
#72- Talking about PAM with Paul Lanzi

Nov 30, 2020 · 42 min · Ep. 72

Episode description

Jim and Jeff talk with Paul Lanzi, Co-Founder and COO at Remediant, about privileged access management maturity and capabilities that impact the overall security and risk management for an organization.


Paul Lanzi: https://www.linkedin.com/in/planzi/

Remediant: https://www.remediant.com

Lockheed Success Story: https://www.remediant.com/solutions/success-story

CSNP: https://www.csnp.org/

IDSA: https://www.idsalliance.org/


Connect with Jim and Jeff on LinkedIn here:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show at www.IdentityAtTheCenter.com and follow @IDACPodcast on Twitter.

Transcript

This is the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how's it going? I'm good, yourself? Good. I got an observation, my observation for the week.

So I was driving with my son, my younger son, last night, and I was giving him the rundown of where we had to be and when we needed to leave the gym, by quarter after, quarter after... what's that? You know, like 7:15. When I grow up, I'm just going to say 7:15. I'm not going to say quarter after. Why not? He's like, well, why do you have to make it so confusing? I thought, okay, that's through the eyes of babes, right?

I mean, it gives you that fresh perspective you don't think of very often. I empathize with him because I'm the same way. I am not a 10:15 type of person. Originally, I was always very specific because, you know, I'm the nerd in middle school, high school with the digital watch. And, you know, what time is it? It is 7:23, right? It's not "about half till," you know. I don't deal in vagaries of time. I like to know when things are taking place.

So I can empathize and I certainly understand. Yeah, well, he followed up with, why do you even do that? Why do you say that? I was like, I don't know, that's what everybody does. So he made me think about it. I've been thinking about it several times today. I'm sure we could have a very philosophical discussion on time and the, you know, human construct that it is and all that good stuff.

But we should probably talk about identity and access management, which is easy for me to say. Yeah, if we don't do that, I think people are going to turn this off pretty soon, so we should get to that. Well, let's talk about privileged access management, and to help us with that conversation we've got a guest. His name is Paul Lanzi. He's the co-founder and COO at Remediant.

He's also a member of the identity technical working group at ATARC, chair of the IDSA Beyond Best Practices technical working group, a board advisor to the cybersecurity nonprofit, a member of the Order of the Arrow, and a whole bunch more, I'm sure, that is behind the scenes. Welcome to the show, Paul. Thank you so much, Jeff. And by the way, that introduction makes me sound far more important than I actually am.

So thank you for that. Well, I don't know how you find all the time to do all that, you know, in addition to what I assume is your day job working over at Remediant and, you know, operating, you know, that organization. A lot of coffee, is it? Turns out, and sleep is optional. So those two things make it work.

So there were a lot of things we mentioned there, but typically, when we're going to have a conversation, we like to start kind of at the beginning, and, you know, you've been in the IAM space for a while. Maybe you can kind of give us a synopsis of how did you get into identity and access management? Is it something that chose you, or did you choose it? Yeah, well, it really starts back in 1994, and I'm actually going to date myself pretty severely here.

But back in 1994, I helped co-found the first internet service provider in the rural county where I grew up, Humboldt County, in the farther northern reaches of California, and one of my first jobs was the guy who had to go create and update and delete accounts. So my very first job was in managing the identities of our customers. So my technology career started off with account management. Fast forward about, give or take, 20

years. I was at Genentech and I was working as an IT project manager there, and one day my manager called me into her office and said, hey, I think we've got this new project. I think you'd be a perfect fit for it. It's a great thing.

Tell me about this project. Well, it turns out that Genentech's ex-CEO is also a member of Google's board of directors, and when Google launched what is now called Google Suite, or Google Apps for Domains, or it's had various names over the years, but basically the concept of having

Gmail and GCal, but for enterprises, our CEO at Genentech decided that we were going to be one of the first companies to adopt it. And so the specific project I got assigned was trying to figure out how to hook up Waveset, if you guys remember Waveset from the way-back days, how to hook up Waveset to Google's, at that time, very nascent APIs for account creation, deletion, update. And we had a very limited time to get that done. And it's, to my knowledge,

the first time that, at that time it was actually called Sun One, Sun Identity Manager, but trying to get Sun Identity Manager hooked up to Google Suite and all the challenges that presented, and that was really what launched me into the IAM world. So that's quite the history, especially when you start talking about Waveset. You know, I think of the, you know, Obi-Wan: that's a name I haven't heard in a long time.

