Webinar Recording

Why Managing Privileged Users Benefits your Business

Log in and watch the full video!

KuppingerCole Webinar recording

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Good morning. Good afternoon. Good evening, ladies and Tren, depending on the time zone you're in and welcome to our a call webinar. Why managing privileged users benefits your business? This webinar is supported by quest software speakers today will be me marking of a call and Phil Ellen of quest software. So before we start some housekeeping information, some other information about upcoming events of keeping a call before we then directly dive into the topic. So keeping a call is Analyst Analyst, company providing enterprise it research advisory services, institutions, support, and networking for it professionals through our subscription services, advisor services and events. And we have some upcoming events. Two of them later this year, one will be run about two weeks in Berg. It's a term language. We'll talk about your risk and a protect requirement analysis and cloud computing. So how to identify what you have to protect from the cloud.
Definitely a very interesting thing for the German speaking attendees. The other one as well in term language will be an industry round table around cloud commuting security and data protection. So again, Trump language will be, but we will do that type of things also in English language. Soon, this is targeted at end users. So it's really for the industry talking about how to deal with these things. And for sure there will be any European identity and cloud conference. Again, next year, 2012, how to be in Munich again, April 17th twenties, all the information available to our conference website, WW id.com. So that's from that side guidelines for webinar, you are century zero, don't have mute yourself. We are controlling these features. You don't have to do anything about this. We will record the webinar. In fact, we are, have started recording it and the podcast recording will be available latest tomorrow at our website.
And there are many, many other recordings of webinars available as well. So I think that's a very interesting source of information for everyone. Q a will be at the end. So you can ask questions at any point of time using the questions panel and you go to webinar control panel. We will pick the questions at the end, or if appropriate during the webinar. Usually we do it at the end of the webinar and to have a comprehensive list of questions and to directly start Q and a, I always suggest that you enter questions which come to your mind directly so that we, the list fill up for us. And we can do a very interesting Q a session at the end. So talking about the end of the webinar, also talk about the trend and what happens before we are at the end of the webinar.
First of all, I will talk a little bit about it. Use the downs of P M also a little bit about what P XM is to really clarify the topic we were talking about. Why is it relevant to the business even more in hyper cloud environment? So really let's say a little bit more the, the background of P XM, where it's moving and why we want to look at. And so some things around is the second part in of quest software. We'll talk about combining access governance and, oh, sorry. That's the wrong thing I've trust with. He will for sure. Talk about how business benefits from this thing. For some reason, I obviously mixed up my slides. I hope the agenda slide at the end is the correct one, but he will also talk about P XM, sorry about that. And par three will be the Q and a and Q and a will be then something where you can bring in your questions.
Okay. So two parts talking about P XM first meet and fill. I think it'll be very interesting presentations around just especially one fill providing his insight of how bene business benefits from P XM. So what we are talking about today, we are talking about things which are, we try time to call P XM because there are so many terms out there for sort of the same thing. There's the term of privileged access management, which then usually puts the access into the center of attention. Then we have privileged account management. Both of them are, have PAs abbreviations, privileged identity management. So the, or the privileged user management, the PO thing. So in fact, they are all looking at privileged users, doing things which they are allowed to do or not, and how to deal with. So it's basically the same, many terms, same problems. So, so overall the person is a user.
So market equipping or is a user, the user has additional identity, which might be MK at whatever. So identity as one or more accounts might be on an ad account or other accounts, whatever the SharePoint account office three like six, five, or whatever as these accounts of access. And some of these access might be privileged and some of the user does, might be privileged. And that's the point we are looking at. So the real problem covered by all these differently named technologies with technologies, which are more or less looking at the same things, not every technology covering every aspect of P XM, but in fact, all looking at this privilege problem. So what is the real problem? The privilege access, this is higher risk. So that's the core of the problem. If someone's allowed to do more, then the risk is higher, very obviously, and people who have this privilege access who have a lot of access rights are that higher risk from that perspective.
And so what you're looking at is how to know who has privileged access. I think it's the very first question. And what we've learned over the years is that there are many more people out there having privileged access than there should be. There are many more accounts. There are many more things around this. We're looking at how to minimize and control this type of access. So how can we really deal with this? And finally, we are looking at how to audit British access, especially if shared accounts are used. So it's about knowing who are the privileged users, understanding and controlling what they're allowed to do, and also being able to lock what happens and to do all the things we need there down to forensics.
