¶ Introduction and Hosts' Banter
This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad. Yourself? Doing great.
¶ Balancing Work and Podcasting
And we're sitting here in the middle of the summer, and we had a meeting earlier today to talk about conferences and all the conferences that are coming up. And I'm like, how are we going to get any actual work done if we go to all these conferences? Well, that's the thing, right? I think I'm always surprised at how good of a job you and I have done of separating our work life from this podcast. People don't know we actually have real jobs. We are identity consultants during the day.
We work for a large company named RSM, and that's what we do, right? The podcast is like the separate thing, and yeah, there is work that needs to get done, plus the podcast, which is the separate thing, plus conference attendance and stuff like that. So we are very busy boys, basically, throughout the year. Yeah.
I mean, you know, we're very busy, and I think it's good that you pointed that out, because I don't think many people realize that; maybe they think we do the podcast full time. That would be great. But that probably won't happen until we retire from our day jobs.
But I think the podcast is getting to the point of almost being like a second job, like moonlighting, because most of the time we're recording sessions after the US business day, unless we are lucky enough to get a guest like we have today who is based across the pond in Europe or elsewhere in the world. And we have to find some kind of realistic time that works for both parties. Yeah, exactly. And we're going to get to Mihiel
in a second. I want to talk about those conferences, though, so we can take care of business before we get started with our main topic on privileged access. But you mentioned conferences. We've got a bunch coming up.
¶ Upcoming Conferences and Discount Codes
We've got Identity Week. Identity Week America, September 11th and 12th, you and I are going to be there. We've got Asia, which is October 22nd and 23rd. I'm not planning on being there. I don't know if you are, probably not either. Unfortunately not this year. Yeah, I'd love to go. I've never been.
So I'm always happy to go pretty much anywhere at least once. But we've got a discount code, IDAC30, that gets you 30% off of your registration for both the Washington, DC America conference as well as the Singapore conference in Asia. So you can use that code interchangeably for either of those, or both, if you end up going to both. So that's the one conference that we'll be at.
And then we just finally got our discount code, thanks to our friends over at FIDO. So shout out to Adrian. The Authenticate conference, that's October 14th through 16th, is in Carlsbad, CA. Super cool location, as it was last year. Definitely recommended. Any time you can go to a conference that has a good vibe and location, that just puts it over the top. It's like a work vacation then. It is kind of, but it's a great spot, kind of a resort golf
course type of thing. There's plenty of things to do. IDAC15 gets you 15% off your registration for that one as well. I'll have all those codes and stuff in our show notes so people can check that out, and we'll have them on our website; I already put them on our home page. So if you just go to idacpodcast.com and scroll down just a little bit, depending on your monitor resolution, you should see the codes there and stuff like that. So hopefully we'll see people
there. What else have we got? Gartner's coming up this year. I think you and I are trying to figure out if we're going to make it out for that one. Identiverse has their regional events coming up in November. So there's one in Chicago, there's one in New York City; looking at one or both of those as well to be at. But yeah, busy boys. So that's the conference stuff. Yeah.
Well, and if you're out there listening, you're like, mention my conference, reach out to us, Jim at idacpodcast or Jeff at idacpodcast or both, but give us a discount code so we can share it with our listeners. You know, everybody's looking to save some money these days, and all days people want to save some money. But yeah, we are the home for getting this information out there and helping people save
money on attending conferences. Again, even from my own standpoint, I can't go to all the conferences I want to. Day job. Yeah.
¶ Introducing the Guest: Mihiel Stoop
Well, why don't we talk about privileged access management? And to that end, very excited that we have Mihiel Stoop. He's the Director of Identity Management at Philips, joining us all the way from the Netherlands. Welcome to the show. Thanks, Jim and Jeff, for the introduction, and I'm looking forward to being a guest on your Identity at the Center podcast. Well, thanks for joining us. I want to take care of some
downer business right up front. I know that you were cheering for the Netherlands against England in the Euro 24 match that took place recently. You and I had a little bit of a bet going. Well, at least that kind of sounds like Jim usually starts off with something negative. And so that was like our inside joke. And so I was like, all right, well, you know, just listen, see if it happens. I don't think today was super negative. I think it was great.
