Centrify SVP Engineering, Jason Mitchell presents "Privileged Access Management Challenges when Moving to the Cloud" at RSA Conference 2021.
Karen Sung (00:10):
Trusted by over 2,000 organizations worldwide and over half of the Fortune 100, Centrify helps strengthen your resilience with market-leading privileged access management solutions to enforce least-privileged access at scale for humans and machines in the cloud and on-prem. My name is Karen Sung and I run Centrify's major events. As the leader in PAM, we know now more than ever that privileged access management is vital to an organization's cyber defense strategy. And we know this because research shows that more than three quarters of all data breaches involve compromised access to privileged accounts. So how can PAM benefit your organization? Well, let us show you. I'd like to now introduce Jason Mitchell, our senior vice president of engineering. He's going to walk us through what secure digital transformation means for you and for your organization. Jason is responsible for the research and product development of our PAM product portfolio, which includes the Vault Suite, Server Suite and Cloud Suite. In this presentation, Jason is going to walk us through some common PAM challenges organizations are facing when moving to the cloud. We work with hundreds of customers on a daily basis, and they are constantly asking us how to solve privileged access management challenges when moving to the cloud. So Jason is going to share some of these common challenges, as well as best practices and strategies you can use as you are developing your PAM practice while shifting to the cloud. All right, Jason, over to you.
Jason Mitchell (02:05):
Thanks, Karen. Happy to be here and happy to be presenting on behalf of Centrify. I'm going to start with a couple of market trends and their implications, then talk about some strategies that many of our customers are using to develop their own PAM solutions. Then we're going to talk about some common challenges customers are seeing as they move to the cloud, and then a summary at the end. So let's look at two trends here. One of them is on the left: Gartner says that by 2025, 80% of organizations will move entirely away from on-premise IT infrastructure. That means moving to co-location, moving to hosted, or moving to cloud. That's a lot of organizations. On the right, Sophos did a survey and found that in the last year, 70% of organizations experienced a cloud security breach. So with so many organizations moving to the cloud and experiencing a security breach, why is that?
Jason Mitchell (03:09):
Well, let's look at that. It's because the attack surface is expanding and there's a new complexity. We used to have just on-prem infrastructure: servers talking to databases, with a good network perimeter, with firewalls sitting around that infrastructure. Now, with mobile and moving to the cloud, we're saving all of that data, and that is representing big data, new methodologies of how you deploy and manage that infrastructure, things like DevOps, and new architectures and new ways of computing, serverless and containers. The access requester is moving from humans to now machines and services, and APIs communicating with each other. The accountability level has gone from shared accounts to now individual identities and machine identities. And the control posture has gone from static to much more dynamic and AI-driven and risk-aware, and the authentication strength has increased, but now we also have ephemeral tokens and MFA everywhere. And then the ecosystem has gone from just servers and databases to now infrastructure as a service and DevOps and containers and serverless and other ways. So it's just more complex and it's expanded, which is making it easy for threat actors to get access to these cloud infrastructures.
Jason Mitchell (04:29):
So now let's take a step back. What does it look like to design a privileged access management solution? Well, the first thing you have to do is define your access policies, and so I'm going to talk about some strategies and ways of thinking about how to do that. But then also, as part of the practice, you have to figure out how to manage the life cycle of those policies. So how do you create one? What's change management? How does it get deployed? How do you elevate privileges? How do you de-elevate privileges, and how do you retire that policy or change that policy later? The third thing is you have to audit everything, because a big part of this is being able to constantly learn and adapt. Your environments are going to be changing all the time. There are new threats, new things to consider.
Jason Mitchell (05:14):
And so auditing all of that access allows you to learn from that, set up proper monitoring, and adapt and grow your practice. So now let's talk about some of those common strategies that our customers have been using. The first is around zero trust. Every security vendor out there at RSA is talking about zero trust, and it's the right thing to be talking about, but when it comes to privileged access, we can talk about zero trust. We used to have the network and the firewalls, and the network gave us that layer, gave us that moat around our infrastructure. That no longer exists, as I talked about. And so now you can't trust anything. You can't trust something that's on a server. You can't trust a specific identity. You can't trust a particular service communicating just because it's on the same VM.