So we have many types of privilege access and we have many users there. So it's a very important point to always keep in mind. It's not only about the root. So somewhere still are selling things which are called root account management or something, which is just a piece of the story, but it's not the entire thing. So F the administrator accounts, including the root in or Linux and other systems, the administrator and windows environments, and so on, we have the operator account. So even someone who's not a full administrator still is a privileged user. If he has operational rights, which go beyond the standard user rights, we have, for example, all these accounts or management network devices, and other types of in system accounts, we have the technical users, which are a very important part of the, the entire thing. So these specific accounts, which usually also have a relatively high number of access rights compared to a standard user, and we also have to regular users, which have somewhat enhanced access rights that might be by the time, or it might be by accident, many cases by accident.
So we just don't know who really had more rights than he should have had and so on. So there are a lot of different types of accounts we have to look at. It's very important to keep in mind the XM wasn't limited to the root account. It's something which goes well beyond us. And it's really something we definitely have to deal with. And it's also something which we, we have to understand goes, let's say, across stack. So it's not something we do only at the operating system layer, for example. So we have privileged users and applications sub all, for example. So SAP, all the in fact, the, the super user of SAP systems, we have them into databases in databases. We have them infrastructure systems. So back up operators and responsible for IM system. We have them in operating systems. We have them for network devices.
All these are privileged users. So it's important to look at PHM for all layers of it across all types of systems. So not only windows are Linux, but all these things are also the network device OSS would be a big F another small one. So these type of things, all deployment approaches. So P XM, isn't something we just look at when we look at on-premise deployments, it's important for our choice users, it's scenarios, it's important for hybrid public cloud scenarios. And interestingly, I think that's a very important point. The problems are doubles once you don't look only at the on premise word, because when you look at all the other models you end up with, you have the privileged users within your organization, and you have the privileged to use a within the outsources, the cloud providers, whatever organization. So you have sort of twice the problem there.
And as I said, it's for all operators, regardless where they are. So I think that's very important thing to source the brief phase. I would like to make before we really dive into the topic also from my business perspective. And when we look at what business really, what business really wants, I think an important point here is business really wants the services. They need to do their job. That's what they're interested in. They want to have it very quickly and business wants to keep corporate information protected adequately. So that's, these are the two things we are really have to look at the service delivery and it's information security.
And when we look at this big picture of, of how we understand it, then we have the business services we have to provide at the top. We have as a middle layer, this service management information security layer, and we have the it production on premise and the Excel and cloud production. So it's about use, manage produce. And the cloud from that perspective is faster deployment model and what it means from, from the perspective of P XM and, and security in general, when we look at hybrid environments, we, for sure as well have to look at the entire P XM thing, because it's a specific requirement we have for any type of service. We need to have control about a privileged use, regardless of where stores services are running and looking at hybrid environments. In that case, we end up as a picture a little bit like that, which have, we have to look at the functional requirements, like the features, these of use and other things.
And we have to look at a non-functional requirements and the most important one within the non-functional requirements definitely is security. So how to deal with information security and the related things. And the one part of information security are the privileged users. So that's what we have to look at. And it means just when we think about any type of it services and the way we are procuring them or producing them, then the question of P XM is one part of the entire story. And we have to look at regardless of where we are doing these things. So one of the really important points to look at from a business perspective on, at P XMS, that it's a fundamental capability of any service it provides to the business. So that's one of the things from a business perspective we have to look at, and there are other things as well. So some reasons why business should care about P XM. One is liability.
CEOs have to keep risks under control. That's a legal requirement in most countries right now. So it's part of the legislation. And if you look at a UBS case where the CEO recently retired, that wasn't directly a P XM issue, most likely we don't know the exact details, but it's hindering sort of the, the direction because it shows, okay. Someone has failed to implement their risk management in a way he should have done. And he's the responsible person at the end of the day. So he had to go, risk management has to be in place. And that includes P XM. And I will, I have a look at the ISO 27,001 stand later on. So within the next slide, looking at some of the, the points where ISO 20,007 one requires P XM to be in place the point from a business perspective, from my perspective.
And that, again comes back to this hybrid cloud thing. That's agility. So when we look at agility, the thing business cares most about when it comes to it, that's not cost or things like that. The thing business really cares about is agility and speed. They want to have what they need. So this business service I've talked about before, right in time. That's what they're looking for. And agility in fact means quickly providing services to the business and they have to meet all the requirements. So we I've been talking about this functional product of requirements and long functional product requirements. And in fact, it's about supporting both elements, the functional and the nonfunctional requirements. And if you are not able to provide services, which meet the nonfunctional requirements by the design, including the P XM support, then you're not able to be as agile as you should be.
