Interview: How PAM Solutions Can Be A Business Enabler
Mark Warren, Marketing Director at Osirium, discusses the differences between PAM and IAM, how PAM can be a business enabler, and how businesses can overcome the challenges of implementing a PAM solution.
Mark Warren is Marketing Director at Osirium. Warren has over 30 years of experience in software product development and marketing leadership, with a particular focus on brand and market presence. At Osirium, Warren leads the company’s marketing team in taking Osirium’s privileged access management (PAM), privileged endpoint management (PEM), and automation tools to market.
At RSAC 2022, we spoke to Warren to discuss why organizations should consider investing in PAM even if they already have an IAM solution, how PAM can be a business enabler, and how businesses can overcome the challenges of implementing a PAM solution.
Can you give us a brief overview of Osirium, your key use cases, and what sets you apart from other solutions in the PAM space?
Osirium are a UK-based company, primarily focused on PAM. We were founded in 2008, and we went public on the market in 2016. All of our development is here in the UK, but we have customers across five continents now, and those customers span all sizes.
Our core focus is around privileged access management, managing privileged access for key IT systems. Those could be backend servers, databases, or any shared services managed by IT. But they could also be systems outside IT. For example, corporate Facebook accounts, because of the potential for reputational damage if the account is misused. All of these systems have a large element of risk if those privileged accounts are compromised. You only want to give access to those systems to the right people, at the right time, and only for the minimum time needed. You need to make sure they have the right level of access, and you’re not just giving carte blanche power when they only need a low level of access.
We make sure that when a user connects via PAM to a back-end system, they’re never connecting directly. They never have access to the admin credentials, so the credentials can’t be misused or stolen, as they’re so valuable for attackers.
But also, what makes PAM different to what might be called “identity and access management” is that PAM manages what users are doing with those admin credentials. PAM can monitor those sessions and break the connection if there’s any suspicious behavior. The sessions can be recorded and played back later to investigate any incidents.
You might even restrict access to systems to limit user access to just the applications, or the function within an application, they need to do their work, not the whole machine.
One of the things that separated Osirium at the very beginning was the idea of automating a lot of that admin activity. So, if you know that your task is to reset a user’s account, you could get an Active Directory expert to log into the Active Directory management console, do all the work and come back. Or, you wrap that entire task up, make sure it’s secure, and then let the help desk or even the user make the change for themselves.
A couple of years ago, we introduced what we call “privileged process automation”, which takes that to another level. A lot of IT tasks require updates to multiple systems. Imagine a new joiner process: you update Active Directory, update the HR system, update VPN access, update the CRM system for someone in marketing. That new joiner could be waiting days, weeks, or even months before they have full access. But if you can automate all of that, then it can be done immediately.
You mention session monitoring as a key differentiator between IAM and PAM. Why else should organizations consider implementing privileged access management specifically, rather than just an IAM or MFA solution?
So, IAM and PAM are somewhat complementary. Many of our customers already have an IAM solution, perhaps with single sign-on. But IAM runs out of steam when it comes to managing privileged access. They typically have a group of accounts that are identified as privileged, so that only a limited number of people have access to that group of accounts. When users log in through the IAM system, it may return some credentials which have privileged access to Facebook or to a backend system via clipboard or in memory, where the credentials could be stolen.
When connecting via PAM, on the other hand, we’re proxying the credentials on the backend. We’re injecting those credentials directly into the application, so they’re never exposed to the user. That means nobody can sit in the middle and get hold of them.
Now, Osirium has gone further, with two pieces of technology that really stand out. One is the automation piece: we wrap up the whole thing that people are doing, so they can’t do anything they shouldn’t do. That also means people get things right more often the first time, because they can’t do anything they shouldn’t, whether accidentally or maliciously.
The other piece is something that we call the “MAP Server”: managed application proxy, which acts as a secure sandbox for your applications. Imagine you have a database, and you have Microsoft SQL Server studio as the management tool for the database. By connecting through our PAM MAP Server, you can run that SQL Server app in a browser window. You have access to the app in a remote desktop, but you’re not seeing the whole desktop; you’re just seeing that one app. You get that flexibility for the SQL admin to use the app, but they don’t have access to anything else, so they can’t install software on that machine, add a new user account or make any changes that could be dangerous.
Why was ease of deployment so important to Osirium when developing your platform?
In the past, PAM has had a terrible reputation. We hear stories all the time of companies who started their PAM journey with big vendors, and it starts well: they’re going to send you 10 consultants to get started smoothly. But then those companies realize, well, if it needs 10 consultants to get it working, what’s it going to take to keep it running? And they’ve got an implementation plan that says they’re going to do three months of network investigation and planning which may need reconfiguration of the network. That’s a lot of work before PAM starts delivering value.
Whereas our customers tend to have their first PAM system up in hours; they start protecting their systems on the first day. We believe in protecting the most vulnerable systems first and then expanding out—start to deliver value early to encourage further PAM deployments.
And that’s kind of 180 degrees from where those big guys are, because they’ll come along and talk about a 12-month plan with 10 consultants and whatever else, and those projects never get finished. So, the customer never sees the full value.
And that’s the thing that sets Osirium apart from just about every other vendor.
Despite the availability of this technology now, many organizations are still struggling to secure their privileged accounts. Why is this?
I think there’s been a change in the last few years. I’ve been with Osirium for just over three years now and, at the beginning, a lot of our communication was about what PAM is and why it’s important. But now, it’s more about how companies can actually do PAM, without impacting their systems.
Because another myth about PAM, another legacy of these big heavyweight vendors, was that PAM is the thing that gets in the way of admins getting their work done. So, we’re trying to bust that myth and make the IT admins’ life easier. If you’re an admin and you’ve got 10,000 devices to manage, we make it easier for you to manage that list, find the devices you need to work on and securely connect as quickly as possible.
The other thing is, yes people are starting to understand that they need PAM, but they’ve got plenty of other projects to be working on, so PAM may not be top of their to-do lists. Gradually, people are starting to say, “Actually, this does need to be further up the list.”
We’ve recently published a new case study for a large university, where they were just about to start with their PAM project, starting with just a few systems because it had been difficult to get people on board with the idea. But the day the project was about to go live, they suffered an attack, and all hell broke out. But where they’d had trouble getting buy-in from the university and the users to implement PAM previously, suddenly they got all the support they needed. So, they went big and deployed everywhere.
That’s often the case: we get called in after somebody’s failed an audit or had an attack. And audits are happening much more often now because Cyber Essentials, PCI, GDPR—they all have requirements around user management, and in particular, showing what you’re doing to manage privileged users. And you only get away with “I’ve got a spreadsheet” once, if you’re lucky, because that spreadsheet is not safe and it’s not up to date.
That’s another reason PAM is getting higher in people’s consciousness. Every cybersecurity tool is going to be useful for something, you know. You need a firewall, you need antivirus, you need SIEM tools and more. But every one of those tools has admin accounts and, if you’re not protecting those admin accounts, and the credentials for your antivirus tool or your firewall get breached, then your security system gets taken down. It’s just like having a really strong door but leaving the key in it.
Finally, what is your advice to organizations struggling to secure their privileged accounts against credential-related breaches and data loss?
The first thing is, acknowledge that it’s something you need to do. People do worry, because if you mess up privileged access management, you will not only leave your business more vulnerable, but you can also upset a lot of staff. For example, the admin can’t log in to get their work done, because there’s extra security in the way. That’s not a win for anybody.
So, the first thing is, acknowledge that you do need to do this. Second, it’s not as scary as you think. Third, look for a solution that talks about early returns, because the faster you can show that you haven’t brought the company to a halt and you have improved security while enabling business, the better.
Our CTO is presenting at InfoSecurity Europe on the topic of how security can be a business enabler. Cybersecurity marketing is a bit like insurance at the moment; you’re buying something to stop something from happening, and the lack of attacks—or ones that you’re aware of—is your return on investment. But PAM can actually be a business enabler by reducing the amount of work that the admins have to do and reducing the downtime. So, acknowledge the problem. But be positive and look for solutions that are offering some actual return on investment and enabling your teams to work more effectively.
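The two mechanisms Warren describes above, credential injection by a broker so the user never handles the admin credential, and session recording with the ability to break the connection on out-of-policy activity, are sketched below as an added illustration. This is editorial example code, not Osirium's product or any code from the interview. The vault contents, the policy table, the user names and the `Backend`, `Session` and `Broker` classes are all constructed for the example; a real PAM would keep the vault encrypted, rotate the secrets and proxy a real protocol rather than a stub.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample vault (target -> privileged account and secret). A real PAM
# keeps these encrypted and rotates them; a plain dict is used here only for illustration.
VAULT = {
    "db-prod-01": ("sa", "constructed-db-secret"),
    "ad-dc-01": ("Administrator", "constructed-ad-secret"),
}

# Constructed policy: (user, target) -> session time limit and the command verbs permitted.
POLICY = {
    ("alice", "db-prod-01"): {"max_minutes": 30, "allowed": {"SELECT", "SHOW"}},
    ("bob", "ad-dc-01"): {"max_minutes": 15, "allowed": {"Get-ADUser", "Unlock-ADAccount"}},
}


class Backend:
    """Stand-in for a target system: checks the privileged credential, then runs commands."""

    def __init__(self, name):
        self.name = name
        self.authenticated = False

    def connect(self, account, secret):
        if (account, secret) != VAULT[self.name]:
            raise PermissionError("backend rejected the credential")
        self.authenticated = True
        return self

    def execute(self, command):
        assert self.authenticated
        return f"{self.name}: executed {command.split()[0]}"


class Session:
    """A brokered session: holds the backend handle, never the secret, and records everything."""

    def __init__(self, user, target, backend, started, max_minutes, allowed):
        self.user, self.target = user, target
        self._backend = backend          # the only link to the privileged connection
        self.started = started
        self.expires = started + timedelta(minutes=max_minutes)
        self.allowed = set(allowed)
        self.transcript = []             # (timestamp, command, result) for later playback
        self.active = True

    def run(self, command, now):
        if not self.active:
            return "session terminated"
        if now > self.expires:
            return self._terminate("time limit reached", now)
        verb = command.split()[0]
        if verb not in self.allowed:     # out-of-policy activity: break the connection
            return self._terminate(f"disallowed command: {verb}", now)
        result = self._backend.execute(command)
        self.transcript.append((now.isoformat(), command, result))
        return result

    def _terminate(self, reason, now):
        self.active = False
        self._backend = None             # drop the privileged connection
        self.transcript.append((now.isoformat(), "<terminated>", reason))
        return "session terminated"

    def view(self):
        """What the user and auditors can see: identity, target, times, transcript, no secret."""
        return {"user": self.user, "target": self.target, "expires": self.expires.isoformat(),
                "active": self.active, "transcript": list(self.transcript)}


class Broker:
    """Opens sessions on behalf of users; the privileged credential is injected here and only here."""

    def open_session(self, user, target, now):
        rule = POLICY.get((user, target))
        if rule is None:
            raise PermissionError(f"{user} is not authorised for {target}")
        account, secret = VAULT[target]
        backend = Backend(target).connect(account, secret)   # credential never leaves the broker
        return Session(user, target, backend, now, rule["max_minutes"], rule["allowed"])


def demo():
    """Walk one session through an allowed command, then an out-of-policy one."""
    t0 = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    session = Broker().open_session("alice", "db-prod-01", t0)
    first = session.run("SELECT count(*) FROM users", t0 + timedelta(minutes=1))
    second = session.run("DROP TABLE users", t0 + timedelta(minutes=2))
    return first, second, session.view()


if __name__ == "__main__":
    for entry in demo()[2]["transcript"]:
        print(entry)
```

Running `demo()` shows the property the interview describes: the user's session object exposes identity, target, expiry and a replayable transcript, but the `sa` password exists only inside `Broker.open_session`, and the first disallowed verb both ends the session and drops the backend handle. A production broker would apply the same shape to a real protocol proxy (SSH, RDP, SQL) and feed the transcript to the SIEM.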
Thank you to Mark Warren for taking part in this interview. You can find out more about Osirium’s privileged access management solution via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.