Celerity Security Panel – S2E7
DAVID TAYLOR [00:02:10] Hello and welcome to Security Panel. My name is David Taylor, and today we’re going to be talking about Privileged Access Management. Today, I’ve got two security gentlemen to help me talk about this. I have Sam Hector, IBM Security Channel Leader for the UK and Ireland, and I also have Ben Lake, Regional Director for the UK and Ireland at Thycotic. Welcome, guys. Alright, so before we get started, can you just give us a little introduction, both of you? Sam, would you like to start?
SAM HECTOR [00:02:40] Sure. Thanks, David. As you say, I lead the IBM Security Channel team here in the UK and Ireland, and we support our skilled partners such as Celerity going to market with our technology. Prior to today I’ve had roles as both a distributor and a partner myself, so I’ve done the channel tour of duty, and I’m looking forward to talking about PAM with you today.
DAVID TAYLOR [00:03:03] Great, and yourself, Ben?
BEN LAKE [00:03:05] Yeah. Hello, everybody. So my name is Ben Lake and I’m the Regional Director for the UK at Thycotic. I’ve been with the business about three years now, and we entered a very exciting phase of our business around 18 months, two years ago, where we partnered with IBM around the PAM solutions that we have. So I’m really excited to be able to talk about some of those solutions today to see how we can help your customers to be able to drive privileged security within their businesses.
DAVID TAYLOR [00:03:35] Right. Thanks for that, both. So I think the very first question we should answer is: what is privileged access management, also known as PAM? Ben, can you start on that one?
BEN LAKE [00:03:45] Sure, I can give it a go. So privileged access management ultimately is the concept of being able to manage and control who, when and how people are accessing your most privileged, sensitive and critical assets within your business. Now, that can be a multitude of things. That can be your customer data. It could be your employee information. It can also be source code if you are a software company, or if reputation is one of the most important elements of your business, your social media accounts could also be your privileged accounts. It’s what you as an organisation hold most dear to you as a business. And it’s about being able to protect and monitor who is accessing those most critical assets. And privileged access management solutions are there as the ultimate gateway to ensure that the right things are being accessed, at the right time, by the right people. And really that is a very high-level view of what privileged access management is. I know you actually came up with some very interesting analogies of this, of what privileged access management really means. And I know they can come across as being quite simplified, but I think they do a really good job of being able to explain it. I wonder whether you can share with everybody that’s watching the analogy you came up with.
SAM HECTOR [00:05:08] Yeah, sure. Well, thanks for teeing me up for that, that’s embarrassing. So I was trying to kind of come up with an example of PAM in layman’s terms that, you know, anyone could understand. And we came up with the idea that with PAM, any firm is trying to protect its most critical and most valuable assets. So I thought, what’s the most critical and valuable asset that an individual could have? And I came up with the superyacht, okay? So let’s imagine that you have an incredibly valuable asset yourself you would like to protect, and you moor your superyacht up in a brand new place, and you would like to give your regular crew a bit of time off. One of the main things that PAM can do is enable you to have third party contractors accessing your most highly sensitive systems in a secure way. And that’s one of the main benefits of it. So let’s say that you’ve moored your ship up and you need to get a cleaner and a chef onto your ship. So in a very rudimentary analogy, you know, PAM would check their identity on the door. Are they who they say they are? Then, you know, the ship’s PAM system would then call the temp agency and say, hey, are these the guys that you sent? Are these definitely the guys that we should be letting board your ship? Two-factor authentication. And then once aboard the ship, you know, the chef is, by nature of his role, that role, excuse me, going to need access to very different things than the cleaner would need access to. So, for example, the ship’s PAM system might automatically unlock the knife drawer for the chef, whereas it wouldn’t for the cleaner, because why would a cleaner need access to a knife drawer? And even within the role of a chef, you know, we’re using this analogy, stretching it slightly thinly, to kind of mean you might have different admins where, you know, one admin only needs access to the email system, one is a web admin and then only needs access to web servers, etc.