So kudos to Jim for keeping on the positive note, but I'm the one who's going to drop it down a little bit. Unfortunately, the Netherlands lost in the last minute to England. How are you feeling? Yeah, it's a sad loss, of course, but as Gary Lineker from England always said, the game is 90 minutes and at the end the Germans always win. But this time it's already two matches in a row.
It's like exactly for England. So they won the game in the last minutes. So except for the Netherlands, but luckily for England. And in either case, identity and access management goes on. I mentioned when I introduced you that you're a Director of Identity Management for Philips. Tell us a little bit about your journey into this field of digital identity or identity and access management, or maybe both. How did you get into the space?
Is it something that you chose, or did it choose you? No. So my journey in identity and access management started after I graduated with my Master of Information Management at the university. So I just posted my resume on the Internet, hoping some recruiters would reach out to me, and then one of the companies that reached out to me was a consultancy firm in the identity and access management space. And yeah, I really liked the
conversation. So I joined it, and from there onwards, I'm only in identity and access management. But looking back, I think I already had some background in identity and access management because I started as a system administrator, network administrator when I was a student. So they also needed to do account management and ensure that the people had the right access at the right time. And so now you're with Philips.
¶ Philips' Focus on Health Technology
Tell us, I feel like I know maybe part of what Philips does, kind of everywhere, but what is it that Philips does, for people who aren't aware of that? Yeah, Philips is a company that was founded more than 130 years ago, and since then, of course, we are improving people's lives with a steady flow of groundbreaking innovations. But as technologies come and go, the same applies for a company. So in the last decade Philips transformed as a company into a
health technology company. So we are only health technology focused, with a lot of brand-licensed companies. So the light bulbs are not from Philips anymore; that's a different company. And the same is for the kitchen appliances and the televisions. So nowadays we are really focusing only on health technology. And at the center of the Philips health journey is, of course, that we want to ensure that people are living healthy. So we want to prevent that you get diseases.
So we have products there, but in case you need to go to the hospital, for example, then we supply products for the health professionals. So they can also do some diagnosis and help you with treatment, not a treat, because that's something else. And of course, if you need to recover, we also have products there, so we can monitor you from home. So I'm always curious about the day-to-day jobs that people have when it comes to
identity. You know, Jim and I mentioned we do consulting during the day, right? We talk identity all day. Tell me about your day-to-day. What's it like to be a Director of Identity Management? Help people understand what that means. Yeah. So I need to ensure in Philips that we define our strategy,
vision and the roadmap. And also ensure that we get the buy-in from the management and get funding, of course, to get the things implemented to improve our security. And then I'm leading a team of product owners and subject matter experts who are doing the actual implementation.
¶ Understanding Privileged Access Management
So Mihiel, I'd like to transition to our topic for the day, privileged access management. I'm going to start real simple, like how do you define it? Which is a simple question, but maybe a complex answer, because when you think about privilege, obviously I think we all think domain administrators are privileged, right? But if somebody can make a journal entry, or there are power users, is that privileged? I want to know how you define, or how Philips defines...
Maybe less about Philips, but in your mind, how do you define privileged access management? Yeah, yeah. For me, privileged access management is an umbrella term which consists of multiple, let's say, capabilities to manage the elevated, non-restricted access of accounts in the application layer or the platform or infrastructure layer. Yeah. And so, one of the areas where I always start my thinking when it comes to privileged access management
is your policy framework. So having good policies around what is privileged. So what types of access do all these rules that we're going to lay out apply to? And then what are the rules? But then it goes beyond that, right? If you get the foundation of the policies right... You talked about this, right? So the way we got introduced was you were doing a presentation on privileged access management.
You have a kind of story, and one of the parts that you talk about is the framework for how you look at initial maturity up to more mature in terms of privileged access management. So given that, can you talk about that framework a little bit? Yep. So it's really important, of course, that you also first understand the risk in your organization. So you need to have a risk
register. There you will define all the observations which you have in the organization. The observations you will link to the risk. Then you will define your mitigation actions, of course, and your roadmap items. And the second thing is, indeed, what is really important to show maturity: you need to define a maturity model in your organization to understand where you are today and where you want to be in the future. So what do you want to achieve now?
What does that then look like? Do you want to zoom into that, Jim? Yeah, let's zoom in. Let's get right into this. The Identity at the Center podcast, man, we're all about this. Perfect. So yeah, if you're looking at the maturity, everybody knows maybe what maturity is, but we define our maturity model from level one to level five. And that's based on, let's say, the analyst companies.