Jason Mitchell (06:01):
So at every layer, every level of your implementation, you have to re-authenticate and authorize every access to every secure piece of information. The second strategy is around just-in-time privilege assignments. Historically we used to have identities that had standing privileges, and they were static. Now what we're seeing organizations do is remove those standing privileges and give them the privileges they need at the time, on demand, when a human or a service is going to use that privilege. The third strategy is around least privilege, and that is getting more granular with their privileged access. So that is which identities, which servers, which resources they have access to, maybe which protocols, maybe what IP address they're coming from, what time of day, how long to have that access, and even down to what commands they can run.
Jason Mitchell (07:00):
So really getting more granular, as much as you can manage, because the more granular you get, the harder it is to manage. It becomes more complex, but finding that right balance can be really helpful in preventing lateral movement. And then the last one is anchoring around the identity. It's too hard if you try to develop your policies that are specific to the servers, and then develop another set of policies specific to services, and then another set that's specific to identities. You really want to pick one place and build your entire policy set from that, and really the best place to do that is from the identity. It's the most constant thing there is. And so starting with the identity: what do they have access to, what resources, what time of day. Building it out that way is the best way to implement it.
Jason Mitchell (07:47):
So now let's talk about some common challenges that our customers have experienced as they're moving to cloud. There are different groups inside of your organization that have different interests; they have their own requirements. So if you think about the infrastructure and the compliance folks, they're worried about: how do I manage all of this IT infrastructure? How do I provision it? How do I implement the privileged access controls that are on top of that, all the while maintaining compliance? So the compliance folks are saying, hey, as we're moving to the cloud and everything is changing, and now we're going to DevOps, how do I ensure that I'm still going to be compliant? Then you've got your security and your identity folks, who are worried about the cybersecurity risk, both external and internal: how do they implement these controls and keep the IT infrastructure protected?
Jason Mitchell (08:38):
Then the other group is your cloud architecture and your application developers: how are they going to write the scripts to deploy this infrastructure, and maintain it and keep it secure as they're moving things into vaults, into secret stores? How do they make sure that all of that is in one place? How do they prevent sprawl, or prevent supporting multiple types or multiple instances of these secret stores? And how do you continue to provide that access for both internal and external administrators? So now let's talk about common challenges as you make that shift. Well, the first category is around additional identity providers. When you move to the cloud, you're most likely not going to support AD on premise again. And so you've probably introduced a second or even more identity providers, and now you've got the challenges associated with authentication.
Jason Mitchell (09:32):
And so the first thing that came out a while ago, and it's pretty common, is single sign-on, and everybody's been doing that. But then you have to worry about authentication brokering between these services and between different trust networks. And so now you have federated authentication. Well, how do you ensure a consistent MFA policy across all those different authentication sources and types, and then the whole shift from human to now machine-based authentication? So that is one category of challenges that our customers are facing. The second is around enabling these new ways of computing and these new architectures with a new methodology like DevOps. And so this is what they do with infrastructure as code. Now, how do you put the secrets and the credentials in there, embed them safely, or allow the scripts to get access to those credentials securely, all while maintaining regulatory compliance?
Jason Mitchell (10:25):
You don't want the application developer knowing the production secrets, and what about the secret zero problem? So for the very first service, we used to put the credentials right in the script, or in the code, or in the configuration file. And now we've moved that out to a vault, but you still need to securely access the vault to get that secret or that credential. That's the secret zero problem. And then the vault sprawl that I was talking about. So if application developers are choosing the vault technology, now you might have multiple vendors providing different vaults, multiple instances; that just gets too complex. You need one place to manage that. And then ephemeral resources, new life cycles of resources. Instead of static, manually configured servers and things, now things are spun up by script, they're immutable, and they go away quickly. And then machines and services and APIs and serverless; it's just more complex.
Jason Mitchell (11:20):
And the PAM solution needs to be able to accommodate these new ways of computing. And then you have hybrid cloud and multi-cloud. Most organizations are not just choosing one cloud provider; they're going with multiple cloud providers. So how are you going to provide a shared access policy that spans those multiple providers, or one cloud provider and on-premise infrastructure? You still need auditing and monitoring, and something simple enough to manage; you can't just choose a one-off solution. So now what does this start to look like? Along the bottom is what our traditional infrastructure used to look like. So you've got some servers, maybe you've got an Active Directory, all protected by a network. And now you've moved to the cloud, and maybe more than one cloud provider, and you've got resources up there. You've got maybe the introduction of a vault or a secret store.
