Technology Interview : PAM (also called privileged access management or privileged identity management)

Praveen Singh
6 min read · Feb 9, 2022

Privilege account security is becoming the CISO’s top priority nowadays. I was happy to chat with my long-time friend Ajay Bongirwar, Country Manager at Delinea (formed through the 2021 merger of Thycotic and Centrify). Delinea is a global leader in privileged access management, or PAM.

Praveen: Welcome, Ajay. First of all, congratulations on your new role. Why do you think PAM is the need of the hour? Why should PAM be a CISO’s top priority?

Ajay : Thanks, Praveen. I am very excited to be here in the PAM space and particularly at Delinea. Both Thycotic and Centrify were leaders in privileged access management, and this merger of these 2 leaders makes Delinea a stronger global PAM solutions provider. Firstly, PAM as a market has seen significant growth in recent years. Cyberattacks including malware, ransomware and supply chain attacks have given sleepless nights to cybersecurity folks. It’s well documented now that cyber-attackers no longer “hack” in, they simply log in using weak passwords. After that, ‘privilege elevation’ becomes their goal so they can find sensitive or valuable data, extract it, and leverage it. This pattern has increased the awareness about the use of PAM. And while there are numerous things organisations can do, Privilege Access Management (PAM) is a very important prevention solution. Secondly, if you look at the PAM maturity model, you will realise that the majority of organisations who use PAM primarily focus on implementing PASM (Privilege Access and Session Management) capabilities, most commonly password vaulting. On one part, I believe that maturity grows with time, and organisations will slowly realise that PEDM (Privilege Elevation and Delegation Management) for both Endpoints and Servers is also critical. In addition, the majority of other solutions in the market do not really have good PEDM capabilities which enforce cybersecurity best practices like Just in Time Privilege or Zero Standing Privileges.

Praveen : Tell me about your new assignment?

Ajay : I like the fact that I have to “challenge the status quo”. There are organisations who have not implemented PAM capabilities at all and then there are others who have implemented traditional PAM with only PASM capabilities. As country manager, on the operations side, I also need to hire and build a team. While I have done that in the past a few times, this time with the potential that we see in the market, I really need to do it very quickly. I will also be leveraging a lot of partners for this purpose.

Praveen : Please take a couple of minutes and share some of the highlights of your PAM solution.

Ajay : Firstly, Delinea has a Platform with a lot of modules one can say. The modular structure helps organisations to plug in what they need today and slowly add modules to mature to the highest level. If I want to talk about the highlights of Delinea, I would say

#1 — Speed of adoption — from fast deployments, to automation templates that let you do a variety of things faster, to the best UI/UX, to inbuilt customisation capabilities — Delinea offers a seamless experience.

#2 — Lowest TCO — from huge performance with lowest infra required, to extensive documentation, to very large community of users for knowledge share / use cases, to extensive documentation, to low resource requirements to maintain the solution, to zero downtime upgrades — Delinea offers the lowest TCO.

#3 — Full set of Privilege Management capabilities — from default Server admins, to business users, applications, service accounts, vendor users and across your datacenters, network devices, cloud, endpoints, DevOps and even IoT — Delinea has everything covered.

Praveen : What are the important use cases for PAM? Is your PAM solution covering all these important use cases?

Ajay : There are lots of use cases for PAM. For simplicity, I would like to group them as below

#1 — PASM (Privilege Account and Session Management) — which primarily includes vaulting of privilege credentials and then brokering or granting access to required users, applications and services as and when required. It also includes active management of credentials like rotation of passwords etc.

#2 — PACA (Privilege Account Compliance and Auditing) — one important compliance use case is around session recording and auditing capabilities. One should note that session recording is needed for any activity happening on the target machine, irrespective of whether the session was initiated through the PAM solution or some rogue user / service account / malware activity is accessing the device.