Yeah, the analyst companies like Gartner, KuppingerCole or Forrester, they also provide a framework which you can use, and vendors as well provide a framework. Yeah, that's nice guidance. But within Philips, we defined our own maturity model that's applicable across multiple domains, not only for the identity and access management domain, because my peers, for example, are responsible for threat management or data protection. So we have a standard model defined across these domains.
Now, if you're looking into what it looks like to have capabilities, what I explained on the left side, then you have your functions defined, and the functions really go from level 1, 2, 3, 4, 5; think about session recording, vaulting or whatever. And these capabilities will link to controls, and for controls you need to think about the standards which exist around the globe, like the CIS controls, the NIST controls or ISO.
And these controls we have defined in our security management framework. And then we link these controls to the threats, and that's defined in the MITRE ATT&CK framework. So then you really understand the risks which you have in your organization; you link them to the controls and the capabilities. And then with the matrix, you can define, OK, where are we today? And it gives you a very clear overview of where you are in your organization and what you need
to do in the next coming year. So first, I want to acknowledge what you just said there around framework thinking.
And I think this is something as a consultant I learned very early on, but for the practitioner community, which I consider myself part of, being able to talk in terms of industry frameworks makes you sound well prepared, not just sound well prepared, but be well prepared, and tapping into some of these industry-defined frameworks like you mentioned, like NIST and ISO and ITIL, and being able to say, OK, this is what the industry's doing.
But then being able to make it make sense for your organization, I think, is a very proper way to communicate what the expectations are to your organization. Because let's face it, when we're talking about privileged access management, you're not just defining the policies and rolling out the tools and then implementing the controls and then doing the work, right? You're setting up tools for other people to use to
securely manage access. And so being able to come up with a proper program and then communicate that in terms of a framework, I think, is very key. But you also brought something else up. And so I'm going to shift the conversation to that, which is the importance of privileged access management relative to securing the organization's IT assets, right? And so I think a big part of what privileged access
management is... So I think privileged access management we think of as the lane of controlling the accounts and controlling the entitlements, maybe check-in and check-out. But it's more than that, right? It also taps into areas like all manual controls. It taps into areas like governance, but it also taps into some areas like, OK, how do you shrink your scope, shrink your attack surface as much as possible so you have the least amount of surface area that you need to protect.
And so my question to you is, what is your approach when it comes to minimizing that attack surface, or that blast radius, as it's sometimes called? Yep. So I always use an example. I also explained it one time to Jeff. So the example of the salt. We were attending a conference and were sitting at the table and had a conversation.
And of course, if you have your food served at the table, maybe you want it a little bit more salty or whatever, so you take the salt. And then you want to put the salt, of course, on your potatoes or whatever. But the first thing I always do is check if the salt is closed, because you really want to prevent that there is a blast radius of an attack of salt, of course, on your food.
And yeah, that's also, of course, the case with privileged access management. You cannot prevent that your data gets stolen, but you at least can minimize the risk. And that is that limited data gets stolen, because those so-called bad guys, maybe they're already in your environment, but at least if they steal certain credentials or whatever, you want to minimize that attack. And therefore, again, it's really important that you have your maturity model also defined properly, and your capabilities
which you want to have. So you also need to be clear what your requirements are in your organization. And I think also important is how you sell this to your organization, of course. I can't think of anything worse than being assaulted. Oh, terrible pun, I know. I was thinking of the analogy, and Mihiel, you and I were talking about this the other day, of kind
of like a submarine, right? You have these little doors throughout, and if one part gets flooded, you close the door and prevent the rest of the boat going down. Your example is way more positive than mine, so we'll stick with yours. You mentioned briefly getting support for privileged access management. Now that we understand, right, we have a definition of what it is and why it's
important, the next step in my mind is how do you get support to actually do something about it? It's like, OK, at some point we have to stop talking and start doing something to better secure, lower risk, maybe make people's lives easier, I'm not sure. But how do you work through that process of selling the PAM program, or the PAM project or initiative, whatever you want to call it, to your organization to say, OK, yes, we've got buy-in now.
