Enforcing least privilege allows organizations to minimize the attack surface and improve audit and compliance visibility while also reducing risk, complexity, and costs for the modern, hybrid enterprise.
Watch this on-demand CyberCast to learn more about the benefits of a Just Enough, Just-in-Time (JIT) approach and more Privileged Access Management (PAM) best practices:
- Temporary, time-based role assignment
- Dynamic access controls
- Zero standing privilege
- Identity-Centric Privileged Access Management
Katy Martin (01:46):
I really want to introduce our speakers. We have Brad Shewmake and Chris Owen. Brad is the director of corporate communications here at Centrify based in Santa Clara, California. He uses insightful thought leadership to bring cyber security awareness and communicate that out via global media, and works with industry analysts. And he basically helps us share our message throughout multiple social channels. I'd also like to introduce Chris. He is the other person on your screen. He is our director of product management based in London and he's joining us today. Thankfully he joined Centrify back in 2019 and has over 15 years of experience in privileged access management and ID management. He travels all around the world, but we've got him here today right in your home office. So, he's going to be sharing more of his information about how to use Zero Trust principles for your Identity-Centric PAM. And with that I hand it over.
Brad Shewmake (03:01):
All right. Thank you, Katy. And good morning, good afternoon everybody, wherever you are. Thanks for joining us today. And Chris, I'm glad to have you here with us on our second CyberCast Live that we've done. We did one a couple of weeks ago around secure remote access for IT administrators and it was really helpful. But one of the pieces of feedback that we got from that one was they wanted to hold us true to the intent of the CyberCast, which is to make it conversational and interactive. So with that, we're going to jump directly into content and we want to make sure that we are also answering your questions. So as Katy mentioned, if you have questions anytime throughout the CyberCast, enter them into the Q and A box and Chris and I will answer those as quickly as we can, hopefully in as close to real time as possible, and get you the answers that you need. But again, our topic today is enforcing least privilege. So we're gonna just dive right into it. No big opening spiel or anything like that. So Chris, let's just open it up with a pretty broad question. So, what is least privilege and why does it matter in the context of PAM or in the context of cybersecurity or what have you?
Chris Owen (04:06):
Cool, thanks Brad. So, I mean least privilege is a part of a privileged access management program. You know, it's always a multi-faceted approach to delivering. And the bit around least privilege is all about controlling risk relating to privileged activity. And by risk this can be risk from a user. It could be risk from a program or workload, a command or even an API or service account. And there are different types of least privilege when you think about it from a risk point of view. You know, a typical external breach, if that occurs, an attacker would maybe look for an endpoint first. So you have endpoint privilege management, and even within endpoint, there are different types of privilege management. It gets very complex very quickly. But the key thing to distinguish here is privileged access management for administrative activity and privileged activity, or privileged access management for applications.
Chris Owen (05:05):
And there are two very distinct differences there. For us in our product sets, you know, we very much focus on the administrative activity. Other vendors in the market focus on something called application control, and there's a very good reason we haven't gone down that path. And that's, you know, it's difficult. It's really difficult to categorize apps, know what apps need elevation, what doesn't. And looking forward, you know, Microsoft have now got a lot of good capabilities with AppLocker and WDAC, they're calling it, which is all about Windows Defender Application Control. So that's an area we steer clear of. But if we move away from the endpoint, you've then got the servers. So, you know, how do my users get onto infrastructure and applications? What can they do when they're on those applications? That's really what least privilege allows me, as a standard user, to do: to be able to elevate applications, tasks, commands, all workloads in a least privileged kind of way. So zero standing privilege and elevation are two kind of familiar concepts that you'll hear a lot.
Brad Shewmake (06:14):
Right? Yeah. And so, you know, I've been at Centrify for a little bit over two years. And the easy way for me to think about least privilege has always been:
Brad Shewmake (06:26):
Just enough, just in time. Right? So this concept of, of you're giving whoever the requester is, right? You're giving, whether it's a human or a machine or an API, you're giving them just enough time, sorry, you're giving them just enough access that they need just in time, and only for enough time to get that privileged task done. So maybe, you know, maybe tell a little bit more about just enough, just in time.
Chris Owen (06:56):
Yeah. So I mean, JIT, as it's known, just-in-time, or just enough access, are relatively modern terms for least privilege. And if you go back to the goals of privileged management, there are always two that you see in every single PAM program that takes place globally. Reduce the number of privileged credentials, so that's why people go with a password vault, and then reduce the risk of users having permanent privilege. To do that you have just enough and just-in-time. Just enough means that as a user, I can run a workload, an application, a task, a command or whatever it may be, with only the privilege that I need at that particular time in order to do my job. So do not just make me a blanket administrator because then I can go off and do other things. I can install other applications and I can introduce risk into the environment. When it comes to JIT or just in time…
Chris Owen (07:53):
What that means is essentially I'm going to allow you to do the task, but I'm only going to allow you to have the relevant permissions for a period of time. So I'm not going to make you a full-on administrator forever. I'm going to give you only the rights you need to run your application or to perform that task, and only for a period of time. And you can integrate that into other technologies such as ITSM software, where there's a ticket driving the approvals, and you can remove that access, you know, whether it be after an hour, an hour and a half, whatever it may be for them to do that job.
