How Can Privileged Access Management Help Securing the Enterprise?

How can PAM technologies fit into a Zero Trust architecture and model? How could a PAM technology help us sleep better at night, as many are anxious about falling victim to an attack similar to the SolarWinds attack? Is there a future in deploying PAM in DevOps environments? And how can PAM technologies help to address regulatory compliance? Join Paul and Jim as they talk about different current topics around PAM - Privileged Access Management.

Hi, I'm Paul Fisher. I'm a senior analyst with KuppingerCole and today I'm joined by Jim Taylor, head of product for identity management and security at Symantec. Hi Jim.
Hey Paul, how are you?
Yeah, I'm very well, thanks. Great to have you here this afternoon, or this morning, depending on where we are in the world. Before we get started with our sort of discussion, maybe you could just tell us a little bit about IMS and how it's moved to Symantec and what that means for the larger Symantec portfolio and, most importantly, I guess, for your customers.
Yeah, no, absolutely.
Happy to, Paul. So, you know, great to chat with you again. As you said, you know, a lot's been going on with that. So here at Broadcom, you know, Broadcom has obviously been getting into the software business over the last couple of years. A couple of years ago, Broadcom acquired CA, and that's where I come from. I was on the CA side of things, looking after the CA security portfolio. And then about a year ago we acquired Symantec. And, you know, we did that for a couple of different reasons. One, we have a focus on growing our software business at Broadcom, and we see security as being very, very strategic, and it just made so much sense. There's so much synergy for us, once we acquired Symantec, you know, we now have one of the world's leading security brands and one of the largest cyber security businesses, to move all of the identity and access management, the privileged access management, the former security assets of CA into the Symantec business.
So, you know, we really did that because it just gives us that, you know, breadth of portfolio. We added a bunch of capabilities, identity and access management, to the Symantec portfolio that they didn't have. And we're able to leverage some of the core security capabilities, you know, that Symantec already had that we didn't as a standalone identity and access management business. So that's really leading to us bringing into focus some core industry topics and themes, things like SASE, zero trust, those kinds of things. We're taking a very kind of comprehensive approach to cyber security.
Well, I mean, it's exciting times, and it's great to hear that there's this new sort of impetus there for security and the cushy, right? Our customers are talking a lot about privileged access management. And one thing they have been talking about is another thing you mentioned, zero trust, and for many, zero trust is a lot more than just, you know, securing the perimeter. So can you tell us a bit more about how well Symantec's PAM technologies fit into the zero trust architecture and model?
Yeah, no,
Absolutely. That's a great question. And it's funny, Paul, 'cause you know, I mean, you and I are not so young anymore, you know, we've been around a while, you know, maybe more me than you. But zero trust, you know, by many other names, the concepts and the principles of it have been around forever. But we also see that, you know, even though this stuff has been around for a long time, it's really risen in mindshare recently. And I think that's to do with things like, you know, more people migrating to the cloud, more adoption of DevOps technology, you know, the crazy circumstances we've all found ourselves in over the last year, you know, this huge shift to working from home. But then when it comes to PAM, the principles of zero trust have really been driving PAM technologies for years.
So we look at it in, you know, these three kind of key core tenets or principles, if you like. And so for us, the first principle of zero trust is to really identify every user, you know, every device. You know, strong identity, knowing who is who, is a critical component. And that's obviously a core use case for PAM technologies. One of the core use cases or original use cases for PAM technologies was always the, you know, privileged accounts, administrative accounts. You know, DBAs, database admins, root accounts were always traditionally kind of shared. You know, you had all these super powerful accounts and then organizations would share them either internally amongst their admins or externally with contractors, those kinds of things. And so it was very, you know, difficult to manage and secure those. It became nearly impossible to figure out, you know, who's done what or who performed certain activities.
