Privilege Access Management (PAM) is changing, driven by the move of most businesses from on-prem IT applications and infrastructure to the cloud, resulting in a multi-could, multi-hybrid IT environment. This has resulted in a proliferation of privileged identities that need to be managed. Join PAM experts from KuppingerCole analysts and iC Consult as they discuss the need for organizations to modernize their PAM capabilities to manage access and entitlements in today’s complex and volatile hybrid IT environments, that can operate at the speed of the cloud and grant access dynamically, based on tasks, toolchains, and workloads.
Paul Fisher, Lead Analyst at KuppingerCole will talk about the main trends emerging in PAM and he will explain why there is a need to modernize PAM to support the new and emerging needs of rapidly changing business IT environments. Johannes Hauer, PAM Lead Consultant will give an overview of the iC Consult’s methodology for PAM assessments and explain how to prepare to implement a future-proof PAM capability. They will also talk about the key success factors in starting a PAM initiative and the need to modernize PAM.
So let's have a look at, I always do this or I soon to have done it on the last few webinars anyway, but talking about the, the business demands on it, identity management and security. Cuz quite often we don't always remember that behind every piece of technology is a business demand or a business reason for it to be there. Before that, let's get kick off our first poll. So I'm asking what do you think is the biggest challenge to security in multi-cloud environments? Three choices. So number one, credentials, secrets or data left on protected in the cloud. Number two, no control over privilege accounts with which have access to cloud or three poor cloud architecture design and a lack of network hygiene. So those are the three choices you can vote now, we'll just give you 30 seconds or so to to do that.
So what is the biggest challenge in security Multi-cloud? Is it credential secrets or data left unprotected? Is it no control over privileged accounts with access that have access to the cloud or poor cloud architecture design and a lack of network hygiene? One of those, either of those would be bad. So, okay, so most people have now voted. So let's move on into the main part of the webinar. So I said we talk, we don't always talk about the business demand, but here are seven demands or topics that businesses are looking for in modern organizations. Post the pandemic post, the economic problems that we have all had to endure across the world.
Business now is looking a lot more for more agile ways of doing things. That includes in right across the board really throughout all the lines of business. So right from HR through to marketing, product development, depending obviously on what kind of sector the business is in. But everything needs to be more agile, it needs to be more rapid, it needs to be able to respond quicker to changing market conditions. We've seen that in in almost all sectors. IT those, those those businesses that can innovate faster, that can respond quickly to customer demands are the ones that are doing better.
And internally that also means then that the pressure is on for those groups within the business such as developers, production professionals, IT managers, security people, of course identity managers right up to the CSO and the CIO need to rapidly roll out services and products to meet the agile demands of the business. We need to improve those infrastructures. And quite often this will mean moving to the cloud because we all know cloud has huge advantages in terms of flexibility, deployment, speed, agility. At the same time costs are going through the roof virtually everywhere raw materials are cost more, they're in short supply. So anything that the business can do to reduce costs for itself or from its suppliers and then pass on those cost savings to its customers, they will look for. Related to that of course productivity. Productivity is a word that is used a lot recently, particularly on a macroeconomic scale.
So various economies are seem to be low on productivity and others a bit higher up the scale. But productivity is also a micro thing. So any business and the industry, any place where people and machines get together to produce something, if they can produce that in less time for less cost, then they will increase productivity and, and while this is happening, data, it used to be rather misleadingly said a few years ago that data was the new oil, which isn't really true. But what is true is that data is now ubiquitous. There are huge amounts of it being created every day again in micro and macro forms. But increasingly businesses now realize that there is if not oil there, there is gold in as much that some of this data if is harvested, if it is looked at properly, reveals some hidden secrets about how the business is run, how customers respond, et cetera. And of course as I mentioned earlier, something that we're sort of focusing on today and that is the cloud is where most businesses are now looking to, to put it in a more every day vernacular put stuff. So they are the business demands for the, that we're seeing right now.