Jason Mitchell (12:07):
And then you've got VPN and a jump host to give admins access into the servers. And so now what have you created? What you've created is maybe a separate system of vaulting of local admin accounts. There are no enterprise directories for federated authentication across all of them. You've now got local service accounts with static credentials that aren't being rotated and managed, and separate secrets management in each one of your cloud providers. You can't have consistent MFA with this implementation, and you possibly require a VPN to get access. So, a little bit of a challenge for admins. So this is what our solution looks like, but it doesn't have to be our solution. Any PAM solution can help here. And this is where you've centralized those vaults, those secret stores, into a centralized location so that it makes it easier to manage and audit and monitor.
Jason Mitchell (13:00):
And so now in this solution, you can see that there is centralized vaulting of those local admin accounts, so they're no longer there inside of those virtual private networks. You've now got authentication brokering across your enterprise directory set of logins. And you've got service account management with proper authentication services that would allow for MFA, and you've centralized your secret stores, and you've removed the need for VPN to get access into these resources. So you've simplified a lot of things for your administrators and for everyone who's implementing and using the privileged access management solution. So in summary here, the key is simplicity. When you make things too complex, it becomes too hard, and really that's what threat actors are looking for. They're looking for the cracks in the system, and the cracks in the system get exposed when it's too complex to manage.
Jason Mitchell (13:54):
The second one there is really, with simplicity, you really want to centralize. You really want a single place for administering this access, creating these policies, and supporting all the various cloud providers and the various ways that your infrastructure is being used. And then the last thing is, PAM is not a state of being. It's not "implement this one tool and you're done." It's really a practice. So really think about how you are going to continue to learn and evolve over time. That's a big part of any PAM solution. Karen, back to you.
Karen Sung (14:27):
All right. Thank you, Jason, for this very informative session. Many of our customers have platform and tooling questions, so I'd like to ask you a few questions as a follow-up to your presentation that I think our audience will be interested in. So, Jason, my first question to you is: most cloud providers offer native tools. AWS, for instance, offers both Secrets Manager and Systems Manager. Why would I need a PAM-specific solution when I can use the native tools that are provided by my current cloud provider?
Jason Mitchell (15:05):
Yeah, we get this question all the time. It's a good question. Well, my first thought is, if you're going with multiple clouds: if you choose the out-of-the-box native capabilities in any cloud provider, they all have a secret store or vault store and access control policies, but once you go with just that native provider, how do you manage it if you choose a second cloud provider, or if you also have on-premise? How are you going to have one solution that manages the access policies across both environments? That's one. The second is, while there probably are some basic use cases that can be solved with the native out-of-the-box tools, just look at your full set of needs and requirements and make sure that you have a comprehensive solution in place, enough to manage the auditing, the recording of sessions, the real-time monitoring, and the behavior analytics around those sessions, and make sure that the solution that you pick can accommodate all of your needs, given all of your different stakeholders and their interests as well.
Karen Sung (16:08):
Interesting. I know that a lot of enterprises certainly have complex requirements. So the second question I have is: do I really need a PAM solution if I'm using primarily ephemeral resources?
Jason Mitchell (16:23):
Yeah, that's a good question. It's a common misconception. Ephemeral resources just mean the lifecycle of the resources is different. At the end of the day, you still have services communicating with other services, going and getting access to sensitive information, regardless of how that service was spun up, how long it exists, or how it gets retired; that's independent. You still have to manage the privileged access and make sure that those services can communicate securely.
Karen Sung (16:55):
Thanks for that clarification. Okay, so we do have one last question for you. If I'm using an identity provider like Okta or Ping, do I still need a PAM solution to securely protect my infrastructure and services?
Jason Mitchell (17:11):
Again, this is back to looking at the requirements. While these identity providers do claim that they have some privileged access control, it's very easy to add just a little bit. Make sure you consider the full range of needs and use cases to maintain your regulatory compliance, that provides the right auditing and traceability that you need. Make sure you just consider the full set. There's a reason why over half of Fortune 100 companies have chosen Centrify. We're familiar with enterprise use cases and can meet all of those needs, and over half of the Fortune 100 customers have chosen us to provide that privileged access management for them.
Karen Sung (17:47):
Thanks, Jason, that makes sense. I guess if over half of the Fortune 100 customers trust our PAM solution, then we must be doing something right. Well, that's going to conclude our session for today. Thanks, everyone, and thank you so much for your time. If you're interested in learning more about our products and solutions, please do reach out to us at www.centrify.com. Bye everyone, and have a great conference.