According to recent research by the Identity-Defined Security Alliance (IDSA), 59% of organizations say that cloud applications are driving a 5X increase in the number of identities over the past 10 years. And, over the past two years, 79% have had an identity-related breach.
Digital transformation has massively expanded the threatscape, as modern technologies like cloud, DevOps, containers, microservices and more are creating an explosion in the number of machine identities in the IT estate. Now more than ever, it’s vital to take an identity-centric approach to securing privileged access to resources in on-premises, hybrid, and multi-cloud environments.
In this webinar from Centrify, an IDSA member, we’ll explore:
- How organizations have evolved their use of cloud
- How Privileged Access Management (PAM) solutions have transformed to support new methodologies and tooling
- The differences between a shared account approach and identity-centric approach to PAM
- 6 key challenges organizations face for DevSecOps when it comes to cloud, and how to solve them
-
Julie Smith (00:10):
My name is Julie Smith and I'm the Executive Director of the Identity Defined Security Alliance. Thanks for joining our webinar today, presented by IDSA members and Centrify webinars, Identity-Centric PAM for Cloud and DevOps. During the discussion today, if you have questions for the presenters, please submit them through the QA chat window. I also want to point out that the research that was referenced in the abstract, as well as the slides for today's session are included in the attachments section of the portal. Before I turn it over to our presenters today, I wanted to do a quick commercial for the IDSA. The IDSA is a nonprofit organization that facilitates community collaboration to help organizations reduce risk by providing education best practices and resources to implement identity-centric security. Our membership is comprised of leading identity and security vendors. In addition to our customer advisory board members who provide guidance on our mission and represent the practitioner community, we deliver on our mission through cross vendor collaboration, thought leadership through research, our blog, which is populated by our members and educational webinars like today. In addition, we develop an identity-centric security framework, which is vendor agnostic, best practices, security outcomes, and implementation approaches. I encourage you to visit our website for more information
Julie Smith (01:36):
Today's webinar, as I mentioned is presented by Centrify. Our speakers are Brad Shewmake and Chris Owen. Brad is Director of Corporate Communications at Centrify. He uses insightful thought leadership to increase awareness about cyber security. He communicates Centrify's Identity-Centric PAM vision and news with global media industry analysts and customers across multiple channels. Chris joined Centrify in 2019 as director of product management. He has over 15 years of experience in privileged access management. Having started his career at Cap Gemini, where he was an integral part of the team that at the time worked on the world's largest PAM deployment. Since then Chris has worked at various PAM and identity management organizations, such as quest software CyberArk, where he was responsible for implementing architecture best practices. And most recently at Beyond Trust where he led the solution engineering team across EMEA and APAC, Chris’s current role takes them around the world. He speaks frequently to audiences looking to gain insight into privilege access management, and we're excited to have him here today. So with that, Brad, I'll turn it over to you to lead the discussion.
Brad Shewmake (02:45):
Thank you, Julie. And good morning everybody. I just want to extend a quick thank you to Julie and the IDSA for allowing Centrify to use this channel to speak with everyone today. So thank you very much. Just a couple of quick items.
Brad Shewmake (03:00):
To reiterate what Julie said, there are some resources available as well, including these slides that Chris will be going through for the next 40 minutes or so. As many of you are probably aware it is National Cybersecurity Month here in the US and we've got two more days left in October.
Brad Shewmake (03:46):
So, it's a fitting time to have this webinar. And as everybody knows, organizations across all industries, even those that have traditionally lagged or been resistant to it, they're now moving to cloud. And the reality is that many of them are moving to multi-cloud. And obviously there are availability and scalability gains that are extremely attractive, especially as we're in a pandemic where there's a broadly distributed remote workforce. But also, as people are accelerating their move to cloud, that's also creating some confusion. So, we'll address some of that. In the meantime, we have DevOps and, uh, these teams, they, they want to be agile. They want to move quickly. And sometimes that means that they want to try and skip over security. So, we're going to talk a little bit about DevOps today with regards to privileged access management and how PAM can be as much as possible automated into both cloud security and DevOps. So, it's built in and as easy for everybody so that you don't lose productivity. You don't lose agility, but you can increase security. So, with that, that's a short intro. I'm going to turn over to Chris Owen, Chris?
Chris Owen (04:55):
Thank you very much, Brad. And, once again, thank you, Julie. And the IDSA for hosting us today. So really what we're talking about today is the adoption on rise of cloud technologies. And then what we can do from a DevOps, DevSecOps point of view to secure that access. And really this is coined to the umbrella of digital transformation, right? And it's driving cloud adoption faster than we've ever seen before. And of course, the global pandemic that we're all going through at the moment has really led to an increase in cloud adoption, as many organizations transition to this new remote way of working and how to gain, as Brad mentioned, efficiencies, scalability, cost savings benefits. If we look at the stats for, cloud adoption over the next couple of years, it's thought that by 2024, 90% of global 1000 organizations are going to have multi-cloud management strategies.