And the consequences of that is that types of cloud or cloud technologies are now seen as the majority pattern of how businesses see that they can get to some of those demands. But the, the cloud itself has has split into many areas and many businesses will have clouds in this. Like they'll have multiple clouds operating within the business. They will access clouds for not only their own business but obviously also from partners et cetera. We're seeing the rise of what can be called shadow cloud where lines of business are because it's so easy because you can set up instance on AWS pretty quickly and easily and you don't, you can use any credit card to pay for it, but we're seeing the clouds are being run up, spun up and used by businesses which are not formally part of the IT infrastructure except that they are because as soon as that cloud is used, as soon as that cloud is deployed, it connects in some way to the existing infrastructure.
It's not controlled though, that's the key thing. So we see software as a service, increasingly applications are run as a service, we're seeing platform as a service. So where applications are developed within the organization and of course infrastructure itself is becoming cloud driven or created in the cloud and all three of those saying multiple cloud, shadow cloud, sarpa and I, shadow cloud SA pass, I are all mixed up and all become almost like one thing very hard to manage. In added to that we see the rise of coders, developers, the importance of coders and developers within organizations. They are taking on a new importance. They are seen as the engine that drives innovation, that drives the development of applications, et cetera. But they are the ones that are using and creating all, all the multicloud shadow cloud, etcetera. So we need to move into more of an area of entitlement management where we can manage how users are accessing clouds, moving more towards a zero trust type of model. And when it comes down to privilege access management, which for a long time has been seen as the defacto or the default way of managing those identities which have access to high value high security entities, we have to start thinking, is existing privilege access management agile enough for this new world? Is it agile enough for the consequences of cloud which are related to the business demands?
So that's the background, that's kind of a very high level view of what's happening in organizations and in business and in it, in it. Let's look at some trends within privilege access management market itself. Before that, let's do our second poll before we get into pretty access management and ask, does your business currently have any form of PAM in operation? So the choices are no, we are investigating the market for a solution, yes, but we do not use a dedicated platform. So you may be using some kind of DIY privilege access management based on existing technologies or three, no we think we are happy with the PAM you have at the moment so you can vote now, we'll give you SSA about 30 seconds. I'll just take a quick drink.
So just letting those votes come in. So number one, we are investigating the market for a solution. Yes, but we do not use a dedicated platform as in one off the shelf, one from a vendor. No, we think we are happy with Pam that we have at the moment. All right, so let's close that. Thanks very much for voting. So I at KuppingerCole have spent the, the last three years working closely with prime vendors and right the annual privilege access management, leadership compass, the the third one I in the process of closing right now that'll be out before the end of 22.
What I've noticed, these are some of the key things that have, have emerged, at least for me in the last three years that we prime is kind of both a mature and not a mature market. Which is interesting because each year these seems to be more entrance into the market, which is unusual and these entrants are coming from different parts of the globe. So places like Asia, South America, et cetera, which have kind of disrupted the status quo of the established big PAM vendors and those, those entrances have actually stimulated quite a lot of innovation and then they've seen gaps in the market and they've particularly seen opportunities for Pam for cloud. We're seeing a kind of divergent slightly of where pan providers provide a suite products. So the idea is that they have a number of modules that in theory if you buy into that you should be able to cover all bases of privileged access management.
So they would have things like privilege elevation, they would have application to application privilege management and they would usually have a very robust set of analytics tools. But we're seeing, as I said, with the new entrance, we're seeing a more app approach which kind of strips out some of those areas of privilege access management, which have been bolted on over the years to make them more complex applications. And they've sort of gone for a cloud native and lean approach, which does the basics of Pam in that it does manage access to those things that businesses want to keep secret. And very recently we've seen the emergence of what has become known as cloud infrastructure and entitlement management solutions, which is very much disrupting the pan market because it's doing exactly what I've just said. It is taking one part of the sort of technologies and focusing on what we've been talking about in this webinar, the cloud and you know, managing entitlement for crowd. It also does away almost with the idea of privilege in that it just allows organizations to manage what identities have access to what entities on resources.
