1
00:00:00,040 --> 00:00:04,480
But the first thing what I 
always do is check if the salt 

2
00:00:04,480 --> 00:00:07,160
is closed because you really 
want to prevent that. 

3
00:00:07,160 --> 00:00:10,480
There is a blast radius of 
attack of salt of course on your

4
00:00:10,800 --> 00:00:15,200
when you meet our foods. 
And yeah, that's also of course 

5
00:00:15,200 --> 00:00:19,360
with privileged access management.
You cannot prevent that your 

6
00:00:19,360 --> 00:00:22,880
data gets stolen, but you at 
least can minimize the risk. 

7
00:00:23,120 --> 00:00:27,320
And that is limited data gets 
stolen because those so-called 

8
00:00:27,320 --> 00:00:30,360
bad guys, maybe they're already 
in your environment, but at 

9
00:00:30,360 --> 00:00:33,360
least if they steal certain 
credentials or whatever, do you 

10
00:00:33,360 --> 00:00:37,400
want to minimize that attack? 
And therefore, again, it's 

11
00:00:37,400 --> 00:00:40,680
really important that you have 
your maturity model also defined

12
00:00:40,680 --> 00:00:43,520
properly and your capabilities, 
which you want to have. 

13
00:00:43,520 --> 00:00:46,360
So it's also, you need to be 
clear what are your requirements

14
00:00:46,840 --> 00:00:49,520
in your organization. 
And I think also important is 

15
00:00:49,560 --> 00:00:52,520
how do you sell this to your 
organization, of course. 

16
00:00:53,960 --> 00:00:56,680
I can't think anything worse 
than being assaulted. 

17
00:00:56,800 --> 00:01:07,000
Oh, terrible fun, I know. 
This is identity at the center 

18
00:01:07,600 --> 00:01:10,640
if it has anything to do with 
IAM. 

19
00:01:10,680 --> 00:01:17,240
This is the go to podcast now 
your hosts Jim McDonald and Jeff

20
00:01:17,240 --> 00:01:19,240
Steadman.
Welcome to the Identity at the 

21
00:01:19,240 --> 00:01:21,120
Center podcast. 
I'm Jeff, and that's Jim. 

22
00:01:21,120 --> 00:01:22,920
Hey, Jim. 
Hey, Jeff, how are you? 

23
00:01:23,440 --> 00:01:25,280
Not so bad yourself. 
Doing great. 

24
00:01:25,280 --> 00:01:27,880
And we're sitting here in the 
middle of the summer and we had 

25
00:01:27,880 --> 00:01:31,600
a meeting earlier today to talk 
about conferences and all the 

26
00:01:31,600 --> 00:01:34,720
conferences that are coming up. 
And I'm like, how are we going 

27
00:01:34,720 --> 00:01:38,320
to get into actual work done if 
we go to all these conferences? 

28
00:01:38,920 --> 00:01:41,880
Well, that's the thing, right? 
I think I, I'm, I'm always 

29
00:01:41,880 --> 00:01:45,480
surprised at how good of a job 
you and I have done of 

30
00:01:45,480 --> 00:01:48,040
separating our work life from 
this podcast. 

31
00:01:48,480 --> 00:01:50,800
People don't know we actually 
have real jobs. 

32
00:01:50,800 --> 00:01:52,800
We are identity consultants 
during the day. 

33
00:01:53,440 --> 00:01:56,120
We work for a large company named
RSM, and that's what we do, 

34
00:01:56,120 --> 00:01:57,640
right? 
The podcast is like the separate

35
00:01:57,640 --> 00:02:01,240
thing and yeah, there is work 
that needs to get done, plus the

36
00:02:01,240 --> 00:02:04,520
podcasts, which is the separate 
thing, plus like conference 

37
00:02:04,520 --> 00:02:07,760
attendance and stuff like that. 
So we are very busy boys 

38
00:02:08,000 --> 00:02:10,479
basically throughout the year. 
Yeah. 

39
00:02:10,479 --> 00:02:14,640
I mean, you know, we're very 
busy and I think it's good that 

40
00:02:14,640 --> 00:02:17,840
you pointed that out because I 
don't think many people either 

41
00:02:17,840 --> 00:02:21,280
realize that maybe they think we
do the podcast full time. 