Chris Owen (05:55):
And really what that means is taking it a step further from where many organizations are now who are dipping their toes in into cloud technologies. They may select one particular vendor, whether it be Microsoft Azure, whether it be GCP or AWS. And it broadens that to say, okay, a lot of organizations are going to have multi-cloud strategies where they may take some components from different vendors best based on best in class, best of breed technologies. Along with that, you know, 93% of organizations are really storing sensitive data in the clouds now, and there's been various different bits of research done, whether it be by forest or by Gartner. And it all points to the fact that cloud adoption is growing, but so is our risk exposure. And one of the scariest stats really on this page is, looking at the stat for through 2023, at least 99% of cloud security failures are going to be the customer's fault.
Chris Owen (06:54):
And as a security professional, that scares the life out of me because while the attack surface is already greatly expanded, cyber adversaries have a lot more time on their hands than what we do, and they can spend days, weeks, months, probing for probing for gaps. So hopefully throughout the rest of this session, what you'll take away is really some best practices of how we can evolve our privileged access management strategies to really look after the new breed of frets that we're seeing when it comes to cloud security. And then finally on here, businesses are ultimately still responsible for the confidentiality, integrity and availability of your data in the cloud. And I think most of us are aware of this in reality, but it's always a good reminder, especially when we just went through the previous statistic that we are responsible for protecting big data in the cloud. The cloud provider is responsible for the platform and providing that to us, but that's the reason why 99% of cloud security failures are thought to be attributed to ourselves, the customer's fault. And Brad, I don't know whether you've got any insight that you can share on some of these as well.
Brad Shewmake (08:11):
I think that one thing that's interesting as we were prepping for this webinar, we actually had an older stat down in that bottom left quadrant. And, I think the number was 95% through 2020. So clearly, you know, this is a Gartner stat from a fantastic report, by the way, you can see we've got a reference there. Centrify actually has this report available for free on our website, if you want to go get it. I can see if we can, maybe in real time here added into this, as a resource for this webinar as well. It truly is a terrifying stat. And again, a lot of it comes around to confusion, right? Some of these industries, especially who have been resistant or hesitant to move to the cloud now suddenly feel like they're behind and they knew them to move very quickly.
Brad Shewmake (08:57):
But as they're doing that, there's confusion, right? They don't know where the responsibility lies in this shared responsibility model. A lot of them might think that all of the security is the responsibility of the cloud provider. And that is just not the case at all. So, Chris, you've already touched on the shared responsibility model, but I think obviously a lot of it starts with understanding of what the shared responsibility model is, and that will hopefully help to, over time, knock down that 99% stat that Gartner predicts, so it at least gets down. So, we don't have 99 out of 100 organizations having customer faulted security failures. Yeah, absolutely. That would be fairly terrifying. And I'm pretty sure. And just as well, that's really where we're privileged access management comes in, right.
Chris Owen (09:49):
We know privileges at the heart of the majority of breaches that are out there. You know, attackers can't do bad things if they don't have privileges, don't have rights. And when we think about traditional privileged access management, it really focused on protecting the data center. You know, all of our assets were contained within bricks and mortar, and we were in full control of security authentication, and really as organizations embraced cloud, that kind of changed it, it changed everything. You know, we, we joked about it on a blog that we did and said, you know, cloud changed everything. And unfortunately recently it turned to COVID changed everything. But when we look at the adoption of clouds and what happens, I remember working in a previous company about 10 years ago. We did this huge shift to cloud and it was literally a lift and shift.
Chris Owen (10:44):
We took all of the servers that we had in our data center. We moved them to a hosting provider and we quickly backed out of it. Right. And I think a lot of organizations have done this when they embrace cloud. You take what you've got, you're shifted into the cloud, and then you quickly realize, hold on, I've gained zero here. You know, I may not have a building cost anymore, but I'm not realizing any scalability benefits, any cost savings or anything like that. So, there's organizations mature to their cloud environments, they started to redesign for elasticity. And this is where you have terminology such as infrastructure-as-code. And what that really means is that we are provisioning infrastructure provisioning. What used to be a server as you know, compute in a public cloud platform. And then we'll leverage things such as auto scaling where we can shrink or grow that infrastructure and compute environment based on need, based on requirements.
Chris Owen (11:42):
As our services become busier and the final stage, and some organizations are adopting this now, is really the replatforming of our applications for containers. And this is really a drive towards agility. And some organizations have started, they're dipping the toes in the water with container technology, whether it be Kubernetes or docker and things like that. But I would say the majority of organizations are kind of in the middle of this picture, really still looking at elasticity and trying to think about containers, but that is a major shift. Brad, I think it's something that we're seeing, right? This huge rising cloud adoption. And I know you've been tracking some metrics in this area as well.