So, you know, even within that, you can subdivide it by role so that you can have a pastry chef that only has access to the rolling pin, et cetera, et cetera. But that’s really stretching it quite thin now. And then, you know, the ship’s PAM system automatically opens and unlocks doors based on role-based access control. But it’s also got an infinitely perfect and good CCTV system which records everything. It’s almost like omniscient. It records everything that they do, regardless of where they are in the ship, and can replay exactly every single action that the chef and the cleaner have taken. So let’s say that, you know, they manage to bypass the security control and make it aboard the bridge and try and access the navigation data on the ship, something which is really highly unusual for either of those jobs to need to do with all that data access. We can detect that. We can record that activity and then take action based upon it, and safely remove them from the ship if we detect something malicious going on. So thanks for teeing me up to that, Ben. I haven’t used that one in a couple of weeks, I hope I did it justice. But it’s a good analogy, you know, two-factor authentication, role-based access control and a really robust set of auditing and replay. Is that fair?
BEN LAKE [00:08:40] Yeah, I think it’s a great analogy. I really do, because what it does is it takes it down to a personal level. I think, you know, kind of sometimes those simplified analogies do a really great job of being able to really hit the nail on the head on exactly what privileged access management is, and you did a good job.
DAVID TAYLOR [00:08:57] Yeah, I personally love analogies when explaining things. So thanks for that, Sam. So we’ve discussed what PAM is. So, Ben, can you tell us why PAM is such an important part of cybersecurity?
BEN LAKE [00:09:09] Yeah, I mean, so PAM is definitely a very, very important part of cybersecurity because you’re dealing with protecting the business’s crown jewels. You know, the most important things that a company holds dear to it. So it has always got to be a critical part of any PAM strategy. If you want to get a level deeper than that, I think if any organisation is looking at embarking on an identity project, for example, or digital transformation projects, PAM has got to be almost a central part of those projects, because it’s almost like what Sam was talking about before. It’s all well and good having some level of protection, you know, let’s say multifactor authentication. What’s the point of having, you know, a gate and a fence all the way around your property with security guards in the front, if you’re leaving some of the doors open inside that property, or a safe, for example? It makes no sense. You know, you’re still leaving yourself open to attack and somebody doing something within your property that you wouldn’t want them to do. So being able to control and manage what happens at the kind of core of your business has got to be an important part of that strategy. You know, you don’t want anyone walking around your business or your home with access to everything, you know, anything and everything. You want to control and monitor what those people are doing. And, you know, before I pass it on to Sam to comment on that, I think there’s another element here as well, which is that compliance is also a big driver for any cybersecurity programme. And if you look at the frameworks of most of the compliance that most organisations in the UK have to abide by, being able to control and manage privilege is one of the core things of nearly all of them. You know, being able to control who is accessing what and when. You’ll see that a number of those tick boxes are around privileged access management.
So any way you look at this, PAM has to be an important part of any security programme.
SAM HECTOR [00:11:18] Yeah. Thanks, David. There was one thing I’d add to that. You said, why is PAM an important part of cybersecurity? And if we look at the ultimate goal of cybersecurity, it’s to prevent attacks, right? And PAM is really highly effective at doing just that. If you look at reported breaches, the vast majority of breaches that had to be reported, for example, to the ICO as part of GDPR, or, you know, to any other data controller, the vast majority of reported breaches acknowledge access to privileged accounts as part of that attack. And what this means is that when attackers go about compromising a firm, they will get in through any route they can. So they’ll exploit any vulnerability. And then typically they will sit and just observe the typical behaviour of an organisation, and particularly the privileged users of that organisation. So what times do they do work? What time is this firm typically sending out the most data, so we can hide data exfiltration in the normal pattern of traffic? But far more bright on a daily basis, etc. And they will observe for a period of time, and then they will try and compromise, if they haven’t already, they will try and compromise a privileged user to escalate their privilege so that they can then go and perform the malicious activities that they’ve been planning before. And so PAM is, almost regardless of how an attack originates, a super important preventative measure in terms of how we disrupt criminal behaviour in organisations.
BEN LAKE [00:13:01] So would you say it might be seen almost as like some sort of insurance, so that once someone does get in there’s an extra layer of security?
SAM HECTOR [00:13:09] Yeah. Yeah, I mean, cybersecurity fundamentally is risk mitigation. And one of the key areas is, for so long, you know, David, you will know this, cybersecurity has been focused on identity and access management as a whole. And for the last few decades, we’ve kind of been talking about, you know, user security, accessing systems. And it’s only really been in the last few years, Ben, I don’t know if you’d agree with this, that PAM has really come to the forefront as a focus area, and firms are splitting out privileged users from the rest and saying, actually, these guys need an awful lot of focus because this is where the most risk is held.