Brad Shewmake (08:27):
Right. So you know, I think that one of the words that you mentioned there is one that I want to kind of drill into in just a second here. You mentioned risk, and as ever with cyber security or InfoSec you always have the competing priorities of risk and productivity. And we'll get to both of those in a second. But one of the things I did want to bring up with regards to risk is, you know, we know that privileged credential, privileged access abuse is the leading cause of data breaches, right? So whether it's Forrester's estimate that 80% of data breaches are the result of privileged access, or whether it's Centrify's own research that says 74% of data breaches exploit privileged credentials, you know, clearly there is an element of risk there that needs to be addressed, and least privilege is one of the ways that you can reduce that risk.
Brad Shewmake (09:20):
So really quickly again, we'll come back to those competing priorities of risk and productivity later. But I do want to push the first poll live. So hopefully we can get a little bit of an idea from the audience about, you know, what elements of least privilege your organization's currently using. So I'm pushing the poll to the audience now and hopefully it's up on your screen. And I believe for this one I think this is a multiple selection. So you can choose whichever ones your organization is using. But Chris, while they're answering the poll question about which elements of a least privilege approach their organizations are using, you also mentioned something: zero standing privileges, and that's another source of risk. So maybe really quickly, what is zero standing privileges and why is that kind of the end goal? Or, actually, first of all, what are standing privileges?
Chris Owen (10:20):
Cool, thanks for that. Yeah, so standing privilege is whether, you know, I have permanent administrative rights; this could be one type of standing privilege. So you know, my Active Directory account has maybe got an AD group membership that gives me administrative permissions across a bunch of servers… that would be a standing right. Now before we go into zero standing privilege, there are other mechanisms, other PAM tools and technologies, that also enable standing privilege. So for instance, one of those could be seen as a vault. You know, yes, I'm vaulting credentials and I'm using a session proxy to get me onto a target system, but the account that I'm vaulting has standing privilege, so we're not actually solving the problem of risk with password vaults. All we're doing is rotating credentials. Similarly with a lot of least privilege tools in the market, whilst they remove rights or, you know, default users to standard users and then they elevate tasks, applications, commands.
Chris Owen (11:25):
Those privileges are still standing privileges. It's a static policy. So even when I double click on an application, it's being automatically elevated. When I run a command, it automatically elevates. And that's because there is a standing policy behind me that says I can do that. And the move to zero standing privilege says, okay, we have this policy but you are not a member of that policy. What must happen is you must request access to a role, not a range of entitlements, and you are removed from that role at the end of the time when you've performed your task. So really the move to zero standing is doing away with, you know, the risk associated with typical least privilege tools that have this policy associated. Because what's likely to happen is, if there's a breach, an external attacker, even if you've got a password vault or a least privilege tool, if those policies are always applied, as soon as your machine is compromised the attacker then gains that privilege automatically. So again, it's not solving the problem.
Brad Shewmake (12:32):
Right. Yeah, that's a really good synopsis. So you know, I know on the poll that we have up on the screen we've got some terms here that we haven't quite covered, but hopefully everyone understands what most of those terms are. So let's take a look at the poll results. And so again, these are: which elements of a least privilege approach is your organization currently using? You know, I don't think it's a big surprise to see RBAC, or role-based access control, right there at the top, being used by over three quarters of the respondents. I don't think that's a huge surprise. MFA on privilege elevation, I mean, you know, that's another best practice that I think is not surprising to see that one score pretty highly.
Brad Shewmake (13:16):
But as we look down at just-in-time, just enough access, you know, those two components are kind of key elements of a least privilege approach. And those are the ones we're going to drill into as we move through this CyberCast. So glad to see that. Well, on the one hand, you know, we would hope to see those at a little bit higher numbers, but on the other hand, I think that shows there's probably some appetite for some of the topics that we're going to cover today. So Chris, any comments from you on the results of the poll?
Chris Owen (13:47):
Yeah, definitely. And it's certainly quite interesting to see, you know, RBAC, or role-based access control as it's known. I've seen a steady increase in the market. You know, when people first started deploying Active Directory domains, role-based access control was first of all used for delegation of Active Directory rights, for controls over users. And then with the, I guess, proliferation of identity and access management, organizations are now implementing role-based access control for applications, data access, governance, and things like that. So that's definitely not surprising. In fact, MFA on privilege elevation is quite an interesting one. Certainly what we see in the market is the, you know, the concept of MFA everywhere, whether that be on a system logon, elevation, command running and things like that. So that's a good one. But again, like you brought up, you know, I'm a little bit surprised by just in time and just enough. For me just enough is really what least privilege is, you know, having just the right privilege for your role. It's been around in the market since around 2007 in a Windows world and, you know, the 1980s for the UNIX/Linux world. So I'd expect to see that a little bit higher. But we can kind of talk through the whats and the whys as we go through this as well.