42
00:02:21,680 --> 00:02:23,760
That would be great. 
But that probably won't happen 

43
00:02:23,760 --> 00:02:26,720
until like because we retire 
from our day jobs. 

44
00:02:27,120 --> 00:02:31,400
But I, I think the podcast is 
getting to the point of almost 

45
00:02:31,400 --> 00:02:35,040
being like a second, you know, 
job like moonlighting, because 

46
00:02:35,200 --> 00:02:40,200
most of the time we're recording
sessions after the US business 

47
00:02:40,200 --> 00:02:43,440
day, unless we are lucky enough 
to get a guest like we have 

48
00:02:43,440 --> 00:02:48,560
today who is based in across the
pond in Europe or elsewhere in 

49
00:02:48,560 --> 00:02:51,040
the world. 
And we have to kind of have some

50
00:02:51,040 --> 00:02:53,720
kind of realistic time that 
works for both parties. 

51
00:02:54,120 --> 00:02:56,880
Yeah, exactly. 
And we're going to get to Mihiel

52
00:02:56,880 --> 00:02:58,240
in a second. 
I want to talk about those 

53
00:02:58,240 --> 00:03:00,880
conferences though, so we can 
kind of take care of business 

54
00:03:00,880 --> 00:03:03,760
before we get started with our 
main topic on privileged access.

55
00:03:03,760 --> 00:03:06,440
But you mentioned conferences. 
We got a bunch coming up. 

56
00:03:06,480 --> 00:03:09,600
We've got Identity Week. 
Identity Week America,

57
00:03:09,600 --> 00:03:11,720
September 11th and 12th, you and
I are gonna be there. 

58
00:03:12,000 --> 00:03:14,800
We've got Asia, which is October
22nd, 23rd. 

59
00:03:15,400 --> 00:03:17,360
I'm not planning on being there.
I don't know if you are, 

60
00:03:17,360 --> 00:03:19,840
probably not either. 
But unfortunately not this year.

61
00:03:20,320 --> 00:03:21,880
Yeah, I'd love to go. 
I've never been. 

62
00:03:21,880 --> 00:03:24,680
So I'm always happy to go any 
pretty much anywhere at least 

63
00:03:24,680 --> 00:03:27,760
once I'll travel to. 
But we've got a discount code 

64
00:03:27,840 --> 00:03:32,720
IDAC 30, IDAC 30 that gets you 
30% off of your registration for

65
00:03:32,720 --> 00:03:37,160
both the Washington, DC America 
conference as well as the 

66
00:03:37,160 --> 00:03:40,040
Singapore conference in Asia. 
So you can use that code 

67
00:03:40,040 --> 00:03:42,040
interchangeably for both of 
those or, or both. 

68
00:03:42,160 --> 00:03:43,680
And if if you end up going to 
both. 

69
00:03:44,360 --> 00:03:46,120
So that's the one conference 
that we'll be at.

70
00:03:46,120 --> 00:03:49,160
And then we just finally got our
discount code thanks to the our 

71
00:03:49,160 --> 00:03:51,320
friends over at FIDO.
So shout out to Adrian. 

72
00:03:51,720 --> 00:03:54,880
The Authenticate conference
that's October 14th through 16th

73
00:03:54,920 --> 00:03:59,040
that's in Carlsbad, CA. Super
cool location as it was last 

74
00:03:59,040 --> 00:04:00,920
year. 
Definitely recommended any 

75
00:04:01,040 --> 00:04:03,200
anytime you can go to a 
conference that has like a good,

76
00:04:03,560 --> 00:04:06,360
you know, vibe and location 
that's like just like puts it 

77
00:04:06,360 --> 00:04:08,840
over the top. 
It's like a work vacation then. 