Well, I worry that I just triggered a bunch of PTSD in a bunch of your listeners. So I apologize right off the bat for any mental trauma I just caused by mentioning that word. It's too late now. I guess it's easier to ask for forgiveness than permission. Before you get into it, what about some of these other organizations that you work with, like IDSA and ATARC, which is the Advanced Technology Academic Research Center, and things like CSNP,

the cybersecurity nonprofit. How did you get involved with organizations like that, and maybe you could tell us about, you know, some of that? Yeah, well, just last week you had Asad on from IDSA. I think you had Julie on before that. So I will refer listeners back to those episodes, because Julie and Asad are far better trained on the history of IDSA than I am, but I can talk a little bit about the cybersecurity nonprofit. That's an area I have a lot of passion around.

The cybersecurity nonprofit only has two missions. The first one is to increase the diversity of the cybersecurity practitioner community. And then the second mission is to sort of increase the level of information security knowledge among the populace in general, right? And demonstrably, the nonprofit is amazing. They've got over 7,000 members globally and they've got chapters in cities that stretch from San Francisco to Chicago to parts of Africa and parts of Asia

now, as well, and being a board advisor to that organization has been just a fantastic way to look at this problem from a different area, a different sector, because the members of CSNP by and large are those who are just getting started in their cybersecurity careers, and, you know, the three of us have been around the block a while. It's often easy to forget how hard it is to break into cybersecurity.

We talk all the time about this massive shortage we have in cybersecurity practitioners, but at the same time, like, I hear stories every day about how difficult it is to break into this as an entry-level entrant. So CSNP is trying to help bridge that gap and find ways to make that easier for new practitioners and the community, especially those who are from a diverse background. So Paul, I'm very interested in your background with

Remediant. My understanding is that you guys are focused on privileged access management, and Jeff and I, you know, we work with our clients on developing their IAM strategy. We typically start that with an assessment process, kind of a maturity assessment, and one of the areas that we look at is privileged access management.

And so, you know, kind of taking a look at the privileged access management capability in an organization and assigning a value, say somewhere between like one and five, in terms of kind of current-state maturity and then target-state maturity.

And so what I'm wondering is, kind of, have you formulated a maturity model similar to that, or could you maybe talk through some of the capabilities that, at least in your mind, are kind of at that baseline level of maturity of privileged access management, and then how an organization would kind of move up the scale in terms of increasing their maturity?

Yeah, for sure. Well, I want to start off by endorsing your son's, or your kid's, perspective of we don't need to do it the way we've always done it, right? And so that's one of the reasons why I helped start Remediant: when we looked at privileged access management, for basically the 20 years that privileged access management has existed as a concept, it always sort of revolved around this idea of

password vaulting, right? And over the years, password vaults have evolved to be better, faster, cheaper, but at the end of the day, it's all about taking some credential and sticking it in a password vault and then making users go fetch it when they want to do something privileged. And so that's sort of the way that it's always been done, and when we started Remediant, it was really with this idea that there should be a better way of doing this.

And that we should have separated out the concept of authentication from the concept of authorization or access rights. Vaults sort of merge those two things together: if you can authenticate, then you should have all these access rights, and generally speaking, that's sort of access rights to a lot of things, right? And in the Remediant perspective, really, authentication should happen however authentication happens,

biometrics, cards, whatever. And the authorization is really the thing where we can apply the controls, the principle of least privilege. So, getting into the concept of a maturity model, it's really about, sort of, call it three major stages that we've seen organizations sort of go through as they try to climb the PAM maturity curve, and often, you know, they're pushing the project manager off the curve by the end of this, right?

So as a former project manager myself, I have a lot of empathy for project managers that have been assigned privileged access management projects. But at the sort of base level, sort of the basic starting point for organizations as it relates to privileged access, they often have no idea what's going on, right? They just know that a lot of people have a lot of privileged access and there's not a lot of insight into that, right? They just know it's a thing.

