Analyst Chat

Analyst Chat #20: PAM - What are Privileged Accounts

Matthias Reinwarth and Paul Fisher launch a new series of talks about privileged access management.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. In each edition, I have one guest joining me, often a fellow analyst or another interesting partner, and we will have a 15-minute or so chat around interesting or current topics. My guest today is Paul Fisher. He is a senior analyst with KuppingerCole, working out of London. Hi Paul.
Hello, Matthias. Great to be with you on my very first podcast.
Yeah, and it's a long-distance one again, between Germany and London. So let's try to find out how things work today. We will start a short series about privileged access management, and you, Paul, have just completed a Leadership Compass about privileged access management. Can you explain a bit what that is and what you've done for that?
Yeah, for sure. Well, it's, as you say, just been published; it came out about four weeks ago. And what we did with the Leadership Compass is assess 24 of the leading vendors in PAM. These would be vendors from across the world. We then review each one of these vendors. We then assess them using a questionnaire and then a series of scoring. And from that we decide who are the leaders and the followers and the challengers within the PAM market. And I believe that you can download this if you sign up for a 30-day trial of KC PLUS, and you can read all about it, as we say in the UK. So it's well worth reading if you're in the market for PAM.
Right. And that is something that we want to achieve, actually, also with this episode of the podcast and the subsequent ones as well: not to get you into the market or to make you buy something, but to help people, our audience, understand what privileged access management actually is. So if we start to explain what privileged access management is, then I think we should start with what a privileged account is. What would be a definition, or at least some examples, of privileged accounts?
Traditionally, Matthias, a privileged account has been given to the administrators in an organization simply because they needed to access certain parts of the organization, or certain files and certain accounts that have sensitive data or sensitive information. They might be allowed access to another user account in order to do some kind of maintenance or update on their system. So they're already provisioned in the sense that they were allowed to do and go to places that most employees aren't. So that's the sort of easiest way to describe it.
Okay. So it would be the root account, the DB admin, something like that.
Yeah. So it's, you know, if you're working in a company and you need to change your password, or you can't access something, or something's not working, then usually an administrator will come in and access your own files. So in that sense, someone allowed to access an individual's PC, which is effectively what they're doing, is privileged access, because they were allowed to root around in personal files.
Okay. So if we think about these accounts, I consider them often as shared accounts: the root password is something that usually more than one user knows, at least when it comes to a Unix server in an enterprise environment, or maybe also the master account of an AWS instance. So this is something that more than one person does know. So there's no control.
Well, yeah, there's no control if you don't have a privileged access management solution in place, because you're right, often more than one person will have access to the same account. They might have a different password, but in the worst-case scenario, they would always share the same password as well. So there's a debate about whether you should have individual privileged accounts or shared privileged accounts, and the debate is really that some companies simply have too many users that need to access shared accounts, sorry, privileged accounts, to give them individual access. But again, that is where a privileged account management solution comes in, because one of the key and essential things they will have is shared account password management, which allows, in theory at least, secure use of shared accounts.
So that would be a technical solution for an organizational problem. But I think that shared accounts are really just a design flaw. Would you agree?
It is. Yes, you're right. A lot of technology is obviously there to cope with design flaws. So if you were to build an organization from scratch, you would hopefully avoid shared accounts. However, as I said, for giant corporations with hundreds of thousands of users, that's a little bit difficult, and one of the reasons why they carried on using shared accounts. So privileged access management is getting better at controlling shared accounts. And I think we are also seeing developments within sort of ephemeral usage and one-time passwords and one-time usage that eventually might enable us to get rid of shared accounts.
Okay. If you look at the complete scope of the accounts that a privileged access management system should be or could be covering, is it only technical accounts? Is it only the accounts that we just mentioned, so the root, the DB admin, or are we also talking about other types of accounts when it comes to the criticality and the risk that goes with the usage of these tools?
Yeah, we're seeing now that privileged access can also mean access to, for example, a customer database, or access to personal files or personally identifiable information, the very stuff that, if organizations are careless with it, they'll get fined under GDPR. You'll also find that privileged accounts are being used not just by human beings. So increasingly applications will talk to another application, or access certain data that they need. And then that brings us into something that's quite current, where we have organizations doing development with DevOps and CI and CD and all that. And these people need access to code, but they also need access to credentials and also APIs and all that stuff. So the scope of what constitutes a privileged account, and what's in it or what it gives access to, has certainly moved on a long way from simply admin accounts and, like you say, access to the root directory and things. So all that stuff is still obviously happening, but it's becoming probably much more dynamic and much more across the enterprise, and taking in more what you might call lines of business and business administration. And of course we're seeing companies which are opening up their own applications and services through APIs to third parties to develop new products. And again, that will also involve privileged accounts at some point. So it's become quite an exciting field, but also a more complicated one, right?