Brad Shewmake (15:10):
Yeah, yeah, that's actually a good segue into our next section. And you know, again, I do wanna remind people that if you have questions, feel free to ask them throughout the session. I see a note from someone that they did not see the poll, so apologies there. It looks like we did have some people that voted in the poll. So again, I think that if you did not see the poll or you're not seeing the screen change, you know, just hit refresh on your browser. It should clear up the issue. So Chris, you had mentioned something about, I think, the history of PAM and how, you know, enforcing MFA is a part of that. So let's actually take a step back. I think that'd be a good idea. I mean, let's talk about kind of how PAM has evolved. You know, I think one question that some people might ask is, isn't all PAM the same as least privilege? So, you know, I think that might be a question that would be taking kind of a step back and a broader view, and maybe we can drill into some of the history of PAM and how it's evolved over the years.
Chris Owen (16:26):
Yeah. Cool. So isn't all PAM the same? I think there's certainly a perception in the market that it is. The reality is certainly very different, and the evolution of PAM is quite interesting as well. You know, personally I've worked in the PAM space for 19 years now. Starting off, you know, in typical terms, in Unix/Linux elevation, moving into the vaulting world and the Windows world. But if we look at where privilege started, you know,
Chris Owen (16:56):
If you go out to market, if you do a Google on privileged access management, the first thing you're going to see is a password vault. But that's not where PAM started. So PAM started in the 1980s. It was actually the early eighties, and the first UNIX/Linux tool was actually sudo. So as we know, sudo is an open-source tool on UNIX/Linux to control elevation. It's basic policy, enabling somebody to run something as root, essentially. Around 1985, a company called Symark International created a Unix/Linux least privilege tool. That ran on, I think it was a VAX at the time. I was quite young in those days, so the terms are not that familiar to me myself. But what happened then, you know, in 2001, the first password vault came out to market and it was from a company called EDMZ.
Chris Owen (17:50):
EDMZ had a product called PAR, Password Automatic Repository. And it was this tool that I really first got my hands on. And the funny thing is, you know, PAR was this hardware appliance solution, two appliances in an active-passive configuration. And it did some really basic things, but I'll tell you what, it did them really well, and as vaulting got more popular, other vendors came into the market. You know, and I think we're all aware of the competitive landscape of things like this. But vaulting really took off at that point. And now, when you speak about PAM, people think, okay, is PAM vaulting? Well, no it's not. You know, going back to the point around, if you just put your credentials in a password vault and you rotate them, you have a session proxy, the only thing you actually achieve is password rotation.
Chris Owen (18:41):
And yes, you get a nice audit trail, but you don't reduce the number of privileged accounts and you don't reduce the risk associated with those privileged accounts in the first place. So least privilege is really designed to help with that risk element. And essentially, you know, in a Windows world, least privilege came out around 2007, the first tool that actually came out to market. And you've got some vendors like BeyondTrust that had the old PowerBroker product, Avecto Defendpoint, but at that point it was called Privilege Guard, and lots more have come to the market after, whether that be via acquisition or kind of organic growth. But nowadays, you know, the world is changing, least privilege is definitely changing. And the concept called JIT that we're talking about today is changing that. You know, we're seeing a whole bunch of new vendors enter the JIT world. You've got companies such as Okta, you've got Remediant and people like that that are focusing on different types of JIT, or different types of, you know, kind of provisioning, you could almost say.
Chris Owen (19:45):
You could almost say, well, we'll run through that shortly. But the reason why everything's changing is digital transformation. You know, going back to my point around application control earlier, and least privilege. The reason why we don't see a future in that is because the way we work is changing. If you look at developers, you know, you used to have to run Visual Studio, for instance, as an administrator because you needed a privilege called SeDebug. Well, the only way on Windows to get that is to be an administrator. So you have to buy a PAM tool, a least privilege application control tool, to elevate Visual Studio for you. Nowadays, developers, and you know, we've got a great ops team here at Centrify that are writing code for our SaaS platform all the time. They're writing code in the cloud, they're writing it in SaaS applications themselves, and developing it on AWS and using AWS services to check that code. So the days of using applications on our desktop like we used to, that's changed, and that will change furthermore going forward.
Brad Shewmake (20:52):
Yeah. Yeah, I think that's a really good background on PAM and how we've gotten to this era of least privilege. And the point you brought up, like digital transformation, I think is a good one. You know, clearly this isn't the same kind of IT environment that we had even just 10 years ago or even maybe five years ago. You know, we've got DevOps, we've got microservices, containers, we've got cloud transformation. I mean, cloud transformation alone has changed the game so much. And so when you think about that concept, most people, when they think of PAM, they think of a password vault, right? So as you mentioned, this is a technology that came out in 2001. And yeah, it served a purpose for a while. But now if you think about the evolution of the IT estate and how people work and the way that they need access, you know, is a 20 year old technology really the best way to do it, or is it better to look at ways that are more evolved and have evolved in time with these new technologies that have come into the enterprise IT fold?
Brad Shewmake (21:57):
So yeah, a really good point there about digital transformation too. One of the questions here that has come in is, is this session being recorded? And the answer is yes. We are recording this. We will make this available on demand once we're done. And again, I would encourage anybody, if you have any questions, please feel free to ask them. So actually one question that has come in that is very relevant to what you were just talking about, Chris, is, you know, can least privilege be accomplished with a vault solution?