They don't want to mention it in front of the auditors, and if the auditors bring it up, they just sort of do a lot of hand-waving things to get past it as fast as possible. And unfortunately there's a lot of organizations still stuck there, because historically privileged access management has been a really difficult thing to go solve, right? It took a year to 18 months, the project caused a lot of user pain and suffering, and it broke

a lot of processes, and it wasn't really something that organizations wanted to embark upon. So even if they knew that they were sort of at this stage, right, the sort of we-don't-really-know-what's-going-on stage of privileged access management, the PAM projects tend to get deprioritized in that force-ranked list of CISO projects because it was such a hard mountain to climb.

But if you started to climb that mountain, really the next step in the maturity curve is visibility, and just getting some basic idea of which accounts have privileged access where, right. And that is a surprisingly, constantly shifting picture. You know, when we talk to organizations, they sort of assume, okay, well, you know, these Active Directory groups, we know that they confer some privileged access. We know that these are the members of those groups, or the

nested members or whatever, and we know that roughly those groups confer this amount of privileged access. But then if you're able to deploy some tool to actually go out and enumerate all this stuff, it is shocking, not only how underestimated the amount of privileged access is, but also how much it changes day to day, right? Like, this is often a big surprise.

So in our commercial deployments, we see something like an average of 450 accounts having privileged access to the average machine on the network, right? The average laptop, desktop, virtual machine, you know, hybrid cloud, whatever it is, something like 450 accounts on average having persistent privileged access on the systems. That's often a shocking number

to the organizations when we're able to show them this data, because that's often an order of magnitude greater than what they thought it was without having this visibility. So the second stage of this maturity curve, or whatever, is really just getting visibility, and hopefully continuous visibility, into the shifting state of privileged access. I think then really the third stage is control, and that's where you're like, okay, I see how bad the problem is.

I see how much the house is on fire. The control stage is really about giving you a hose and getting you to be able to cool off the fire, pull back the unnecessary amount of privileged access, and really get as close to the principle of least privilege as possible. And in the specific way that Remediant does this, we talk about it in the concept of zero standing privilege, and we didn't come up with that, that's a Gartner term. You can look on our website and read more about what

that means. But the concept that you get as close to zero standing privilege as possible is really the endpoint of the maturity curve as it relates to control. I like that model. One thing that I am wondering is, you know, in theory but also in practice, what are you seeing in terms of applying these principles based on risk? Is the focus placed on just doing this for high-risk applications, or is there a

maturity level that's appropriate for high risk and maybe not required to be as mature on medium and low risk, or let's just say lesser-risk resources?

Yeah, there's two ways I want to take this answer, so I'm going to pick one to jump off of first, but this is a great question, Jim. So I think the first thing is just being able to tie together the PAM data and the risk assessment data. That's actually a really hard problem that goes unsolved in a lot of organizations. I think that one of the sort of unspoken secrets in the IT world is that CMDBs were never really a solved problem.

Like, we never really figured out how to do that, right? So the kind of risk assessments you're talking about, the tracking of, oh, these are high-risk applications, these are medium-risk applications, these are low-risk applications. You know, those sorts of assessments exist in theory in a lot of organizations, but in practice are often outdated or broken or, and this is sort of my core point here, they're not integrated with anything else, right?

So you may have an Excel sheet somewhere that lists all the applications and how risky they are, how important it is that you protect them. But that data doesn't ever leave that Excel spreadsheet, and so it then doesn't benefit the PAM application or the antivirus application or the EDR solution that could really benefit from knowing, oh, this is a high-risk system, or this is a medium-risk, or this is a low-risk.

So I think the first hurdle to get over is just getting the data about what is high risk, medium risk and low risk sort of federated across multiple infosec applications, and then, to the second part of this answer, is really, okay, once you know that, once the PAM application has been taught that this set of endpoints or whatever is high risk, like, what's the level, what's

the desired level of maturity? Now, ideally you want to have visibility across everything, even your low-risk or no-risk applications; you really should have visibility across all those things, but the level of control, how tightly you tighten those screws, can definitely vary by the risk level. Paul, did I hear you mention that on average there was something like 450 accounts with access to a given resource? Did I get that right? You did, yeah. It's a shocker.