Here's the funding or the resources to go get it. Yeah, yeah. I think that's the hardest thing, of course, because it's not really visible for everyone; it's only limited. So it's really only the IT department, from a lot of people's point of view, I think. But it's not only limited to your own IT; maybe it's also manufacturing, your OT, or your R&D. But yeah, that's the hardest point, of course, in privileged access management.
How do you sell it? Because it is not really fancy or whatever. Maybe you need to see it like your electricity or water: it's working. So why should I invest in something which is working? Because their services are running fine. Why should I do it? And I think from my perspective, from my own platform or application or infrastructure perspective, I have the feeling that I'm really well controlled because there has been an audit done, and according to this
audit, it's fine. So you never should treat this individually per application. You need to look at the bigger picture. And I think it's important, if you look at the bigger picture, that you sit together with your compliance and audit department and that you have clearly defined, OK, what do we want to measure? What do we want to have as a result of looking
into these audit reports? Because there are a lot of findings in them. And then also explain that to your management; make that visible. So just as an example, look into how much of the software you are using is using the default accounts which are provided by the vendor. So the audit reports will give you this data. Or how do you deal with access reviews, even for privileged access? Do you review these access rights?
Who has access to it? When was it revoked for the last time, or elevated access revoked, or whatever. So you need to look at all these kinds of things and get that data; that will help you. And then it's going back to your risk register again, because that helps you with your observations, for which you have to provide the evidence.
And if you have this, then yeah, you can show to your management what the risks are in your organization or why they should invest in it. Do you find that your message changes context based on who you're talking to? I would assume you'd have to talk one language maybe to a more technical crowd versus less technical language to a different crowd. How do you manage that context switching to make sure that your message is being communicated effectively to whoever your target is?
And maybe there are examples, like if you're talking to, let's call it, a CIO or a CEO versus maybe a manager in another area, or maybe even someone from the business. How do you approach those conversations to get that buy-in and get that support? Yeah, that's a very quick
question, Jeff. So yeah, first of all, first get the buy-in from your own management, because try to sell the story to your own management which you have, because I think if you convince them, then they will also guide you how you can convince other people. And then you can sell it as well. For example, your CEO or CIO or the Avenue organization can also sell it to the CIO where it's needed, or they can help you to tell your story to the CEO and
get the challenge. Of course, that's different than if you're talking to a service manager, because a service manager is always looking from their perspective. So they always will ask questions like, what's in it for me? So why should I do that? I'm fine. So yeah, maybe my colleague is not fine, but I'm fine. So there you need to use a different approach, of course, and explain what the benefits are.
¶ Discussing Privileged Access Management
So, Mihiel, I wanted to talk a little bit about running a privileged access management program within your organization. And I want to start at the very top in terms of the approach to governing the program. And my question is, do you see privileged access management as being its own program or part of the identity program? And I'm talking about in terms of philosophically speaking, but also in terms of actually, like, do you have separate steering
committees for the two? Because I do see them as, to a large extent, being a different audience. What are your thoughts?
¶ Stakeholder Management in IAM
Yeah, yeah. First of all, it's always related, of course, to your company strategy. So you have a company strategy and you have a security strategy, and then you have your IAM strategy. But indeed, what you just mentioned: you have, let's say, identity and access management as an umbrella term. So you have separate domains, and one is then privileged access management. So you have different stakeholders there. So you need to do stakeholder management. So you need to identify who your stakeholders are.
Then also per stakeholder, you need to define, OK, should I keep them informed, should I manage them closely, etcetera. So that's what you'll need to do with your stakeholder management. Yeah.
¶ Operational Models for PAM
Now, OK, so let's take it down a level. So what you're talking about is organization dependent; maybe that's the answer for all of these. But I'd also like to get a hot take on some of this. So in terms of operations, building out privileged access management capabilities, running them on a day-to-day basis. So let's take an example of a password vault. So you're deploying a password vault. Who does that deployment? Is that the identity team? Is that the system engineers who are going to use the identity vault? And then in terms of operations, who owns and runs that thing after it's deployed?