So that's really the point behind this business requires at trial. It natural. It means that you have to look at, do really provide what business requires. And if business requires from liability perspective that you fulfill regulations, and for example, support P XM, that's one part, and that's just the part of every proper risk management. Then it at the end of the day means if you don't have your services ready and P XM ready services, sort of, and P XM ready providers out there, then you won't be able to be as agile as you should be from a business perspective. And that's really the point where, where business benefits from these things, not only from a risk perspective and security perspective, but also from when doing this, it makes links more agile because the consequence otherwise is you don't fulfill the requirements of the service. You can't use the service, or you have a security liability issue there.
So looking at ISO 20,000, 27,001, there's some control 11.2 0.2. And this that the allocation and use of privileges should be restricted and controlled, pretty simple. And that's one of the, the most important standards for implementing information security is this ISO standard. And so it's pretty simply saying, yes, you have to have it there responsible to C it line management. And at the end of the date are the people above the it line management. There are indicators per percentage of British accounts under P XM number of people with British access. Do you really know, or have you tracked all the systems for their, their privileged accounts, all these type of things, you can have built some very simple indicators there, which you then use the, then there are some other ISO controls that area. So for example, for teachers should be in place to control the location of excess rights to information systems and services.
And that for sure that only includes standard access rights, this user access control thing also includes for sure all the privileged access. So it's really about having this in place for everyone. And interestingly, and I think that's one of the, the really interesting points. We are much better in doing access management for non-privileged users than for privileged users. So also if you look at provisioning versioning, these provision systems, identity provision systems, mainly deal with the standard user, not that much with the privileged users, and for sure we have to have in place for everything. Otherwise we are just failing, going ahead, another controller we should do auditing, we should review things and we should do it for sure, for every type of user, especially for the privileged ones, especially for all the shared accounts for the technical user accounts and all the other things. So that's what we really should look at.
And then finally, when moving ahead, we should also think about what to do in P XM and what not to do in P XM. And I think that's also another very important point to look at and what should we do in P XM? What shouldn't we do in P XM? What we should do is we should, for example, have a P XM strategy and a holistic architecture. What does it mean having this strategy and holistic architecture P XM is something I've talked about, which goes across a lot of different systems, which goes across a lot of different user types, which goes across the entire stack. And so the important point really here is at the end of the day, if you don't really look at P XM as a topic, which is a big topic with a lot of facets, you won't be able to really solve this P exams thing efficiently.
What you also should do is you should have P XM controls defined in your TRC Orions. So if you have this TRC thing in place where you have your regulations, where you have your controls and all these things, that P XM should be one part of the coverage, for example, related to the ISO twenty thousand twenty seven thousand one regulation, you should define what happens around British access. So how do you look at these things? How do you deal with things which are not correct? I think that's also very, very important point. One of the things you really should look at and you have to look at is how should I deal? Do I deal those things? So which projects for improving the way we are dealing with British accounts, should I have in place? And what are my actions in a crisis scenario, including the ones you didn't expect to happen, because that's always important.
How do you react? If something happens, if you didn't expect, you should also have a plan for that situation, you should also request audience from your MSPs and cloud providers request them to have PHM in place and to report about, but you shouldn't don't, but you shouldn't do is simply, you shouldn't ignore the P XM challenge. Let's call it challenge. That's better than thread. You should not look at point solutions without integration. So many of you probably have some parts of P XM in place. And the point is, how do you make a, a consistency out of it? You shouldn't look at purely technical P XM approaches. P XM is not only about technology. It's about organization process. So you shouldn't do P XM without organization process. Who's the responsible person. How do you deal with crisis scenarios and all these things that has to be defined?
And you shouldn't start collecting data like audit data or recordings. So really session recording things with all the procedures to deal with them. So having a lot of audit data, doesn't help you. It helps you when you really make well out. But if you detect problems quickly, if you're able to do forensics, if required in an efficient way, all these things. So when looking at these things, what to do in P XM, whatnot, then it's something where you should focus on do, and don't don't do, these are, I think, most important things from my perspective. Okay, let's move forward. Like I've said, I've been talking a little bit about the, the big picture of these things I will hand out right now to Phillip and Phil, little bit then talk about the business benefits of PX. M while I hand over to Phillip, the trust answering one question, the question which came, is it possible to download a presentation? Yes, the presentations will be available for download soon after the webinar. Okay. Phillip, it's your tone.
Perfect. Thank you very much, Martin. So as Martin alluded to there, it, it's not just about the technology. And I think traditionally privileged account management solutions and privileged user management has been very much focused as a technology driven requirement. And, you know, a lot of it is it's focused around issues that are sitting within the it organization. And so it's, it's very typically focused at those, those it people. However, there are some very serious aspects now, which the business need to get more involved with and actually want to get more involved with. And, and if this actually is positioned correctly within your organizations, and I think it's our responsibility as security professionals and people who have been in the industry a long time to actually get this message across correctly is that the business will actually see a good level of benefit and be able to make better business decisions and more agile business decisions.