Every time we show this data in these enterprises during our proofs of concept, it's like I said, it's always an order of magnitude greater than what they estimated ahead of time. Is that, you know, I would assume, well, maybe I shouldn't assume, this is what we've got here, is that direct access? Is that a combination of direct plus nested groups, nested accounts, things like that?

Do you see any, you know, I guess frequent offenders, you know, on that list? Do you see more, you know, is it SQL databases that typically have the problem versus, you know, Active Directory, or maybe it's even something in the cloud, right? Maybe it's AWS or Azure or Google Cloud Platform that has different types of risks. Can you talk a little about where you see those risks coming in?

Just from the sheer volume, and if there are any prime offenders that, from a prioritization standpoint, a risk standpoint, you typically see. Yeah, we know that usually AWS is a mess, right? There's issues there, or maybe it's SQL or, you know, maybe it's AD or whatever it may be. Yeah, there are three items on my FBI Most Wanted list, or my PAM Most Wanted list.

I guess the first one is local accounts, and this is the thing that people forget about, because everyone's obsessed with their directories, like, you know, whatever they're using as their directory. It's like, oh, this gives me visibility into all the identities, right? Well, that's actually not true, because every computer has at least one local identity on it, and those often get forgotten about, but the hackers don't

forget about them. Like, they love penetrating those, especially if there's a GPO or other policy that's setting the same password for all those local accounts on all those endpoints, and that is a sin of our past that continues to this day, even in large organizations.

And so those local accounts that the directory-focused people forget about, that's sort of number one on my PAM Most Wanted list. I think number two on my PAM Most Wanted list is deeply nested Active Directory groups, and it's never been a good practice, but it's a thing that just came out of necessity in a lot of cases. But it's often not clear to the IT help desk person or the identity group or whatever, whoever's got the ticket that says, hey, let's add Jeff's account to

group XYZ. It's not clear to them that by adding Jeff's account to group XYZ, what level of privileged access that ends up conferring, because group XYZ probably doesn't have a naming convention that makes any sense, or it's outdated, or there was a reorg four years ago and this group

member got renamed. And so the corporate knowledge about what amount of privileged access that nested group actually confers gets lost very easily, and without some sort of monitoring tool to be able to tell you what that is, it's very difficult to discover this on your own. Yeah, and I think number three on my PAM Most Wanted list is

what you described: AWS. This is sort of the emerging victim, I would say. AWS IAM and the similar control planes for the other IaaS providers, they are amazing bits of technology, right? Like, this is the kind of thing that when all of us were, you know, five, ten years ago, creating role definitions and attribute-based controls and all that kind of stuff, like, this is what we wanted.

Like, we wanted this level of fine granular control within the enterprise, and now we actually have it, right? Like, AWS alone gives us, you know, literally thousands of possible entitlements that we can assign to any computer, any user, any virtual identity, whatever. The problem is that without the right tools, the temptation to just give the computer or the network or the user

all the access is super tempting, because it went from a problem of, oh, I'll assign them a lot of access or no access, to now it's like, well, this is super overwhelming, these thousands of entitlements, and so the default decision is just to give them a lot more entitlements than they need. So I actually think we've unfortunately moved further away from the principle of least privilege, thanks to the granularity of these control planes, even though it's exactly what we

asked for. So Paul, I feel like you've got a blog article there in your PAM Most Wanted list. I probably should write one. Yeah, you really should. And, you know, I thought it was interesting how you gave the shout-out to project managers, because I feel like a lot of organizations, you know, prioritize privileged access management how they will, but

it's not prioritized high enough. It's the project manager who has to try to run a grassroots effort to get people to willingly participate, rather than being able to drop the hammer from on high. I think that's a big part of it. Right. We've worked with organizations where, you know, from a risk and security standpoint, privileged access management almost always jumps

out as like the top priority. But maybe it's, you know, the first time that the organization's really thought about it. Others, they know that that's a glaring gap, especially, like, large organizations who have outsourced data center services. A lot of times they realize that they don't have their arms around who's accessing their most critical resources, and they've got to.