You know, you get that 3:00 in the morning call: somebody's working on a server and the password vault is down. Do they call the identity team, or do they call the vendor and fix it within their group? Or how does that work best? I think there are three models, and it depends on your company. So you have maybe a central model, a federated model, I call it, or
decentralized. If your organization is using a central model, then you are defining the strategy, you're doing the implementation, you're defining policies, you have everything in control centrally. You can also use a federated model, and in the federated model there you define your policies, the processes, you do the actual deployment, but the responsibility is then in the business, because the business needs to make sure that they comply to your policies and
everything. So they need to support you with doing the actual implementation. And decentrally, then everybody has their own responsibility. And we are using a federated model in the organization. So we drive everything centrally, but the business is, in the end, of course, responsible and accountable for that. Do you have a rule of thumb in terms of, if you have the central model or the decentral model, how many people you need on your digital identity team to
support those models? If you're looking into the number of FTEs in Philips, we have a lot outsourced, let's say it like that. So we have like one SME product owner who is responsible for that, and then we outsource everything to a managed service provider or an implementation partner. Yeah, it depends on how big you are as a company and what you want to achieve, of course, with your deployment, and how many servers you have in your organization and so on. So
there are a lot of dependencies. So the size of that varies. And then you have, of course, an operations team who manages the platform. We also outsource that in the company. So it could be in-house, outsourced or whatever. So we have it outsourced in our organization. So if you're looking into the number of people who are currently involved in that entire privileged access management area, then I think we have around 15 people. OK. Well, that's pretty...
I think those rules of thumb are just helpful for the listeners in terms of when they think of standing up a program like this.
¶ Adapting PAM Strategies for Cloud
I think the other interesting aspect is that everybody's coming into this at a different point. I think a lot of what we talked about is probably easy to picture from an on-prem, we-run-the-data-center kind of model, and that's how privileged access management was designed from the beginning. Then you had this thing called cloud spin up, right?
And I don't know if it's going to be around, I don't know if it's going to make it, but this cloud concept seems to have created a lot of privileged access management use cases, scenarios that put things on their head. And not only that, I think developers tended to be the ones to lead the charge; developers, not the security department, led the charge to stand up clouds.
And then the security department had to come along and figure out how to secure it. And so I'm wondering, do you share that perspective, and have you any techniques to share with our listeners in terms of how to take an environment that's spun up that maybe doesn't have all the controls that you would want, or maybe a nuanced set of products that differs from the approach that you
had to date? So just using the example from us: we started with the program in 2018, and now it's already 2024. So back then we had physical data centers, for example. So we wanted to implement a password vault to manage the credentials in the physical data centre on the platform layers. But in the meantime, the world was, of course, changing because cloud came, which you also mentioned. So you need to adapt your strategy as well and change it.
So it's not just like, hey, I define it like this now; because the world is constantly changing, you also need to look again at your risks. So yes, you set your North Star or whatever on the horizon, but there's never a straight line. So it will always go like this. So you need to adapt to that as well. So it's like, OK, maybe some other risks are now more important than the ones we thought of. So yeah, then adapt your strategy.
And explain that story to your management: why you need to make these changes, why there is a higher risk, why we should invest there. Because now you also see there's a capability for cloud infrastructure entitlement management. We were not aware of that, of course, a couple of years ago.
But that's something which is now important, because if those hackers, or the bad guys, get access to these environments, yeah, then they get access to a lot of information, of course, or maybe they can shut down your business even, if they get the wrong credentials. So yeah, you need to adapt your strategy. Wow. And it's a challenge, because, as you also mentioned at the introduction, there are so many credentials.
So think about SSH keys, your API credentials, your domain admin accounts; there are so many. So where will you start? So yeah, you need to really define where the risks are, and accept also that there are other risks and you cannot do everything in one go.
So I feel like this is... go ahead. I feel like this is an area where policy and process only take you so far, and it's one of the areas where you really need technology to have this be effectively controlled and managed and so forth. Would you agree with that statement, that this is really something where you do need technology, whereas maybe with something like identity governance you could always sort of brute force the provisioning or deprovisioning of things?
But if you really want to effectively manage SSH keys, certificates, APIs, you need to have some technology there to effectively do that. Yeah, I fully agree with you. So it's nice to have your soft controls defined in your framework. But yeah, a soft control is never a hard control, so you cannot really enforce it. So you really need to have technology in place to enforce these controls.