Chris Owen (22:32):
So, yeah, I mean, absolutely not in reality. You know, I don't know how many hundreds, possibly thousands of vault projects I have seen, but I have never seen least privilege implemented with one. Typically if you look at a typical vault project, you install the vault in an environment, you run a discovery scan of a bunch of accounts. It gives you this huge output, you know, thousands and thousands of accounts on a typical project. And you sit there and you have this decision to make. Do I really want to analyze all those accounts? Do I want to see whether those accounts are needed, what permissions they have, who has access to them? Or do I just want to put them in a vault and start rotating them to remove the risk of somebody knowing the password? And the completely honest answer is people just throw them into vaults and kind of forget about it, because that vault gives you that secure buffer, doesn't it?
Chris Owen (23:29):
You know, I'm rotating them, nobody needs to know the password anymore. But for me, that's a real false sense of security. I don't think it really achieves anything in the PAM world. So yeah, I think it's good. It's got its place. But I think if we go back to what vaults were designed to do, they were designed to manage default built-in credentials. And for me personally, you know, I think vaulting products are much more successful if you just stick to those guidelines. As soon as you start to manage personal identities, application services, et cetera, you're fundamentally changing the IT operating environment. And this is when projects tend to fail, at that point, because there's too much internal change.
Brad Shewmake (24:11):
Yeah, yeah, absolutely. Okay, so I want to keep things moving. So I think that we have now gotten to a point where we can do a little bit more of a deep dive into just in time access and just in time PAM. So Chris, really quickly, I think you've kind of already done this, but you know, just give another quick overview of what is just in time access or just in time privilege, and you know, is it enough? I mean, we've talked about password vaults not being enough, but is just in time privilege enough to secure your organization?
Chris Owen (24:47):
Cool. So just in time is “I need access to that for a particular amount of time”. So you know, the concept of that could be a server, a network device or even an application. It just means get me somewhere, but remove my access after a period of time. And you know, when we think about, is that enough? Well, I think it's a starting point because it kind of does away with standing privilege, but what it doesn't do is control the amount of privilege, and that's really where just enough comes in. So you'll often see the two intertwined together and used together. So just in time: get me somewhere. Just enough: control what I can do when I'm on there.
Brad Shewmake (25:31):
Yeah, yeah, absolutely. We're going to go to our next poll question. And while we do that, so really quickly, the poll question here is, is your organization considering a just in time approach to PAM? So while everyone is taking the time to answer that poll, the poll may be at the top of your screen; if you can't see it readily, it should be there, maybe a refresh will bring it back up. But Chris, we do have another question in the Q and A, which is, can Centrify be integrated with other vault solutions?
Chris Owen (26:06):
Yeah, I mean there's certainly no technical reason why not, but we have to know a bit more about the type of integration. For one, we have our own vaults. You know, we have an on-prem vault, we also have a SaaS vault in Azure and in AWS. So typically when people look at our platform, they would look at it as one PAM program, but we can absolutely work in that environment, and we often do, right? We sell our least privilege tools or identity brokering and AD bridging technologies to work alongside other technologies. We're starting to see some interesting cases alongside modern day vaults such as HashiCorp these days as well. So, yeah, absolutely we can; we're certainly not closed off from an API or kind of integration point of view.
Brad Shewmake (26:55):
Yeah, that's a good point you brought up about HashiCorp Vault too, because, you know, that's a very specific instance and a specific integration. But yes, it is one that we can do. All right. So hopefully everyone's had a chance to view the poll. Again, the question is, is your organization considering a just in time approach to PAM? So let's go ahead and take a look at the results. All right, so hopefully those are up on the screen now. And so this is encouraging, I think, Chris. So you know, about two out of five, or almost 40%, say yes, your organization is considering a just in time approach. I'm assuming that also includes respondents whose organization already is implementing or considering a just in time approach. So that's good news. Less than 20% say no. You know, we have almost 15% saying, maybe, what is just in time PAM? And that's why we're here today. And then 30% don't know. So that could be indicative of them just not knowing where their organization is currently in their PAM maturity. So, I think that these are encouraging. Chris, any comments from you?
Chris Owen (28:08):
Yeah, definitely. So certainly we see a shift in the market moving to just in time. And I actually think that has come about due to challenges in the market. You know, I think notoriously privileged access management doesn't have a bad name as such, but it very much gets related to identity and access management in terms of the typical challenges that somebody would see within an organization. And really JIT is seen as solving that. So if you look at typical least privilege tools, the least privilege tool for Unix/Linux, you would have a policy; that policy controls what commands somebody can run on a Unix/Linux server. If you look at it on Windows, the least privilege tool has to have a policy that controls what applications you can run. If you think about all the upfront work that has to go into modeling those policies, defining them…
Chris Owen (29:08):
That's really a tough one. Like really tough. There's a lot of upfront work that goes into least privilege. There's a lot of management of policy. So JIT really is seen as, I guess, the savior, because what people are really willing to accept is the fact that somebody may just be given the administrative access, not necessarily granular. So you see all of these new JIT tools coming up that say, hey, I'm just going to drop you in an admin group and I'll take the risk of what that admin group allows you to do, but I'll remove you after a period of time. So I think the market is seeing that approach as easier. You know, I would say it's certainly less secure, but I like the JIT approach. I think it could be combined quite well with just enough access.
