Watch this webinar to learn about:
- Secure privileged access through a SaaS offering
- Just Enough, Just-in-Time Access
- Simplify identity management in complex on-premises and hybrid cloud infrastructures
- Ensuring your audit and compliance requirements are met
Timothy Robnett (00:00:09):
I'm looking forward to this opportunity to talk to you today about Centrify and vaulting of credentials, and being able to move on in your PAM program from just having a vault, just using it as a place to store things. So, you know, the main thing I want people to take away is why a vault is not enough. So, I'm going to share some information on my background, how I came to the perspective that a vault is not enough, and some of my life experiences. I think those will resonate with a number of you. And then we'll try to wrap it up with some clear takeaways so that everyone can walk away from this webinar with clear action steps in mind, things they're going to want to work on or think about or risk assess in their own environment.
Timothy Robnett (00:00:59):
So hopefully it's an excellent use of your time. Let me introduce myself and a little bit of my background. So we'll start with this question. Does anyone recall getting a letter from me? So, this is a lot more fun to do in person when I can see your faces and there's a little bit of confusion in your face. Of course, I wasn't talking about a letter like you see this gentleman writing; this is the kind of news that I was involved in once upon a time in my life.
Timothy Robnett (00:01:42):
And as a result, my organization got to send out 79 million of those letters. And so when you get a front-page press release like this, that a database has been hacked, and you get to send out that kind of notice, there is a lot of postage that goes out, a lot of letters. So I use that a little bit to be humorous, but I have lived through a number of cyber breaches now. After leading the IAM response for Anthem on their cyber breach, I had an opportunity to go do some work with some other organizations, and have now helped a large beverage company with a breach there. Let's just say they run Super Bowl ads pretty much every commercial break. So that gives you an idea of the size and scale. And another large clothing manufacturer who's had some breach activity.
Timothy Robnett (00:02:33):
So the things I'm going to share about privileged access management are hard-learned lessons, and hopefully there's some applicability for all of you. So, this is what came out February 4th, 2015. And what I want to do is just kind of walk you through a little bit of a timeline real quick. It's kind of ancient history now, because it's five years old, and in this world that's a long time ago, but it just gives you an idea of what it looks like if your organization suffers a major breach. So, again, keeping with this timeline: January 29th, Anthem discovers, "Hey, there's something going on here. This isn't right." You know, this is during the week. Within a few hours, it was very clear that this was not a random happening. This was clearly a cyber attack.
Timothy Robnett (00:03:21):
Everybody went into full working mode. We're continuing to work, obviously, into the weekend. Super Bowl Sunday comes around. And I only throw that in there because it was somewhere midway through week two that people started questioning, "Hey, does anyone know who won the Super Bowl?" I was watching it until my phone rang, or I was trying to watch it in the background as we were working. I never saw the outcome of the game. So, when it's the weekend and you're working like that, we've all done that. That's not the way you want to work for five straight weeks, I can assure you. So, in less than a week, Anthem does a press release with the Wall Street Journal, shares a little bit of what's happened. And by February 6th, the decision was made that there was going to be a very aggressive privileged access management rollout for Anthem to completely change how privileged access was handled at the company.
Timothy Robnett (00:04:10):
And so, by week three, it was clear that the infrastructure they had in place to manage privilege was not necessary or not appropriate to the scale. So new servers had to be purchased, scoping the problem. By week four, you're running cabling, powering, all of that stuff's going on, configuring it, standing it up in two separate data centers, because this deployment was done as an on-premise versus a cloud deployment. At this point, I would recommend people do these sorts of things in the cloud. And then by week five, we're segmenting identities into tiers, vaulting all the admins across 20-plus domains, 6,500 Windows servers, several thousand people with privileged access to one or more systems. Oftentimes it's just a system administrator that's overseeing a specific application. All of that got vaulted in a period that totaled 29 days.
Timothy Robnett (00:05:06):
So, a lot of work got accomplished in a very short amount of time. That's not the way to do these kinds of projects. We want to have a more thorough approach, and I'll talk about some of the things that we learned out of that. So let's talk about this exercise that I went through. Let's talk a little bit more about why vaulting is not enough. And so I'm going to assume right now that almost everybody on this call probably has already purchased some form of enterprise vault. I think the drumbeat for that from both regulators and the Gartners and the Forresters of the world made it pretty much mandatory that most companies deployed one. If you haven't, we can talk to you about that as well, but yeah, most companies have one. And so when you think about your vault and what was probably the driving force behind getting it stood up in the first place, you have kind of a notion in your head of what that vault looks like.
Timothy Robnett (00:06:03):
And I talk about vaults like they're a great big vault in a bank, and then there are safety deposit boxes, with different people with different access to the contents of those safety deposit boxes. And so that creates this very organized view in your mind, maybe a little bit like this image that I'm sharing on the screen. So, as you think about your vault, you probably think, "Yes, I've got some privileges for domain admins, and I've got a break-glass account for the database team or for a developer to use, or I have all of my ERP system admins in a safe, and it's very neatly organized." So, we have washers in one place and nuts in another and lock washers here in this image. I think this is how we intended our vaults to look; this is what we sometimes think.
