within PAM. First of all, I would kindly ask you for a really short introduction of yourself, and some words about you and your role, for the people who haven't attended one of the previous sessions. Let's start with Joe.
Hi everyone. My name is Joseph Carson. I am the chief security scientist and advisory CISO at Thycotic, based in Tallinn, Estonia, and have been in the security industry for now close to 30 years, doing various different roles, primarily doing research and also creating content, authoring books, and normally speaking at events globally. But this year has mostly been online digital events such as this,
At least via the internet. It's also global, that's the excuse. Thank you. Vibhuti, what about you?
Hi everybody. Vibhuti here, chief cloud officer with Saviynt. I've been in the security industry for 20 plus years, doing identity security and governance. And at Saviynt I run Saviynt's global cloud platform and cloud security products. Looking forward to having a good discussion today.
Thank you. Okay, David.
Hi. Yeah, I'm David Wishart. I'm at ssh.com. I look after our partnerships globally, and I've been at SSH for the past four years. Previous to this, I worked in various enterprise technology roles within the finance industry in Europe. And yeah, it's a pleasure to be here.
Thank you. Okay. So first question, maybe we start with Vibhuti. What are the important privileged access management trends in your opinion, especially when looking at your role focused on cloud?
So, Chris, I would sum it up into three specific trends to look at. One, the risk, and consolidating the view of security and risk in an organization's ecosystem, which entails the convergence of IGA, PAM and cloud security technologies under one single platform. The second one would be, with the rapid push towards applications and the remote workplace, you have to start looking at how you can do effective and creative ways to do privileged access management for applications. So diversification is the second trend, because PAM solutions cannot just be infrastructure focused; applications are going to play a very, very big role in the upcoming future. And lastly, we all hear the trend zero trust, but doing zero trust effectively is again a very, very important aspect of your PAM strategy. Don't just fall into the trap of zero trust as a naming convention or a lingo, but do effective zero trust by going through aural account and access based provisioning, ephemeral role based spa, and effectively doing zero trust is the mantra and the next trend, which a lot of PAM solutions are already looking at and doing.
So effective zero trust would be the last trend I would be focusing on.
Okay. David, what about you? Anything to add besides risk, remote workplace and zero trust?
Yeah, I'd also add into that the move towards cloud and multi-cloud environments as well. I think that's gonna play a really big role as companies become more cloud savvy in terms of what cloud platforms they use. I'd also say, whenever you integrate with your identity management platforms, making use of context based authentication, and also the behavior analytics, I think that's also going to really come into play as well.
Okay. Thank you, Joe. What about you?
Sure. So for me, I think one of the biggest trends that I'm seeing in the industry, and it's not just in PAM by itself, it's actually across the entire security industry, is making security usable. I think that's one of the biggest things, and the challenge that we have is actually simplifying security so that people don't look for ways around it, that they actually embrace it and use it. So I think that's one of the areas that we really need to enhance and enforce and look to innovate in: making security usable and acceptable, and getting people excited and positive about security that actually helps them do their job. So that is an area that I see as something that is important for the success of the future. The second major trend is really around the emergence, basically, and the integration of both security and risk.
Well, we don't do security for the sake of security. My background experience is very in depth in security and ethical hacking and pen testing and identity and access management. However, my job is to help the business be successful. So we have to look at how basically we apply everything we do in security to a risk-based approach and business resiliency. So there's a big convergence and basically consolidation of those together, making security be focused on the risk side of things and enhancing the business. And these are kind of some of the major trends. And of course, there's also the adoption and acceleration of using things like OT and IoT, where we're seeing the importance of access management within operational technology, such as SCADA controls, you know, smart devices, hubs, automation, and rowing vehicles and transportation. So those are probably the three areas that I see having accelerated trends.
Mm, thank you, Joe. Joe, you are a very experienced cybersecurity professional. How challenging is it for you to tackle insider threat and to determine if an organization is really doing enough to address it?