78
00:04:09,680 --> 00:04:13,480
It is kind of, but it's a great 
spot, kind of a resort golf 

79
00:04:13,480 --> 00:04:15,040
course type things. 
There's plenty of things to do 

80
00:04:15,680 --> 00:04:19,640
IDAC 15 that gets you 15% off
your registration for that one 

81
00:04:19,640 --> 00:04:21,560
as well. 
I'll have all those codes and 

82
00:04:21,560 --> 00:04:24,320
stuff in our show notes so 
people can check that out and 

83
00:04:25,120 --> 00:04:27,160
we'll have them on our website 
and I already put put them on 

84
00:04:27,160 --> 00:04:28,520
our home page. 
So if you just go to 

85
00:04:28,520 --> 00:04:31,800
idacpodcast.com and scroll down
just a little bit, depending on 

86
00:04:31,800 --> 00:04:33,760
your monitor resolution, you
should see how the code's there 

87
00:04:33,960 --> 00:04:35,280
and stuff like that. 
So hopefully we'll see people 

88
00:04:35,280 --> 00:04:37,640
there. 
What else we've got, you know, 

89
00:04:37,640 --> 00:04:38,640
Gartner's coming up with this 
year? 

90
00:04:38,640 --> 00:04:40,240
I think you and I are trying to 
figure out if we're gonna make 

91
00:04:40,240 --> 00:04:43,160
it out for that one. 
Identiverse has their regional 

92
00:04:43,160 --> 00:04:45,920
events coming up in November. 
So there's one in Chicago, 

93
00:04:45,920 --> 00:04:49,880
there's one in New York City 
looking at, you know, one or 

94
00:04:49,880 --> 00:04:53,600
both of those as well to be at. 
But yeah, busy boys. 

95
00:04:53,600 --> 00:04:55,480
So that's the conference stuff. 
Yeah. 

96
00:04:55,480 --> 00:04:58,200
Well, and if you're out there 
listening, you're like mention 

97
00:04:58,200 --> 00:05:02,920
my conference, reach out to us, 
Jim at IDAC podcast or Jeff at

98
00:05:02,920 --> 00:05:06,880
IDAC podcast or both, but give
us a discount code so we can 

99
00:05:06,880 --> 00:05:10,040
share it with our listeners. 
You know, everybody's looking to

100
00:05:10,040 --> 00:05:15,040
save some money these days and 
all days people want to save 

101
00:05:15,080 --> 00:05:18,680
some money. 
But yeah, we we are the home for

102
00:05:18,680 --> 00:05:21,000
getting this information out 
there and helping people save 

103
00:05:21,000 --> 00:05:25,200
money on attending conferences. 
Again, like from even from my 

104
00:05:25,200 --> 00:05:27,320
own standpoint, I can't go to 
all the conferences. 

105
00:05:27,320 --> 00:05:30,160
I want to. Day job.
Yeah. 

106
00:05:30,800 --> 00:05:33,040
Well, why don't we talk about 
privileged access management? 

107
00:05:33,120 --> 00:05:36,000
And to that end, very excited 
that we have Mihiel Stope. 

108
00:05:36,000 --> 00:05:38,840
He's the director of Identity 
management at Philips, joining

109
00:05:38,840 --> 00:05:40,240
us all the way from the 
Netherlands. 

110
00:05:40,760 --> 00:05:44,560
Welcome to the show. 
Thanks Jim and Jeff for the 

111
00:05:44,560 --> 00:05:48,040
introduction and I'm looking 
forward to be a guest in your 

112
00:05:48,040 --> 00:05:50,600
Identity at the Center Show 
podcast. 

113
00:05:51,720 --> 00:05:54,120
Well, thanks for joining us. 
I want to take care of some 

114
00:05:54,120 --> 00:05:57,440
downer business right up front. 
I know that you were cheering 

115
00:05:57,440 --> 00:06:01,240
for the Netherlands against 
England in the Euro 24 match 

116
00:06:01,240 --> 00:06:04,840
that took place recently. 
I, I, you and I had a little bit

117
00:06:04,840 --> 00:06:06,360
of a bet going. 
Well, at least that kind of 

118
00:06:06,360 --> 00:06:08,640
sounds like Jim usually starts 
off with something negative. 

119
00:06:09,040 --> 00:06:10,320
And so that was like our inside 
joke. 

120
00:06:10,320 --> 00:06:12,160
And so I was like, all right, 
well, you know, just listen, see

121
00:06:12,160 --> 00:06:14,160
if it happens. 
I don't think today was super 

122
00:06:14,160 --> 00:06:15,000
negative. 
I think it was great. 