And obviously, if an organization has dealt with any kind of a breach that, you know, came as a result of an insider with privileged access, obviously things rise to the top. But one thing I want to do is use this to kind of transition topics. One of the things I really feel like is driving the realization of the importance of privileged access is the advent or the age of the cloud, you

know, AWS, DevOps, you know, all these new forces that are entering the enterprise. They've been here for a while for many organizations, or are really picking up a head of steam in others. But realizing that these are new technologies, they need to be dealt with in a new way, and they present new privileged access challenges, and organizations are realizing that they need to get their arms around that, that they may need new technology. So I wanted to throw that topic

at you broadly. You know, what are some of the things that you're seeing with the age of AWS, the age of DevOps, and how it affects privileged access? I think I've seen some good behaviors, I've seen some bad behaviors, right?

So I think last week when you had Asad on, he talked about having a strong identity, you know, upstream of your whole cybersecurity game, and that's as true 10 years ago as it is today, and especially in the cloud world, where if you can maintain a really tight control over the identities that get put into your cloud platform control plane, then that's a great place to start, because often that gets out of control

pretty quick, right? Especially when you've got DevOps engineers that need access right now, and other things, especially things like shadow IT. You've got organizations outside of the core IT function that are needing access to specific parts of the control plane, but the default is to give them more access than they actually need. So I think there's a lot of

different possible crimes you can commit when it comes to managing identity within your IaaS control planes, but getting a really tight control over who even has the ability to log into them is really a great first step. I think the next thing, the next layer down in the difficulty and crimes committed in the age of DevOps and cloud, is this default thinking that it's too hard to manage the individual entitlements on an ongoing basis.

And thus I'll just assign all of them, or assign large groups of them, and not think about it again, and that sort of sets us up for problems down the road, but it's also setting us up for problems in the immediate term, because if any of those accounts get compromised, attackers know how to use compromised AWS IAM control plane access to be able to add additional entitlements to users to move laterally within the hybrid cloud. So I think there's some real

challenges there. I think the other thing that we're setting ourselves up to repeat is all the sins of deeply nested Active Directory groups. So just as deeply nested Active Directory groups are on my PAM Most Wanted list, I think we're seeing some bad behavior starting to emerge even in the IaaS control planes where, without necessarily

exactly nesting them, you're creating sort of lots of different entitlement groups that tie back to maybe one person or one account, and then it becomes difficult to manage, or it will become difficult to manage those in a few years. And so I think that, unfortunately, we're setting ourselves up to repeat some of the same problems that we lived through in the days of Active Directory.

I know we've been talking a lot about what a mess AWS and other kinds of cloud are, and we're using AWS just as an example, right, but AWS, Azure and the IAM controls there, I kind of liken it to sometimes you don't know where the string leads; you just start to pull the permissions and figure out what's going on there. And I think a lot of times a lot of these cloud infrastructures were not really designed with, you know, proper IAM governance to start with. That's

usually a tactical thing. Some group went off and said, hey, you know what, we need to stand up, you know, whatever platform for whatever reason, and it wasn't really part of the scope of a security program, or it was brought in after the fact and cleanup never took place or anything like that. I'm curious, based on, you know, what you've seen in your travels, does that tactical thinking resonate with what you've seen, or do you

see other reasons why, you know, it's been such a challenge to take what everyone said that they wanted, right, with these granular permissions, and really didn't do a good job, maybe, of setting it up initially because it wasn't a strategic approach to managing the entitlements in those areas versus, again, just taking more of a tactical or, you know, project-based approach? Well, I'll do you one further. Let's first presume that

the organization had the foresight to do a really strong strategic stand-up of their IAM control plane for AWS, or whatever the equivalent was for whatever IaaS they're using. Let's say that they spent six months planning it out, and they had it perfectly aligned.