If they know that their privileged users are being managed correctly. So we know that business is demanding a huge amount more from it, and then demanding that level of flexibility that is needed, whether this is around moving into hybrid cloud environments, moving into virtualized environments, making decisions without the, the involvements of it around applications that they're going to be using. And, and what's happening here is we're ending up with large amounts of very business, critical information, being placed in all sorts of different areas. These, these can be sitting on, on virtual machines that are lying dormant. These can be sitting out in the cloud, and if there isn't good control over, who's able to get access to these. And a typical access governance program is being put in place within these organizations to make sure that the right people are getting access to that information.
If those privileged users aren't being looked at in the same way, there is a great risk to the business. And what we've been seeing is the it organizations and security departments within it, organizations are often restricting the behavior of some of these new opportunities or some of these new challenges that the business wants to take on. And actually starting to take away some of the agile nature that people are going to be looking for. So it is really important that the good control and, and compliance and security components that are surrounding privileged users are, are being addressed correctly. And, you know, we are seeing on a day to day basis still aspects where there are real life examples. And, and, you know, I've put up four of, of probably the most well known cases that have been specifically highlighted around typically internal threats, but these need and be internal threats.
I mean, you know, if people look back to things like the T JX scenario, a lot of that was based around using service accounts and administrator accounts that were sitting within those systems that allowed people to take that credit card information and remove them. The same thing happened with, with things like, you know, Fannie Mae and the San Francisco city of San Francisco administrators, where the person that had control overall of those systems was in a position where they could actually start to hold that organization to ransom. Now that's one piece of this, but if those people instead decided to take that intellectual property and actually start then putting that intellectual property out onto the market and say, whether it's to do with credit card numbers or, or whether it's to do with, with new designs or, or new business ventures that are being, that are being considered by an organization, these are things that seriously need to be taken into consideration by the business.
A and it's not really up to the it organization to make sure that this is being done correctly. It's not necessarily their responsibility, because then you can often end up with those people policing themselves. It is the responsibility of the business to be sure that this information is safe and then make the correct business decisions. And if I ask yourself, you know, who within your organization actually has those privileged, that privileged access, unless you already have a system in place and an extremely well defined business process, the chances are that you won't actually know that. And so typically, you know, it organizations do have these huge amounts of privileged identities sitting around all over the place, through every aspect of the it organization. And if we just go back to the fact that it is about information technology, and this is about the businesses information that is being managed correctly, then it can result in a huge amount of loss of information.
And it can also end up in situations where there is disruption to the it organizations, and one piece, which I'm gonna cover through a little later on is around how getting good process and good management around your privileged users can actually improve your processes. It can actually make it so that mistakes can't happen and help work towards getting better. SLAs. These are all things that are very often highlighted through audit programs that are in place today. We know that we see these, but so often these aren't highlighted. And I would just ask anyone on this call to actually go back through and say, if in order to came to you today and said, could you tell me every single person that has access to a privileged account or could know what a privileged account and password is? Would you honestly be able to say that that is something that is completely under control? That is that there is no way that somebody could use an anonymous privileged account to access company information, or is that something that still potentially leaves a hole within your organization?
And compliance has been the main driver. It's the main driver at the moment for business to try to get right. Audits are highlighting risks that sit within that business and, you know, study by Harvard university actually came through that said organizations that operate a compliant business actually have a value of about 12% higher than an organization that is non-compliance. Now that has nothing to do with the fact that they are compliant or that they're not compliant. It's the fact that if an organization is running in a compliance manner, they're operating in a far more efficient way, they're able to manage those processes better. So it is within the organization's interest to meet some of these compliance requirements, not just to manage that risk, but also to actually improve their processes, improve their efficiency, and actually help them drive down some of the costs. So we know that, you know, from, from the topics that, that Martin just mentioned with things like ISO 27,001 and Sarbanes Oxley and things like Grante the privacy requirements in, in Italy and PCI DSS, but there are very specific components within that highlighting requirements around privileged identities and how they need to be managed.
