KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
The short abstract of this topic would be "How we can make a proper business case and ROI(Return on Investment) for PAM". Below are some of the preparations we need for a smoother PAM flight:
The short abstract of this topic would be "How we can make a proper business case and ROI(Return on Investment) for PAM". Below are some of the preparations we need for a smoother PAM flight:
In this talk, Alpha will discuss the often arduous way from buying and initially implementing a PAM solution to achieving significantly improved security as a program target. He will share lessons learned about necessary changes to IT infrastructure architecture and operational processes to ensure maximum impact of a PAM project. Overcoming organizational resistance to the new processes and tools is equally important. Alpha will explain what to expect, and leave the audience with some best practice ideas to engage and involve stakeholders in IT operations and general management.
As businesses continue their digital transformation journey, managing privileged users has taken on a new and greater importance. Privileged Access Management (PAM) has never been more important, with increased remote working and employees increasingly getting privileged access to data and services.
What makes a PAM strategy different from enterprise password management or Identity Access Management? What are the first actions you should take to protect your privileged accounts in the shortest amount of time? And, how has the definition of “PAM Basics” changed as the industry and cyber risks have evolved? This webinar is a must for teams launching PAM initiatives to ensure they start on the right foot. As you progress on your PAM journey, there’s always something new to learn. If you’ve already begun your PAM rollout, this event is a great chance to confirm you’re setting the appropriate milestones and see how others demonstrate success.
PAM (Privileged Access Management) is one of the established core disciplines within IAM. PAM also is the IAM discipline that is changing most from what it has been in the past.
On one hand, there is the impact of CIEM & DREAM, Cloud Infrastructure Entitlement Management or Dynamic Resource Entitlement & Access Management. This is about the expansion of PAM beyond humans accessing servers and selected applications towards any type of human and non-human (silicon) identity accessing any type of workload, from servers to dynamic cloud resources. This also implies an expansion from serving static data center infrastructures to dynamic workloads in today’s agile IT. PAM is changing, with more parties involved – a “PAMocracy”, as KuppingerCole Analyst Paul Fisher recently named it.
These changes also require expansions in integration to other IT services. There needs to be a dynamic governance approach, where IGA comes into play. It requires rethinking whether PAM tools really should care for authentication. There is no need for authentication point solutions in an age where most organizations have a strong Access Management solution with MFA, passwordless authentication and adaptive, risk- and context-based access in place. Finally, this new PAM must integrate with the DevOps tools chain for permanent updates about new code and the resources used as well as with IT Asset Management for an always up-to-date insight into the ever-changing, dynamic IT landscape that needs to be protected.
Also worth to think about is integration with further security solutions, beyond the standard SIEM/SOAR integration. AI-powered security solutions are one aspect. Integration to Cloud Security Posture Management is another example.
In this panel, the state and requirements on the future PAM will be discussed.
As your business grows, so does your IT footprint – both on-premises and in the cloud. This adds to the overall complexity of managing access to the newly acquired IT assets and applications in addition to existing ones. The conventional approaches of managing privileged access using controls native to the individual operating systems, and other internal access policies, are not only cumbersome to manage but add to the security risks in today’s hybrid IT environment. IAM leaders need to assess security risks associated with unmanaged and uncontrolled privileged access across more dynamic IT environment to ensure the appropriate PAM controls are chosen and deployed to address these risks.
Privileged Access Management (PAM) has assumed a critical role in protecting the most valuable data and services within organizations from theft, loss, and unauthorized access. But as companies and other organizations have become more complex and embrace digital transformation, PAM is also taking on a core operational function to achieve better insight into data usage and contribute to agile working processes.
Privilege Access Management (PAM) is changing, driven by the move of most businesses from on-prem IT applications and infrastructure to the cloud, resulting in a multi-could, multi-hybrid IT environment. This has resulted in a proliferation of privileged identities that need to be managed. Join PAM experts from KuppingerCole analysts and iC Consult as they discuss the need for organizations to modernize their PAM capabilities to manage access and entitlements in today’s complex and volatile hybrid IT environments, that can operate at the speed of the cloud and grant access dynamically, based on tasks, toolchains, and workloads.
Paul Fisher, Lead Analyst at KuppingerCole will talk about the main trends emerging in PAM and he will explain why there is a need to modernize PAM to support the new and emerging needs of rapidly changing business IT environments. Johannes Hauer, PAM Lead Consultant will give an overview of the iC Consult’s methodology for PAM assessments and explain how to prepare to implement a future-proof PAM capability. They will also talk about the key success factors in starting a PAM initiative and the need to modernize PAM.