They created all the right roles and they assigned all the right entitlements to the right roles, the right rules, the right users, etc., and then there's a reorg, or then there's a corporate M&A, or then, you know, they sell off a division, or then they decide to switch IaaS providers. Like, there's so many line-of-business events that can just totally upend these carefully laid plans that IAM teams make. I have

so much empathy, right? Because I've lived through this myself working in the biotech industry for more than a decade. You know, the biotech industry loves nothing more than M&A, and this happened to us so many times, when we're like, we've got the perfect thing, and then, oh no, it's disrupted, right, by the corporate events or the business

events that are happening. So I think there's a lot of different things that can disrupt that. I think that if I want to jump into the solution instead of just, you know, admiring the problem, I think the solution has to really be agile in how you think about these things, right? And just expect that there's going to be some disruption down

the road. And so I say this as an IT project manager who loves nothing more than the triple constraint, finishing projects, etc., but sort of plan that your project is going to take longer than you thought it was going to, and you'll probably end up repeating that project at some point in the future, right? And so make sure you leave behind the assets and the information and the decision-making and all the other things that you used during this project to make it easier

to execute the next time, to do the next cleanup, or the next part of the M&A activity, or whatever it is, to go back and revisit, in this case, the IAM control plane, but it could be some other part of the identity ecosystem as well. I think it's great advice. You know, hindsight's always 20/20, right? You're looking back and should have, would have, could have, right, all the things that could have impacted that.

But if you leave those artifacts behind, you can kind of justify at least the thinking of the time, and the great thing about, you know, the mind is that it can change, right? You don't have to be stuck in the same decision forever. It is okay to get smarter, right, as your viewpoint in the world and the capabilities, you know, around it change. Paul, I think that's a really great point.

I, uh, you know, I think also from, you know, the strategy of managing IAM as a whole, there are sometimes competing priorities when it comes to who's responsible for what. Maybe infosec is responsible for kind of IAM at, you know, a top level, but they may delegate privileged access management to the server team, right?

Or the IT infrastructure team, or whatever it's called within any organization, because they're the ones closest to, you know, those resources, those sorts of things. From your viewpoint, who do you think should own PAM? Is it what I kind of described? Is it a hybrid model? And I understand, right, we know that no one size fits all, right? It's going to be different in every organization. But is there something that's jumped out at you as maybe

something that people listening should take into consideration when they're thinking about where does PAM fit within my organization? Yeah. And to be honest, I have a bit of a contrarian view on this one. So if you're listening, buckle up, right? Because we're about to go on a wild ride, and that contrarian view is actually, it doesn't matter. It actually doesn't matter who owns the responsibility for privileged access. It could be the IT operations

team. It could be the identity team. It could be the infosec team broadly. What actually matters is how you measure the success of the PAM function. And for me, if I was, you know, CISO for a day and I had an operational dashboard, and I was looking at the row that said privileged access management, it would be two measures. One would be how much standing privilege is in

the environment: how many persistent privileged accounts, how many accounts with persistent privileged access are there. And the second one would be how often are just-in-time entitlements used. Those would be the two measures that matter the most to me if I was sitting in the

shoes of the CISO. So whoever ultimately has responsibility for the information security of the organization, and then as far as which organization actually runs the tooling for that and provides that data and, you know, trains users and goes after scofflaws, that sort of matters a lot less to me. Honestly, I feel the same way. You know, as long as somebody owns it, I feel like that's kind

of the answer that I look for. I think you and I have had a conversation about this in the past on different episodes and just in our normal day jobs: you know, who owns identity and access management? At the end, it doesn't matter as long as someone owns it. And, you know, there is, like, you know, if you think about it from a RACI perspective, right, who is the A, who is accountable for it? And I kind of feel like it's like Highlander: there can only be one, right? That's one.

Someone has to be able to make the decision, break the logjam, take ownership, you know, it falls to them and, you know, whatever it looks like in an organization. But as long as someone owns it, I don't, you know, I don't think it really matters. You talked a little bit about, you know, being CISO for a day and measuring PAM, and you mentioned some things that were kind of based on, you know, indicators of risk, maybe associated with number of

accounts, approvals, entitlements. Those are the things. What are some other methods, and, you know, maybe I'm throwing one at you here, but how else would you measure success for privileged access management beyond that? If I'm a practitioner and I'm, you know, thinking about putting in a PAM tool, you know, what are ways that I can kind of justify not only the tool itself but the reduction of risk to the organization that people can think about?