Timothy Robnett (00:06:52):
I've had the chance to work with organizations and take a look at vaults after they are two or three years in. And oftentimes this is what I find: what was well intentioned, as nice clean delineations, sometimes those delineations don't make a whole lot of sense anymore. What you find is reorganizations, or people putting things in the wrong places. And so, while we'd like to believe that we're in the first image, if your vault's been up and running for more than six months, it probably looks a lot more like the second image. I'm sure it's perhaps a situation where you're saying, "Not my vault. We had a very clear design doc when we started this." My experience indicates that it drifts towards chaos. And so, here are some thoughts for you about how vaults do get disorganized.
Timothy Robnett (00:07:44):
And again, going back to the theme of why vaulting isn't enough. So, let me ask this: do you allow users to store passwords or other secrets in the vault, where they can self-identify what those are by placing them in there themselves? It's not automated; it's manually typed in. So that's a question. Do you reorganize your vault, and the logical lines in which groups protect what things, after every rework happens within your IT department? So, the data warehouse team used to report to the database team. They no longer report to the database team. They're broken out as a separate team that just does the data warehousing stuff. Did you do a reorganization in the vault for that, or do database administrators still have broad access across more than one technology now, as a result of things like that? How about validation?
Timothy Robnett (00:08:36):
Do you have automated processes that actually try to log in with that credential on a schedule, to ensure that the value in the vault is actually the real value and not something that became stale, or that somebody changed out of band and didn't update in the vault? Also, purging credentials from your vault when something does get deleted. And occasionally, accounts do get deleted. Do they get removed? If so, do you have circumstances for that? How do you monitor, how do you track that? And then of course, the big one that we all know: monitoring your logs. Are you aware, do you react to those? It's not enough to just log, of course. Are you monitoring and reacting when credentials don't verify, when they fail to change, when they're changed through an unauthorized means? Are you following up on those?
Timothy Robnett (00:09:19):
If you're not, and that's a pretty tall ask, I understand. If you're not, your vault probably is a lot more disorganized than what you think. So, what I would encourage you to do is don't be resistant to hearing that your vault might be a little bit messed up at this point. Just recognize that it's a large ask. You have to prioritize certain things, but getting to the point that you spend time looking in your logs will reveal that maybe things aren't going quite as smoothly as what you thought. And so, all I ask is that when you hear truth and it comes in front of you, don't just stumble over it, pick yourself up and hurry off as if nothing had happened. Maybe take time to spend some time, if you're in management, with your technical folks. If you're technical, spend some time looking at your logs. The challenge I always gave my engineers was: pick an event ID in the log for this week and research it, understand it, find why it's there, and get it to go away.
Timothy Robnett (00:10:16):
It's something that's at the level of a warning, not at the level, of course, of a panic or a critical where the system is down. Find some warning that's going off in the log, and let's figure out how we're going to get rid of those false positives and figure out what behavior needs to change, so we have less noisy logs, so that we can actually effectively monitor them. So just some thoughts. And as a result of doing that, I can assure you that my team was able to avoid a lot of outages. In fact, we discovered one time, and helped another team avoid an outage, when the PKI system that was backing that up was starting to have some problems. So it's a good practice to be in. I think we all know that. So, let's talk a little bit now about what it means to move beyond just vaulting.
Timothy Robnett (00:11:00):
We have vaulting credentials here at the bottom of this pyramid. So, this is how I like to think about it. Gartner has a little different notion, where it almost looks like a ramp or a wave. But for me, I start with vaulting credentials. I never saw a lot of value in that. And so, I had some experiences where Anthem had a prior vault product installed that they used at one of their subsidiaries. The subsidiary liked it, thought it valuable. And then when it came time to migrate it, a lot of that disorganization that I was talking about started to show up. And so, just lessons learned. If you're not verifying a credential, you really don't know that it's accurate. And as we started digging into things, we discovered that multiple people had placed the same credential in two different safes in this legacy vault product.
Timothy Robnett (00:11:52):
And then people weren't sure; your vault gets blamed for that because you have bad data. They assume that somehow the vault is magical and it was aware of all things. So at a very minimum, beyond just vaulting, and we don't want to stop here, but at a very minimum, set as a baseline: if you can't verify the credential, you need to think long and hard about placing it in there. That's my opinion. But if you can't verify it, to me, you're setting yourself up and your team up for failure when you have things in there that you have no way to know if they're current, if the account exists, et cetera. The next level from there is obviously rotation. If your vault is actually able to validate it, start getting in the habit of letting the vault have a schedule for when it rotates it. You get a lot of value out of this.
Timothy Robnett (00:12:37):
And in a couple of ways. One, you have a programmatically selected password. Users aren't doing what they do with generational passwords, where they figure out all of the construction rules for passwords: must be, you know, eight characters, 10 characters, 12 characters, must be upper and lower case, numbers, special characters, all of these rules. And they figure out a way that they can make that work, and they come up with something that they think is clever. It meets all the requirements, and then they just change the number at the end every time they're asked to change it. Actually, evidence has shown that that's used in breaches, where people use that as a form of attack. So having an automatic rotation lowers your attack surface pretty considerably. So again, moving beyond vaulting: let it rotate. The next level up is getting to the point that you say, "Hey, let's do session monitoring, session recording."