It does it more on a zero trust and more just in time basis, which I mentioned here, it starts to move away from passwords and vaults so that we see these technologies are using PA certificates or more other ephemeral forms of authorization authentication and gives access to identities for a very limited time. So they can go in, do whatever they need done and then it'll be shut down. So the pan market, as I said, is kind of mature and immature because it's, it seems to be very dynamic and is actually exciting, but it also makes it harder perhaps to find the right choice if you are a buyer. So finally then your deployment or pan deployment needs to adapt a little and it and this slide can actually apply to many technologies that we talk about on a daily basis CO with the growth of cm, with the growth of passwordless and just in time solutions.
Much of relies on automation, it relies on stuff that once would've been manually configured, needs to be automated. And we're now seeing that the automation of this is possible and that it is safe to allow the platform to use some form of machine learning or AI to automate those capabilities that in the past may have had to be managed by administrators et cetera. We're seeing that a centralized monolithic approach or pan platforms and and their related policy engines are not necessarily suited to the cloud and the cloud way of working. So we need more dynamic, more dynamic access to resources, data cetera. The idea of having a big pan platform is still, is still valuable for many organizations. It's valuable for large scale organizations, it's valuable for those organizations that have existing privilege, privilege accounts which don't change that much, which always need access to the same kind of thing that is still useful to have that as a centralized platform.
But what we're seeing is the teams that are using technology in your organization are increasingly moving out of the co CIO or CSOs zone of influence, CISOs of becoming, you know, enterprise position. They are burdened perhaps is the the right way to use it, but they're kind of burdened with with strategy, accounting, budgets cetera and overall planning while that's happening they've got guys in in devs in development that are doing exactly what I said right at the start, which is buying their own clouds, et cetera. So we need to think about how we manage that and how either technology or admins which don't need the level of skill that they needed in the past can manage privilege access management closer to where it's happening. We need if we can, to enable zero trust as far as possible. This is not about zero trust this webinar, but zero trust where you treat every identity as untrusted and only trusted once you have verified it.
We need to verify, entitle and secure, but we need to do that rapidly and we need to do that dynamically. And again that comes back to if we verify entitled and secure on an agile basis dynamically we are pleasing the guys that want that access but are also pleasing the policies that exist within your organization for access. And we are pleasing the business that is getting stuff done. So pan deployment has got to adapt and that doesn't just mean whether it can be deployed in the cloud on premises, et cetera or SaaS IT needs it's, it's also about how you think about deployment. And I think I'm slightly out of time here, but I just want to show you basically where we see Pam sitting right now in this new identity flow in the new world of PAM and cloud infrastructure entitlement management.
Basically it, it sits there between the identities who then need access to cloud services and that's where they find the resources. So here's some stuff to think about before I hand over to your, your choice is wider, no doubt about it. The choice of PAM is wider than ever. The tools are all good, they all have capabilities that are worth looking at, but that makes it actually harder I think particularly if you already have a, if you bought into sopa, but finding it doesn't cover all the uses that you need. So you need to define, redefine your privilege framework, think about what privilege means in your organization and decide on what are the essential capabilities that you need. Embrace that optimization in infrastructure as a service in ops and how that can be as can assist and start about those PAM tools which cause going back to this slide, fit into a more dynamic resource entitlement and access management architecture such as we see here, which can cope with all six types of identities, admin, developers, end users, machine, third party and end points. So explore those solutions and think you know carefully about how your organization is set up. And with that I'm going to hand over to Johanas Howard who is a consultant with IC consult and he'll be talking about the future I hope. Thank you.