BEN LAKE [00:13:54] Yes, I would totally agree. You know, you do have to separate, you know, normal standard users from privileged users and treat them very, very differently, because if any of those do get breached, you are gonna be in for a rough ride. I think as part of the Verizon breach report, it was stated that 86% of all data breaches occurred from stolen, weak or shared passwords of privileged accounts. So when you talk about risk mitigation, this is a huge potential risk. So if you’re able to reduce four out of every five data breaches, then you are really reducing your threat within your business. So I think, you know, as I said before, any way you look at this, PAM is definitely an important element of any cybersecurity programme.
DAVID TAYLOR [00:14:43] Most definitely, off the back of those comments. So, guys, I think we’ve already touched on a few of them, but can you both tell me some more of the benefits of PAM?
SAM HECTOR [00:14:55] Sure. Yes. Yeah. Thanks, David. And let me actually twist your question slightly, if I may. I’m being slightly cheeky here, but let’s look at the challenges that customers face first, and then I’ll throw over to Ben to go over some of the benefits of PAM, if that’s okay. So if you look at the challenges, because I think, you know, one leads on to the other. If you look at the challenges that organisations are facing in terms of what their privileged users are currently doing, there are primarily three things. They’re storing credentials in an insecure way. Often, you know, far too often, we go into our customers or prospective customers and see that they still store admin credentials in a shared spreadsheet, which, you know, presents a number of problems that I won’t get into. They should be fairly obvious. What if that spreadsheet goes walking out the door, for example? Then the second challenge that firms face is that, by a matter of practice, some privileged users will share and reuse those same credentials. So you can’t tell which privileged user took what action in that system if they’re all logging in using the same credentials. You can’t differentiate and attribute those activities to a certain individual with any ease. And that’s really where the benefit of PAM comes in, is sorting out those two challenges.
BEN LAKE [00:16:32] Good. You know what, I think you make very valid points. Being able to control and monitor who is accessing what can be a very challenging thing if you’re doing this in a manual way. You know, if you’re trying to kind of track and trace who is accessing your most privileged accounts, whether it be a database or whether it be a server or a router or a switch, a social media account, whatever that might be. Having a way of being able to audit who is accessing what and being able to delineate each individual’s access is just a benefit in itself, straight off the bat. You know, you’re able to derive a lot of benefits; being able to chaperone, you know, every user that kind of enters into your system is a benefit. And there’s one, I think, that goes kind of untalked about quite a lot. And this is around password fatigue. And I think this is a real benefit here, because if you think about just a regular I.T. administrator, they have to manage and maintain sometimes hundreds of different systems. And all of those systems should have unique passwords. So you’re adding the burden on each individual I.T. administrator to remember very unique and sometimes, you know, kind of a requirement is to have very complex passwords. You’re really adding a lot of complexity to each individual, right? And you’re putting a lot on them. So often, as most human beings do, you tend to go along the path of least resistance. And what that will mean is either you make passwords easy to remember, which means easy to crack, or you store them in a location which is, you know, very insecure, which also means that it is easily open to abuse. So if you imagine then that you have a system that takes that burden away from “the individual” and puts that burden on the system to be able to remember all the passwords, while still giving the user access to all of their privileged accounts in the same way. In fact, even easier than they did before.
That is a massive benefit because, you know, you are creating an environment which is much more secure, but still enabling your users to be able to go through the same productivity as they did before. Because, as we said before, 86% of all data breaches occur because of a stolen, weak or shared password. You eliminate that by using the system to be able to control it. And also, you know, kind of aligned with that, if you think of the amount of support calls and help desk calls which are for manual password resets, there is a financial benefit as well for having your system be able to manage passwords. Because you’re not having your team constantly picking up the phone going, that’s somebody else’s forgotten password. That’s gone now because the system does it for them. So I think there are a number of by-product benefits of using a system like this, just like password fatigue.
DAVID TAYLOR [00:19:32] Great, thanks for that, Ben. So, we talked about the benefits of the use of it for cyberattacks. But would you say PAM’s sole use is to prevent or limit cyber attacks? Or are there other uses? Sam?