And, and I know some studies that have occurred in the past have actually said that organizations who themselves were stipulated as being ISO 27,000 on one compliance, in fact, 42% of organizations surveyed actually still didn't have good control over their privileged users. And this can actually then lead to people using those privileged accounts to carry out day to day activities when they could be doing that under their own accounts, potentially at risks to the business, there was a well known example of an SAP administrator, or it was in fact it was a Unix administrator who was asked to go in and carry out some general maintenance on a Unix machine. And in fact, then ended up deleting the entire production SAP database on that server, just by carrying out an incorrect task. Now, good privilege user management would've meant that actually that person wasn't logging on with the privileges to do that, or even if they were logging on with the privileges to do that, you could actually start to restrict the commands that that were, that were happening. So these sort of open audit issues that sit there today associated with these accounts, whether they're service accounts or whether it's the fact that passwords that were set up in a system 15 years ago, still exist. And everybody knows those passwords are things that can be very simply addressed. It also allows you to start to understand what people are actually doing within those sessions.
Another business benefit that I see that that is, is being looked at with privileged users is outsourced environments. People are looking more and more to outsource their environments today, but there are risks associated with that. Those outsources typically have access all of the information that's in there. And sometimes people are actually making business decisions to say they don't want to outsource it because of the potential risk to their business. And the outsources themselves are looking at this as a way of gaining competitive advantage. And again, that is a huge business benefit to them by saying, we have customer information and we have your information. It is held securely. We are able to say that our privileged users cannot get access to that. I think for an a, a standard organization, this is also something which should be highlighted. If you are able to say to your customers and to your, to your financial Analyst, that information within the organization cannot be compromised through these privileged users.
Or you've got very good processes in place to allow that that is something that is beneficial. People are going to trust you more if you don't lose their information. And this is a great way of being able to show that that is something that's being taken care of. Another line associated with the outsources is the contractors which come into your organization. Typically you're bringing in a contractor because they're bringing in a skill that doesn't already exist within your organization. They're highly skilled workers. They generally are on a highly paid salary. That's associated with that. If they need privileged access control, to be able to do their job and the process isn't in place for them to be able to get that, the minute they join the organization, then there are direct costs associated with that. And also indirect costs because the project may slip and they may not be able to, to have, have the, an application or a project delivered in the time that's expected by the market.
They also have very transient jobs moving from one organization to another, from one department to another. And you don't want somebody who's coming in to carry out, work on one particular project to then be able to maintain and keep the privileged users and have permanent access to those privileged users when they move on to another project. And you certainly don't want it if they move from, for example, one financial organization to another, but still have the privileged access rights that are coming through. So if you have contractors within your organization, it is a really important piece that you are able to manage those guys quickly and easily and make sure that everything that they're doing is secure. They also typically work in both development and production environments. And this may not just be your contractors. This can also be the people that sit within your application development.
What you don't want is a situation where privileged users and privileged passwords and privileged accounts are being transferred between these development systems, where they have to be used to create the accounts and then being maintained in the live environment, opening up holes. And, and there's been a number of again, well, well known and well, this is, this is in place that process improvement. If you have a change window opening and any of your organizations that, where you're following things like Itel version three, as part of your, with your change management processes, if you have a change window opening, you know, who the person is that needs to carry out the activity that that change window brings. And so tie it in with that when the change window opens automatically grant that person with the privileges that they need, you then know who the person is.
That's responsible for the success of that change. And if you are able to get a good recording of the session that actually occurred, if something goes wrong with that change, then you are able to see exactly what happened. We know that that still over 90% of system downtime is brought about by a change that was either an unauthorized change or a change that happened in unauthorized way. If you are able to see who logged on and have a full session recording of that, you are much more clearly how you would that change. If that change resulted. It
Also means if there is down and you've got good privileged access management, you can help meet your business continuity and your service level agreements that you owe to that business by immediately granting a consultant or a contractor, the allocation of privileges that are needed to address a system failure, or if, if those people aren't around and you're not able to tie that into your change management process, if it's not down to tickets being created in an absolute fire drill, you can have break glass accounts available to anybody at any time of night or day. So if a system does go down, you are not waiting for the person that has the system account or the administrative accounts to come online, to be able to get access to that.