Timothy Robnett (00:13:34):
If we can broker that session so that the user is using a secure jump box concept, that is the next level, because now you're not even exposing credentials; that user doesn't even have to be aware of them. So you have an uptick from a usability perspective. The folks that have to use it don't find it as cumbersome, and you're also not exposing credentials. And then continuing up, that's something that Gartner, as recently as 18 months ago, wasn't even talking about. And then just a little over a year ago, they made a reference to just-in-time, and by about this time last year, just-in-time privileged access management was all over the material. It's clearly where the industry is going and has needed to go for a while. Centrify is a leader in that space. It's a concept whose time has come.
Timothy Robnett (00:14:22):
And then marrying that with the concept of zero trust, where we move away from, "Well, it's on the local network. We should just trust it, right? It's different than if it's coming from the outside." We all know that our networks are pretty porous; using that as a basis for an authentication decision is not always the best choice. So, zero trust is obviously an inflection point of maturity, but something we should be striving for. So let's talk about this now, what this looks like against something else. So, we're talking PAM, but I'm assuming all of us here have worked with something like the Capability Maturity Model, CMMI. And so, when we think about what CMMI looks like when we apply it to PAM, think about the five levels. So those are: initial, repeatable, defined, quantitatively managed, optimizing.
Timothy Robnett (00:15:13):
So that's all good stuff. Now let's think about it in terms of what the characteristics are, what you start to see. And so, we all know what initial looks like: it's chaos. But even at the level of defined, it's often just standardized and documented. And again, going back to the organized versus disorganized vault, it feels as if it's standardized and documented; it's probably very neatly organized under the covers, though. It's when we get to that quantitatively managed level that we start to have processes that are monitored. Opportunities are identified and improved upon. You have some level of automation there, and even if the automation is fragmented and limited, you start to see major upticks. And so, the difference in jumping from a three to a four pays big rewards for your organization. You don't get surprised by audit findings, because now your oversight as managers, as management, is, you know, compliance with procedures is measured.
Timothy Robnett (00:16:13):
We know how it happens, because part of our automation is used to ensure that we're doing what we said we were going to do and what we thought we were doing, versus assuming that it's continuing to happen. And so that's why I feel so strongly, as privileged access management becomes such a critical issue in so many audits, about taking it to this level, moving beyond vaulting, moving up that pyramid and making changes. So now, I mentioned Gartner a moment ago. Their guidance has absolutely changed. So, this is a quote from their Identity-Centric PAM document, published, like I said, almost exactly a year ago, the 17th of September last year: traditional PAM controls such as credential vaulting and session management are essential, but not sufficient. And "not sufficient" is key. We have to move towards just-in-time approaches and move beyond just thinking, "Hey, we've got credentials vaulted, we use a session manager." There's so much more that needs to happen there as we move up. So, the focus on that is a big jump for a lot of organizations, but one that's definitely worth doing.
Timothy Robnett (00:17:27):
I can tell you that, real world, from my perspective, this is Gartner's perspective. I've worked in environments that had vaults, that had things set up. I worked in environments where passwords were being rotated, for example, every 30 days through automation, and breaches still occurred. So how do you stop that from happening? You do have to think in terms of zero trust models, just-in-time models, versus having persistent access out there, even if it's being rotated very regularly. In the environment I was in, every 30 days, credentials on privileged accounts were being changed very regularly. They were being set to very complex, long values. They were being randomized, as far as what the characters were. It wasn't generational passwords. It wasn't being chosen by an admin or something like that, and breaches still occurred. We'll talk a little bit more about that, but I've been talking for a while. Let's ask the audience a poll question here to get you kind of engaged again before you tune me out too far. So just a quick question. How many of you have experience with pass the hash?
Timothy Robnett (00:20:07):
The type of pass the hash that I was referring to was, of course, password hash, and it's an example of an attack that can be used across a network.
Timothy Robnett (00:21:06):
And so it's oftentimes spelled capital P, lowercase t, capital H when you see it in popular print. If you're not familiar with it, it's very similar to stealing passwords, but what happens is the attacker just replays the hash across the network. So they find a hash, they test the hash out to see, will it work? Is it still a valid hash? And for the life of that credential, whether those passwords get changed every 90 days, 60 days, 30 days, doesn't matter; for that period of time, that hash remains completely valid. If you can find it on a hard drive, somewhere in a registry hive, et cetera, you just replay that hash, and it's a way to attack a system. I had a Microsoft consultant from their security practice share with me that they actually saw an example in the wild of someone sending a spear phishing email and the user clicking on it.
Timothy Robnett (00:22:05):
And from that point, they went from nothing to having full domain admin privileges within that entire corporate network in 20 minutes. So that's the reason this is important, why privilege is important, why getting to zero trust and having just-in-time credentials is important, and why having similar passwords shared throughout an environment, even if they're changed regularly, is not enough. In the environment that I was in, on desktops and laptops, those local admin credentials were changed very, very regularly, and yet still vulnerable, because pass the hash allows you to find a credential, start replaying it on other machines, finding more and more hashes, and you build up a collection of hashes so that they become like keys on a key chain. And you just try each one in each lock until you get in through another door.
Timothy Robnett (00:23:01):
See if you can collect any more keys from there, continuing to move around the network as a local admin on one machine, and then a server administrator, and then finding a domain admin and progressing from there. Let's talk about another example. So you have a vault, you use it, but you still get hacked. Why? Incomplete inventory and discovery. So, it comes back to: we have to understand what's in our environment. Let's say you vaulted all the DBA accounts, but you don't have a means to discover new accounts with privileged access when they show up. So, I saw this in a different environment that I worked in once, where there was an effort to go through and vault all the DBA accounts. The DBAs decided that was difficult to use. And so they created a service account and a service process that they built themselves that did a lot of their work for them, that had a static password that never changed, and had the same credentials as a DBA.