So that's a core use case of PAM. That's directly a core tenet of zero trust. You know, PAM technologies address this with, you know, credential vaulting. We require people to authenticate to the PAM system to identify themselves, usually with some stronger form of authentication, like two-factor or something like that, before they get access to those shared credentials. The second core tenet for zero trust is really to enforce least privilege access. And privileged accounts, generally speaking, you know, things like root accounts, have very wide ranges of entitlements and access and permissions. And so that usually represents a huge risk, because if compromised, a malicious user would have access to steal all sorts of sensitive data or do all sorts of things. So PAM as a system tends to enforce a finer-grained access control, even over those privileged accounts. So, you know, what it does is it limits what activities a user can do, or what files or information a user can access.
And that's all based on the security policy. So PAM really helps you to enforce that whole least privilege concept. And then finally the third tenet of zero trust is always to assume breach, you know, always to assume, and it doesn't matter how strong your security is, but just assume breach regardless, and adopt a security posture based on that. So we already discussed a little bit about how PAM helps in this area with identifying and limiting access. But PAM also provides you an indelible audit trail of all of the activities and the accesses that have taken place. So in the event of a breach or something like that, knowing what's happening or has happened is really critical to being able to mitigate and manage those types of attacks.
Yeah. And that's really important, isn't it? A lot of people often think of PAM as just about access, but actually having a record of who's done what and where they've been is invaluable. So session monitoring and recording is hugely important. I mean, you mentioned breaches, and in this security world we don't even talk about breaches very much anymore because, like you say, they happen all the time. But one that did sort of catch the headlines recently, I think just at the end of last year, was the SolarWinds attack. And I think that involved unauthorized access to service accounts, which in effect are sort of privileged accounts. So obviously that was a bit of a wake-up call for many organizations. And I was wondering what you would say to those people that, you know, are not sleeping at night now, wondering whether they're going to be the next SolarWinds attack or similar. So how can PAM or Symantec help them?
Yeah, no,
That's a great question. And, you know, like you, we field that question a lot. I think this attack really shocked a lot of people, certainly made a lot of people think. You know, so for us, specific to PAM technologies, obviously we have, you know, much broader security solutions within Symantec. I won't get into that. I'll focus on PAM. There are a couple of key use cases where we really think PAM-type technologies can help prevent or mitigate, you know, similar attacks to, you know, what happened with SolarWinds. And so, I mean, obviously first of all, you know, we're in the digital age. Just about every company now has developers. They're all, you know, writing applications and, you know, there's a proliferation of source code and those kinds of things around. And so, you know, that was one of the starting points, or the kill chain, for SolarWinds: some injection of malicious code into source code.
So, you know, we really advocate that enterprises really need to look at and think about how they protect their source code. So PAM enables you to enforce very granular access to those systems, you know, where your source code is, or that have access to your source code. So that includes things like files, folders, you know, any processes, those kinds of things. We have a file integrity monitoring capability, which is a bit of a mouthful to say, but what it really does is it sits there and it monitors all of your source code and your source code files. And it looks to see if anything's accessing it, anything's changing it, anything's, you know, tampering with it. And we have the ability to stop that, prevent that. We can prevent, you know, tampering programs from accessing that source code or those source code files, or we can alert on, you know, any kind of interaction with those.
So having some preventative controls and a strong security posture around accessing your source code, we see as critical, and that, you know, could have potentially stopped the whole situation before it started. But then, if I refer back to what I said about zero trust, always assume you're breached. You know, assuming that you have been breached, that brings up the second use case where we see PAM could help. And so that's for any end user organization that may have inadvertently, or unbeknownst to them, implemented some kind of malicious source code in their environment. Having those fine-grained access controls in place from something like a PAM solution can really help to mitigate any damage caused by any persistent threats or anything like that. Because obviously, you know, after an attacker gains access to, you know, an administrative privilege, you know, they're usually looking to do things like install a back door and rootkits.