Brad Shewmake (12:37):
Yeah, we have actually. So Centrify does quite a bit of a of survey research. We actually have one that we just announced that at the beginning of this month, and what the survey found is a survey of over 200 US business decision makers and that found that 48% of organizations have accelerated their cloud migrations in the past seven months as a result of the pandemic. Now, what was interesting about that was if you look at the data and break it down by enterprises with 500 or more employees, that number jumps from 48% to 73%. So clearly the larger enterprises, large companies who may have been in any kind of place in their cloud transformation journey. They're all, for the most part 3 out of 4, they're all accelerating those journeys, they're accelerating those cloud migrations. And so, as Chris said, for a lot of those larger companies, they're probably going to land somewhere in that middle phase that Chris went through. These three phases. But for some smaller organizations that may not be as far along that path, they might still be in that lift and shift mode. But interesting to see that clearly there is data there that shows that, hey, it's a new way of working. There are new requirements for our workforce, new requirements for our partners and customers. We've got to make this; we've got to accelerate this move to cloud.
Chris Owen (13:58):
Absolutely. And one of the interesting things as our organizations adopt cloud technology is that we embrace new ways of working and new technologies. The exciting part is that our staff are also transitioning as well, and they're learning new technologies. It's exciting because people gain new skillsets. It's great that people get to progress their career. And it gives us some challenges from a security point of view, but we really have to look at security being an enabler at this point. But if you look back to the good old days as I like to call them, I remember working in a data center once, and it was a large migration project from a Windows NT 4 up into, server 2003 with active directory. So we had to spend a lot of time in a data center, building servers.
Chris Owen (14:52):
And in those days, you had, first of all, change control, you had physical security, you'd walk up to the data center, you'd have your RF Id card to get in. You'd be met by a data center Ops person, they'd check all your details and all the change control, they'd escort you to a server. And sometimes they'd even stand behind you and watch what you do on that server. But if you look at our transition to the cloud, this has completely changed. And I'm a little bit old school. I miss going up to a server rack and hugging servers and keeping them warm. But now our data center can be accessed with a password. And, that from a pure security point of view, that's scary from a technology point of view. It is fantastic. But there's definitely, I call them a new breed of it, Ops staff under the umbrella of kind of DevOps.
Chris Owen (15:45):
And there's also DevSecOps and SecDevOps. It can be a bit confusing, they are deploying infrastructure-as-code and it definitely acting in a more agile way. And we're trusting the staff to build security into their process in order to enable agility really with rapid time to value. Our staff at transitioning our data centers and our cloud of transitioning, and there's a whole raft of new technologies that are now being introduced into our environments. And, frankly, as a central security team, we cannot possibly know all these tools, how they work, what security gaps are in them. And I think the old model of centralizing security operations isn't as effective as what it used to be. And of course, that's not to say that a central security team isn't needed. It absolutely is, but the role of security is constantly changing and definitely should not be seen as an enablement function to really assist on new staff kind of building security into their workloads.
Chris Owen (16:53):
And there's varying different layers to this. You know, the slide here has a typical DevOps environment as I call it. And the pure number of programs, platforms, et cetera, is quite daunting, but this is the world that we live in now and right, the way up from virtual infrastructure, which simply used to be VMware, you know, we've now got AWS, Azure, Rackspace, GCP, et cetera. We've then got across the operating system layer. You know, all of the major players that you would expect to see, plus some new ones, you know, container Linux, for instance, we're seeing a lot more applications designed to run in Docker containers. And then of course, you've got an orchestration layer on top of that, a platform layer, and then you've got the CICD pipeline. So tools talking to tools in order to do this work.
Chris Owen (17:48):
So there's lot of change that organizations are having to deal with a lot of new technologies that are being adopted. Some are being adopted at a rapid pace. And sometimes, you know, COVID is a prime driver of that. As we change our environments, we're changing our applications at the same time. Cloud has been a great enabler for a whole wave of new authentication mechanism, as we try and consolidate identity. So now we've got web standards, things like SAML tokens. OAuth tokens, open ID connect that really enables us to centralize authentication onto a single identity and provide that to cloud applications. Now, as we embrace cloud technology. And as we think about privileged access management as a whole and how it fits into this, there were really some key challenges, key use cases that we've got to look to address.
Chris Owen (18:46):
And, you know, we're not going to sit here and say privileged access management has been an easy thing for organizations to adopt and implement over the last 15 years or so. You know, it's had its challenges for a lot of organizations, and some have struggled with adoption. Some of that has been, how do you sell it to your internal user base? Some has been, how do we position it in a way that we're not taking things away from our user base? And now we've got to think about what are the new ways of working? What are the new things that we've got to protect? So some of the key use cases for privileged access management when we think about DevOps is really, how do we protect access to the management consoles?