Timothy Robnett (00:24:02):
But when you ask the question, "Are there any more DBA accounts?" they said, "These are all of our DBAs. These are all the DBA accounts." They considered that a service account. There was kind of an AM/FM misalignment of communication. There wasn't any process for accurate discovery there. And as a result, databases remained vulnerable, and data was lost. So again, a vault is not enough. You have to think of this in terms of not only "we're going to install a vault and we're done." How often do you go back through and do scanning and collection and try to identify new things? How closely do you work with the folks that manage your CMDB product or similar to understand configurations? How are you connected to that? So, you know, having that set up, getting to the point, obviously, if you're really mature, that you would have a SOAR product, one of those security orchestration, automation and response tools, you know, that's obviously the best place to be. But you want to get to the point that you discover when things happen and you react in an appropriate way.
Timothy Robnett (00:25:04):
That could be as simple as, in any environment that's trying to do that, you just fire off a ticket when something is discovered, through some low-level REST APIs into ServiceNow. Now, over time, a more mature solution is you're just going to push it right into Centrify and allow it to start the vaulting for you when new things happen. So, at the end of the day, make sure you're thinking through inventory and discovery, not just, "We bought a vault, we have it, it's sitting on the shelf," so to speak. It's just running away in the data center, but no one really thinks about it other than they put credentials in and they take them out manually. So I think I'm probably pretty close to my time here, and I want to leave time for Scott. So let's just take some quick takeaways here.
Timothy Robnett (00:25:47):
Please be honest with yourself. Self-assessments are honestly where you're going to get the best sense of where you are. You can have someone external come in; they might tell you things you don't know or look in places you don't normally look, but you know where you have gaps in your organization. So honestly assess that. Honestly assess the state of the safes in your vault. Assess your entire PAM program against the Capability Maturity Model. Think through that model, and honestly assess where you're at. Set yourself goals, track against those goals, communicate them up, and work to improve. Use automation to drive consistency of process. Even if it's rudimentary automation, start building that as a competency within your teams. And then of course, monitor your logs, set up alerting, respond to issues. Don't just carry on as if nothing happened. I'm going to end with one last question.
Timothy Robnett (00:26:42):
What is the cost? We talk a lot in security about what the cost of a breach is. And that's such a difficult concept to nail down. How much does a breach cost? How much for insurance, how much for the response? I'll ask a simple question. How much does it cost to notify customers that you lost their data? So, let me put that question out there to you, and I'll just give you the spoiler on that. I thought that we actually had a question for the audience; I apologize there. So the answer in Anthem's case, with 80 million patient records, roughly 78.9, was that the first round of postage was $20 million. And so when you start to think through what it takes: that's not the cost of the envelope, the paper, you know, the writing it up. It doesn't pay for the credit monitoring. It doesn't do any of those things.
Timothy Robnett (00:27:29):
The postage alone was $20 million. That number is obviously going to change for your organization. But as you look at the number of pieces of PII you have, so if you're regulated under European regulations, California breach privacy laws, you need to think in those terms. That's a really simple one to do the calculus on and come back with some pretty fast numbers. And so, again, that's just the tip of the iceberg as far as what the costs are, but it's one that's easy to calculate. So thank you for your time. I appreciate your participation today. Scott, I'm going to hand it over to you.
Scott Englund (00:28:00):
Thanks, Tim. Really appreciate it. My name's Scott Englund. I've been with Centrify since the beginning of the year. Prior to that, I had a 14-year career at Fidelity Investments. And through that career, I spent my entire time in some form of identity and access management. The last two and a half years of my career at Fidelity Investments, I actually led the identity and access management program for their cloud journey. I took them to the cloud. And so that brings me to my first question. We're going to start off with a quick poll question here.
Scott Englund (00:29:13):
So, you either are thinking about it, you know, your team and your organization: "We know we want to go to the cloud. Not sure how we're going to get there." Or "We're just using one single provider. Hey, we've got Office 365 and Microsoft gave us a great deal." When I was at Fidelity, we had the option to think about all sorts of different things. And a lot of the customers that I deal with today are thinking about how they're going to get to the cloud. What does that mean? You know, which cloud do we want to use, or do we want to use multiple clouds?
Scott Englund (00:30:00):
And there are tons of things that are going on with that, right? So you've got AWS, and they have all sorts of varieties of services, right? They have thousands of things that you can configure and do really cool stuff with. As I mentioned earlier, Microsoft Azure, and if you're using Office 365 and you want to take advantage of things like Power BI, there are some phenomenal opportunities there. And then of course the other big one in play is Google. And no development team, no analytics team is going to be satisfied until they can take advantage of Google Analytics. So when you're thinking about all these different clouds, all the different options, as security professionals we sit back and we go, "Holy man, what am I going to do?" Because there are so many different things going on, right? If you've looked at the cloud, identity and access management is different for each of these, and how are you going to administer that?