I fully agree. And I've seen organizations, at Archer financial in that example, that actually even have high-risk business access, so creating a new customer, creating a new account, transferring a large amount of money, who have put that access, although it's really business access, but with a high impact and a high risk when abused, into a privileged access management system. So it's really more a risk-based approach than necessarily a technological or technique-related approach. One account type that is often forgotten, and that I've seen recently in PAM as well, is actually the management of the shared accounts for social media, for the social media outlets of larger organizations. We just had, a few weeks ago, that a large German car manufacturer got its Twitter or Instagram account hijacked. And there were some nasty things out there as well in this account. So managing that via a privileged access management system, having the shared password avoided and the password managed adequately, would have made much sense for them.
Yeah, that's a great point. And social media has become, well, almost essential to many corporates. I mean, the motor industry is a great example. They're all over things like Instagram and Twitter, Facebook, because they realize it's a great way to reach new customers and existing customers. Also, it makes them look great, trendy and all that as well. But it's not just a danger of the account being attacked. That's actually a point that I probably should have made right at the start. The reason why privileged accounts need to be protected is because they quite often will lead to what we might call the crown jewels of a company. And they will also lead to root access and things. So criminal hackers will obviously target privileged accounts because they know that once they get into them, that gives them a good chance of accessing the kind of data that is worthwhile them stealing.
And also they can move sideways across the organization into other networks and files. But yes, to go back to social media, it's not just external, but if you have too many internal employees having access to a corporate Twitter account, knowing the password, et cetera, it's not healthy. And it can lead to a situation like we had in the UK government, where a civil servant posted something criticizing the government on the government's own account, which potentially is quite humorous depending on your political views, but in all seriousness, it's something that could be highly dangerous. And I think, Matthias, you're right. People don't think about social media as being a sort of highly privileged area or something that should be protected, but it can do great damage to the organization. And it's where, you know, the organization is directly facing their customers.
Exactly. And I think maybe we should also think of privileged accounts on the endpoint, so on the actual user system. Many organizations have the bad habit of assigning local admin rights to Windows users on their box. And that is something where the usual user gets elevated access and can do almost anything on their otherwise well-protected corporate desktop or laptop. I think that is something where privileged access management could also help to achieve both: that the user can install a bit of software, but cannot do everything all the time.
No, and that has to be very carefully controlled, especially now, you know, in the current situation, with so many of us working at home and using family laptops, or laptops that haven't been approved by the corporate IT department or security department. Quite often it's easy to think, oh, this guy's okay, you know, because he's the head of accounting, allow him to download whatever he likes, or allow him to access different bits and pieces. That person might well be a good employee and have no malicious intent, but by doing that on a remote device and on an insecure network, they are inviting in trouble from hackers and others that may be able to hijack that PC or laptop. So the flip side of that is allowing administrators access to endpoints so that they can do the actual security enhancements that need to be done, so they can indeed lock down those laptops. So the administrator has privileged access to that laptop; the user should have limited privileged access from that laptop.
Exactly. So to sum it up for today's episode, I think the most important thing for considering privileged access, or privileged accounts in general, is that we have to apply a risk-based approach: identify which risk comes with which type of account, and from that identify which account needs to be subject to privileged access management, and that we do this on a well-executed risk assessment and not only on the type of account. Would you agree?
Yeah. And I think the other thing too is: don't say that you don't have any privileged accounts, because you do. Even the smallest business has something, or some accounts, which have access to things that you want to keep secret or you want to protect. So if you have no privileged access management at all, the first thing to do, and we can talk about this in another podcast, is how you go about deploying privileged access management. And the first thing is to understand where and how your privileged accounts are used.
Exactly. So today we've learned a bit about what privileged accounts are, but as mentioned before, this will be a series of more than one episode covering privileged access management from different angles. And I think, as you've mentioned, the next starting point might be to look into the core functionalities of such a solution, how to apply it, how to really bring it to life in a real-life organization, and how to implement that. And I think there's lots of potential there.
Yeah. Well, I hope I can help you with that, Matthias.
Absolutely. I know you're the expert, and I'm looking forward to that. So thanks again for your time, Paul, for taking part here. Thanks to the audience for listening. And let's talk soon about further PAM things. Great. Thank you. Bye-bye. Thanks. Bye.