Brad Shewmake (29:56):
Very good. Yeah. So, I mean, we just had a question come in. Could you provide an example of just in time, just enough access? I think, Chris, you kind of just went there with what you were just saying with regards to the poll. But is there maybe a, you know, maybe we can provide a more specific use case or a specific example of, you know, an IT administrator who needs privileged access to some kind of a target system. How would just in time, just enough, how would that process work?
Chris Owen (30:34):
Cool. So it's a really good question. There are so many different approaches to doing that. So we'll kind of go through those different approaches as well. But a typical IT workflow would be something along the lines of: the Unix/Linux administrator wants to run a series of commands to update an application across a bunch of servers. So what they could go to is some form of PAM portal. They could request temporary access rights to those systems. And then there's some form of process behind the scenes that really enables them to do that task for a specific period of time. So it could be that they're requesting administrative access for an hour, two hours, or even a weekend. The just enough is really, I want to take this a step further. You know, I want access to update a bunch of servers over the weekend in a change control window, but I know the exact update and the exact script that I'm going to run. So I want you just to allow me to run that command across a bunch of servers. Nothing more, nothing less. In a Windows world, you may get a Windows administrator that needs to run a PowerShell script across a bunch of systems, again to run updates or different role changes, things like that. Exactly the same concept as Unix/Linux.
Brad Shewmake (31:57):
Right? Yeah. So in the example you just gave, right, someone's a Windows administrator, there's no need for them to have access to, like, a Unix machine, perhaps, right? So you know, if they're going in for a very specific task on a Windows machine, there's no need to give them access to view a Unix machine, for example. Yeah. So yeah, I mean, I like that idea of, you know, just enough to get the job done, just in time. Nothing more. I mean, I think that's really what we're talking about when we talk about least privilege. Another question coming in here is, how do you balance just in time, just enough granular access with the overhead of access requests on the user side or access granularity on the admin side? There might be a couple of questions in there, Chris.
Chris Owen (32:52):
This is, I mean, this is a great question. You could talk for hours about this kind of topic, you know, in some ways. And it comes down to risk versus impact, because there is definitely a trade-off there, right? So on one hand you could take a JIT approach of, I'm just going to give you administrative access. I don't care what you do with it, because the "what you do with it" path is really too complex, too hard to manage, too hard to maintain. And usually that goes out of date pretty quickly. But on the other hand there's a window of risk. If you enable somebody to be an administrator, you need to make damn sure that you are recording what they do. And you know, we're not talking about session proxies here or anything like that. You need to do things like host-based auditing so you can really prove that person is doing that particular activity.
Chris Owen (33:44):
So usually what you end up with is an axis like this, risk on one side, impact on the other, and then you'll define high level tasks and really rate them on this risk versus impact. So what's the risk of allowing them to do it versus what's the impact of actually managing it within the least privilege tool. And what you'll see is there's almost like a bell curve of activity, and you will typically see a hybrid approach to JIT and just enough that is used, and can be used, within an organization, that really goes along with that kind of bell curve. But interesting. You know, I'd certainly like to speak more about that topic. So certainly, you know, whoever asked that question, please do reach out, because it's an area that we're keen to explore further as well and work with organizations on.
Brad Shewmake (34:36):
Yeah, absolutely. One answer, one more question before we move on to more of a deep dive, like just enough PAM. So one question we have is who or what authorizes the just-in-time and just-enough access requests, and this is an area that I particularly find interesting, because I, I, at my previous company, we offered an IT service management tool. And so I know that that's, you know, one of the ways that we can help to put a little bit more control around the authorization of these just-in-time, just-enough access requests. So Chris, who or what is authorizing these requests?
Chris Owen (35:14):
Yeah. You know, at a very basic level, you could have a human doing it, right? Most PAM solutions have workflow built into them. It'll ping off an email and they'll say, do you approve this? I think the reality of that is nobody looks at those notifications that come through via email. I know, you know, from a past life, anytime you get an expense claim through that you need to approve, you just hit the approve button. Anytime you get an access request, hit the approve button, because you haven't got time to sit there and think about it or read all of these emails. So integration is really key. ITSM, you mentioned, you know, it's a really big area for PAM tools from an integration point of view. So you would see tools such as ServiceNow, for instance, where something is already approved, you know, a ticket for access, and that ticket could contain all the information relating to the change, the individual applications, task commands, et cetera. And that way you're automating the approval process. You could take it a step further and integrate into, you know, tools such as SailPoint identity and access governance. So what you could do is things like role requests, where you'd go in through an identity and access governance portal and say, okay, I need access to this particular role because I need to perform an X, Y, Z job on a bunch of servers. And then SailPoint will talk to the PAM tool, for instance, and grant you that access for a temporary period of time.