Scott Englund (00:30:52):
How are you going to administer access? Are we going to federate? Are we going to create local users? How do I get communication from one cloud to the other if I'm doing multi-cloud? Do I have to do direct connects? Can I go cloud to cloud? And again, the security. And you think about all the different access points and how you're going to manage them. You know, you find out that your environment starts to look a lot like this. You have this crazy web going on of all these different services and all these different things, and you're trying to make sense of that. And you take this diagram and you say, "Okay, I think this is what we're going to go with," and you walk it down the hallway to your audit guy.
Scott Englund (00:31:35):
And he looks at you with that really funny blank stare. That's the look of panic, because when they're trying to figure out how they're going to do audit and make sure that everything is tied up and secured, and they see this, everybody gets a little nervous. And you say, "Well, don't worry. We've got an idea we're going to work." And what Tim talked about earlier is we're going to deploy a zero trust model, and we're going to try to clean this up as best we can. So, what does it mean to be zero trust? Before we get onto that, one more question; we'll go here. So that slide with all the gobbledygook: if you look at your IAM and your privileged access management, how many people say, "Okay, I've got that crazy spiderweb thing going on in my environment"? I'll give you just a second to think about that.
Scott Englund (00:32:38):
I know for me, when we looked at that, it was absolutely nuts, and we were like, "All right, we have to figure out a solution." And let's go see what our answer is and see what you guys have for a solution. I am not surprised: 76.7 versus 23. So yes, we all suffer from that problem. We're all looking to figure out how to solve it, and it's not easy. It's difficult, right? And it can be complex. So, when you think about that, I like to use a maturity model. And in this maturity model, we want to make sure that we can grow in our maturity and reduce our risk when it comes to privileged access. And really, if you think about it, privileged access is the key piece. We're not worried about our regular accounts necessarily that we've logged into, but it's the accounts that have access to our data.
Scott Englund (00:33:31):
It's the identities that have access to processes, people that can then pass the hash, right? And how do we protect ourselves from that? Well, I'm going to reiterate a little bit the things that Tim said. Okay. So, the first thing is we want to take the first phase and give you some quick, effective steps, some basic controls. Let's get those credentials vaulted, real simple. We're going to get them in a vault. We're going to secure them. It's certainly better than what's on the bottom of my keyboard. It's actually in my wallet. And we're going to take care of those basic things and get that taken care of. And we're going to do the bare minimum with vaulting. Next is phase two.
Scott Englund (00:34:14):
All right. We want to reduce our attack surface. All right. We want to consolidate identities. We want to eliminate local accounts where possible, all of these things. If we can get those under control and reduce that, we're really then building a maturity model and reducing our risk. We want to consider things like multifactor authentication. Can we take care of that when people are logging into that vault? So we know that they are who they really think they are. I know who I think I am. No, just kidding. And then finally, the third step of that is really hardening that. Okay, auditing and monitoring, that's really key to making that happen, right? Building an air-gapped environment, so that if people are accessing your most critical systems, they don't have absolute direct access to the asset; to be able to apply just-in-time access with just enough privilege, and really tighten down how we want to deliver that privileged access to those individuals. And that's how we build that maturity model. So, you know, we start at the beginning, and you can see how it works up until we get to that final point.
Scott Englund (00:35:26):
In order to do that, every company has to go through a due diligence process. I know I had to do that, and that took a long time to get that done. Alright. I'm just going to go through a couple of the steps that I practice and that, when I'm working with other customers, I talk to them about. The first one is clearly define your critical business issues. What are we trying to solve? You sit down and you say, okay, we need to vault the accounts, but then ask yourself why and what accounts and what is really the larger purpose of what we're trying to do. Take time to talk to your audit guys, your compliance guys, the business side, you know, how are we really going to secure our environment? This way, when you're trying to figure out what your PAM solution is going to be, or your identity access management solution is going to be, you have some clear definition on where you want to go with that.
Scott Englund (00:36:20):
I know for me, as an engineer, my background being an engineer, I always focused on technology. And I wanted the coolest technology. To me, I thought that was a critical business issue. And then you find out later on that, okay, it wasn't. We also find that a lot of people were pretty smart, you know, and I've been doing this since the early eighties, not to date myself, but, you know, I could probably build it rather than buy it. And so, you know, you want to look at, can we bring it in house, do it ourselves, which at the surface you say, this is great. We'll save all of this money. This is going to be fantastic until it breaks at 11 o'clock on a Saturday night. And you find the guy who wrote that piece of code has left the company. And then all of a sudden you're like, Hmm. Now what do I do?
Scott Englund (00:37:09):
Okay. And keep that in mind. So, as you decide that probably buying is a better way to go, you want to look at different vendors. One of the things that, when I was back in my old job, I happened to use Centrify for 12 years before we went out to the cloud, and the marketing guys hate when I do this. But one of the things that we were tasked to do was to make sure that we retest all the other vendors, not take anything for granted. Our chief security officer at the time, he had a thing about complacency. And so, you don't trust what you already have because complacency, believe it or not, is the number one reason why you have those breaches. People get complacent all the time. So, yeah, it's "what I got is good enough."
Scott Englund (00:37:57):
What we've got is good enough and nobody thinks that it's going to happen to them. And so you become complacent, you become comfortable. If you're in that situation, I strongly encourage you to get out of that. It's not, you know, if you're going to get breached, it's when. That's kind of tough because it kind of hurts a little, I know it hurt for me, and you know, when are we going to get breached, and keep that constantly in your mind because the world out there is changing. I mean, Amazon is bringing on new services all the time. Azure is constantly doing upgrades, constantly is going on with Google. And every time something new changes in those cloud environments, you have to reevaluate your footprint. You have to reevaluate what you're doing. Okay? So we looked at all these different vendors. We tried them all, we set it all up.