¶ Selecting the Right PAM Technology
So let's talk a little bit about that technology, because I think this is an area where there's a lot of good choices that are out there. You know, it's kind of like the pro and the con, right? The great news is there's a solution out there that will probably fit your needs, and there's lots of solutions that you can be
successful with. The trick is always finding the right solution that's the right fit for your use cases, you know, your company, those sorts of things. What's a methodology or a framework that people can use to think about this, to say, OK, how do I go about this? Do I try to find, you know, one privileged access management product that kind of does it all? You mentioned cloud infrastructure entitlement management. That's kind of a growing space that has its own dedicated tool
set. And sometimes it's a dedicated tool and sometimes it's part of another tool. Walk me through how you select, you know, the right product or the right mix of products to better secure your organization. Yeah. So, yeah. And also the market is changing a little, of course, Jeff. So there you see a lot of vendors are now investing in other companies and buying them, so there's a little merging
of companies, let's say. So the privileged access management market is really changing there as well. So I think it's important that you go back to your maturity model, where you define your capabilities and your functionalities, because that already gives you a good understanding of the requirements which you have. Sometimes you need to detail the requirements out a little bit more, because the maturity model is at too high a level.
So you need to define your use cases and then use these use case requirements which you defined. Go, for example, to Gartner and also to KuppingerCole or Forrester, and then do a mapping of your requirements against what the product vendors offer to define your shortlist, for example, and to get an understanding, but also have conversations with the analysts to check, like, OK, did we properly define our requirements? What did we overlook, or what do
you see changing in the market? So I think that's really important to do. Also listen to your peers, so in other companies, what are they doing; learn from them to ensure that you make the right product selection for your company, or multiple products maybe, I mean. This is definitely an area where you can talk with other people, right? You're probably not the first person to do it. So, you know, why not get that
knowledge? You know, maybe it's, yeah, at a conference, or maybe it's a local network or things like that, for sure. Oh, go ahead, Jim. No, I'd like to throw in there, I think that's the two-sided coin, right? I think we should tap into our peer network to learn, but you also have to be willing to be on the other side, be tapped into by your peer network, and educate. You've got to be willing to share.
Like that's one of the things that Jeff and I really wanted to do with the podcast, was make this a community of sharing information. So you can't only take, you've got to give as well. That's the only point that I wanted to make. Yeah, I fully agree. And that's the reason I loved your introduction about the upcoming conferences, because that's where you need to share your knowledge and experience and learn from each other, because, as Jeff also mentioned, you're not alone.
So other people have faced these challenges as well. So please reach out to your peers and share your knowledge as well, because we can also learn from it. For a lot of people these things are new, so the best way is to team up with each other, and in the end we all have the same goal: to improve the security of our organizations. Yeah. For most of us, security is not the secret sauce to the success of the organization; that's other things. I get it, right? There's security vendors and
things like that. Of course it is for them. But for the most part, we're kind of all in it together as a community from a digital identity perspective.
¶ Future of Privileged Access Management
I want to kind of close out the conversation by having you put on your future-looking baseball hat to say, what is an upcoming feature or capability or something in this privileged access management space that you get really interested in? Like, oh, that could be something that could really kind of change the game. Is there anything like that that
you've seen? Yeah, I hope that the Signal framework will help, because the big challenge currently in the privileged access management area is that everybody is saying we need to have zero trust and zero standing privileges. But you're still depending on technology from the application, platform and infrastructure layer,
but also on what the vendors offer. So now you need to find the right balance between these privileges and zero standing privileges, and I think the Signal framework can also help you with that. So I'm putting my hope there that it will solve a lot of privileged access management challenges. Yeah, and that's totally
unprompted. That reminds me of the panel that I did at Identiverse with my friends Tool and Sean talking about that shared signals framework and being able to adapt and use, right, the same kind of parlance to be able to have security events going through there for whatever it may be, right? Whether it's continuous authentication or evaluation or whatever it may be.
Or even just having a pipeline that we can all agree on, like here's the language we're speaking, and have those data signals, you know, work through and take advantage of the data that we're already collecting. Jim, you got thoughts on this? Yeah. I mean, I think that the Signal framework is a great proactive, preventative control. I'm also just thinking on the detective side that you need to
be monitoring your environment. You need to look for unusual activity at the identity layer to say, OK, well, this person is in our environment and switching identities, and that's abnormal behavior. And then taking a proactive step to maybe disable those accounts. You know, in other words, stop the
threat in its tracks. And today we call it ITDR; I don't know what we'll call it five years from now, when maybe everybody's just doing it. But I think that's probably, in my mind, potentially the most important thing about privileged access management: being able to detect when the wrong actor is using PAM. I think recording it, I think, you know, sharing or storing credentials, I think the Signal framework, all those things have huge benefit.
