Welcome Rob Byrne, field strategist at One Identity, to a conversation the two of us will have about navigating the PAM buzzword bingo, and as we all know, we are in IT. So by the way, my name's Martin Kuppinger, I'm Principal Analyst at KuppingerCole. And we know IT is very, very good at throwing around buzzwords, frequently used also to create some sort of fuss. Our idea in the next few minutes is to bring a little bit of light into that. So let's have a look at the first PAM buzzword, which is zero trust, and zero trust I think is one of the most popular buzzwords in IT, maybe even beyond cloud first and a few others. What does it mean to PAM, so privileged access management, factually? So can we do privileged access management with zero trust, Rob?

Well, to me, zero trust is a term that comes to us from our network security guys, who basically came to realize that having implicit trust because you're coming from a network or an IP address or range is really not a good idea. So I think of it as an absolute that we can never get to. It doesn't really, actually, logically make a lot of sense, but it's something that can guide our approach to say, hey, let's always check, let's always validate, let's always... So trust but verify is maybe, I think, a more realistic way to think about it. And in terms of privilege, let's not do that thing where we say, hey, Martin's the AD guy, so I'm gonna just dump all these permissions on Martin's account. And why? Because I trust him, because he is Martin. That's not good enough anymore. We have to have a real trust-but-verify model across authentication, across access, across entitlement management.

I would say in my case it's not necessary because I'm really still trustworthy, but usually you're totally correct. Yes, you really should verify, and you should limit, and you should verify. Is it really Martin, or is it someone who's using his credentials? Is what Martin tries to do something Martin should do without further approval? Is that further verification? I think, yes, I'm fully with you. It's not really not trusting. It's a constant and regular verification, and that's something we definitely need. So privileged access management might really benefit, from my perspective, from zero trust initiatives, if you do it right, because it would increase our level of security.

So, next buzzword: defense in depth. This is probably, amongst all the buzzwords we're talking about, one of the most fuzzy ones, because it can be a lot of things. So how would you define defense in depth in the context of privileged access management?

Well, defense in depth: the fundamental point here is that it's a layered approach. So I'm not gonna just put one lock on your access. There's not just one door I have to go through. Particularly if it's privileged, I might have a sequence of doors. If I'm getting to the vault that contains all the treasure, I gotta go through several layers. So it certainly makes sense as a policy item, it certainly enhances security. The one thing I would say, Martin, is it's a double-edged sword. I've had customers present this and they just say, well, okay, Rob, but how many layers? You gotta come back in six months and tell me I need two more layers. Or the other thing I would mention is, for example, Microsoft's Red Forest, the ESAE architecture, is a profoundly layered, hierarchical approach, and some customers do find it a little bit heavy and perhaps a bit brittle in its architecture. So, as always, we need to walk the middle path there, I think.

And I think it is closely related to zero trust, in the sense that zero trust comes with multiple layers of security, if done right. But it's also thinking about how should, how must our portfolio look, and what do we really need at the end? It all nails down to understanding our risks, and understanding which are the most important measures to take to successfully mitigate risk. But I think we fully agree on: yes, we need more than one layer of security. Otherwise we would be pretty much back to the pre-zero-trust world, where we said, okay, you passed the firewall, you're a good guy. So we need this, but we also should be careful and conscious about what really helps us in getting better and mitigating risk, without ending up with this zoo of tools in cybersecurity, which by the way most organizations already have.

Okay, what is next generation PAM, to look at another buzzword? So what I see from an analyst perspective is we have these two main areas, which are shared account password management and session management, monitoring, recording, all these things. And then we have a lot of things which are discussed. So there's endpoint privilege management. There is user behavior analytics within privileged access management. There is all this DevOps privileged access management. So what really is the next generation? Or is it that it goes into totally different technologies, that it disappears? It's not disappearing?

I hope so. I think I see it really as extending out the footprint of what PAM is addressing. So for example, all those things you mentioned are part of NextGen PAM. I would also mention the extension to high-value business accounts. So we're thinking of those which, if hacked, you know, from a brand damage... I mean, brand reputation is one of the top three things that people worry about in terms of breaches. So getting those business accounts, not traditionally part of the PAM world, or the extension out to new technologies. And I'll remind you that, you know, IoT is being rolled out, 5G is being rolled out, that's just going to totally explode. So that whole SCADA, critical infrastructure area is, I think, part of NextGen PAM as well. If I switch also to the technology side, part of NextGen PAM to me is going back to that expectation concept. It's an expectation on the part of security teams that NextGen PAM will be easier to deploy, right? That the rollout, perhaps a certain convergence between IAM and PAM, you know, governance, facility of governance, is gonna be really important. They expect it to be easier.

And I think when I look at NextGen, I think it is an integrated privileged access management which works with access governance, which really integrates, for instance, lifecycle processes smoothly on one hand, and which supports this very different IT we have today, which is DevOps, which is as-a-service models. This would be what we really need. So it is something which is capable of handling all we have, and integrates better, and is more than just a separated admin security tool.