Scott Englund (00:38:51):
We did what we call a bake off. And, you know, we made sure that whatever we chose met our critical business issues. Okay. Next slide. And then once we decided on a product, in our case, it happened to be Centrify. You have to run everything by governance, compliance and audit before you buy it. Again, I mentioned this earlier, you take the diagram down, you go over to the audit guys and you get the scared deer in the headlights look, and you don't want that. I'm going to try to avoid that as much as possible. So take the time when you're thinking about your solution, before you go out and purchase it, that you have agreement with all the other key players, and that will really help. And then you have to go to the finance guys, right? No, no, no purchase is complete.
Scott Englund (00:39:39):
Unless you can go three rounds with finance. We've all been there. So total cost of ownership is key. Sometimes the price tags from the vendors that you're looking at can be confusing because you have this really great offer with this really great price. And then what you don't realize is how much infrastructure you need to supply, right? Oh yeah. Right. And how many servers are you going to need? How many SQL servers are you going to need, network people to run it, people to manage it, maintain all that infrastructure. Even before you put the product you just purchased on that infrastructure. Okay. And then you have to continue to work and figure out what that's going to be, and really think about total cost of ownership. All right. And then the next thing is, understand what it's going to take to deploy that solution.
Scott Englund (00:40:34):
I hear a lot of people, as we go out and we talk about deploying different PAM solutions, say that's going to be great for my production environment. We're going to take care of all our critical assets and it's going to be phenomenal. And please don't, believe it or not, you really should start with something really simple. I know that this is like common sense for most people, but I can tell you I've seen it where the first systems they go after are the most critical systems and all of a sudden something breaks. And it's not that the product broke, but their process broke. And then you have a problem. All right, because you're in production. So think about how you're going to deploy that solution. Where are your test environments, your QA environments? Start figuring out how you can get buy in from the people that are going to consume that product.
Scott Englund (00:41:23):
And figure out what that's going to take to actually get to production. Again, sometimes, and maybe you've experienced this yourself, sometimes you get that product and this is great. Then the vendor comes back six months later and says, Hey, how are you doing? Well, we got it deployed into a systems. Excuse me. Yeah, we've got it deployed in two systems. What happened? Well, what happened is there wasn't a proper execution plan, not a proper communication plan to get to all the teams that are going to consume this, make sure they're ready for it. Give them a deadline, have them understand the importance of what you're doing. Not just because, Hey, it's a security product, but understanding the benefit that it's going to bring to them and the security it's going to bring to your firm.
Scott Englund (00:42:10):
So, the way I looked at it and when we chose Centrify for our solution, and as other companies have chosen Centrify for their solution, it's all about building a platform. Okay. Instead of having a silo of tons of different products, and you can have four or five, six, seven, eight different PAM products, and then try to figure out how to link those all together, it works out much better if you have a platform. And the reason we liked this is what I'm about to show you is all the different silos that we can meet with the product. And this is important again, think about that 11 o'clock scenario on Saturday night, when something goes wrong and you have five or six different vendors and you get them all on the phone because you're having a level one outage, and they're all there. And your vendors all of a sudden start doing this, right. Everybody's pointing the finger at the other guy. We made a decision that we would like to have one person to blame, right? And a lot of the companies, a lot of our customers, also subscribe to the theory that if I have a single platform problem, there's only one phone call I have to make. And that saves time and money. And that gets you back to market much quicker if, and when, that problem arises.
Scott Englund (00:43:28):
So there's a couple of different pillars here that we'd like to talk about. Okay. The first one is our Centrify Privileged Access Service. This is the basic one. This is low on the scale. This starts with your vault. We actually have a pass product, right? We have offered this in the cloud. And when you're thinking about this again, whether you're going to build infrastructure and bring it in house and then try to port it out to the cloud, or be able to use a cloud solution. There's a lot of reliability when you're using a cloud solution, you're using security as a service. Okay. And using this platform in a cloud environment, you have that stability, that reliability, everything you need on that platform. So, your vault is always available, it's always going to be ready for you.
Scott Englund (00:44:14):
The next one, okay, is our authentication service, which provides customers the needed capabilities to go beyond just a password vault. And here we can reduce your attack surface by consolidating identities and eliminating those local accounts that I talked about in the maturity model. And then on top of that, all right, we have our privilege elevation service, and this is key. This is really key. So, it's not just checkout for a highly privileged account. Let's get some constraints around that. Let's tighten it up. Let's use just in time access and just enough privilege so that when that person is there, they only have the four or five commands that they need. Or if using machine to machine, that identity that's going to do that automation, you know, heaven forbid those credentials were compromised. There's no place they can go because it only has the capability to operate in this much space for this much time. And then it's going to go away. Really key, as you think about that, for whatever solution you choose, hopefully it'll be ours.