Thanks Paul. I want to talk a bit about implementing modern and futureproof pump solutions and we will take a look on following points. First, what are the challenges with implementing a pump solution? What are the advantages of a classical pump solution? What pump models we have and what modules we have and what does this modules offer? And at least a roadmap how to, how to build up and plan a pump project and how I see could assist you. The challenges we have a current number of more or less visible cyber attacks, attacks involving privileged accounts and complexity is a security risk and it's with growing complexity the security risk is getting higher. The overview of existing privilege accounts and who's using them is missing more and more even when it comes to the topic cloud. In the last two couple of years, remote work and VPN became a much bigger part in most of the companies and there is an ongoing and growing transition from on-premise to the cloud in general. And at least when it comes to pump, there's always the topic regulations and compliance.
From a security aspect, nearly 90% of all preachers involves human failure and nearly a bit more than 60% of all preachers involves stone credentials. And mostly it needs human failure to steal credentials and with these credentials and that tech can assume a new identity comparing to the real world. It's like visit a military base with the keys of the commander, it could end in a nightmare. The most important risks for business and 2022 are cyber business interruption, natural catastrophes, pandemic outbreak and changes in legislation and regulation. And as you can see the numbers are for, for cyber incident and business interruption are high, 80% of all preachers involve privileged accounts in opposite to this 60% before it's not stone credentials, it's privileged credentials in general, 85% of cyber attacks are done through compromised and points and related to windows. 96% of critical vulnerabilities could be mitigated by removing local administrative rights.
But if this is so clear why securing privilege accounts on premise or in the cloud is not part of a lot of infrastructure designs and applications as well. While there are several challenges, the first and the biggest challenge is the complexity. The world is in the state of continuous growth and change and complexity is growing as well. Often there's no global identity management accounts are start in active directories locally or within applications. And when it comes to cloud, we have applications that are in the cloud infrastructure and there are accounts that are related to the cloud management infrastructure. It's hard to prevent sharing credentials for privilege accounts on a technical level and the LI limit of the limit access on access points. So using a firewall or VPN has in high administrative effort and there's no handling on application level. So if there is excess on application level, firewall cannot cannot block that.
When it comes to cloud transition, the number of accounts is raising and it's getting more complex because with the cloud management level there is a no permission level with multiple roles and access rights. There are cross application and platform authorizations, there's excessive privileges and there are rapid deployment and limitation cycles. For highly regulated industries, there's an additional point that is regulations and compliance. For example, banking and healthcare are required to maintain and comprehensive audit trail of privileged user activity and in more, more most cases they are driven by enterprise policy level and from industry regulations and compliance frameworks with on board tools that are offered by Microsoft with Windows or any cloud provider regulations can be mute functionally maybe, but in most cases not audit proof and there's always in high administrative expenses. The advantages of a pump solution target goal is zero trust and lease privilege and that should result in a reduction of complexity, raising security and mid compliance.
With a pump system we have a central access point to the whole company infrastructure and a central management of privilege accounts for human and also for machine accounts we can implement strong authentication. We have access control based on a roles and rights concept. We can implement password visibility revocation, we can automate authentication to target assets and we have automated password provisioning for technical accounts or applications and at least for compliance recording and monitoring of all privileged activities. When it comes to different infrastructures, most manufacturers of pump solutions are really flexible, building them up on premise or in the cloud as software as a service or hybrid infrastructure with parts in the cloud and for example the database on premise because some customers want don't want to store their critical data in the cloud. But when it's getting to cloud, what about managing the cloud infrastructure?
Cloud infrastructure entitlement is pump versus or with cm. So traditional pump technologies were mainly designed for human and not for machine identities. And in cloud infrastructure, privileged entitlements are frequently assigned to regular identities that often belong to services. And when it's coming to pump we have to separate cloud management infrastructure from the cloud infrastructure. So from a pump perspective, these are two separate points to be honest, pump tools currently have limitations in sea, in obtain and inventory of entities, policies and identities. It's hard to identify overprivileged relationships between roles and identities and there is no way to dynamically generate policy changes to enforce least privilege and at least behavior and risk on analytics is also how to achieve these problems are related to the cloud management infrastructure for the cloud infrastructure itself. For the most pump solution, it make no difference or not a big difference if the service are running in a cloud environment or on premise.