123
00:06:15,000 --> 00:06:17,840
So kudos to Jim for keeping on 
the positive note, but I'm the 

124
00:06:17,840 --> 00:06:19,320
one who's going to drop it down 
a little bit. 

125
00:06:19,480 --> 00:06:22,920
Unfortunately, the Netherlands lost
in the last minute to England. 

126
00:06:22,920 --> 00:06:27,840
How are you feeling? 
Yeah, it's, it's a, it's a sad 

127
00:06:27,840 --> 00:06:31,960
loss of course, but as Gary 
Lineker always said from the 

128
00:06:32,080 --> 00:06:36,480
England, the game is 19 minutes 
and always the Germans will win 

129
00:06:36,480 --> 00:06:40,120
at the end, but this time it's 
already 2 matches in a row. 

130
00:06:40,120 --> 00:06:43,880
It's like exactly for England. 
So they won't let a game in the 

131
00:06:43,880 --> 00:06:47,200
19 in the last 19 minutes or 
they won the game. 

132
00:06:47,200 --> 00:06:52,760
So except for the Netherlands, 
but luckily for the England. 

133
00:06:53,880 --> 00:06:56,400
And in either case, identity and
access management goes on. 

134
00:06:56,400 --> 00:06:58,600
I mentioned when I introduced 
you that you're a director of 

135
00:06:58,600 --> 00:07:00,000
identity management for 
Philips.

136
00:07:00,480 --> 00:07:03,360
Tell us a little bit about your 
journey into this field of 

137
00:07:03,840 --> 00:07:06,520
digital identity or identity and
access management or or maybe 

138
00:07:06,520 --> 00:07:08,640
both. 
How did you get into the space? 

139
00:07:08,640 --> 00:07:10,920
Is it something that you chose 
or did it choose you? 

140
00:07:12,600 --> 00:07:15,280
No. 
So my journey in identity

141
00:07:15,280 --> 00:07:19,480
and access management started after I
graduated my Master of 

142
00:07:19,480 --> 00:07:22,160
Information Management at the 
university. 

143
00:07:22,560 --> 00:07:28,320
So just posted my resume on the 
Internet and hopefully some 

144
00:07:28,320 --> 00:07:32,080
recruiters would reach out to me
and then one of the companies 

145
00:07:32,080 --> 00:07:35,760
would reach out to me was a 
consultancy firm in the identity

146
00:07:35,760 --> 00:07:39,800
and access management space. 
And yeah, I, I really like the 

147
00:07:39,800 --> 00:07:42,920
conversation. 
So I joined it and from there 

148
00:07:42,920 --> 00:07:45,560
onwards, I'm only in identity 
and access management. 

149
00:07:45,560 --> 00:07:49,200
But looking back, I think I 
already had some background in 

150
00:07:49,200 --> 00:07:53,120
identity and access management 
because I started as a System 

151
00:07:53,320 --> 00:07:55,880
Administrator, network 
administrator when I was a 

152
00:07:55,880 --> 00:07:58,080
student. 
So they also needed to do 

153
00:07:58,080 --> 00:08:01,240
account management and ensure 
that the people had the right 

154
00:08:01,240 --> 00:08:06,440
access, the right time. 
And so now you're with Philips.

155
00:08:06,440 --> 00:08:09,760
Tell us I, I feel like, I know 
like maybe what part of what 

156
00:08:09,760 --> 00:08:13,760
Phillips does kind of 
everywhere, but what is it that 

157
00:08:13,760 --> 00:08:15,680
Philips does for people who
aren't aware of that? 

158
00:08:16,720 --> 00:08:20,520
Yeah, Philips is a company that
has been founded more than 130 

159
00:08:20,520 --> 00:08:23,880
years ago and since then, of 
course we are improving people's

160
00:08:23,880 --> 00:08:27,160
lives with steady flow, ground 
breaking innovations. 

161
00:08:27,200 --> 00:08:31,920
But as technology comes and go, 
the same applies for company. 

162
00:08:31,920 --> 00:08:35,919
So in the last decade Philips 
transforms as a company in a 

163
00:08:35,919 --> 00:08:39,919
health technology company. 
So we are only health technology

164
00:08:40,000 --> 00:08:42,799
focused with a lot of brands, 
licensed companies. 