I wanna mention about privileged identities in the cloud quickly. And Martin talked about it from a hybrid point of view, privileged identity management, actually for your cloud services is something that's going to be quite a complicated process, but it is absolutely imperative for you when you're choosing a, a cloud provider to make sure that they have these systems in place. If you are looking for any type of cloud service today, then you must make clear to them that you expect then to have good management around their privileged users. And to be able to provide this type of audit and session recording that's needed, you've got a lot of P power being handed over and controlled being given to people that you don't necessarily know, and that they don't necessarily have that level of accountability that you would want internally. Again, your business is going to benefit if you can prove to them that their information is gonna be held in a secure way by that cloud provider. So it should be absolutely one of the pieces that is top on your list around privileged management for, for these cloud service providers,
From an audit perspective, it's not it that owns the information, it's a business that actually owns that. And so make sure that there is that audit trail for all of that privileged user access, don't have it so that the police can police themselves. We need to make sure that there is a full audit trail for everything, for any password that is issued. You need to know who has it, and who approved that in the same way as you would for any of your other access governance. So make sure that you have got those controls in place and that they're sitting again with your outsources and your service providers, and make sure again, that the controls are there. These processes are the most important piece, having that ability to, to delegate administrative tasks, having that ability to revoke privileged accounts when an employee leaves is something that is not in place in the majority of organizations today, somebody is within that system, they use their accounts and we can, we can revoke their access if they're using their own accounts through standard access governance and identity management solutions, but it's not typically happening when there are privileged accounts, they still have that route password or that administrative password or that system password.
And they're still able to do that. It also allows you to have more complicated passwords that people may not necessarily need to know because they can be system generated. Nobody actually needs to know what those passwords are.
One of the things of compliance and audit that is such an important area is knowing exactly what happened. And I mean exactly what happened, having a recording of every single action that was carried out by a privileged manager, seeing that the keystroke logging, seeing an actual video playback of their mouse movements of everything that happened allows you to see whether they're a remote vendor, whether it's an outsource provider, whether it's someone from within your organization, what happened, it is a perfect thing to be able to say to the auditors, this is the person that was carrying out those actions. And this is what happened to that. It gives you that better control, and it can even be linked through to specific commands and actually help to restrict specific commands that shouldn't be allowed to happen in the past. So, you know, what are your options?
You can either troll through logs. You can rely on people saying I did it, or I didn't do it, or have that recording have that session playback that really allows you to turn around and see every single component that happened when a person was logged off. I think it's a really important piece having this session. Management's why, you know, I, we, we live in, in a, in a world and in environment where we become used to having closed circuit, television, monitoring activities, maybe not so much in our workplace, but if you are prepared to literally give people the entire world in their hands, the ability to be able to do these things, it comes with a level of responsibility that they have to live up to. And that level of responsibility means they should expect that these types of, of replays and, and session aspects are happening, because then they're going to carry out operations in a better way.
If they know that they're being recorded, it's going to prevent people from doing activities that are, that are beyond their normal privileges. So from a quest point of view, quest provides a solution called total privilege access management. It is very much a compliance, driven security solution, but with this focus on how it can help organizations enable the business more, it provides that shared account password management. It provides that remote vendor access. It provides segregation between developer and and production environments. And it's been widely used and widely recognized. It's a well known solution, and it, it won the FC award last year for, for the best regulatory compliance solution. So if you are looking to change your business processes, if you are looking to put something in place around privilege management, if you are looking to bring in remote vendors to bring in outsourced environments, to get this better control, then you need to choose a solution that is able to cover all of your privilege management requirements, whether it's around simple password management or whether it's around far more complicated use of what people are actually able to do within those within those privileged environments.
So that's gone through from my side, sort of just over 20 minutes worth of why I think privileged management is an important part of the it infrastructure, but something that we need to take to the information owners and explain to them that actually today, it does still have a lot of control over that information. And in theory has access to information that they shouldn't have access to. And it allows us to then be able to go and speak to those business owners, let them be aware of that and get them to sponsor these projects. So it's not necessarily something that's having to come out of your it budget. It's something that actually the business sees that there's value outta. And so with that, I want to ask if there are questions, we'll hand this over to a question and answer session. So if you do have any questions, please feel free to, to write those in and Martin and I will discuss those. And for any further information or, or, or to request a more detailed solution overview, then we've set up a specific website on the back of this webinar, where you can go to, to quest.com/tpa, or people can email me directly. Or we have a quest TPA, Twitter account where we're, we're often, which we're often using. So please feel free to use
Any of those.
Okay. Martin,