Pump tools are not designed for highly dynamic resources and that's a big problem. The outcome is that currently seem it's not possible with traditional pump, but pump can correlate with SIM solutions very good. And SIM solutions like amatic are focused on disability detecting and remediating IM misconfigurations and fast lease privilege to cloud resources, cloud services and cloud administrative rights. They are specifically designed to tightly and consistently manage privilege in complex dynamic environments. And there's an additional point Cloud provider also implement own services like privilege access management or identity access management in their own ecosystem. But often there's a lack of consistency and standards across clouds. And with the raising management complexity in hybrid infrastructures, it's becoming more risky and more complex to manage that. But the past shows that Palm has gone several evolutions raised functionality to meet new requirements. So for example, threat analytics ad bridging or vpn Analyst external access are not classical pump topics that were added in the past to traditional pump solutions.
So if you take a look to the can be the next evolution solutions are built up in a Starship design with a module for at least every functionality and new modules can be edited easily. So if you are running an pump solution for several years, it's not a big deal to add new functionality to an existing environment, even if it's something like sim because at the end the method, the module is speaking with the palm environment is almost the same as an example. Cyber A added a couple of years ago privileged threat analytics as a functionality or conjure, which is a secret management for cloud or container based applications and DevOps del added Centrify that brought ad bridging and several cloud tools and at least a couple of month or last year or cyber arc added adaptive for access management or vpn less access. So in general, building up a pump solution currently is not focused for or is not possible to manage STEAM solutions or steam, but it can correlate with SIM solutions.
And from a technical perspective there's no limitation in adding such a functionality to an existing environment When it comes to implementing pump, I see site is offer a roadmap. It is based on the maturity model that is separated into several phases. In the first phase, the focus is to recognize risks and plan actions. And then in the first phase, sorry, then in the first phase the focus is on on get visibility and reduce tech surface and start with the accounts that can be onboarded quickly and can be added to the automatic management easily without too much effort. This is the admin privilege administration part part, and if that is running then you have the biggest security risk reduced to a minimum and then you can focus in the second phase on integrate company policies and limit OVERPRIVILEGED users. And then in the last step, that is always very important for operation and efficiency, increase automation and intelligence when it comes to managing accounts, onboarding new accounts, automatically decommission accounts, join a lever process at the whole pump solution to identity and access management solution. If there is one available, we we can provide you a roadmap to accelerate and simplify your pump journey. There are several packages and customized solutions for any maturity starting point. And yes, contact us if you have, if you are interested in a workshop or in a free initial workshop regarding your pump journey.
That's it for my side. Thanks for your attention.
Thank you so much Johan, for your presentation. We're now in the q and a section, but if I am right we should also see the results of the polls appear on the screen. What do you think is the biggest obstacle to security? 42% said that credentials secrets are data left unprotected. Another 42% said no control over privileged counts. 15% said poor cloud architecture and design. The second poll was does your business currently use Pam? 35% says no, which is a sign significant number, 35%. I said, no 20% I'm not using a dedicated platform and 45% remain happy with the pan solution or platform that they have. So that's pretty interesting Johans that we have 55% that actually don't either have no PAM or not using a vendor specific one. What what you make of that?
Yes, it is surprising because it is, it is critical regarding privileged accounts. Em, especially when you take a look at the Windows world, it's really easy to steer credentials. For example, if you take a look at cab technology that is building up tickets for, for every sign on on the Windows server and stirring it in the locker rum and it's really easy to dump the tickets out of the, out of the rum and do a pass to hash and get that hash and then you can easily authenticate to any server without knowing the passport because you can use the hash and do a single sign on. And from my experience, a lot of administrators use administrative domain accounts to do their work and every time they log onto a server, the hash is start in the server. And if someone is capturing that and it is an administrative privileged account, it's a, it's only a question of time if you can reach the active directory or domain controller and then he has the key to the kingdom. So it's, it's, it's really a high risk.