I mean, that's a great question. Many organizations struggle with insider threats, and when we look at most insider threats, they are sometimes referred to as the unsuspecting, unknowing victim. They don't know that they're doing it in many cases. So it's a case of basically convincing and making sure that people don't abuse their access. And it really comes down to putting controls in place that actually know what employees are doing. Actually, you know, even myself, I was a domain administrator for a hundred thousand servers, and it's about me not abusing my, you know, privileges, in order to focus on doing the right things. But it's actually increasing the risk when I do things like maybe logging in directly using a domain account on many servers, and actually risking doing that remotely. So one of the things that we need to do is make sure that, as people are using their privileges, they know they're being monitored, they know that they won't get away with criminal activity.
They know that if they try to copy data outside the organization, they're not gonna get away with the crime. And that's what you do: you put the controls in place that prevent people from abusing their privileges, knowing that if they actually do it, they'll be caught in the end. And that's what it's really all about: auditability ultimately will actually prevent people from doing abusive things. But at the same time, you know, that's gonna be the majority. You're never gonna get what I refer to as the suicidal insider, who just doesn't care, but you wanna make sure you actually get the majority who are doing it accidentally or unknowingly, or just even changing jobs. Simply knowing that they won't get away with it is the key thing for preventing insider threats.
Thank you, David. Anything to add?
Yeah. I'd also add to that. Actually, it's kind of what Joe was mentioning earlier: it's making the security platforms that you use really easy to use, so that insiders, whenever they're doing their day to day job, don't actually feel like this is getting in my way. Your access solution should try and make it easier for them to actually do their job. And I'd say traditional PAMs have had a habit of, you know, getting in their way, and people not wanting to use them. Whereas I think there's definitely an opportunity where we can basically make the way people access their systems easier.
Thank you. What about you, Vibhuti?
Yeah, I mean, I think Joe and David both have good points, but what I wanted to tell you from my observation is that when you talk to any organizational CISO, and if they come up and say that, yeah, I have one tool or 10 tools to do that, that's not enough. You can have as many tools as you want, but until and unless you understand what's going on with your tool, you embed the findings and you do it as a continuous improvement process, no matter how much investment you make in tools, it's never going to be enough. So focus on people, focus on processes and focus on what your tools are telling you, and what you really need to improve on. Do you need to inform and educate your people, as Joe mentioned, that they're not gonna get away with this? Or do you have to fix your processes, and then use that and combine that with your security investments to come up with the process? It's an ongoing continuous process. You are never going to do just enough. That's the key here.
Thank you. David, you as a representative of SSH, what should security and risk management leaders do in general to ensure an effective privileged access management solution?
I think that number one is get buy-in from as many people as possible before you get started. So from the end users: you can't just look at this from a security perspective, you have to get the people that are using it to buy in to what restrictions you're going to impose on them before you can go ahead with the project. Then once you get buy-in, make sure that you are integrating effectively with your SIEM tools, as well as your identity management tools, and try and have as broad a coverage of your environment as possible. And if that means that you have to use different tools for different use cases, then accept that that might be part of the solution as well. You don't have to have one silver bullet to do everything.
Okay, Joe, I think
Absolutely. I mean, I had an interesting conversation a few years ago with the CEO and the CFO. It's not the start of a joke, but it was something that was quite an interesting conversation. And one of the things I had learned from that particular conversation is that anything we do, in order to be effective, we have to show the return on investment. Simply, it has to be a business focus. It has to show return on investment for the business: how it helps the employee do their job better, how it makes them actually be able to be successful in meeting their metrics and goals. Security isn't in place just for a checkbox, and it's not in place just to basically, you know, reduce the threats. It's there to make sure that the business is able to have resiliency. And during that conversation, the CFO made a simple point: what is the cost of doing something, actually putting a security control in place, and the cost of doing nothing? And that simply gives you basically your metrics and your understanding about what the tangible value is. So everything we do in regards to making it an effective implementation has to be return on investment. How are you helping the organization achieve its goals? And that's the primary priority of everything we do. How are you helping the employee be successful, the partners, the shareholders, and the executive team, to make the company more resilient?
Thank you. Vibhuti, what risks does uncontrolled privileged access management pose for a business from your point of view?