#3 — PEDM (Privilege Elevation and Delegation Management) — this means that in an ideal scenario, users should log into the target machine with least privilege user access and get elevation when needed only with the required rights (this is referred to as Just-in-Time privilege, or JIT PAM).

#5 — DevOps — In today’s digital world filled with microservices and APIs for everything, the DevOps teams should be able to safeguard access credentials in vaults and integrate with DevOps tools like Jenkins, Chef, Puppet, Terraform, Ansible, Docker, Kubernetes etc.

Praveen : Most organizations are looking at AI and machine learning as a way to relieve some of the burden on security teams by sifting through automation. Is your PAM solution automated enough?

Ajay: There is a lot of automation that is available inside our products. From automated discovery tool (to discover privilege accounts), to taking actions on discovered accounts, to “templates” that allow you to map a variety of actions you want to perform after a particular action is done, to automation in generation of compliance reports… the list is very long. We at Delinea take pride in automation capabilities that our solutions provide and this has also proved a key aspect of our success.

There is also use of ML — like in our Privileged Behavior Analytics module and most importantly the cherry on the cake is our AI Engine that provides Adaptive Security to challenge the user with MFA etc. based on various parameters and usage behaviour. Finally, our solutions have a vast range of integrations with best-in-class solutions that can bring automation expertise into the Delinea platform.

Praveen : In the current scenario (Covid-19), privilege users are working from home and assets are moving to the cloud. Is your PAM solution compatible with these new requirements? Please explain.

Ajay : Absolutely. With remote work now the norm for a large percentage of workers, employees, contractors, partners, and more are more reliant than ever on cloud-delivered services and applications to do their jobs. This is absolutely the case for privileged access to critical infrastructure, both in terms of ensuring productivity for those who need it and stopping access for those who shouldn’t have it. Our cloud-ready, cloud-delivered PAM solutions leverage the benefits of the cloud to ensure privileged access is available whenever, wherever needed. Furthermore, our solution actually creates more secure remote access sessions by removing the requirement for a VPN. Users can log in as themselves to the target machine, have their entitlements verified through their identity repository, authenticate with MFA, and do the job required just-in-time, with just enough access needed for that target only. They don’t need the full access to the entire network that a VPN could open up, and could therefore be exploited.

Praveen : Does the solution provide out-of-the-box controls to meet several crucial regulatory requirements such as GDPR, HIPAA, NIST 800–171 or ISO 27001?

Ajay : Short answer — Yes. Long answer — Delinea is a global company with thousands of customers including more than half of the Fortune 100. We also serve a long list of Government and Defense customers across the globe, as well as other highly-regulated industries such as financial services and healthcare. They all need a variety of regulatory requirements and the OOTB reports help them achieve it. Apart from the ones you have mentioned, Delinea Cloud solutions are also very secure and we have SOC2 Type2 certification, FedRAMP, FIPS, CSA Star certifications and more.

Praveen : How responsive is your customer support team?

Ajay : I think you should hear what our customers say. Delinea enjoys a Customer Satisfaction Rating of 4.8 out of 5.0, and has more than 700+ 5 star ratings on Gartner Peer Insights. This would not have been possible without our highly-capable customer support and professional services team, which offers 24x7 support services for Premium and Premium+ Support customers.

Praveen : What is the product’s road map? And how often is the product updated to ensure the latest feature set and security patches?

Ajay : In general, there are product releases every quarter. Smaller releases like patches for bugs or security are released in a monthly cycle (if need arises). But an interesting aspect that I would like to stress here is that upgrades and patch deployments are also seamless and in most cases there is no down time, especially for our PAM-as-a-Service solutions where the latest updates are instantly available via the cloud. PAM in general is a mission critical product for clients and it touches or integrates with a lot of systems, hence, our product roadmap always has many features that we foresee a demand for, or that clients ask for across our solution modules.

Praveen: OK. That just about wraps it up. Thanks, Ajay, for your time and your insights.