Yeah, spoken like a guy who says the time is 7:23, right? So you and I are cut from the same cloth, my friend. Numbers don't lie unless you want them to. We're both data-driven decision makers, I suspect, and I think that, you know, a good PAM effort, whether it's a project or an ongoing function, is run the same way. It's driven off of data. So the two data measures I just mentioned would be, for me, if I had to pick two KPIs, those would be that, right? How much persistent privileged access is in the environment? That number should be going down. That number should be trending downward. And how often are just-in-time privileged access entitlements utilized? And that number should be flat or trending upward based on the organization's situation. I think beyond that you can certainly get into other measures, like how frequently are endpoints assessed for how much privileged access they have? And then in an organization that has, I would say, a distributed IT function, you could call it shadow IT or call it, you know, departmental IT, you can call it whatever, how well integrated are those sources of privileged access back into whatever the core PAM function is, whether it's run by IT or someone else?

How cohesive a picture across all the different departments of the privileged access management is available within the organization would be another critical measure. I think another one is how the PAM project or solution or service is evolving over time. I think this is one of the things that really gets us, really bites us, is that we don't think about the evolution of the PAM technology.

And so, when organizations started to do hybrid cloud rollouts, the PAM solutions at the time just didn't keep up with that. They just weren't ready, and so they fell behind, right? And so that's one of the reasons why I think a lot of these deployments in large companies still have a lot of unmanaged privileged access, because the tooling wasn't available when the organization started it, and they never went back to update the tooling or apply it to these new sources. So thinking about what does my PAM service look like a year from now, two years from now, five years from now is another key measure, and you can't necessarily put that into data, but it's a critical thing to be thinking about and planning for ahead of time.

I'm glad that Jeff joined in and agreed, because I'm going to take the contrarian view, and I don't want to be arguing with you, Paul.

I'd rather argue with you and Jeff now, but the point that I was going to make is that I do think where PAM sits does matter. And I say that from the perspective that when I've seen PAM projects struggle or fail, it's because of resistance from the end user, the users of that system. You can come up with reasons: it takes me longer to do my job; what if, what if, what if the PAM server's down? And, you know, all these reasons why I might not be able to save the world, even though I have my cape, because you're putting this piece of technology in front of me that's a piece of junk. So how do you flip that script? How do you get those folks to be on board with it? Why don't you put them in charge of it? They run it. And then you say, well, you know, is that kind of not fulfilling our duty? Well, I think what you need on top of handing over the PAM system to the users of the PAM system, in other words the system administrators, is checks and balances. So you need to have some kind of oversight and administrative capabilities, whatever that balance is, so that you have checks and balances, but that those users of the system are not, quote unquote, disenfranchised, or, you know, that they feel like their ability to perform their job function is being jeopardized. So that's my two cents on it, is that I want to see those end users on that system.

Well, I think we're actually in violent agreement on this point. And the measures I mentioned are ways of measuring whether the end users are actually using the system, right? Because I think one of the other things, one of the other skeletons in the closet of security folks, is that these PAM solutions were often rolled out, these password vault solutions were rolled out, and then bypassed, right? So some really smart sysadmin would just go and check out the account, right, or whatever, and then create themselves some local accounts on the endpoints, and they would just use those local accounts, not have to worry about the password vault any longer. So I think that the measures I mentioned are ways to detect if end users are bypassing the PAM tool, so that adjustments can be made in the way that it works, or the training that's provided, or the value that's provided to the end user, so that they actually adhere to the PAM practices of the organization. I think the other thing to say is that you're absolutely right. These PAM projects historically have been very hard, and they just didn't get done if they didn't have the right level of executive support, which I think is the point you're trying to make. It's like, if you don't have the backing of whoever matters in the organization, whether it's the CIO or the CISO or the head of the line of business or whatever it is, the CTO, whatever it is. If you didn't have their backing, then these PAM projects would just fail, right? Because it would get partially deployed, and there would be a bunch of resistance from end users, and then the project would just sort of shut down, right? They would just never really get done. On average, we see that password vault technologies only ever get to 30% deployment, 30% of the planned deployment, because of exactly the reasons you mentioned. And so I think the solution is really twofold. One is the increased level of executive support, but I think the second thing is we need to provide a better solution. Password vaults suck, and here I'm standing on my soapbox as a founder of a company that directly competes with password vaults. So, you know, grains of salt for everyone. But getting away from this idea that you have to introduce additional friction in order to better manage privileged access, I think that idea is outdated, and there are better approaches to doing this, and we can achieve both better user experience and increased security around privileged access at the same time.