165
00:08:43,080 --> 00:08:46,040
So the light bulbs are not from 
Philips anymore, that's 

166
00:08:46,360 --> 00:08:48,440
different company. 
And the same is for the kitchen 

167
00:08:48,440 --> 00:08:51,680
appliance and the television. 
So nowadays we are really 

168
00:08:51,680 --> 00:08:53,680
focusing only on the health 
technology. 

169
00:08:54,000 --> 00:08:57,080
And at the center of the Philips
health journey is then of course

170
00:08:57,080 --> 00:09:00,200
that's we want to ensure that 
people are living healthy. 

171
00:09:00,360 --> 00:09:02,320
So we want to prevent that you 
get diseases. 

172
00:09:02,320 --> 00:09:04,800
So we have products there, but 
in case you need to go to the 

173
00:09:04,800 --> 00:09:09,800
hospital, for example, then we 
supply products for the health 

174
00:09:09,800 --> 00:09:13,120
professionals. 
So they can also do some 

175
00:09:13,120 --> 00:09:17,040
diagnosis threats. 
You help you with treatment, not

176
00:09:17,040 --> 00:09:18,600
a treat because it's something 
else. 

177
00:09:21,240 --> 00:09:25,400
And of course, if you are 
recovering from, you need to 

178
00:09:25,400 --> 00:09:27,240
recover. 
We also have products there, so 

179
00:09:27,240 --> 00:09:31,280
we can monitor you from 1:00. 
So I'm always curious about the 

180
00:09:31,360 --> 00:09:34,080
sort of the day-to-day jobs that
people have when it comes to 

181
00:09:34,080 --> 00:09:35,560
identity. 
You know, Jim and I mentioned we

182
00:09:35,560 --> 00:09:38,240
do kind of consulting that kind 
of we do consulting during the 

183
00:09:38,240 --> 00:09:39,960
day, right? 
We talk identity all day. 

184
00:09:40,560 --> 00:09:41,680
Tell me about about your 
day-to-day. 

185
00:09:41,680 --> 00:09:44,920
What's it like to be a director 
of, you know, identity 

186
00:09:44,920 --> 00:09:46,880
management? 
Help people understand what that

187
00:09:46,880 --> 00:09:48,320
means? 
Yeah. 

188
00:09:48,400 --> 00:09:52,040
So I need to ensure in Philips
that we define our strategy,

189
00:09:52,040 --> 00:09:57,320
vision and the road map.
So and also ensure that we get 

190
00:09:57,320 --> 00:10:00,920
the buy in from the management 
and get funding of course to get

191
00:10:01,080 --> 00:10:03,560
the things implemented to 
improve our security. 

192
00:10:03,840 --> 00:10:07,960
And then I'm leading a team who
is like a product owner subject 

193
00:10:07,960 --> 00:10:10,760
matter experts who are doing the
actual implementation. 

194
00:10:12,680 --> 00:10:15,680
So Mihiel, I'd like to
transition to our topic for the 

195
00:10:15,680 --> 00:10:19,240
day: privileged access management.
I'm going to start real simple, 

196
00:10:19,240 --> 00:10:23,440
like how do you define it? 
Which simple question, but maybe

197
00:10:23,440 --> 00:10:26,480
a complex answer because when 
you think about privilege, 

198
00:10:27,800 --> 00:10:30,680
obviously I think we all think 
domain administrators privilege,

199
00:10:30,720 --> 00:10:33,880
right? 
But if somebody can make a 

200
00:10:33,880 --> 00:10:37,800
journal entry or there are power
users that privilege, I want to 

201
00:10:37,800 --> 00:10:40,600
know how you define or how 
Philips defines.

202
00:10:41,120 --> 00:10:44,520
Maybe less about Philips, but
in your mind, how do you define 

203
00:10:44,520 --> 00:10:46,920
privileged access management?
Yeah, yeah. 

204
00:10:46,920 --> 00:10:50,200
For me, privileged access
management is an umbrella 

205
00:10:50,200 --> 00:10:56,360
terminology which consists of 
multiple let's say capabilities 

206
00:10:57,640 --> 00:11:04,000
to manage the elevated non 
restrictive access of on the 

207
00:11:04,000 --> 00:11:06,960
accounts in the application 
layers or platform or 

208
00:11:06,960 --> 00:11:09,520
infrastructure layer. 
Yeah. 