You know, they want to start to explore sensitive data. You know, those kinds of things. They're looking around for what they can get their hands on, what damage they can do. But with proper access controls implemented, you know, attackers, even if they have gained access to a privileged account, it very much limits what they're able to do. So you might even be able to prevent them from accessing things like sensitive files or executing malicious commands. You know, you might be able to set up alerting on those kinds of things. So we really advocate that, you know, fine-grained controls, you know, implemented through a PAM solution, may give you not just peace of mind in terms of, you know, securability, but also auditability and tracking. So hopefully that helps people sleep a little bit better at night if they take that, you know, comprehensive approach to their security posture.
Yeah. And I think that, I don't know how SolarWinds, how the malware got in, but it may well have been because of the shift to home working, and we need to secure privileged access from endpoints that previously probably wouldn't even be protected. But I don't want to talk about that right now. I want to talk about DevOps, 'cause that's even hotter than the SolarWinds attack. And we at KuppingerCole recently released our PAM for DevOps Leadership Compass. So it's a sort of hot topic for us, and you did very well in that, I'm pleased to say. But I was curious as to how you view the area, how it's going to develop, particularly with Symantec in mind, and how are you seeing your customers deploying PAM for their DevOps?
Yeah, no, that's a
Great question, Paul, and, you know, thanks for that. We were super pleased to participate in that, you know, DevOps Compass. I'm very happy with the results that we got. So as you say, we're seeing an awful lot of PAM customers starting to leverage, you know, the PAM technology in their DevOps environment. So, you know, for us, it's a key area of investment. We're actually planning some very significant projects this year to increase our capabilities in DevOps and around things like secrets management and those kinds of things. But, you know, for us, funnily enough, we're still seeing a lot of customers, there's almost like a sophistication curve or a maturity curve of how people use this technology. Generally speaking, people, you know, will buy or acquire a PAM solution to address, you know, the shared accounts, the admin accounts, and user-based privileging.
Then once they've kind of cracked that and solved that, then they'll move to like the next, you know, next level in the game. They'll start to think about service accounts, you know, system accounts, machine to machine, those kinds of things. Then once they've cracked that, then they start to think about, you know, more of their business processes, DevOps, CI/CD integration, those kinds of things. So generally, we don't see people purchasing a PAM solution with the primary use case in mind around DevOps, but we do see that they start to get there. It tends to be an extended use case. And so we're starting to have more and more of those types of conversations. And so it's an area that we're really starting to invest in heavily. And so, you know, we're absolutely aligned with you on that. I would say in addition, you know, over the last year, our focus has really been around bringing together various solutions and use cases within the PAM space.
As you know, we have the traditional PAM server control, host-based type solution. We also have, you know, the newer kind of PAM password vaulting type solution. So we've really been working to bring those two solutions together into a single capability, you know, and that kind of goes a little bit to the DevOps question, in that we're starting to see people really starting to get to grips with and understand the value that PAM technology can bring, not just ours, but PAM technology in general, and start to leverage it for other use cases. They want to be able to do host-based control. So we want to be able to do fine-grained controls on host space. They want to be able to do password vaulting. They want to be able to do that in a single solution. So you're seeing a lot of the PAM vendors start to extend and move into adjacencies around use cases like DevOps, secrets management, integration with CI/CD, a lot more API integration. And so, you know, we see the same, and that's a key critical area of investment for us over the next 12 months.
You kind of mentioned it there, but do you think that people or an organization might buy a DevOps, sorry, a PAM solution just for DevOps, or is it more likely they already have a PAM in place? I know it's a big question for Frank, you know, differentiated market, but
Yeah, so honestly, right now, I would say I don't, not at this point. I don't think that would be the only reason that an organization would buy a PAM solution. I think it may be another reason or an additional reason. I think people, you know, once they start to get to grips with the technology, they start to find ways that they can leverage that technology across other use cases. So we may evolve to that over time, you know, as the technology and customers and usage of that technology evolves over time, we may get there. But right now I would be surprised if somebody bought and put in a PAM solution just specifically for, or only for, a set of DevOps use cases. I think they're more likely to buy that technology platform for a broader set of use cases, and then also leverage it for DevOps capabilities.