Absolutely great points. So, Paul, we're coming up on time, but I just have to imagine that in your role you've come across some interesting use cases. So would you mind maybe taking us out with one or two of those kind of war stories that maybe you've gone through, and hopefully some of them come to a bright and happy ending? Yeah. Well, there's a longer version of this story on our website.

If anyone wants to hear the longer version of this, but Remediant's first commercial customer was Lockheed Martin, and they continue to be a public reference customer for us, a very happy customer of ours. And their use case was really around regulatory compliance, and it was a rather special kind of regulatory compliance, something that they call instrumented compliance.

So Lockheed Martin had been in compliance with all the rules that they needed to be in around the federal government forever, but they really didn't have the instrumentation, the live instrumentation, to show themselves, to prove to themselves, that they were continuously in compliance, right? And that's what our technology was used for: to bring about this instrumented compliance around the specific regulatory compliance rules around the DFARS, or defense federal acquisition, rules. And so that's an interesting one, to think not just through the lens of regulatory compliance, but continuously enforced and continuously ensured compliance with regulations, and there's a bunch of them out there that have to do with privileged access, right? So that was one interesting one.

Another interesting one is zero trust. You guys talked about it on your show last week, actually. Zero trust came up, but I'm sure it's come up many times in the past and hopefully will come up many times in the future. And thinking about how does privileged access fit into zero trust, because I think zero trust is often seen through the lens of device and network security and less often through the identity security lens. In fact, sometimes I see zero trust denoted as zero trust network access, right, ZTNA. And so how do you introduce identity concepts into that? And I firmly believe that privileged access is the correct bridge between the identity world and the device- and network-centric security world of zero trust today. I think privileged access makes that bridge work really well to so much of the concepts around zero trust. Another really interesting use case for us, and the last one I'll leave you with, and this actually does end in a very bright story, is incident response.

Privileged access management and incident response have never been considered to be even on the same side of the planet, much less adjacent technologies or adjacent approaches. And again, I talked about this on the Risky Business podcast this past week, with Patrick Gray, in longer form, if anyone's interested. But the idea that you can actually roll out a PAM solution during an incident response: there's some malware that's spreading across the organization, you're watching compromised privileged accounts being used to spread the malware, you know? Historically, we've only ever been able to bring EDR and XDR technologies to bear in those situations. We now have about a half dozen cases where Remediant has deployed PAM technology over the course of a weekend to help slow down or stop those malware spreads as well. So incident response, yet another interesting use case. It's come up more recently for us. Those are some pretty cool examples.

Yeah, I guess you could call me a fan of Lockheed Martin just from the aircraft perspective and some of the things they put out there, like the SR-71 Blackbird, the F-16, the F-22, the F-35. I'm a big nerd, so what can I say? That's got to be a fascinating kind of client to work with when it comes to that kind of thing. So, you have been very gracious with your time. We really do appreciate it. Before we wrap things up for this week, are there any other pearls of wisdom that you want to lay upon us, Paul, before we close things out?

You know, I think just think expansively about what's possible in the world. I think that, just like Jim's kid, we should break with the old habits, right? There's a lot of emerging technology. I think identity has seen an amazing amount of investment in innovation from the VC world and from others. And I think it's time for all of us to think more holistically about what's possible in identity, and sort of break with saying it's 7:15 and say that it's 7:23 instead.

I like that. It's okay to get smarter, right? I mean, it's okay to grow and think about things in new ways. Jim, anything you want to bring up before we close it out? Back in my day we said 11:15, and we liked it so much. I do my best, for sure. Send me LinkedIn connections and on Twitter, on the tweet things. And then if there's folks out there that are brand new to cybersecurity, I definitely encourage them to join the Cybersecurity Non-Profit. It costs zero dollars and you get a lot of value for that zero dollars. Good stuff, and I'll have links to all that stuff in our show notes for people to check out in their podcast app of choice, or IdentityAtTheCenter.com, another place you can find that information.

Paul, greatly appreciate it. Jim, greatly appreciate it. We're going to go ahead and close it out for this week. Thanks, everybody, for listening, and we'll talk with you all in the next one. You've been listening to the Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at IdentityAtTheCenter.com.