Okay. Would this make everything, to look at the next buzzword, breach safe? So I could argue there's no 100% security, because the cost of security going towards 100% is infinite. But breach safe, what does it mean in the context of PAM?

So breach safe, again, I think a bit like zero trust: you can never be a hundred percent breach safe, but it's something we should aspire to, to encourage us to have good practice. The numbers statistically on breaches are pretty grim, as you know, Martin. And I would also argue even from first principles: if you accept, one, that all software has vulnerabilities, and two, that if there is a vulnerability it will be exploited, logically it's almost a guarantee that you will be breached. So the challenge is not just that we need to keep those layers of defense, but hey, how can I contain those breaches? How can I minimize that damage? Let's think about, you know, spacecraft and aeronautical engineering, where they have those bulkheads to close off the hull breach, right? A similar idea. And so, principles that all serve to contain the damage when it concerns privileged accounts, because those are the accounts that will do most harm.

And to recover. I think that would be the other element to add. So when we assume breach, we also should put more focus on how can we recover from a breach. And, as you said, how can we contain the breach if it happens? And that would be... maybe the better buzzword would have been breach resilient.

I agree. I agree, in the same way that trust but verify is better than zero trust, I think breach resilient is definitely better.

Okay. Then we have this term JIT, or just-in-time elevation of privileges, which also then might bring up another buzzword we don't have a slide for because it was just too long, which is ephemeral certificates, which is, I think, pretty good because no one understands what it's about. So will we move to a time of just-in-time elevation of privilege, where you just get a privilege when you need it and never else? Is this a fantasy, or is this something that could become a reality?

It almost sounds like too good to be true, doesn't it? I mean, how would it work? So I think in the real world, let's say practically speaking, what we can see happen is that I need to elevate entitlements, I need to elevate by getting access to an account. Hey, that account may only be activated or even created, it may only be assigned privileged entitlements, at the time that I need it. And that of course could go through the usual approval process to make sure that everything's okay. So that level of just-in-time, and above all just-in-time removal of privilege, of course, you know, perhaps time-limited, is I think what we're getting at there. And I think the spirit, Martin, is to reduce friction in the security processes, particularly, you know, for the DevOps guys. They do not appreciate when you stick "sec" into their DevSecOps. At least they perhaps appreciate it, but living with it is maybe harder for them. So let's make that as easy as possible.

Yeah, it'll be, I think, something where we need to learn a lot. So how long do we elevate, and where can we really do a just-in-time elevation and reduction of privileges? The last buzzword slide is in fact about more than one buzzword: it's AI and RPA. So with AI being promised that everything becomes super easy, automated and seamless, and RPA, probably more that privileged access management is super important for RPA. For the second part, I might come up with a thesis saying, if you need privileged access management for RPA, you did something wrong, because then you created the super robots, which can do far more than the individual humans could do. Ideally your robot can only do what a single individual would do in the job. So there shouldn't be much privilege management around RPA. But factually, and I've heard some companies saying, okay, it's just for licensing reasons, it's far cheaper for the RPA licensing to have, so to speak, a super robot which can do tasks that otherwise dozens of different people would do. Then you have a privilege management problem. So what are your perspectives on AI and RPA?

Yeah. These, if you look at the numbers, are areas that all CISOs and companies and corporations are at least in that investigating phase of projects, even if it's perhaps not rollout. The AI is, for us in the identity world, to do identity analytics, user behavior, and trying to get a handle on the anomalous behaviors and things that are happening. Please don't make me review 5,000 logs. Just point me to the ones that are most critical. And, you know, beyond that, on the reducing friction side, perhaps recommending access that should be appropriate, you know, and even if we don't trust it enough to automatically assign AI-suggested access, hey, let's inform the actual approver that the AI system considers it okay. That's an information, you know?

Yeah. And I think we can do something really better with AI if we are conscious about what AI really can do and what not. And I'd really love to see some slight enhancements. So for instance, if you have this one-year recurring maintenance period, for instance in a factory, if you are aware that during the summer break a lot of externals are doing changes, then you should be able to tell your AI ahead: oh, there will be a lot of anomalies in these three weeks. That would be super. But yes, I think for AI there's a huge potential to really augment the administrators.

I think, Martin, just to finish up on my side with the RPA, one of the things that's striking us with our customers is, you gave a good analysis of the security aspects around it, customers have not even considered that. And so when we raise the question, it's clear they've not even thought about it often from a security point of view; perhaps they've considered the commercials. And so, you know, what we do is we try to advise and help them get that nailed down.

Okay, great. So I think we discussed a lot of interesting thoughts around many of the buzzwords. I hope that helps everyone who's listening to this recording to get a little bit more light into this buzzword bingo thing. So Rob, thank you very much for taking the time to participate in this conversation. And thank you to all who are listening to this conversation.