Chris Owen (19:38):
How do we protect programmatic access to them? So the command line, API, things like that, how do we protect the CICD pipeline? So tools talking tools, how are we protecting infrastructure and workloads? It’s a little bit different to how we'd protect, I guess, servers compute within a data center and then what are we doing? Right. And secrets, and then app to app authentication. We're going to look at these use cases one by one, and kind of give you some suggestions and things that really you should be looking to do.
Brad Shewmake (20:11):
Yeah, Chris, I love it. Let's get into some of these specifics. Cause I think there's a lot of things we can go over here. I mean, as I, as I think about this first, kind of challenge that we're looking at, one of the things that comes to mind here on this topic is, each cloud provider has their own, they have their own best practices right around and specifically around securing root accounts, for example. And so that can include enabling MFA at the cloud provider level, but when you move to a vault most solutions, then they can't manage these passwords unless you remove the MFA
Brad Shewmake (20:48):
That you set up on the cloud administrative console. So, just to kick this particular topic off, how do you resolve that?
Chris Owen:
Yeah, absolutely. And a really good point there. When you sign up to a cloud platform, you first came to is always route, you go through a series of best practices and generally it finishes with enabling MFA through that platform. And really that sets the lock on the front door. Now, if you're going to manage AWS routes, as an example, with a vault, a vault automatically reaches out, it may use an API CLI or, or other kind of mechanisms, but it can't deal with an MFA prompt. And that's a major problem for vaults because vaults will come in and they'll tell you remove MFA. You've got MFA on the vault and the problem solved, but for me, you're taking the lock off the front door and your last kind of security controls.
Chris Owen (21:42):
So it's a little bit risky. What you'll generally find, and this is the route we've gone down as a vendor, we do, what's called an assisted password change. So, we will actually get you to the front door of AWS. We'll do all the form, fill we'll manage the password, but we'll actually take a pause and then prompt the user to enter the MFA as part of that password change process. And there's lots of notifications, the things that, you know, when that needs to happen. But if you think about the challenge, these cloud management consoles are full access to the data center essentially, and it's using a password. And at the same time that humans have access DevOps tools, pipelines also have access, whether it be via API CLI. So the things that you want to do is certainly manage those credentials in a vault, make sure that you're auditing any kind of access to those management consoles and maintain the infrastructure-as-a-service provider, best practices.
Chris Owen (22:40):
And that's really for admin access when it comes to staff, when it comes to users, Federation is key, right? The last thing that you want is identity silos, being spun up. You know, somebody's going into Azure, creating local users, the same with GCP and AWS, IAM users, et cetera, tie them all into whatever your directory may be, avoid the identity silo problem. You can also do host based auditing on end-users workstations. So anytime that they have browser access to one of these cloud compute prep platforms, you can fully track what it is they're doing. More pertinent with admin access though, rather than standard users.
Chris Owen (23:22):
Now the next challenge comes with programmatic access. When you think about automation and really what most people think of as DevOps it's scripts, orchestration services, other tools that have, API command line access to those cloud platforms itself. So some of the basic controls that we should doing here is really managing those service accounts and access keys. Again, vaulting is ideal for this and then allowing scripts and orchestration tools to programmatically access these accounts and keys. So you can either do that via what's called the AAPM; application to application password management. Allowing the scripts and programs to programmatically, retrieve them from the vault, play them into the target system. Or again, you look to leverage Federation which really ensures secure control over the authentication process. If you use Federation, you eliminate the need for service council, that's static credential.
Chris Owen (24:23):
A major security benefit in doing that next step. We're going to look at the pipeline itself and much like the previous example, this one goes a step further, really and focuses on tool to tool or application to application credential management. And usually when we, when we talk about a pipeline it's established between tools and requires authenticated access to run applications, scripts, which you never want to contain hard-coded credentials. So the solution here is really when it comes to application to application, password management, you’re vaulting the credentials, ideally don't have them that static utilize ephemeral tokens where possible, and really don't create additional front doors. This is a really interesting point. And it it's the point of application to application password management is a difficult subject. It's one of the hardest parts of a PAM program. There's some serious security concerns with how people do this. I guess, Brad, we can talk a little bit about the AAPM approach that typically, you know, PAM vendors have and what we do, that's a little bit different here.
Brad Shewmake (25:48):
Yeah. it application password management or APM, I mean, it's not new. It's not like a new acronym and, there are definitely traditional approaches to AAPM that I think, Chris, we can maybe talk a little bit more, but also I think that there's clearly a desire in the market to see some more modern approaches to APM. And I know that we have one in particular, Chris, that maybe you could touch on, which is our delegated machine credentials capability in our privileged access services.
Chris Owen (26:22):
Sure. When you look at APM, historically, what happens is that you vault credentials, you have a script, you have a workload that needs to retrieve them. So you remove the hard coded, embedded credentials from the script. You replace it with a call to the vault. Now, in order to make that call, your script needs to talk the vaults to retrieve it. So you have a username password and an API key, usually that your modified script contains. And the reality of that is you've moved your privileged account into the vault, but you've now created a doorway and you've left the credentials in that doorway or the key in that doorway. You're creating all of these entry points into your vault and you'll have them distributed on lots and lots of applications servers. So that for me, doesn't really solve the problem.