209
00:11:09,680 --> 00:11:15,360
And so kind of thinking, one of 
the areas that I always kind of 

210
00:11:15,360 --> 00:11:18,520
start my thinking when it comes 
to privileged access management

211
00:11:18,520 --> 00:11:22,800
is your policy framework. 
So having good policies around 

212
00:11:23,280 --> 00:11:27,640
what is privilege? 
So what types of access do all 

213
00:11:27,640 --> 00:11:31,320
these rules that we're going to 
lay out apply to? 

214
00:11:31,320 --> 00:11:34,520
And then what are the rules? 
So, but then it goes beyond 

215
00:11:34,520 --> 00:11:37,640
that, right? 
If you get the, the foundation 

216
00:11:37,640 --> 00:11:41,200
of the policies, right? 
You talked about this, right? 

217
00:11:41,200 --> 00:11:45,000
So the way we we got introduced 
was you're doing some 

218
00:11:45,000 --> 00:11:48,480
presentation on privileged 
access management. 

219
00:11:48,480 --> 00:11:52,360
You have a kind of a story and 
one of the parts that you talk 

220
00:11:52,360 --> 00:11:55,800
about is kind of the framework 
for how you look at kind of 

221
00:11:56,000 --> 00:12:01,320
initial maturity up to more 
mature in terms of privileged 

222
00:12:01,320 --> 00:12:04,680
access management. 
So given that, can you kind of 

223
00:12:04,680 --> 00:12:06,280
talk about that framework a 
little bit? 

224
00:12:07,320 --> 00:12:10,760
Yep. 
So it's really important, of 

225
00:12:10,760 --> 00:12:12,960
course, that you also first 
understand the risk in your 

226
00:12:12,960 --> 00:12:14,920
organization. 
So you need to have a risk 

227
00:12:14,920 --> 00:12:17,240
register. 
So there you will define all the

228
00:12:17,240 --> 00:12:19,400
observations which you have in 
the organization. 

229
00:12:19,400 --> 00:12:22,360
You will the observations you 
will link to the to the risk. 

230
00:12:22,360 --> 00:12:24,920
Then you will define your 
mitigation actions, of course, 

231
00:12:24,920 --> 00:12:27,800
and your road map items. 
And the second thing is indeed 

232
00:12:27,800 --> 00:12:31,120
what is really important to show
maturity and you need to define 

233
00:12:31,120 --> 00:12:34,440
a maturity model in your 
organization to understand where

234
00:12:34,440 --> 00:12:38,880
are you today and where do we 
want to be in the future. 

235
00:12:38,960 --> 00:12:42,560
So what what do you want to 
achieve now? 

236
00:12:42,560 --> 00:12:45,400
What does that then look like? 
I think do you want to zoom into

237
00:12:45,400 --> 00:12:47,080
that, Jim? 
Yeah, let's zoom in. 

238
00:12:47,440 --> 00:12:49,840
Let's get get right into this. 
The Identity at the Center 

239
00:12:49,840 --> 00:12:51,520
podcast, man, we're all about 
this. 

240
00:12:52,160 --> 00:12:53,720
Perfect. 
So yeah, if you're looking at 

241
00:12:53,720 --> 00:12:57,240
the maturity, you will. 
No, OK. 

242
00:12:57,640 --> 00:13:00,960
Everybody knows when maybe what 
a maturity is, but we define our

243
00:13:00,960 --> 00:13:03,440
maturity model from level one to
level 5. 

244
00:13:03,720 --> 00:13:10,800
And that's based on the, let's 
say from the analyst companies. 

245
00:13:10,920 --> 00:13:13,920
Yeah, from the analyst companies
like Gartner, KuppingerCole or

246
00:13:13,920 --> 00:13:17,760
Forrester, they also provide a 
framework which you can use and 

247
00:13:17,760 --> 00:13:20,120
then vendors as well. 
A framework. 