Yeah. Fair enough, Chris. I think the first risk is obviously the financial implication. We all hear about the numbers and statistics which come as part of the data breach studies. And leaving aside, or barring, the financial implication, the intangible risk to an organization is the trust which customers are placing when they're placing their data with you as a cloud provider. And if you lose that customer trust, it is an irrevocable aspect of your business. Your customers are not going to come again and place their data, or any other service which you have been offering. So the financial implication is one which is still manageable. The irrevocable customer trust is an intangible, or the biggest threat which you can have to your business. And lastly, but most importantly, the damage to the business reputation. It takes years to build a business reputation, and if you take privileged access lightly, I mean, look at some of the breaches which have happened in the last few months. The amount of tarnishing which has happened to these business reputations is just insurmountable. So when you start doing an analysis of what risk you are carrying, you are going to look at the tangible risk, the financial risk, and the intangible risk in terms of trust damage and reputation damage.
Thank you. David, which emergent cybersecurity requirements should a modern privileged access management solution take into account, from your side?
I think what I'd like to see taken more into account these days is the user behavior analytics, and making sure that whenever you have a privileged access management solution, you can use that user behavior analytics to either reduce the authentication levels that are required or increase them, depending on the context of where they're connecting from, or whether they're doing something that's pretty normal, like in their day to day work, or doing something that's quite unusual. And then you can introduce higher levels of authentication. So I think that's one thing I'd certainly like to see.
Mm. So mainly based on one of the trends you mentioned at the beginning, which was privileged user behavior analytics. Very nice. Joe, from your side, five minutes left, so probably one of the last statements here, the famous final words in this direction.
So that was for me, was it? Yeah.
Yeah. It was your opinion about what a modern privileged access management approach should take into account.
We've heard
Yeah. We've heard a lot about, you know, we've heard the discussion around passwordless numerous times today, and I think we should step back and really understand what passwordless means. It's actually not passwordless, it's actually about less password interaction. It's about reducing the amount of interaction humans have with passwords, and it's moving to the background where PAM solutions can actually take control and automation of those. So I think really the modern requirements should be about where you actually reduce the touch points for people to interact with passwords, whether it be generating them, creating them, choosing them, entering them. As much as we can reduce those interactions and automate it and integrate it with other security controls that actually move those to the background, such as what David mentioned around behavioral analytics, or access workflows, or proximity based alerts or biometrics, or those all into the solution itself, that actually ultimately reduces the interaction between humans and passwords. That way we can actually reduce the threat landscape and reduce the target of employees and humans getting cyber fatigue and becoming the targets of cyber attacks, and actually make organizations more resilient. So looking at not passwordless, but less password interaction.
Yes. Thank you. Less password is a good point, because if you start to annoy the users, the administrators, by asking for a password, a second factor, they find solutions for how to deal with them in an insecure way. Anything to add from your side, Vibhuti?
Yeah, certainly the landscape of an organization has changed drastically from what it was five years before to what it is today. That landscape has changed, but organizations are still thinking about solving privileged access the way they were doing it five years back. So if your underlying landscape, if your underlying infrastructure platform and application layer have changed, it's time for you to think about PAM solutions in a different way, and something which really requires an evolution to happen. So that's number one, where you start thinking about the next gen PAM solutions. And second, don't bring all your focus on technology. Don't get dragged along by the new terms like just in time and zero trust. Focus: the biggest battle which I have had, especially when we were doing cloud transformation at ATS 8, 9 years back, was the mindset. So start educating your people and start focusing on processes, because technology will fall in place. Don't let your employees or your users think cloud is just another data center. It's not. You have to think about focusing more on people and processes. Technology will find its own way. To sum it up, thank you.
Okay. So thank you very much. So today we talked about things to address with enterprise security challenges within privileged access management. We heard a lot of very interesting stuff. We talked about risk. We talked about remote workplaces, zero trust, how to deal with cloud solutions, usability and user behavior analytics, also for privileged users. And don't forget processes and organizational things around that. Thank you very much to David, to Vibhuti and to Joe, and giving back to.