Phil, thank you for the presentation and information you've provided. I will leave your slide possible for quite a while so that people can write down just information you've had at the last slide, link and email address and these things. So maybe you go back to that slide and with first questions here, and as I've said before, please, the, your questions now. So we really have a comprehensive list of questions then for our Q a session. So first question I have here is how do you see access management fitting with the wider access governance needs of an organization? Phillip, would you like to service your answer?
Yeah, so I, I think, I think privileged, privileged access management is, is absolutely a part of your access governance. And if an organization is looking to put together a, a true access governance environment or solution, then they have to take into consideration their privileged users in the same way as today, we determine that a particular person can have access to a particular set of systems. And we make sure that we, there are separation of duty. There aren't any separation of duty conflicts, and we're doing through role based access management, your privileged users often sit outside of that. So each person has their own log on, but in theory, they could log on as administrator or route every single day and not actually use their end piece. So I think, you know, as part of a wider identity and access management piece, and it's something, you know, which quest is, is providing with our, our, you know, our quest one identity solutions is an access governance solution.
And we see privileged account management and privileged user management as probably one of the leading areas. It's a good place to start. You know, that it is something that can get control over the, there is a, a limited subsection of people. And so we, we really see it as a starting point to your wider access governance. If you are already going down the road of an access governance project or access governance program, then you need to make sure that you are considering how you're gonna bring those privilege users into it and how you're gonna automate some of those processes. So obviously it's something that acts about 30% of your overall access governance.
Yeah. I think I fully agree with you that you can't separate what you're doing at KM in access governance. I think the point currently still is that that many access governance and provisioning projects provisioning even more are, are focused on, let's say the standards user, however, they have to cover every type of user and these things really have to, to integrate, and they are trust some of the controls and some of the things you're doing access governance, the things around your privilege users. So next question I here is, goes in the same direction is the privileged account management system separated or integrated standard user account management system. So with standard provisioning systems and so on,
Well, again, I mean, like I say, it's a similar, it's a similar piece. It, it can be fully integrated into those. I think typically people have had their own identity management systems in place or their own access governance solutions that they've been trying to put together. And it may be that the privileged access management is not an integrated part of that. Should it be integrated? Absolutely. Yes it should. And, and from, you know, from our point of view, from a quest perspective, we see that it is part of your overall identity and access management requirements. And, and in fact, you know, one of the things that we're also gonna be talking about, you know, with Martin on the 15th of November is around the wider access governance piece and, and privilege management will be part of that. So yes, this should be integrated into your identity and access management, but people are not always in a place where they can rip out a system that they've had to, you know, is already existing for the, for the last sort of five years or so.
And, and it may be, but it's simpler for you to actually start to integrate this with your change management system. So if you are using, you know, maybe a, a service desk from, from someone like BMC, or from, from H P or Tivoli, then actually being able to integrate your privileged access management into that as part of that change management process, as part of that Itel process that you're following that may be the simpler integration for you today. I think ultimately though you have to bring this together as part of your wider access governance piece, because from an audit perspective and from a compliance perspective, the two go hand in hand.
Okay. Another question I would like to ask is how do, how could you deal efficiently with the session recordings? So if you have to session recordings, I think the problem always is you have a lot, a lot of thing to look at and to identify what really has happened. So how do you deal efficiently with these recordings?
Yeah, I think there's actually, I think there's two aspects of that, that, that, that need to be considered. I think you are also gonna consider this of how can you use those recordings from a forensic perspective? So how can you make sure that those recordings aren't tampered with and enable to, to be, to sort of stand up and be used from a forensic point of view, having the search aspects within those recordings is a critical piece. You know, being able to, to understand where people are, you know, what, what commands people are running and be able to actually sort of see the commands that are running and be able to search from those is important. I think, you know, we have to consider that in the majority of cases, the session recording is not something that's needed, you know, in the same way as most CCTV footage is not something that is actually being reviewed on a continual basis.
We're not having somebody sitting there monitoring this to see whether when a particular administrator logs on what they're actually doing. So we're not looking at it from that real time point of view. I think, where this happens, the timestamp aspects of this are typically satisfactory. So if, for example, a service goes down and you know, that that was part of a change window, you know, which systems were being operated on, you know, which time it was. You can go back and look at those. You also are able to see, you know, if some information has been lost, you are typically within a time area of when that information was lost. So you can go back and look at those. So I think we fall under just our standard storage. We gotta have very good secure storage of these and being able to have the ability to actually search, you know, for particular strings, for particular audit aspects within those recordings and being able to monitor that or have it so that if particular things are happening or particular commands are being typed up, that that sends an alert, and then you move that recording into a, a, to be reviewed a high security area, so that you're able to then quickly go and monitor that recording and make sure that that command that was carried out, you know, or if a device was added in, you know, like a, an external drive.
