Privileged Access Management

Interview: Joseph Carson, Chief Security Scientist and Advisory CISO for Delinea

Expert Insights spoke to Joseph Carson from Delinea about all things PAM, what the threat landscape looks like today, and how PAM solutions overcome security gaps and ease friction.

Joseph Carson Interview

Delinea is a leading vendor in the privileged access management (PAM) sector. The company was created after the merging of two well renowned PAM vendors: Centrify and Thycotic. Since the merger and 2022 rebranding, Delinea has been working hard on uniting and evolving the two technologies.

Privileged access management (PAM) falls under the wider framework of identity and access management (IAM) solutions. It manages and secures privileged access to parts of the network that require a heightened level of security and therefore stricter access protocols. Users who require privileged access traditionally include those in the C-suite, IT administrators, security teams, and developers.  

Based on policies and context, PAM solutions can grant or deny access to resources for specific users at any given time. This strict management of access and privileges reduces the risk of lateral movement attacks, theft, data destruction, and compliance violations as a result of unauthorized access. PAM solutions also offer detailed reporting and auditing capabilities, monitoring and tracking, and can ensure regulatory compliance.

As we move away from the traditional office environment, cybersecurity vendors need to rethink what the network perimeter is, and how to best secure it. Movement to the cloud, an increase in remote working, and bring your own device (BYOD) policies have made this much more challenging. 

We spoke to Joseph Carson, Delinea’s Chief Security Scientist and advisory CISO, to discuss the changing PAM landscape, the future of passwordless access, and how to keep your accounts secure.

Can you give us an overview of Delinea and your role within it?

Delinea is the end-result of merging two companies who were leaders in their respective spaces within the privileged access management market, Centrify and Thycotic. Two years ago, we merged, and then rebranded a year ago. Since then, we’ve been bringing both technology sets together into a cohesive PAM offering. 

I’m Joseph Carson, I’m the Chief Security Scientist and advisory CISO. My role has several responsibilities, one of those main responsibilities would be running research, looking at the threat landscape, and the different evolving attacks out there. I look at everything from different ransomware variants to data theft to credential abuse. From there, I look at where we can apply our technology to reduce those risks, and make sure organizations have the best practices in place. I also research new technologies, such as biometrics, passwordless technologies, authentication mechanisms, automation, machine learning and so on.

I convert a lot of research into reports, white papers, and eBooks, as well as performing a lot of webinars for the organization. I’m the Delinea evangelist. So, I go around speaking and sharing my experiences at different events. I’ve been a top speaker for RSA Conference and ISC2 Security Congress. I run the biweekly company podcast called ‘401 Access Denied’ as well, where we have a host of great and informative speakers.

Since our last interview with you, how has the threat landscape changed?

The threat landscape has, by and large, been the same but there has recently been a notable decline with ransomware. I think it’s notable and likely that the war in Ukraine has had an impact on this. A lot of ransomware gangs tend to be Russian or, at the very least, Russian speaking. We do believe the war has had an impact on this, especially with sanctions on Russia making ransomware-as-a-service the preferred option financially viable for ransomware attackers as a way around the sanctions. The devaluing of cryptocurrency recently will also have had a large impact on this and how much ransomware attackers get paid.

Of course, what’s changed with organizations is that, on the whole, we’ve gotten better at implementing things like multi-factor or two-factor authentication alongside passwords. While companies have evolved, so have attackers. What’s also notable is that we’ve seen a huge increase this past year in social engineering-based threats that, interestingly enough, are stemming from instances of multi-factor authentication fatigue. Attackers are evolving and are looking at different ways to abuse human trust. 

For security vendors, there’s been a huge shift into looking at making security frictionless because instances of friction are what social engineering attacks take advantage of. An example would be an MFA solution that sends a hundred requests over a couple of minutes, which causes frustration during constant click throughs and eventually the user will click accept just to get rid of the notification. Attackers are targeting or leveraging things like that, causing frustration, and getting users to act just to remove annoyances.

Another thing we’ve also noticed is that the target has also changed. In the past, the majority of victims were based in North America and Europe, but what we’ve seen is that the geopolitical landscape is changing and now a lot of attacks are targeting Central and South America, like Costa Rica and Peru. So, the political landscape has also changed the targets of those ransomware gangs, where they’re now targeting less noisy, and different geographical locations, because of those tensions and they tend to have less capabilities to hack back.

It was reported that the privileged access management solutions market is predicted to grow by $4500 million within the next five years. Why do you think this is, and why is it so important for businesses to invest in a PAM solution?

It’s because the traditional security programs are no longer viable anymore. This has been a transition for quite a long time. It’s not a slow progression, but it was transitioning for a while. It’s only the really large organizations that were able to make that transition and take advantage of evolving technologies. Now, PAM is much more established and much more available, meaning more companies are able to and want to get it. There are more vendors and more choices now. 