Scott Englund (00:45:19):
And then audit and monitoring. Can't say enough about auditing and monitoring, audit everything, monitor everything, but then comes the key piece when you get auditing done. And I really recommend host auditing, which means having the audit capability on your host. Okay. Because that's where everything happens. That covers the server to server, that covers anything external coming in. There's also a lot of companies out there, and we offer a piece of that too, that do gateway monitoring, which is great for interactive sessions, but that only covers such a small lens of what you're actually monitoring and auditing and recording. So think about that when you do that. Host-based auditing is really the way to go, because then you get the whole picture, you get everything that's touching that server. And when you get all that audit information and you have all of that data, it's important that you have proper analytics and be able to figure out what data is really important.
Scott Englund (00:46:14):
And Tim talked about this at great length and I can't stress it enough. He's absolutely right. Be able to figure out what data you need to give to your analytics service, whether that be Splunk, QRadar. There's a ton of different ones out there that you can use. It's really important that you feed it the right data. I talk about Capital One a lot. And perhaps you guys remember that a couple of years ago Capital One had a breach, and they didn't know that they had the breach until a long time afterwards, because the hacker couldn't resist it. They were so excited and so gleeful that they had to go out and they had to post it, look what I did, what I did. And then Capital One went, Oh, goodness. Ah, right. What an embarrassing way to find out you've been breached, is when the hacker can't control themselves and has to let you know that you've been breached.
Scott Englund (00:47:07):
The irony of that story is when Gartner and a few others were helping them do that diagnostics, and there's documents out there, they actually had all the data that said that they were breached. It was all in their logs, but because they had a log overload, overwhelming logs, they couldn't actually see what happened. The forest was too thick, and they missed it. Right? So like Tim was saying, I'm reiterating, it's really important to make sure that the data you are getting into your system is exactly what you need.
Scott Englund (00:47:53):
So ideally we come back to this diagram and what I'd like to talk about here real quick is that, you know, we'd like to take the opportunity here at Centrify to help you get this under control. So we can take this spiderweb and actually turn it into something simple like this. And by doing this, okay, we can help you with your multi-cloud investment. We can make sure that all your environments are available through a single platform. We can take care of your on-premise as well. So it doesn't matter if you're in hybrid, and we'll be able to help you with all sorts of different solutions, different ideas, and get all of that under control into one simple solution. So, I'm going to ask you one last question here. How many of you would prefer to work in the last slide, the simpler slide, or whether you'd rather stay in the spiderweb of complexity?
Scott Englund (00:49:05):
And again, we'll take the opportunity. We're going to reach out to you and talk to you a little bit more on how our solution can actually bring things together, make your life a little simpler, and see what we can do for you. This was huge for us, and for the customer, other customers that I've worked with, it's been great. Now I understand that in identity and access management and in PAM, yes, we are not the entire solution. We're a part of the solution, but that's where someone with Tim's company, Wave Point Consulting, can help. He can come in and his teams can come in and help you actually build a full end to end program, with full solutions that include process.
Scott Englund (00:50:00):
He can work with your CSOs. We can come in and help you with the technology, and really, you know, our partners are great at doing that. We really appreciate your time today. I hope that you got a lot out of this. I always enjoy the opportunity to speak with people. I know Tim does as well. And then we have a few questions here that are in our chat window. Want to take a few minutes to answer those?
Scott Englund (00:50:44):
Let's go visit our answers and questions section. The first one, is there a guide or an article how to set up Centrify infrastructure automation in AWS using Terraform? Great question. What we can do, I'm assuming this means that you're an existing customer. And if you are, we do have some stuff available to you. I can reach out to you after this. I happen to do it personally, to build some automation out there. It wasn't using Terraform though. I did it using CloudFormation templates in AWS, and for us, that was the way that we did it. And we did some magic through CloudFormation. I'm sure our professional services team, and I'll talk to some of the engineers, we can find a solution for you for Terraform. Although the platforms are slightly different, the solution is very similar. I hope that answered your question. Do you consider service accounts to be a privileged account? Tim, I'm going to let you start with that one and then I'll fill in.
Timothy Robnett (00:52:08):
Okay, good. So, I don't consider service accounts to be necessarily privileged accounts. They can be, in most cases they should not be. I think what's more important with service accounts, as you do your risk assessment, is to think through the fact that frequently the credentials are stored in some very insecure ways, and by insecure, I mean stored in plain text in an XML file or something like that. And so having a secure means to handle that is the larger concern. And I think that's where PAM plays a very large role in that. I think also the ability to have some ability to change credentials so that as team members change within the organization, you have that happening through automation. And then you spoke about complacency, Scott. It helps avoid the complacency of not doing things that are difficult because it's scheduled. And it happens on a routine. From a risk assessment, I would protect my databases before I protect my service accounts in most cases. But it should be part of your overall PAM journey. Thanks for the question.
Scott Englund (00:53:08):
And just to follow up with that. So I agree with Tim that they don't necessarily have to be privileged accounts if they're scoped correctly. So, a lot of people, when you build a privilege service account, I've seen a lot of times where they make them administrative accounts because it's easy. And in that case, yes, it is a privileged account, and they need to be highly guarded. However, if you can scope that with just enough privilege, and it can operate very tightly, it only can run those three or four commands to access that database. And you can keep those credentials rotated on a regular basis. Okay. So that nobody can take it and put it in their pocket and come back later. I know we didn't talk a lot about insider threat, but insider threat is very real. You know, so there are things that you can do, so it doesn't have to be a privileged account. So, keep that all in mind when you're thinking about your service accounts. I hope that helps. Okay. Next question.