So that was actually part of the process. So then you're able to actually move those recordings on a case by case basis.
Okay. Thank you. And to all the attenders, if there are any other questions, please enter them now so that we can pick them up during this webinar. I have one question here. So, so would you agree with that PX M overall is shifting a little bit from sort of an non-real time and reactive approach toward approach is much more preventive and much more if reactive than in real time reactive than it has been. Let's say some 2, 3, 4 years ago.
Yeah. I, I absolutely would. And I, you know, I think it, it, it comes with the overall maturity in it. People expect processes to be in place within their it organization, you know, and typically the entire it department was, was reactive. You know, even as projects were being, being worked on, things were reactive. And, you know, I, I'm a, I'm a firm advocate of, of things like it. And, and, and the way that security and access management has been brought into to it, version three, you know, much more so than, than it was in, in version two. And I think that level of maturity that's occurring within the, it, it organization has meant that privileged management and PX M can actually become part of that process. Typically it was just, I, the it organization realizing that they had a problem and quickly putting something in place.
And I think, you know, you saw that some of the solutions that have been been around, you know, have, have been in purely addressing that it's got to be part of a bigger identity and access management or part of a bigger change management process for this to be adopted by properly by the it organization and by the business. And, and, you know, that's why this is something that quest has brought into into our portfolio, you know, within the last 12 months is that this is now getting mainstream. And it is in the position where this can be, like you say, far more proactive or preventative rather than just being a reactive requirement.
Final question. How can you detect unapproved accounts and systems when I am and P are separated?
Well, they are. Yeah. I mean, if, if they are completely separated, you're still able to go through and do audits of those. And, and in fact, you know, one of the, the, the pieces that, that we are doing a lot of at the moment whilst we may not be, not every organization is having this completely tied into their identity management system. There's still the ability for an organization to come in and actually run a review under an audit and access entitlement review of the systems. And so if you can then see at that point, how many administrator or service accounts were sitting within those systems, it at least highlights to you that there is the possibility of there being a large gap. You're able to do that for all of your standard users, and then you are able to see, okay, well, based on that, I can now see with these systems that actually, there's a huge number of route accounts and, and privileged accounts or service accounts or shared accounts.
And that people are actually using those on a regular basis. If it's not directly tied to a person, then it should highlight at least that there is an opportunity that that could be exploited. And, and, you know, we know that we know that with, with the society general issue, that they were using shared accounts as shared passwords, so to, to avoid detection. So if you're able to, to go and do and access entitlement review, and it's something that, you know, we are, we are carrying out quite a lot of at the moment. Then you are able to see that at least this highlights a breakdown in the process. And, you know, again, in an ultimate environment, this would be directly linked with your identity and access management system. If it's not at least be able to highlight that through these reviews, put in the place to manage your privileged users and then see how you're gonna be able to bring and tie that into your identity and access management solution, or replace your solution with a solution that's linked to the privileged management systems.
Okay. Thank you. And right now we are running out of time. So thank you to all the attendees for participating in this call webinar and listening to our presentations and to D Q and a session. Thank you, Phil, for presenting in this webinar. You're very welcome. And there are many upcoming webinars during the next days and weeks. So just a little bit our website that you can register for our webinars. Thank you, and have a nice day. Bye.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Championing Privileged Access Management With Zero Trust Security

A modern approach to securing privileged accounts is to apply the principle of Zero Trust: Never trust, always verify. While Zero Trust is not an off-the-shelf solution, it is modern vendors of PAM solutions that recommend using this security principle to cement the technical capabilities…

Analyst Chat

Analyst Chat #156: CIEM Is Entering the Privileged Access Management Market

The PAM market is changing and expanding. Paul Fisher talks about the latest trends for Privileged Access Management, the role of CIEM, mergers and newcomers in this important market segment.

Webinar Recording

Implementing Zero Trust With Privileged Access Management Platforms

Among the many approaches to do that, Zero Trust is one where organizations apply the principle of “never trust – always verify”. Since Zero Trust is not a single product or solution, implementing processes that work accordingly can be a challenge to IT teams that want to…

Webinar Recording

Implementing Modern and Future-Proof PAM Solutions

Privilege Access Management (PAM) is changing, driven by the move of most businesses from on-prem IT applications and infrastructure to the cloud, resulting in a multi-could, multi-hybrid IT environment. This has resulted in a proliferation of privileged identities that need to be…

Event Recording

Expert Chat: Interview with Denny Prvu

KC Analyst Paul Fisher interviews Denny Prvu, Global Director of IAM at Royal Bank of Canada.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00