Brad Shewmake (36:53):
Yeah. And it, and so, yeah, I think that's probably a good transition to this concept of just enough PAM. Take a little bit of a dive into that, because one of the things that we know is that one area of risk is when, okay. And you know, so, so, you know, we talk about hackers, right? So getting into your network or getting into your environment, that's pretty easy, right? Hackers have been doing that for years. They know all the tricks and tools, humans use weak passwords, all of that. But the idea is that we want to make sure that we can stop them from lateral movement and keep them from moving around, keep them from being able to access something where, you know, the data might be more sensitive or it might be something more valuable that they can then extract and go sell on the dark web or whatever they want to do. So you know, in my mind, when I think about just enough privileged access management, I really think about that idea of limiting lateral movement. So, so Chris, maybe just really quickly, what are your quick thoughts about what is just enough PAM and how is that different than just-in-time access?
Chris Owen (38:04):
Cool. Yeah. So, so just enough is a set of controls, a set of policies, which really dictates what I can do on a system, on a device, within an application. So least privilege tools historically have been all about just enough. Some do it better than others. Some have, you know, static policies that apply that. For instance, when I double-click on an application in a Windows world, it will elevate it by adding an admin token into it, so they call that kind of just-in-time elevation. I argue with that a little bit, because that policy is always applied to the user. So it's not really just in time, it's just the fact that you're clicking on the application at that time. Let me go across to a Unix/Linux world, you know what, you have tools such as sudo or least privilege for Unix/Linux tools; it's a policy that governs what commands a particular user can essentially run as root, you know, behind the scenes.
Chris Owen (39:04):
And these policies typically apply all the time to people. So again, it doesn't really introduce that, presumably, standing privilege. And that's really the challenge in the market at the moment. Right. And I think organizations are starting to get the fact that PAM has been around for almost 20 years, and in modern world terms a lot of organizations implemented vaults and some have successfully done least privilege, but we haven't gained that much from a security point of view. You know, breaches are still happening, and the reason breaches are happening is because, well, we still got a bunch of privileged credentials; those privileged credentials, you know, the management of all that being rotated. But we can't fully rotate every single account all of the time. From a least privilege point of view, if my machine gets compromised and I've got privilege via a least privilege tool, then the attacker has the same privilege.
Chris Owen (40:02):
So that's really some of the challenges. Just enough is different from JIT. You know, JIT is all about controlling the time element. Just enough is all about controlling the scope of privilege. And there's, there's quite a few challenges in the market. I think a lot of organizations struggle with the complexity of least privilege, and that's really where we start to see a lot of projects fail. What I'd like to see in the market is more of a move to a kind of role provisioning point of view. So you know, least privilege tools host a bunch of roles. Those roles have policy, but users have to request access into a role. So taking it back to identity and access governance, you know, in a lot of organizations, business identity needs are granted via a role, but that role is often not permanent. You have to request access. So for me it's good to see privilege going in the same way.
Brad Shewmake (40:59):
Yeah. Yeah, absolutely. I agree. I have a couple of questions that have come in here; I want to make sure we get these answered in as close to real time as possible. So is it possible to implement just enough privilege or just enough PAM using only Centrify Privileged Access Service?
Chris Owen (41:17):
No, absolutely not. In reality, you know, Privileged Access Service is a vault. I'm going to take the sales hat off, you know; Privileged Access Service is essentially a vault. Now what you can achieve with a vault is kind of just-in-time access to a privileged credential, but it's not just enough, because all you're doing is vaulting an administrative credential most of the time. And that admin credential has a bunch of rights. Either you're an admin or you're not; typically that's the way that credentials go.
Brad Shewmake (41:55):
Yeah. And we had another question that came in and asked if least privilege can be accomplished with just a password vault. So I think we just answered that question as well. Yeah, definitely taking the sales hat off there. Alright. So I want to keep the conversation moving. We've got about 15 minutes left, and again, keep sending your questions in. And we're happy to answer those as we go. But again, you know, Chris, earlier as we were doing the intro we talked about the idea of standing privileges and how really the goal of least privilege, the goal of just-in-time PAM, just enough PAM, is you want to get to a point where you have zero standing privilege. And for, for the folks on the, on the CyberCast, if you, if you haven't seen it, on the right-hand side, I believe, of your screen, you should see a list of assets; at the top I think is a Gartner report that's called “Remove standing privileges with a Just in time PAM approach.”
Brad Shewmake (42:55):
And I definitely encourage you to access that report. It's available there for free. So that has a lot of information about just-in-time privilege. And one of the areas that it covers is zero standing privilege, and Gartner actually has a strategic planning assumption that by 2022, 40% of privileged access activity will leverage zero standing privileges through just-in-time privilege elevation, which will effectively eliminate standing privileges. And today the estimate from Gartner is only 10% of privileged access activity leverages zero standing privilege. So, this is an area where Gartner is seeing over the next two years a lot more adoption and people understanding that zero standing privilege needs to be the goal of their PAM programs. So Chris, taking a step back, you know, again, just give us a quick overview of what zero standing privilege means.