SAM HECTOR [00:19:48] Yeah. So at its core, it is a security tool, there is no getting around it. It is designed to improve the security posture of our customers. But there are other benefits that I think are probably not traditionally associated with security, such as productivity increases from having all of the systems that you need to administer on a daily basis, you know, on one portal, so that you can just quickly switch between the different sensitive systems that an admin needs to log into to get work done. And also collaboration between teams; I think you can have a much tighter admin team. And even, you know, coming back to the yacht example that I used earlier, inviting third party contractors to collaborate on systems when you have, you know, ongoing projects happening, in a much easier way. So that onboarding and the offboarding process is done in a very secure manner as well. Ben, do you want to comment on some of those kind of benefits that are outside of what we traditionally classed as security, I guess?
BEN LAKE [00:20:55] Yeah. You know what? There’s one that comes up which I quite like talking about with prospective customers, which is that if you think about the way that the system is a role-based access control system, you could really, you know, kind of granularly be able to dictate what people can and can’t use. And there is a real benefit to that for people like junior I.T. administrators, where you can give them some level of privilege but really restrict where they can use that. So whereas most senior I.T. administrators will be able to access maybe hundreds of different servers, you could really sit down and say the junior I.T. administrator can access five servers, but you give them domain level admin on that. So they can do all of the things that they need to, to learn how to do that job, to be better, to develop. But you’re restricting the risk, all right? So as a development tool, you could quite reasonably say that there is a benefit there. And related to that, on the point where Sam was talking about the CCTV, where you can record sessions, you could use it as a training mode as well, right? So you could record sessions of those junior administrators, go back at a later date, go through the process they went through. If there were any issues or mistakes they made, you could review that with them, you know, after the fact to help them with that development. So, yes, it is a security tool at its heart. And, you know, it will always be a security tool. But as I say, there are by-product benefits that you can really rely on as a way of being able to sort of say this isn’t just a security tool, it can do X, Y and Z as well.
DAVID TAYLOR [00:22:38] Brilliant. It’s good to know it’s got those extra capabilities, that it’s not just used for security. So, Sam, I think you touched on before about organisations maybe using a password, sorry, a spreadsheet for their admin passwords. Do you think that that’s quite a common thing amongst organisations? Or are there quite a few using PAM?
SAM HECTOR [00:22:58] Yeah, it is concerningly common. I don’t have the stats, but I think, as I alluded to earlier, you know, PAM is something that has really come about as an area of focus in the last few years. But the… I guess the positive thing about PAM is that it’s applicable to firms of all sizes. This is not something which is niche, specific to, you know, banking and insurance, for example, highly regulated industries, or, you know, only applicable to firms above a certain size. PAM is generally applicable and can have the same benefits for firms large and small. But what I would say is it’s not being that widely adopted yet. I think it’s one of the fastest-growing areas we have in cybersecurity. And, you know, it is at the very top of the CISO’s agenda in all of the studies that we’ve seen come out to date. But we’re still gaining traction, I think, and there’s still a lot of work to be done.
BEN LAKE [00:24:04] Yes, I agree. Yes, yes. Thanks. I would agree with that, Sam. So, the last stat that I heard about the growth of PAM was that it was growing 2.5 times faster than the overall cybersecurity space as a whole. So it is definitely growing at an exponential rate because more and more organisations are seeing the requirements. I mean, there’s not a day that goes by that you don’t see something on the news about a new data breach of, you know, a new organisation. So it gets in your face all the time. You know, you can see CEOs, CIOs that are seeing this all the time, thinking, I wonder whether we’ve got anything in place that kind of helps mitigate this risk. So it is coming up more and more regularly and is becoming a need-to-have solution, whereas maybe a few years ago this was a nice-to-have solution. It’s very quickly changing. And I think, you know, there are a number of organisations, and as Sam said, it’s quite scarily common that organisations are still, to this day, using spreadsheets to be able to hold and store their passwords. You know, if you knew some of the industries in which this was prevalent, then you’d be very worried yourself. But it is becoming less and less accepted, where I think before it was accepted that this was an okay practice. That’s not the case anymore. And I think the more organisations that we talk to about the challenges, but also the potential impact to your business if that gets breached, this is becoming more of an interesting conversation around PAM with your customers.
DAVID TAYLOR [00:25:44] It’s good to know that companies are moving in that direction. All right, guys. So when we talk about PAM, are there many PAM tools available to organisations, Sam?