Scott Englund (00:54:12):
What are the advantages of this product according to CyberArk? Okay. That's a loaded question. Maybe "compared to CyberArk" might be a better way. So, CyberArk and Centrify are somewhat competitors, but not really. CyberArk has a phenomenal vaulting service. I'll be honest with you, when we were using Centrify, we were also using CyberArk, you know, and CyberArk absolutely has its place in the market, but as you go into the cloud and you're trying to be a little more dynamic in how you do things. And again, you know, now that we offer a cloud service and I understand CyberArk is now doing the same thing, think of your holistic program. And again, I showed you that platform and we talked about that platform with all the different silos.
Scott Englund (00:55:07):
And one of the things that I like to emphasize about that is that as a platform and being cloud-based, there's a lot more flexibility. There's a lot less overhead. There's a lot less infrastructure you have to stand up in that type of environment. Now is everybody heading in that direction? Yes. But, with the service and the support and the level of integration that Centrify can offer, I feel like we lost Scott there, also be API based. So, if we don't have something that's there, since we have all the APIs that are available to you, and our professional services team can come in and actually help customize. So we can integrate with whatever products you may have, as long as they're willing to talk through API. I hope that answers your question.
Scott Englund (00:56:19):
But our platform is all API based. Which means that whether we have direct integration or not, if you have a platform that can also work with APIs, we can build right into your system to build that workflow, to build that automation, so that you can have a more integrated system. So it doesn't have to be disparate. Can you go into a little more differentiation from CyberArk, considering that their cloud platform, which on the surface looks identical to your platform, which makes sense since, this is another beta question.
Scott Englund (00:57:22):
Yes. So Idaptive was a company that was part of Centrify. We did sell it to CyberArk. So, the idea of a piece of that, and stepping slightly out of my comfort zone here, focus on endpoint. And single sign-on. When we made the decision to sell off Idaptive, and again, I'm not the expert here on this, the choice was, is that we're going to focus more on the infrastructure side, and not on the endpoint side. We do have the capability to do some of the same things that the Idaptive platform has. But we have the ability to take it much further, and give a lot more in depth than again, I'll talk about that integration. So again, the best thing to do, as I mentioned in my diagram, as you're considering options, and you're looking at different things, you know, set up POC, we are not afraid of our competition.
Scott Englund (00:58:19):
So, try them out, let us come in, let us show you how we can help you out. Bring in other competition, you have to do your due diligence. It's only the right thing to do for your firm. Bring in other organizations, bring in other companies, try their product out. And again, I'll remind you of total cost of ownership when you're considering that and what that actually means and what it's going to mean to support a particular product in your environment, whether it's ours or CyberArk's or BeyondTrust's. So, take your pick, they're all out there. And again, I can speak from my experience. I tried them all out before I came here, and we chose the Centrify product, for it was the right decision for us.
Scott Englund (00:59:13):
I hope that helps. Next question. Do you provide PAM for cloud console access sessions? Yes, absolutely. So, this is really cool because when you're going to AWS and you're logging into the console, that's probably the most dangerous place you can be. Mouse clicks are really dangerous if you're not good with them. You know, one of the things we tried to do, and it's not always possible, I understand that, and Tim probably has some experience with this as well, is that you want to be able to prevent as much interactive access through console as possible. Take advantage of things like Terraform. As somebody mentioned earlier, take advantage of CloudFormation templates, be able to use our secrets capability in our product so that when you're building your CI/CD pipelines, you can do things through automation and not do it through the console. But yes, we can handle that.
Scott Englund (01:00:20):
We can both vault the root account for your AWS console and also then be able to give you a portal that it can only be accessed from, and we'd be happy to have somebody talk to you in more detail about that after this webinar. I hope that answers your question. All right, last question we have here on the board: if we're using Centrify to handle all the multiple cloud vendor logins, what is the solution to, I have a smaller screen, I have to click on it, to avoid a single fail issue? Excellent question. This is why we encourage that you use our cloud solution, because we're in the cloud. And our platform was built in the cloud, supports the cloud, so that you don't have that single failure. We're going to have your information, your data, in multiple sites.
Scott Englund (01:01:16):
It's going to be backed up. It's going to be encrypted. So, if you're, you know, using a cloud-based service, you take all of the features and functionality of the resiliency of cloud. We are in both AWS and Azure, and we can build your platform in either one of those cloud providers. And then from there, you know, we'll talk to you in the process about what zones, whether you want to be East coast, West coast, Europe, whatever your situation may be, and build it there and build in the redundancy necessary so that you don't have to worry about another scenario. It's always a hot, hot type situation. Hopefully that answered your question.
Scott Englund (01:02:07):
What are the different features between cloud PAM console and on-premise console? One's on-premise and one's in the cloud. I know that sounds like a sassy answer, but the cloud solution we offer for on-prem is the exact same thing. And it has all the feature functionalities. For those folks who are not comfortable going to the cloud at this point in time, and want to take advantage of all the feature functionality that we offer, we can build you a solution on prem. So, when we talk about total cost of ownership, you have to bring the infrastructure. Okay. And we will then be able to put our platform on top of that infrastructure. So there is a little more cost for that. And, you know, again, we can have one of our sales folks talk to you about that, and we can have one of our sales engineers reach out to you and talk in a little more depth about the details. Do you have a timeframe on FedRAMP?