Thank you. Well, a question here from MuTu Christian, a listener, he said cool presentation, so that's nice, but his question is, is Pam mainly around service accounts and administrators only? What is it expected to cover in a hybrid as in on premise and cloud setup?
Hmm, I'm not sure if I understand the question. So he,
He, he, well he's saying that traditionally Pam has been focused on service counts and administrators only, which have been the traditional
User. Yeah, it's, it's in general, it's in general focused on human accounts and there there is no limitation or extension to functionality if you are running it on premise or in hybrid cloud or in the cloud itself. It's related to the infrastructure itself. But from a management perspective it totally makes sense to add your privileged, your, your pump solution to the cloud or to the cloud cloud environment as well to secure your environment. There are two and with environment, I mean the service that are running in the cloud, as I said, the management infrastructure for, for cloud, so SIM is not possible to handle by classic P solution, it's related to the infrastructure and there you can also focus on the human accounts that are start in the cloud and on the service, even if it's cloud in terms of Azure or something else. So there are connectors that are working with that service too and it's able to at that to the pump solution as well.
Thank you. Thank you. Fantastic. So what, what could be done, I mean this is maybe a bit of a long question or an open question, but what could be done if the PAM solution is gone completely down if it's offline? So, so how do people still get to do their work? How do they still access their accounts?
Yeah, that's always a big fear because if you implement zero trust and least privilege, then you have single point of failure with the pump solution because then it's the only way you can access your environment. So there are several possibilities like HR or disaster recovery and practice processes that give you an solution for several kinds of escalation. And even if all is complete down, there's always a way to get or retrieve passwords on credentials from the world. So if this is not possible anymore, then I would say the whole word is burning.
Well, it's true that many pan vendors will provide that as as capabilities, but one thing that like I talked about is, is you know, the emergence of new entrance don't always necessarily have such break glass or high availability that as something yes, important to look out for what interfaces then I talked about automation, but what interfaces can a PAM solution offer for automation processes? I think that means perhaps, I'm not sure if that means physically an interface or a connector, but how you interpret,
I would say it's a, a connector to speak with other technologies or applications like an identity and access management solution on automation script. So I think most of the biggest pump manufacturers offer something like arrest API where you can, where you can send commands and retrieve information and send information as modified environment and in, in terms of cyber A or deline, this, the functionality of this REST API is growing and growing as they see that automation is becoming a bigger and bigger topic for the customers. Because in general, pump running a pump solution is, has an high operational effort and the target is always to reduce the effort and for that we need automation.
Okay, so finally then, this is a question from me actually. If you were to sort of what those, those 55% are as yet have not really investigated privilege access management, what would be your first piece of advice to one of those? Those customers?
The, the first helpful step would be to sit together in a, in a workshop and take a look at their environment and maybe do a discovery scan and take a look at the numbers of privileged accounts that are flying around in the network and then talk about what could be a possible way to secure this account regardless to to any pump solution or other stuff. Just get a clear picture of what the STA current status is and what are the risks are and then we can talk about the next steps. And there are tools, for example, C A C is offering a DNA tool that can discover privileged accounts on Unix, Windows local or domain devices and list them and can classify them as privileged or non-privileged. And most cases customers are shocked about the high number that they have.
Yeah, I was gonna say that a lot of organizations have no idea how many privilege accounts they actually have or what people have access to. So yeah, great advice.
We don't have any more questions coming in so I think I'll close the webinar. Say thanks to everyone, thanks to you. We had a, a great attendance today. I hope it was worthwhile. I hope you enjoyed it. Big thanks to Johans Howard for his presentation and also to IC consult for supporting the webinar today. If you do have any questions following this, there's my email should be on your screen. You can send questions to me and if you want them who directed to your highness, I can make sure they go to him. But I don't forget also that this will be online for download from tomorrow, I believe. In the meantime, thank you all and have a very good morning, afternoon, or evening. Thank you.
Thanks Paul to you too.
How can we help you