Chris Owen (43:54):
Cool. Yeah. And it's, it's a fantastic document and well worth a read, everyone, because this document really talks through how Gartner sees the world of just in time. They actually outline nine different JIT approaches, and it's amazing to sit here and think, you know, there's nine different ways of doing just in time. It's crazy. There's, there's a lot, and they talk through each one, and not every one that they go through is true just in time. So, you know, starting at the top, there's something where, you know, somebody asks the question, could we use a vault for just in time? Well, no, because there's no least privilege. Then you get one such as just-in-time provisioning. So I'm going to actually add you to an administrative group for a period of time. Remove you at the end. Is that just in time? Yes.
Chris Owen (44:45):
Is it just enough? No, because you're in an admin group, so you're not doing the least privilege. And this is really what the zero standing privilege is. Zero standing privilege is the combination of just enough and just in time. So I don't want any user to have any form of standing privilege or always-on privilege. And you know, that could be through a privilege management tool, because most privilege management tools have a policy that is always applied. That just-in-time element is, I must request access to use privilege, and that privilege policy must be applied to me at the time of the request. So that's really what, what zero standing privilege is. It's the combination of the two. As far as I'm aware, there are two vendors in the market at the moment, from my kind of research into this, that are offering a true ZSP approach. I am pleased to say we are one. That's, that's the shameless sales plug. There is actually another one as well. Stealthbits have a relatively new PAM kind of approach that focuses on just-in-time task management. So they're the other one that are truly offering it at the moment.
Brad Shewmake (46:08):
Yeah, so I'm glad you mentioned that, because we do have some questions about, you know, beyond a password vault, what organizations need to implement a just enough or just-in-time approach. So let's handle that one too. And then there's another question I want to get to, but we did have a few questions that came in similarly. So, you know, what would an organization need to implement just enough, just-in-time PAM, or, or least privilege, beyond just a password vault?
Chris Owen (46:35):
Cool. So for me, least privilege and password vaults go hand in hand. And not necessarily just for credential management, but when we think about the Centrify PAS platform, it really is that, a platform; it integrates into our least privilege solution. So we can do things like zero role requests, and to kind of, you know, bring that down a little bit, a level: we can have a series of least privilege policies that we put in something called a ? role. So a bunch of entitlements; users can come into our portal and they can request access to that role. The entitlement approval can be done by our ITSM, by something like SailPoint, or even a manual verbal approval process, but those privileges are just applied at the time of the approval. And we can then constrain things like the time element as well for just in time. So for us as a software company, Privileged Access Service and Privilege Elevation Service are really designed to go hand in hand and deliver this capability.
Brad Shewmake (47:39):
Yeah. So actually, you know what, really quickly, I should have had this up while you were speaking, Chris, but I'm going to really quick, I'm going to post, this is the one slide that we did, we did bring to the CyberCast. And so, you know, this may have the Centrify logo on it, but really I think that this maturity model is very applicable to any organization. So Chris, do you want to talk quickly through kind of the four columns of the maturity model here? I think the first one is, is I think pretty simple, right? So zero maturity, right? Yeah. This is zero maturity. So you are in the danger zone. You're not using any kind of PAM best practices or solutions. If you have not already been, you will be data breached. I think that's a fair way to say it. So that's why you're in the danger zone. Let's move on to the next tier of the maturity model.
Chris Owen (48:38):
This is, this is what most people think PAM is, right? It's the concept that you've got a vault. You've discovered all these credentials, you've put them in a vault, and you're doing some form of session management. And it's funny to see how many organizations get stuck at this point, but it really should be one of the most basic things. In fact, vaulting should be around 5 to 10% of a PAM program. Least privilege should form the other 90%. So, so first we see this as the basics. We struggle to see sometimes why people get it, I'm not going to say, so wrong. And that's really what I want to say. But yeah, this is what most people think PAM is, but for me, vaulting credentials is just doing password rotation.
Brad Shewmake (49:25):
Right? Yeah. I mean so, so, so really quickly. So you know this clearly, you know you're out of the, you've moved from the danger zone. You're not out of the danger zone, but you know this is absolutely better than nothing, right? So you know, if you are discovering and vaulting, you, you know you're on the path, you're doing better than nothing. So that's good. And then now let's talk about the next phase of the maturity model.
Chris Owen (49:49):
So really two components to this. One is identity consolidation and the other is least privilege. If we, if we go back to the two goals that we spoke about, you know, at the start of this: remove, reduce the number of privileged credentials, reduce the risk associated with privilege. Really you can only do this when you do identity consolidation. And again, going back to digital transformation, now organizations are moving to the cloud and have been for the past couple of years, but not just single cloud, multi-cloud. When you do that, you're at risk of identity silos, because each one of those has its own IAM platform, it has its own directory system, it has its own secrets management system. So identity consolidation enables you to centralize this identity and authentication, to have a single identity regardless of where the kind of infrastructure or code or applications reside. And then the least privilege aspect is really what we've been talking about today: controlling what somebody can do when they're on a system or within an application.
Brad Shewmake (50:53):
Right? Yeah. And then, you know, the other thing to point out here is that, you know, this is where you can start to see some of those integrations with ITSM and IGA platforms coming in as well. So again, you're establishing more of a workflow around it. Obviously that brings in a lot of, a lot of the goodness around compliance as well. So, you know, you're starting to see a more mature process, I think, really coming into play. And then now let's talk about what a mature PAM approach would look like.