In the last couple of years the ransomeware attacks and other cybersecurity threats has not only brought cybersecurity topics to the board rooms but also widened the attack surface outside of the multi nationals and the financial institutions.
The cyberssecurity approaches and strategies that works well for a multinational with a large and well funded cybersecurity department may not be as applicable for a mid sized company where the security department may be a single person.
Still if the partner company that delivers the cheese to a retailer falls to a cybersecurity attack there is simply no cheese to sell to the customers so the retailer not only loses money but also fails at their most basic task. So how do we as multinationals help our partners with implementing basic controls such as PAM in a way that works in their business reality?
In this session we will be looking at how you as a relatively cybersecurity mature company can do to help your less mature partners. It is also suitable for persons who has been asked to launch a cybersecurity or PAM program without been given the full resource to execute a full program.
So hi everyone. My name is Aina.
Yeah, it's working. Yeah. And title for today's session is Preparations for Smoother PAM Flight and is focusing on the bit by bit milestones and prerequisites required during the PAM journey in order to have a smoother lift, in order to have a smoother flight afterwards. You can say it. Expansion.
Yeah, That's good. So let's go to the next one. So what is the agenda for today? So we'll be discussing about, first about the criticality of an PAM solution. What are the business and technical values it brings? Next to that, we will try to understand what are the different layers of pam where privileged account can exist. And then we'll talk about the vendor selection dilemma because it is one of no the tricky task when it comes to the vendor selection. And then next to that we will talk about the ROI that how we can generate a positive ROI when it comes to the PAM solution.
So we'll be talking taking some real world examples that can help to generate a positive roi. And last but not the least, we'll be exploring the strategies when it comes to the PAM rollout. So until this point, we are setting the foundation. So once the foundation is there, we just need to capitalize on that and just expand the solution like you know, your veins and arteries of the organization. And let's talk about the why they're crucial for the organization.
It's because it's letting the right people in to do the right things at the right time for the right reasons and they're too in an effective, efficient complaint and secure manner by keeping everyone else out of the equation. So in a nutshell, it is making sure that only the authorized user should be able to access the mission critical systems or privileged resources in an designated or defined policy of the organization. And that too, again, in a secure manner. So this would be the first milestone to understand the crucially.
And the next one would be, okay, what are the values a PAM solution brings? So the first and foremost is the centralized repository.
So PAM, solution vault and store the privileged accounts in one single repository in order to provide a single point of view that you can really see all the privileged accounts in an organization. And there is a study there where research still happened, which says, I think more than 50% of the organizations are struggling to find where their privileged accounts are and how many privileged accounts are. And it's a very common saying we can't protect, which we can't see. So this is one of the value. And the second one is compliance and regulations.
No matter in which industry and organization is operating, they have to one or another way to comply with the certain regulatory compliance. So be it PCI dss, you know, if an organization is operating in an financial sector but they're dealing with the payment card data or an industry who is dealing with the healthcare records of the patients, then they needs to comply with the hipaa. So all those regulations in the end has some prerequisites that's they want and organizations to follow.
And having a pan solution can fulfill those regulations, regulatory compliance or in then it generates a positive impact on the compliance. So living behind all those fines, those financial penalties that can occur. And next to that is the auditing PAM solution provides great auditing and complete logging of the activities that has been performed on the privileged account. This is really helpful in order to track the, you know, detect the anomalies, the behavior. And next to that is the credential management. So it manages the credential. So this is one of the cool technical values it brings.
Means here user is no longer needs to manage the credentials by themself to use any privileged resources to use any privileged access rather is the PAM solution who is going to manage the credentials. And it's with the policy-based rotation. It means if there is a system mission critical system a user is accessing and depending on the criticality, we might want to rotate the credentials after every use or after every X days. And the next, that is session management.
PAM solutions make sure all the privileged sessions, they are completely authenticated, authorized, isolated, and monitored at all the times. Those automatic rules we can apply, which make sure that whatever the activities user are doing, they should be compliant. So they might not, they shouldn't be doing any activities which are marked as non-op operational. Things that they can't do then is the security and access control. It improves the overall security posture of the organization. And then the principles like least privilege, zero trust, all those are the base of this solutions.
Last but not the least here is the risk mitigation. Having a PAM solution can mitigate a lot of risk. It brings a lot of good values when talking about the different kinds of risks. So be it compliance risk or be it some, you know, some operations that are not allowed on a certain privileged assets. One of those examples is one database, which is holding all the customer data.