Chris Owen (27:17):
One of the really cool things that our engineering team came up with was the concept of DMC or delegated machine credentials as it's called. And this works really well in a cloud world. As soon as a cloud workload is provisioned, it can actually enroll itself with our platform. And we think of that enrollment, very similar to what you had when you do things like MDM, mobile device management, you'll join a company you'll enroll your mobile and the MDM platform. It has a bunch of security policies applied. Well, we can do that with servers and workloads. So you spin up something in AWS. It registers itself in our platform and we use under the covers, our two tokens and we can use scope tokens as well, but we ultimately then trust that machine. So there's a certificate exchange that goes on.
Chris Owen (28:08):
We trust that machine and we allow that machine or the application to then speak to our vault without needing the username password API key, so much stronger form of authentication under the covers. And it solves the problem of APM because it doesn't require you to create privileges or holes or backdoors into your vault. So huge kudos to the team when they came up with, with that, I think it a fantastic innovation in the world of AAPM and, something that I expect others to follow with, as soon as they start looking at how it works.
Chris Owen (28:45):
Now, we just spoke a little bit around workloads, infrastructure. And when we think about this, a lot of us think of compute. A lot of us think of servers. So many of us will think about traditional privileged access management controls and some of the tools, technologies that we can actually use here, but actually cloud workloads have a little bit different. When we create servers, containers, they're really are most granular security boundary. And these are often ephemeral in nature. Typically, we know what's in our data center, we know how many servers of which type, but in the cloud world for using things like auto scaling, they will spin up. They'll spin down. They're very dynamic in nature. So installing big agents on them, having policy pushed out to them to control privilege, doesn't really work very well in a model where you are not static.
Chris Owen (29:43):
So really the solution to this is it's one, what we just spoke about with the delegated machine credential, you know, allow machines to enroll role within the PAM platform and trust them as soon as they are provisioned to, as part of that process, you can automatically dynamically vault, any accounts. So they've got enable just in time. And JIT is a relatively new model in the world of privilege. You know, we've been speaking about JIT for the past couple of years, but that does make it new in the world of privilege and really just in time access. And also just enough is only allow access as an when it's required and sometimes with approval processes, et cetera, but it's granted just in time. So removing static access to systems. And then the final point here is really on an MFA. You know, MFA is a very important security control as we're all aware, but a lot of people just have it at the front of their privileged access management solution. And actually most, most sessions that you see are not always initiated via PAMtool. People go round vaults, people log on direct, and that's okay. You shouldn't necessarily force all users through a vault because that's when you get into trouble in fundamentally changing how users operate. So by applying MFA everywhere, or in this case, upon system log on, you're putting a further barrier in place for the threat actor.
Brad Shewmake (31:18):
I think that that point about enabling just time access is worth drilling into a little bit more. This really comes into play as we start talking about the concept of least privilege. It's more than just authentication, it's how do we make sure that we are only granting just enough access for just the amount of time needed to complete the task, and then removing those privileges. So there are no standing privileges that's really what's at the core of the least privilege concept and goes a long way to ensuring that you're closing some of these doors that the threat actors would seek to walk right in, right through.
Chris Owen (31:58):
Yeah, absolutely. And I think you hit on a really good point there, which was the zero standing privilege model. One of the things that has happened historically in privileged access management is the concept of standing privilege. It’s a bizarre thing because you would implement a least privileged tool to take away privileges or to only grant the relevant privileges to people. I should say if we're selling this in the right way. But actually those least privileged policies are completely static. If somebody compromises my account, that's still got all the privileges that I have that are being managed by a PAM tool. So the concept of JIT was really coined to grant just in time access on a, just enough basis. So JIT and JEA, other terms that you'll likely see across the industry, but as Brad mentioned, it does away with standing privilege grants, just in a assess only when it's needed there.
Chris Owen (33:05):
We then come into one of the most common things that we get asked about, which is about secrets management. And most people think of secrets as either bits of code or certificates or tokens and things like that, but the secret could be anything can reality. It could be configuration data. It could be all of the things that we've mentioned before, your certificates, tokens, API keys, et cetera. So you definitely need somewhere to store these. You'd want some kind of central storage vault for them. And actually all of the major cloud platforms actually have secrets management capabilities built in or I guess I'll offer one bit of advice. You know, we are here as a vendor and we have a password vault solution, you can get into a little bit of trouble. If you start utilizing secrets management capabilities natively within the cloud platforms, you can very much have a disjointed and siloed approach to privilege management.