It’s also because the perimeter of the traditional office is no longer protected, because the perimeter has changed so much. It’s no longer office firewalls and network security or protecting the network itself. With bring your own device and the cloud it’s become more about protecting and securing the device and identities. We’ve literally expanded that into the public Internet. And that’s where the technologies that would have typically secured the network are no longer viable on the traditional and the public Internet. And this means that we have to look at where to work and what security controls can be applied. Can you still control security on the public internet?

The pandemic forced many organizations to accelerate towards cloud transformation, to remote work, and to access from anywhere. It means that most, if not all, organizations have had to accelerate their identity, access controls, and their access management much quicker than they had initially planned. In the future, identity is the perimeter and access is the security for that perimeter. Organizations must evolve into that, which is why we’re seeing such an increase in market growth.

How do you see the PAM space adapting in the future to combat more sophisticated and evasive threats?

I think a lot of technologies currently have very reactive approaches. They are very policy based with static controls. In the future, I think PAM is going to start moving to a much more dynamic based security. It will look at current baselines and how they change, and then modifies the security controls and policies in real time to be much more flexible, dynamic, and frictionless. It will become much more context aware, looking at different security parameters and measurements, assessing risk, and then, based on that, you get the right type of access at the right time for the right user.

It’s almost like becoming a living organism where security is a lot more proactive. It’s evolving and able to change in real time, based on threats; that means organizations will have to know how to integrate. There’s going to be much more interoperability between technologies, more sharing of sensor data and information in order to modify those security controls in real time.

It really means much more orchestration, and a lot of machine learning as well in order to learn from events of the past. I believe that, right now, we’re in that kind of static security world. We’re definitely moving to much more of a dynamic security, context-based security, which means security controls will evolve based on the threats that we see.

The identity security industry is taking steps towards a completely passwordless future. How do you see PAM solutions fitting into this future?

It’s a good question. I think we have to take a step back and think about what passwordless is. There’s a misconception about what it actually means. 

To the user it appears passwordless, but on the technology-side, there is still a password exchange and a transaction of credentials happening in the backend. There’s still an exchange of authentication. It’s more of a passwordless authentication experience.

There’s still the exchanging of credentials, a token, or secret PIN. This is still technically a password. It still needs to be managed and it still needs to be secured. Passwordless, in the sense that users no longer need to create and use passwords, is great because that’s one of the biggest weak points that attackers take advantage of. Users aren’t great at choosing complex and long passwords that are also easy to remember. That’s the number one flaw in the process. Removing the password from the equation and making it as complicated, but automated so the user is not managing it, is a huge step in security and securing passwords. PAM fits right into that.

Access management will still manage those tokens and authentication mechanisms. We think of it as the segregation of duties: the authentication portion is that passwordless experience, and the privileged access portion is the authorization side of things. It’s what you can do to prove who you are. It’s really about working together. 

So, I believe that passwordless and privileged access management have a very strong collaboration and integration to change that experience and make the authentication and authorization experience much more secure, much more automated. What we’re really doing is moving passwords into the background. That’s what the reality is. It’s not just about humans, it’s also about machines, it’s about automation, and it’s about code. 

What are some of the challenges organizations face when trying to implement PAM?

Organizations’ environments can be quite complex. A lot are using many different systems and platforms, across multiple clouds and hybrid clouds, from code to machines to humans. So, it’s really making sure you map that journey. 

Sometimes organizations try to go too quickly. Rather than phasing it out and thinking about it – looking at accounts and identities and which access is higher risk – it’s about making sure you take the right path to make that journey smooth. It’s also about integrating it so that it works with the authentication experience, or your single sign-on, or your identity service provider. So, it’s about making sure that all of those work together seamlessly. 

One of the things that causes a lot of friction is when things are overly complex. We want to make sure that users have a good experience. When a company goes to implement a PAM solution, they need to think if there’s anything that needs to be changed to the way users work. Or is it something that’s going to create more friction with the employee when they need to access something. If it increases friction, employees look for ways around it – they will look for ways to simplify their job. They will go back to writing things down, they will go back to saving things in the browser password store – again, this is a major risk because attackers can easily access that. So really looking at making sure it is frictionless and making it easy to learn.

Do you have any final words of advice to organizations looking to implement a PAM solution or to those who are on the fence?

That’s a great question. I will say: partner with experts. Don’t do this alone. Go to other companies who have implemented it and are willing to share their experiences. Read up on it. I have written some books on the topic which cover the pains and experiences and some tips on implementing PAM.

I’ve also created what’s called this privileged access management checklist. This is where you can go and ask the right questions about the journey:

  • How do I want this to work?
  • What do I want to prioritize? 
  • What problem am I trying to solve?
  • Can I make it much more efficient? 

So that checklist really helps you guide yourself into some of the best practices that you can apply to your business.

Aside from looking at resources, there are a lot of great events that companies can go to and listen to experts, share knowledge, and speak with others in a similar position. 

Get a vendor who doesn’t just sell to you, but also partners with you and help you look at your environment, provide knowledge and expertise. Look to where others have seen success in similar environments. So, look for vendors who are more of a partner, and go on that journey together. 

Thank you to Joseph Carson for taking part in this interview. You can find out more about Delinea’s PAM solutions via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.