We might, we shouldn't, we might not want anyone to able to delete that command even if you have a privileged session opening around. So these kind of mitigations we can easily close. And now next milestone in this case would be the ERs. So what are the different ERs where privileged accounts can exist? So the answer to that is privileged account can exist anywhere. And the difference between them and a standard account is that they have the elevated level of privileges, they have elevated level of permissions, they can perform mass changes than the normal users.
So here are some of the layers that we have demonstrated. Like it can be in the cloud infrastructure or it can be in the databases, web apps or servers like physical server, windows, Linux in the form of local admins, route accounts or pseudo file.
You know, those are virtual machine network devices, you know, like trrs switches and in the devs upwards in the form of secrets, be it in the c cd pipeline, scripting champions, ible, a lot of DevOps. We can say DevOps on the rise. And one of the layer would also be the ad like the active directory, like an enterprise admin, domain admin, some service accounts. So these are some of the layers which have brought it down law to understand where a privileged account can exist. And now we understand the crucially, we know the values, we know the layers.
Now next steps would be really is this vendor selection dilemma And why I said it's a dilemma because it, it's a very tricky process when it comes to the vendor selection. But if we introduce a certain process in this, then we can dilute this dilemma a bit rather than having almost the time a dilemma. So the first one in this process is to having a PAM requirements a clean, clear, and crisp requirements. We need to lay down in order to use this as a blueprint because this is going to serve your a blueprint for your organization when it comes to the PAM initiative.
So the first and foremost, what we can do is we need to identify the stakeholders from the management and from the technical side who are going to support this whole initiative that we need to identify the critical systems which are really mission critical for the organization. And next to that we need to assess those critical systems and how we can assess those critical systems by the knowledge we shared we got from the PAM layers. It means we need to decompose the system, find all the PAM layers which are into the system and then assess it against the privileged accounts.
What, what are the policies and procedures? Find the gaps. This is the chance we need to find the gaps, areas and improvements because all those steps are going to help to lay down a better requirement plan. The more better, the more crisp, the more detailed the plan would be, the more better it is going to help us in the end. So once we have the requirements, then we go go to the vendor selection. We can always leverage Casey, our research organization list. Normally they assess the vendors, they now they have Casey Select as well, which is doing amazing and here, but here is the check.
We need to assess the vendors against our own PAM requirements because if we take an example of Kuppinger coal, they are assessing the vendors against a lot of different parameters and those parameters might not be valued for you. So you need to go with really your own PAM requirements.
Use that, use Casey as a framework and then add or update, add or remove based upon all your requirement and then pick the list from there. And then some of the other factors that can be included is the organization future strategy. What is your organization future strategy? Are you heading towards any transformation or is there any transformation planned? All those things needs to be planned. And then the pricing, well pricing matters a lot.
If our requirement is just to travel from one street to another street, we should not be spending time on a high-end luxury car because it's not going to solve the purpose unless, until you have hell amount of money to throw. But this, that's why pricing matters. And then the vendor vision for me, this is a pretty good point when we talk about the vendor vision, how vendor is aware about what is the current developments happening in the cybersecurity world.
So the more they are aware and what are the steps they are taking in order to mitigate the risk because we know the world where we are living in almost not every day. Every second new threat is coming. And what is your vendor vision in that? How they can protect and make you secure. So those are the factors where we can use. And then using that, we can pick the best fit when it comes to us. We have now crossed past the second step in this process.
The next would be the poc, perform a proof of concept of proof of work with with the the selection that you have and show to your vendors that we are doing a proof of work and present it to your stakeholders, gather the feedback, this is the key and leverage security scoring. Why I am saying security scoring is going to help because it's on the organization that what are the factors important for them, use that as a scoring mechanism. And in the end what we are going to get are complete details.
Who is ahead with the feedback with the scoring and then it can, that's why I was saying with the process, it can dilute the vendor selection. So after this step we will have our vendor and then we'll get to the next part, how to get a positive roi.
Wow, return on investment. It's a very heavy term. So there are multiple factors that can be concluded in order to generate a positive roi. First one of this would be cost benefit analysis. The cost benefit analysis works everywhere, especially in the security. We need to be aware of the benefits that we are getting against what we are paying because we cannot be spending thousand euros on a hundred euro asset just to prevent this. So having a clear cost benefit analysis, the amount of benefits we are going to get against the the cost, it is very important.