Great. I think it was 2018 that GDPR finally came into being in Europe. And now there's PSD2, there's also the California privacy laws and one in New York, I believe. And data privacy is obviously very much on everyone's minds, and it is an important subject. But probably a lot of people don't necessarily think, they think of the data governance solutions and IT GRC, et cetera. They don't always think of PAM as one way of meeting these compliance rules. So perhaps you could tell us a bit more how that would help.
Yeah, no, absolutely.
And it's an interesting topic, right? I mean, the one thing we know about data privacy and regulation is there's never going to be less of it, and you can always count on there being more. We also see that, you know, there's more, you know, governments and, you know, kind of getting to the point where there's more consequences around these types of things. You're getting more kind of, you know, fines and that kind of stuff going on around that. So, you know, generally speaking, the way we look at regulation is, I like to break it down into this. There's more or less basically two different types of requirements. The first one is accountability. You know, can an organization, you know, really control access to, or manage access to, you know, systems or data or processes that have regulated information, like, for example, PII.
So, you know, that's one key area. The second key area for us is around things like attestation and certification. As you mentioned, there's a lot of data governance tools, those kinds of things. You know, I mean, Symantec, we're a big DLP vendor. We have a lot of those capabilities as well. But organizations really need to be able to accurately report on who's accessed those systems, you know, who can access that data, how are they managing and governing those entitlements, to really ensure that least privilege is being enforced. So what we see PAM offering in this space, where we see, you know, PAM giving capabilities is, you know, obviously we talked a little bit about, you know, the access controls and fine-grained access that, you know, PAM can do. That obviously, you know, certainly helps. And by default, good security tools like PAM deny access to users and, through policy, you allow access.
So there's an inherent base of security. You take that and combine it with the monitoring and the auditing capabilities that an auditor who is enforcing regulation might want to see. And generally speaking, regardless of the regulation, showing that you have good security, good security controls in place, being able to prove that through things like auditing, you know, showing that to your auditors, and then finally, you know, integrating with other security solutions, like, you know, IGA solutions, governance solutions, which by the way we do, we offer those capabilities. But we also very much believe in customer choice. So we integrate with market-leading solutions like SailPoint out of the box to give you that certification and attestation. That overall approach tends to help satisfy a lot of regulatory requirements.
Okay. Well, thanks very much. Yeah. That's some great information there. Maybe we could just finish with a bit of sort of crystal ball gazing, and where you think PAM is going maybe in the next two or three years in terms of product development.
Yeah, no, sure.
Absolutely. So I think it's a very interesting time for PAM. Some of these basic use cases have been around for a long time, but I'm starting to feel like the industry as a whole has kind of cracked those base use cases and, you know, those base capabilities. And so now PAM is starting to evolve and it's starting to move into adjacencies, which is always a very interesting time in, you know, a technology's life cycle. So, you know, just as you brought up and right, you mentioned portly, and we see things like DevOps, you know, secrets management, you know, broader integration of PAM into the wider security ecosystem, you know, machine integrations. You know, we see a lot of our customers have kind of moved past that first stage of securing users and admins, and are now looking at things like service accounts, machine to machine. You know, banks want to secure, you know, ATMs or cash points' access into their financial network. So we really see that PAM has a great set of core security capabilities, and it's going to expand and move into adjacencies. So I think, you know, DevOps is key and critical, but I also think service accounts and non-human, or non-machine things are going to be big in the PAM space, and just general overall integration into the CI/CD and the digital ecosystem, if you like. It's an exciting time.
Yeah, I absolutely agree. And even we've sent out the invitations for our Leadership Compass 2021, and we've got just as many as last year, but that allows for the fact that a couple of companies have been acquired. So it's a really dynamic area at the moment. So I'm really happy that I'm covering it. So, Jim Taylor, thank you very much for answering the questions this afternoon. And with that, I'll say goodbye.
Thanks, Paul. Great chatting with you again.