Chris Owen (34:08):
If you start consuming secrets management from Azure, AWS and GCP, and then you have a password vault on top of that, regardless of the vendor, all of a sudden, you've got four different vaults to manage, to secure, to ensure that there's consistent policies across. So traditionally, what you'll see across the PAM world is vendors that are consolidating these into a single offering to give you that kind of central platform that does everything for you. But secrets management is really at the heart of cloud because secrets are used everywhere and through all of the tools that you're likely to see in this.
Chris Owen (34:52):
Really the final bit is app to app authentication. And this is a little bit different to app credential management. And this is really focused on the fact that modern application, so ultimately requiring access to other applications services on the hosted platforms that they reside in or data storage services. If you think about designing applications in a legacy world, you'd typically have a web tier data tier, et cetera. So in a typical three tier architecture, those components need to talk to each other. And when you architect applications in the modern cloud worlds, you're leveraging services of the cloud platforms, you'll be doing web development yourselves. So tokenization and authentication are really key here and the common technologies are really OAuth, open ID connect or SAML, that we see, most of the time. We've got to allow applications to retrieve these tokens. One of the things that we can do is actually generate these tokens as a platform and allow then, applications to consume them. And because we're trusting the machine that hosts that application, we can allow them to retrieve them securely and without needing additional credentials to do that.
Chris Owen (36:15):
So they're really the six key use cases that you look to protect. And you know what, one of the great things about us doing this kind of webinar in conjunction with IDSA is really the identity-centric conversation. And it really plays a big part in privileged access management. I think historically we've very much focused on data-centric security in a world of data centers. And that really focuses on applying protection to data. And rather than trying to protect data in specific locations, even where they run a laptop specific network, the goal is really there to protect sensitive data in a, wherever it goes using policy-based protection that prevents unauthorized users from accessing it. And typical technologies that you'd see, data discovery, classification, encryption, tokenization, data masking type of solutions and identity and access management has always been a part of data center security, but it's not the foundation of it.
Chris Owen (37:25):
An identity-driven approach really focuses on identifying individuals or things in a system and controlling access to resources within that system. And the goal is to ensure that the right people access the right information at the right time. The typical technologies that you'd see here include identity and access management solutions or IAM solutions, as we know them, identity governance, IGA tools, access management, and privileged access management fits into an identity-centric security model too. And the arguments for this approach, some of the similarities in reality to data-centric security. What an example of this is that a new security approach is needed in a zero trust environment where no one can be trusted by default is. Zero trust is never trust, always verify. However, advocates for identity-centric security say that identity, not data is the common denominator and increasingly complex kind of networks, and really should be used as the core of all trust.
Chris Owen (38:35):
Another thing that the identity-centric approach says that is, if you don't know who or what is requesting access, then no other security method really matters. And I'm not sure whether I 100% agree with that. I think we've always been taught defense in depth, but it is true that you can have the best data encryption application security, but if the wrong identity gains access to that data or application, but that efforts kind of fruitless. There were a number of reasons why identity is becoming increasingly important in the last few years. And I guess identities have evolved far beyond humans, where now systems APIs, applications, et cetera, and really identity continues to be at the root of most headline grabbing data breaches. They all involve privileged access in reality. So very important.
Brad Shewmake (39:29):
I think that's an important point and on the previous slide, when you're talking about cloud PAM for app to app authentication, you had a bullet in there that talked about how we can remove the need to create additional privileged accounts. And as you started to think about identities, and you mentioned this already, Chris, which is, now we're seeing this the exponential kind of explosion in identities, isn't happening at the human level, it's starting at the machine application and service level, right? The more and more that we can remove the need to create those additional privilege accounts for those identities, the more potential doors or entryways in we're going to be shutting.
Chris Owen (40:12):
And I think it's one of the fallacies of password vaulting. I remember my first vault project that I did when I was a customer. It was in 2001. And I implemented this password vault and it could only actually manage three accounts that was it. It could manage root, administrator and SA. And that was all this vault did. And I'll tell you why it was fantastic vault. It was highly successful. I used it in about three projects that I did and every single one was successful. Two years after that in 2003 vaults really became commercial. A bunch of new vendors entered the market and the password vault space. And I can honestly say, as soon as vaults were able to manage more accounts, what I actually found is, organizations I was working with ended up creating more privilege than they actually managed.
Chris Owen (41:06):
And that trend continued, you know, vaults have evolved, they've become more complex, but at the same time, you've needed more privilege in order for the vaults to work. So you ended up exploding and creating additional privileged accounts. We'll come into it in a sec when we talk about agents, but I embrace agents in a cloud world because agents remove the need for you to create additional privileged accounts that be for password reconciliation purposes or AAPM purposes. But, we need to look at this pragmatically and from a security perspective, that vaults aren't the be all and end all, they are very important. They do a very good job that they don't secure everything. So definitely you need to look at an embrace of the technologies around the side of a vault in order for it to be effective and agencies, one of the ways that you do that.