Chris Owen (51:22):
Yeah. So the final stage, stage 4 of the maturity curve here, is really once somebody's got all of these controls in place. So they're managing all of their privileged credentials, they should be rotating them or controlling access to them. They've consolidated all of their identities so that each business user has a single technical identity, and you're applying controls to them that control the elevation that's being applied and when that elevation is being applied. The next stage really up in the maturity model is taking that a step further. You know, implementing things like NIST level three. So concepts and things like MFA everywhere, where we're applying MFA not just at logon but also to system logon, for elevation and things like that. And it's the full-on hardening of the environments, where we're removing all the old mechanisms for access, controlling, you know, cutting out things like firewall access and things like that.
Brad Shewmake (52:21):
Yeah, absolutely. So I'm going to leave this slide up just for a few more moments. It's at the, I believe we also made this slide available as a PDF on the right-hand side. Some other questions I want to get to. We've got a little less than 10 minutes left, so: can just-in-time, just enough be implemented along with SailPoint? The answer is absolutely yes. Identity governance and administration solutions absolutely can be, can be and should be implemented probably along with a just-in-time approach or a least privilege approach. One question that came in was interesting: how does zero trust tie into this? Which I think is a really interesting question. I think that when we see a phrase like zero standing privileges, if you work in the security space, I think it's logical that your mind kind of goes to a zero trust question, because you equate zero and zero, but they're, they're not exactly the same thing. But Chris, do you wanna talk a little bit more about what zero trust means? Certainly zero trust plays into a least privilege approach, which then feeds into zero standing, but they're not exactly related.
Chris Owen (53:28):
That's it. Yeah. So you know, we're moving away from the security model of trust but verify, you know, that's always how we've, how we've worked in IT. I'm going to trust you to do your job, but I'm just going to verify you by a username or password. That's how it's always been. The move to zero trust was really started by, he's now a Palo Alto guy, called John Kinder…. And so the concept was, you know, flip it on its head: never trust, always verify. So the concept and the relation of that to privilege, if you think about zero standing privilege, least privilege, we're moving to this world where we're not going to give you permanent privilege. You have to request it and we're going to verify it. So they are intrinsically linked, but zero trust has so much more; you know, you're not going to achieve zero trust with a PAM tool essentially, because zero trust applies at the network layer, it applies at the identity layer and also at the application layer. So, what we like to say is we, we really are focused on, you know, identity-centric privilege management based on zero trust principles. And those principles are the fact that it's never trust, always verify. So it fits in for me quite nicely having this request workflow: request privilege, have it approved, gain the privilege, remove it after a period of time.
Brad Shewmake (54:54):
Yeah, absolutely. That's, I think that's, that's well said. It's a good way to address that question about zero trust. We're going to do one last poll. I know we've got about five minutes left, so I'm going to bring this poll up on the screen. Hopefully you all can see it, and if you can't, refresh your screen and it should show up. But you know, given the maturity model that we were just looking at, you know, how would you describe your organization's PAM maturity? So again, on the left-hand side it was nonexistent, that danger zone, and on the far right-hand side was that mature, very hardened environment. And then in between we had the two other columns, which were, you know, second from the left was more of a vault-centric approach and second from the right was more of an identity-centric approach to privileged access management.
Brad Shewmake (55:36):
So while you're considering that question, a couple other... we've had a bunch of questions come in about Centrify's capabilities. We don't want to make this CyberCast an ad for Centrify. Certainly, we appreciate the questions, but there is a wealth of assets that should be available to you on your screen on the right-hand side; several of those link to Centrify webpages, Centrify documents. So, if you want to learn more about least privilege, I'd encourage you to go to the privilege elevation and delegation management section of our webpage, and that's where you'll find most of the information that we offer about our least privilege solution, questions about how those can be integrated with other vault solutions or Centrify zone, for example. So definitely go to centrify.com if you want more information about our particular solutions, and of course we'd be happy to follow up with you after the CyberCast as well. So we've taken a few minutes here to have this poll question up, and let's go ahead and take a look at the results. So how would you best describe your organization's PAM maturity? And so this is, this is good. Chris, I'll let you go first on this one.
Chris Owen (56:52):
Obviously the one that jumps out is, is the mature, that fine, 5.9%. And I think we have to be realistic and expect to see that in the market. So for those that, you know, haven't chosen that, that approach and those that have, you know, don't, don't be surprised with that. You know, the PAM world is definitely evolving. It's changing constantly and digital transformation is driving that. I'm really pleased to see identity-centric, because it really proves that we're on the right path in our messaging and why we're going with the product set. So I think that's, that's a good advocate for us. And it also means that people are realizing, you know, the notion of shared access, shared credentials, that's just not good enough. We need to be able to tie every single activity to an individual. And I'm so pleased to see that vault-centric. Again, we expected; there's definitely been a notion over the last 10 years that PAM calls roles. It's tough. I've seen so many failed vault projects simply because of the amount of change that goes on. So, I think the shift to identity-centric PAM, a shift to, or at least pretty much, a zero trust standing privilege model, is happening now.