But I think that they're, you know, I'm not going to call them point solutions, but they solve a problem at a certain point, whereas monitoring should be an umbrella that looks at everything. That's not completely true either; it has to integrate points, but that could be the fallback, and you have to do monitoring anyway. So that's my input. I think that's a good spot where we can probably close up the conversation. I do want to end on a lighter note, as usual.
¶ Exploring the Netherlands
Mikhail, I've never been to the Netherlands. What is something that I should do my first time there? Like any activities, food, locations, like what should I do as a first-timer? And then I'm going to compare that against Jim, 'cause I think you've been to the Netherlands before, and see if we're on the same page. OK, yeah, I'm from the south of the Netherlands. So I would recommend going, for example, to a city that's called 's-Hertogenbosch. It's a medieval city which is
really, really nice. And then, about food, there is the Bossche bol. That's like whipped cream inside with chocolate on top of it. It's really like a bomb, but if you eat it, it's really nice. So I really recommend going there to eat and also visiting the city, because it is a beautiful city. Yeah. OK, you had me at whipped cream and chocolate for sure. Jim, what is something that you'd recommend that I do, having been there? So I'd been there, and I was there for work.
So fortunately I got to go and have all my bills paid for on the weekend. I wound up staying in a town by the North Sea. So it was a beach area. I mean, it was fantastic. And I will say that there was a vendor outside of the beach and they were selling, I think it was sandwiches with, like, raw fish or maybe fish that was, like, pickled. I didn't try that. All right, so that's not my food recommendation, but the North Sea I
definitely recommend. I was staying in a city called Leiden during the week, and my food recommendation is not really a surprise anymore. So I had never heard of stroopwafels prior to going to Holland. And basically they're like a cookie, like a waffle-looking cookie, and there's caramel in between, and you put it on top of your coffee and it gets heated up, and oh, it was like a gooey, wonderful thing. Now McDonald's started mixing them in with their McFlurries.
So now there's no surprise for anybody, but wow, fantastic. And you get them on United Airlines too. Like that used to be one of the things they do in the morning. Are stroopwafels a thing? Or is that something that we've taken to America and turned into something that isn't really your thing? I don't know. Mahil, are stroopwafels something there? It's typical from the Netherlands, indeed. Yeah. So Jim is right.
And I think it's indeed one of the nice things in the Netherlands which you need to try. But yeah, you already had it from the United States and you had it during your flights, so. Yeah. I can't imagine the United Airlines version of a stroopwafel is like the crème de la crème, the tip top. Like if I'm going to have a stroopwafel, where should I go for a stroopwafel? Yeah, buy them fresh at the
market. So if you're visiting a market or whatever, you can always buy a stroopwafel there, and then they're really nice. OK, all right. Sold. I think I need to make a fact-finding mission to go get some stroopwafels. Thanks for setting me up for that one, Jim, because I'm a big fan of stroopwafels. I'd never heard of them until, you know, a few years back when United started giving them out, like, what is this delicious treat? Very good. I got hooked on them.
¶ Wrapping Up and Contact Information
OK, let's go ahead and wrap it up for this week. Neil, thank you so much for being part of this conversation. We'll have a link in our show notes to your LinkedIn, if you're comfortable with sharing that, so that people can reach out with questions or concerns or stroopwafel locations that people should be checking out. You know, we'll have the links for Jim and I as well on LinkedIn.
We always love to hear from folks who have ideas for shows or questions or comments or concerns or, heck, if you want to hire us, if you want any consulting, that too. We're on the web, idacpodcast.com. We're on X, Twitter, or whatever it's called by the time this gets to your ears or face, at idacpodcast. I did set up our DNS entry, so now we have idacpodcast.tv. It'll take you right to our YouTube channel.
We are trying to grow this, so please don't hesitate to like, subscribe, all that fun, you know, YouTube stuff to help us grow this channel and get the community built out even further. And let's see, what else? Mastodon at idacpodcast at infosec.exchange. And yeah, I think that's it. So with that, we'll go ahead and leave it for this week. Thanks everyone for watching and/or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center.
We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