Chris Owen (42:05):
Ultimately when we look at, identity-centric privileged management, and what Centrify provides here, if we think about the challenges that we just spoke about, organizations are complex. A lot of us have data centers. A lot of us are embracing cloud technologies. And at the same time we're embracing multiple cloud technologies or multi-cloud strategies. So really what we as a vendor look to do is centralized, privileged access management for these heterogeneous environments and hybrid environments. We want to give you a centralized solution for managing credentials or secrets. When we think about authentication, identity, think about how you transition from a data center into a cloud platform and into cloud compute. So you want to take your active directory identity with you. You want to log onto cloud resources as yourself and federation is really at the heart of that at the same time, we've now got applications utilizing service account and APIs.
Chris Owen (43:12):
So again, we act as the centralized kind of broker for those and a couple of neat things is multi-factor authentication. We spoke about that and how important that is as a control. As part of our platform, we are an MFA provider and we can break that MFA to, to these desperate kinds of environments and cloud providers. What we have seen a rise in and Brad, I think you'll agree here is, certainly the global pandemic has really driven the need for remote access solutions. One of the things that we realized very early on is the way in which we architected our solution here, it provides that secure remote access without the need for a VPN and VPNs have their place. They're very good for corporate access, but when it comes to privilege, it's kind of like digging an underground tunnel into a prison, and then not having any visibility of what's going on inside that tunnel. So certainly, remote access, secure remote access without the need for VPN where a PAM solution is providing the credentials is something that we've seen huge and exponential growth in throughout this year. Brad, would you agree that?
Brad Shewmak (44:25):
Absolutely. One of the things that's really, really important to be mindful of here is a lot of times when you think about administrators, a lot of them are third parties, right? So you have third-party access where you don't want to give those people just to complete an open tunnel into the prison. So that's, oftentimes been a concern has been those third parties. But now with even your employee, IT administrators, all working remotely, well now you've got even more people who are trying to use that open tunnel. The way that we can actually secure remote access without a VPN really does provide for a more secure way for it is to continue to have the access they need. But not just grant full access to the entire network.
Chris Owen (45:22):
Yeah, absolutely. I think one of the interesting points here and we'll come on to in the next one is from an infrastructure point of view, privileged access management has traditionally been complex. Organizations have required a lot of infrastructure, typically on prem, there's been a large number of servers, very high performant servers. Third-party licensing has been a common thing we've seen as well. The new wave of PAM tools that have been out there for the past five years or so have changed things, many are now doing a cloud first strategy. And we're no different, obviously we're not the only vendor in the PAM space. There’s a lot of great vendors who do what we do with a lot of great technology, but we're really when we look to what sets us apart.
Chris Owen (46:22):
I think a couple of things for me, the platform approach is key. When it comes to privileged access management, nobody wants distributed silo tooling anymore. Everybody's looking to do vendor consolidation, tool consolidation to realize cost savings, et cetera. I think we're in a great place here. We are not ashamed to say that we're the only PAM leader in the leader’s quadrant of the Gartner Magic Quadrant MQ that hasn't made acquisitions. And you can look at that negatively and say, okay, what what's youre kind of great strategy, but I actually look at that in a really positive way, right? Because we've got a fully homegrown solution that we've built ourselves that fits in the one platform that fully talks all of the components, talk to each other, and it's modular. You just pick up the capabilities that you want to consume and they will all work together.
Chris Owen (47:19):
I think that really works in our favor. It definitely enables our customers to look at focusing the efforts on tool consolidation as well. We are seeing a lot of replacement programs starting to take place, people that adopted PAM maybe 10 years ago that went with a more kind of on-premise, old vaults architecture, thinking about transitioning to the cloud. So they come to us looking for a SaaS provided solution there. That's really where we shine, right? We built this solution cloud first. We built it in as transitioned it to AWS. So we we've run across both platforms. And is it mentioned, we are hyper scalable and what does that really mean? Our cloud solution, our SaaS solution will grow as our customer base does. We've got an excellent Ops team and we eat our own dog food to put it in a polite way.
Chris Owen (48:18):
We utilize all of the kind of controls that we've just been speaking about to really grow our platform and to do it in a secure way at the same time cloud may not be for everybody when it comes to security. So that same cloud architecture that we've built, we actually utilize the same architecture for our customers who want to deploy this themselves. So we've taken all of the great kind of cloud technologies, whether that be REDIS cache, whether it be fast databases, um, our cloud clients, et cetera. And we enabled people to deploy that within their own environment, whether that be private cloud or even on-prem. And then the concept of hub and spoke. So if we go back to privileged access management tools for vault, you'd potentially have a minimum of eight big servers.