SAM HECTOR [00:25:54] So I think it’s important that we kind of position what IBM Security has done here as well. So IBM Security as an organisation, we were looking at the rapid growth of PAM. And we were looking at the vendors that are available in the market. And I’d say, to answer your question, David, that there are primarily about three that are leading the way at the moment. And we looked at each of them and eventually decided to partner with Thycotic. That’s why Ben is on the line. And we have a really strong technology partnership there that I think we’ve actually executed very well, if I say so myself. But the reason we chose Thycotic, above and beyond the other solutions available on the market, is it’s very quick to set up and deploy and get value from. I think there are other solutions on the market which potentially have a lot more of a services burden and a lot more custom work to get underway. And then beyond that, it’s really, really highly scalable, from, you know, IBM mid-market customers all the way up to our largest enterprise customers that we deal with on a global basis. And also, it’s very highly customisable. So IBM’s PAM product is called Secret Server. It’s an OEM from Thycotic, as I’ve said. And, you know, when you work with IBM on a PAM project and we bring Secret Server to the table, you know, you get the weight and the power and the enterprise-grade support of an organisation like IBM behind you to make that project successful. Well, Ben, any comments on that?
BEN LAKE [00:27:42] I think you covered it really well. I mean, it’s the three points that I wanted to set straight. It’s the easy deployment, ease of use and also the IBM thing that’s behind the solution. That’s the real value: it’s the packaging of all of that together that is gonna enable you to be successful. What we’re trying to do is sell an outcome, right? It’s to sell something that we want you to be able to achieve. So that’s the overall package together. And I think with the combination of, you know, kind of Celerity, with IBM, and the solution itself, and all of the expertise that goes around there, I think you’re in a safe pair of hands, you know, with all of those things combined.
SAM HECTOR [00:28:24] The one thing I’d add to what you just said, Ben, is Celerity really have some skin in the game here. And they practise what they preach. They use Secret Server internally. You know, Celerity are an MSSP and have been working with IBM technology and our customers for numerous years; it’s a great partnership. And, you know, to add credence to what we’ve said up until this point, Celerity uses it themselves internally.
DAVID TAYLOR [00:28:54] All right, thanks for that, guys. I think that’s all we’ve got time for today, but just before we leave, I just wondered if you could give any closing advice for viewers who may be interested in implementing PAM? Ben?
BEN LAKE [00:29:07] Yeah, absolutely. And without a shadow of a doubt, my main bit of advice would be to utilise the experience of IBM and Celerity, because I think the most important element of any PAM solution is the design phase. It’s that beginning part of what do you want the solution to look like? What do you want to be able to achieve? And look at that in stages. You know, implementing a PAM solution is ultimately a phased approach. You don’t just buy it, you know, install it and you’ve got PAM. It’s something you need to do over a period of time, and use that team at Celerity and IBM to identify what’s important. Do that first and then build on that foundation over a period of time. And just don’t plan to do everything all at once. That would be my main advice. Use experts. Get that design in place before you start and then follow that plan.
DAVID TAYLOR [00:30:05] Brilliant, Sam.
SAM HECTOR [00:30:08] Yeah, I think Ben covered that very well. The only additional thing I would say is there are breaches happening on a weekly basis that could potentially have been prevented by a credible PAM solution being in place. I think the most recent example we saw was a few weeks ago, literally three weeks ago, with Twitter being breached through a social engineering attack. And, you know, that compromised a privileged user. And the criminals were then able to change things on an internal privileged system, a sensitive system that they shouldn’t have had access to. So we’re seeing this happen to large companies on a weekly basis, and it reminds us every time it happens. Because, you know, we as an industry have got to a point where, if you work with IBM, you work with Celerity and Secret Server, we can get this up and running pretty quickly. As Ben alluded to, it’s not just you deploy it and it’s good to go. There is a bit of a cultural change and there’s training to go along with that. But we’re very, very well equipped to take customers on that journey together. So please don’t end up being the next Twitter. Do reach out to Celerity. Talk to us about privileged access management, and we’ve got time to have a conversation with you.
DAVID TAYLOR [00:31:25] Brilliant. Thank you both. I think we’ve got a really good and quite extensive overview of what PAM is, what the benefits are and why people should implement it. So I’d like to thank you both for coming on the show today, and for everyone else, thanks for watching Security Panel and join us next time for a great security episode. See you then.