248
00:13:21,080 --> 00:13:25,360
Yeah, that's nice guidance. 
But within Philips, we defined 

249
00:13:25,360 --> 00:13:30,920
our own maturity model that's 
applicable across multiple 

250
00:13:30,920 --> 00:13:33,280
domains, not only for the 
identity and access management 

251
00:13:33,280 --> 00:13:36,400
domains, because my peers, for 
example, are responsible for 

252
00:13:36,400 --> 00:13:39,040
trend management or data 
protection. 

253
00:13:39,480 --> 00:13:42,400
So we have a standard model 
defined across these domains. 

254
00:13:43,440 --> 00:13:45,480
Now, if you're looking into what
does it look like to have 

255
00:13:45,480 --> 00:13:48,520
capabilities, what I explained 
on the left side, then you have 

256
00:13:48,520 --> 00:13:51,600
your functions defined and the 
functions really like from level

257
00:13:51,600 --> 00:13:56,160
1, 2, 3, 4, 5. So think about session
recording, vaulting or whatever.

258
00:13:58,040 --> 00:14:02,040
And these relink capabilities 
will link to controls and 

259
00:14:02,040 --> 00:14:03,520
controls. 
You need to think about the 

260
00:14:03,520 --> 00:14:07,120
standards which are existing 
around the globe is like the CIS

261
00:14:07,120 --> 00:14:10,160
controls, the NIST controls or
the ISO. 

262
00:14:10,440 --> 00:14:14,040
And these controls we have 
defined in, in our security 

263
00:14:14,040 --> 00:14:17,120
management framework. 
And then we link these controls 

264
00:14:17,120 --> 00:14:21,520
to the threats and that's 
defined in the MITRE ATT&CK

265
00:14:21,520 --> 00:14:23,600
framework. 
So then you understand really 

266
00:14:23,720 --> 00:14:26,520
the risks which you have in your
organization, you link them to 

267
00:14:26,520 --> 00:14:28,440
the controls and the 
capabilities. 

268
00:14:28,440 --> 00:14:31,280
And then with the matrix, you 
can define, OK, where are we 

269
00:14:31,280 --> 00:14:34,000
today? 
And it gives you a very clear 

270
00:14:34,000 --> 00:14:37,640
overview where you are in your 
organization and what you need 

271
00:14:37,640 --> 00:14:41,440
to do in the next coming year. 
So first, I want to acknowledge 

272
00:14:41,440 --> 00:14:44,920
what you just said there around 
framework thinking. 

273
00:14:44,920 --> 00:14:48,160
And I think this is something as
a consultant, I learned very 

274
00:14:48,160 --> 00:14:52,840
early on, but I think for our 
the practitioner community, 

275
00:14:52,840 --> 00:14:57,600
which I consider myself part of,
you know, being able to talk in 

276
00:14:57,600 --> 00:15:01,640
terms of industry frameworks 
makes you sound well prepared, 

277
00:15:01,680 --> 00:15:05,600
not just sound well prepared, 
but be well prepared and tapping

278
00:15:05,600 --> 00:15:10,560
into, you know, some of these 
industry defined frameworks like

279
00:15:10,560 --> 00:15:14,960
you mentioned, like NIST and ISO
and ITIL and being able to say, 

280
00:15:14,960 --> 00:15:18,760
OK, this is what the industry's 
doing. 

281
00:15:18,840 --> 00:15:22,560
But then being able to make it 
make sense for your 

282
00:15:22,560 --> 00:15:30,040
organization, I think is a very 
proper way to communicate, you 

283
00:15:30,040 --> 00:15:33,640
know, what the expectations are 
to your organization. 

284
00:15:33,640 --> 00:15:35,720
Because let's face it, when 
we're talking about privileged 

285
00:15:35,720 --> 00:15:40,520
access management, you're not 
just you're not defining the the

286
00:15:40,520 --> 00:15:44,720
policies and rolling out the 
tools and then implementing the 

287
00:15:44,720 --> 00:15:47,440
controls and then doing the 
work, right? 

288
00:15:47,640 --> 00:15:50,960
These are you're setting up 
tools for other people to use to

289
00:15:50,960 --> 00:15:56,880
securely manage access. 
And so being able to come up 

290
00:15:56,880 --> 00:16:04,280
with a proper program and then 
communicate that in terms of a 

291
00:16:04,280 --> 00:16:06,960
framework, I think is is very 
key. 