Chris Owen (49:10):
But it's very rare. You'd see eight largest I've seen has been around 86 servers, huge, huge footprint and tools aren't designed like that anymore. If we take our, our SaaS vault platform, all you need to deploy in your environment are these tiny little connectors. You distribute them in each infrastructure-as-a-service provider in each VPC. If you want to put them on-prem to manage them on-prem, then you do that. But these connectors now are phenomenal in terms of the work that they provide and the things that they do. So they act as the proxy for you. They'll do SSH sessions, RDP sessions they'll act as the MFA broker, but they're also an API proxy, a certificate proxy discovery engine, a change engine, all in a little bit of code that you can just drop onto existing workload and compute.
Chris Owen (50:03):
So phenomenal, these things, the designs now, and I mentioned that a while ago, we're proud that we're agent based. It says here client-based and clients have so many benefits when it comes to privilege, the reality is having an agent is the only way to really manage privilege. Otherwise you're doing it as an abstraction layer on top of the operating, and you can always circumvent that. So a cloud client and our on-prem clients that they're really clever, you know, they can enroll systems into our platform that way you've got what we call the root of trust there, meaning that we're trusting the identity of the machine, and we can then enable workloads and enable automation. It enables you to do granular host-based access control, so enforcing least privilege. And then at the same time, it can record everything on that host.
Chris Owen (50:57):
So locally, if you think about traditional password vault solutions that have a proxy, that proxy will record all your sessions, and we can absolutely do all of that by the way. But what if somebody goes around the vault, what if somebody doesn't check out credentials or log for a proxy, how do you then know what they're doing you then in a really tricky situation where you're trying to correlate logs and reliance on SIM tools. So how you space, session monitoring and termination is a really important control to have in the future. And Brad, do you have anything that you think really sets us apart as an organization?
Brad Shewmake (51:37):
I think that's a good advertisement for Centrify. I mean, one of the things that I always love to talk about with regards to our solution is with regards to that multi-cloud architecture. Again, our solution was developed in the cloud for the cloud. And we actually were the first PAM vendor to offer PAM-as-a-service. The deployment options that we make available, I think are unparalleled in the industry. That does set us apart when you do start talking about things like cloud security and DevOps where that cloud architecture and those deployment options really do come into play.
Brad Shewmake (52:17):
I think that wraps up our slides and thank you for the thorough run through. I think we have eight minutes left, and I know that everyone appreciates some extra time if we have it, but if you do have any questions at this time, please do put those into the QA field. I do see that we've had one come in here. So we have a question Chris, about the issue of an individual having multiple identities used in context, and how they may not be known as the same moniker, or I assume that means the same identity within varying contexts. I don't really see a question here per se, but the comment is, most assume that this will be handled by isolating that indication systems. But there's more overlap of contexts that could create more conflicts. So do we, how do we address it? I don't know if that's clear enough.
Chris Owen (53:21):
Yeah, absolutely. The analogy is actually really good in that if you're home on social media networks, et cetera, you've got different identities on a system and some will be personal, some will be work-related in a work context, you may have multiple identities in a work context. And it's an interesting challenge to have, especially when you come to tokenization of authentication. I think if I log onto my office365, my work identity, it says, do I want it to remain logged in? Well, yes, until the point when I want to go and check my outlook.com email, and it does a similar thing, I've got different tokens running. So yes, we have solved some of that. I'm not going to say we're a 100% there. But specifically when it comes to, to work identities, we've done a lot of work on identity consolidation, obviously starting out in the UNIX Linux space, consolidating into active directory there, but our cloud client gives us what we call identity broker capabilities and allows you to take your identity with you into these cloud platforms.
Chris Owen (54:35):
So we've got a really neat capability for instance, is called Use My Account. So you can point to the cloud system and just say, log me on using my account. And that can be your current locked-in authenticated user, or it can be a secondary alternative that we can actually map to you as a user. There are still things that I think need to be done in that area. I'd be really interested if you've got further feedback, please feel free to reach out to us as a follow-up and let us know your thoughts on what we can potentially do to make that life better, or that use case better. But at the moment where we are is identity consolidation, UNIX/Linux in to AD Identity brokering, allowing you to take your ADA or your directory identity with you into the cloud world and into cloud workloads, and then the Use My Account capability.
Brad Shewmake (55:32):
That's a really good example to bring up Chris. I mean, really what this all comes around to at a very macro level is how can we simplify and secure access using both the tools that people are familiar with and just simplifying it, for example, Use My Account. I think that that's kind of the crux of what we're getting into here is, you actually mentioned this exact phrase earlier, Chris, which is, not just about throwing up roadblocks, it's about making security and enabler, right? So that's really what we're looking to do is, enable the productivity and agility and all the things that people want. But then also making sure that security is built-in automated as much as possible. And just make it easier.
Brad Shewmake (56:30):
Thank you again to everybody for joining us today. Thank you to Julia and the IDSA for hosting us and giving this opportunity to share some of our Identity-Centric PAM approaches to cloud and DevOps. And again, just as a reminder, we do have some resources available to you. Thanks a lot.