And then the increased compliance, as we already know, the regulatory compliance requires certain set of conditions to be fulfilled and those certain set of conditions are related to the privileged access also. And having a PAM solution can just improve the compliance and we, it can save us from the financial, you know, fines and it's good for the organization and reputation as well. And with the increased security it, it is really good for the organization's security posture that they are having a PAM solution.
They're critical mission critical systems safeguarded and in the end it is going to make sure that only authorized users should be able to access the resources by keeping away all those bad actors and everyone outside. Next one is cyber insurance. This is quite hot topic these days. So with the PAM solution we can bring down the premium when it comes to the cyber insurance. Why these days even insurance are, are getting smart. Oh they're, they're smart now and they have learned from the past few years about the incidents, whatever has happened in the organ in the industry.
And if we again decompose this, it all goes towards the privileged access. In the previous slide, in the previous presentation, we were seeing there 80% of the breaches that are happening because of the privileged theft. And this is also one of the part in the cyber insurance and all on one of the other features that has been seen is that there are some privileged resources that are not properly safeguarded leaving an open end. So having a PAM solution can safeguard all those things. So it can bring down the cyber insurance and for sure cost saving it can significantly reduce the cost.
When it comes to the audits, you know when we have the audits and generally audit teams want to ask the IT teams or who are managing those systems, you know, we want to review all the privileged activities that has been performed, please give us a list and to provide them a list everywhere that now this user logged in this activity has been profound.
Okay at this time and make those and long access, it's eating up a lot of man hours and those can be utilized in a much better way when you have a PAM solution with just couple of clicks you can already find activities, what are there and also without now I will say without PAM solution when there is a credentials. Now when we need to manually handle the credential, it's a very painful process for the IT teams that they are managing the credentials. They have to rotate the credentials every time.
And once you are leaving the organization, they needs to make sure wherever the IG system is not connected, it needs to remove the excess. So it's a very significant cost saving in terms of man hours. When we say, and last but not the least is operational efficiency. Pam solution streamlines and automate a lot of privileged access related activities. Beat credential management or beat session management or even self-service. So a user can just go in and request access, privilege allegation, delegation, nothing to worry about. No human intervention required.
Everything is automated, everything is recorded. So which in turn increases the operational efficiency of the organization. But you might be thinking, but these are journal terms, but if we want to talk about the numbers, then we need to leverage the quantitative risk analysis approach because it's the quantitative risk analysis approach that is going to provide us the numbers and how we can get the numbers. We can perform an impact analysis just to simulate what if a real disaster happens, how much it can cost to us.
We can identify the top prioritized scenarios in this to simulate the disaster like you know, data breach outage and somewhere. And the easiest of this would be out of this what we are going to get. Numbers. Numbers which will clearly say it is a positive ROI to have solution because we will have the quantitative risk analysis already. The asset value, it's not about purchasing software or hardware, but what is the real value of that asset because it's holding data and then the total cost of autoship.
So this is pretty helpful in terms of ROI and now we have the roi, but what are the strategies that we need to explore in order to roll out? So I will do a bit more quickly. This is pretty close to my heart. First of all, integration with the identity stack. We need to leverage all IM core technologies.
I am BAM, an identity federation to provide a better identity security. They are not substitute to each other. We need them. Why we need it in order to manage the identity lifecycle, in order to have a self-service, in order to leverage all those governance, school governance features, access review, policy violation, segregation of duties, and then identity federation for authentication and and MFA rollout approach. We needs to have, there are basically two kinds that the name suggest crown jewel, which are really close to your heart of the organization.
Just safeguard them or the platform, just pick one platform, bit like Windows or databases, just safeguard them. And then we needs to create a PAM control coverage metrics in the end that is going towards service and kpi. That is what a living document for us that will show us what is our controls and divide it into faces. So do nothing in the phase zero, just do the account onboarding and discovery and then pick one platform, do all the capabilities of the pam, credential management, logging, session management, reporting, auditing, all those task of automation features.
And the next step would be just to replicate, and this is what I was saying, expansions until phase one we are setting up the stage. This stage is set up, future phase, just capitalize on this stage and just keeps on expanding. Expanding and expanding. And with that, I would like to say thank you. Thank you very much for listening. Thank you so much coming up. Okay. Oh bang on time. You should really pay attention to what he says because he's also an award winner from last night. So thanks again. There is no questions unfortunately, but that's okay. Thank you. Thank You very much.