292
00:16:07,960 --> 00:16:09,400
But you also brought something 
else up. 

293
00:16:09,400 --> 00:16:11,880
And so I'm going to shift the 
conversation to that, which is 

294
00:16:12,320 --> 00:16:15,720
the importance of privileged 
access management relative to 

295
00:16:15,720 --> 00:16:19,360
securing the organization's IT
assets, right? 

296
00:16:19,600 --> 00:16:25,280
And so I think a big part of 
what privileged access 

297
00:16:25,280 --> 00:16:27,680
management. 
So I think privileged access 

298
00:16:27,680 --> 00:16:30,280
management we think of as the 
lane of like controlling the 

299
00:16:30,280 --> 00:16:33,600
accounts and controlling the 
entitlements, maybe check in and

300
00:16:33,600 --> 00:16:35,120
check out. 
But it's more than that, right? 

301
00:16:35,320 --> 00:16:39,640
It also taps into areas like all
manual controls. 

302
00:16:39,840 --> 00:16:47,160
It taps into areas like 
governance, but it also taps 

303
00:16:47,160 --> 00:16:53,760
into some areas like, OK, how do
you shrink your scope, shrink 

304
00:16:53,760 --> 00:16:58,440
your attack surface as much as 
possible so you have the least 

305
00:16:58,440 --> 00:17:04,839
amount of area surface area that
you need to protect. 

306
00:17:05,079 --> 00:17:09,400
And so my question to you is 
like what is your approach when 

307
00:17:09,400 --> 00:17:14,480
it comes to minimizing that 
attack surface or that blast 

308
00:17:14,480 --> 00:17:17,240
radius that's sometimes called? 
Yep. 

309
00:17:17,760 --> 00:17:21,920
So I use always an example. 
I also explained it one time to 

310
00:17:21,920 --> 00:17:24,280
Jeff. 
So about the example of a salt. 

311
00:17:24,760 --> 00:17:31,240
So I was we're attending a 
conference and was sitting on 

312
00:17:31,280 --> 00:17:33,040
the table and had a 
conversation. 

313
00:17:33,040 --> 00:17:36,040
And of course, if you have to 
get your food served on the 

314
00:17:36,040 --> 00:17:39,360
table, maybe you want to have 
more little bit more salty or 

315
00:17:39,360 --> 00:17:41,440
whatever you saw and you take 
the salt. 

316
00:17:41,840 --> 00:17:45,840
So and then you want to put the 
salt of course on your these 

317
00:17:45,840 --> 00:17:48,800
potatoes or whatever. 
But the first thing what I 

318
00:17:48,800 --> 00:17:53,880
always do is check if the salt 
is closed because you really 

319
00:17:53,880 --> 00:17:56,120
want to prevent that. 
There is a blast radius of 

320
00:17:56,560 --> 00:18:00,360
attack of salt of course on your
when you meet our food. 

321
00:18:00,400 --> 00:18:05,160
And yeah, that's also of course 
with privileged access management.

322
00:18:05,160 --> 00:18:08,640
You cannot prevent that your 
data gets stolen, but you at 

323
00:18:08,640 --> 00:18:13,440
least can minimize the risk. 
And that is limited data gets 

324
00:18:13,440 --> 00:18:16,800
stolen because those so-called 
bad guys, maybe they're already 

325
00:18:16,800 --> 00:18:19,840
in your environment, but at 
least if they steal certain 

326
00:18:19,840 --> 00:18:23,000
credentials or whatever, do you 
want to minimize that attack? 

327
00:18:23,240 --> 00:18:26,680
And therefore, again, it's 
really important that you have 

328
00:18:26,680 --> 00:18:30,280
your maturity model also defined
properly and your capabilities 

329
00:18:30,280 --> 00:18:32,480
which you want to have. 
So it's also you need to be 

330
00:18:32,480 --> 00:18:35,720
clear what are your requirements
in your organization. 

331
00:18:35,840 --> 00:18:38,720
And I think also important is 
how do you sell this to your 

332
00:18:39,160 --> 00:18:43,000
organization, of course. 
I can't think anything worse 

333
00:18:43,000 --> 00:18:45,360
than being assaulted. 
Oh, terrible fun. 

334
00:18:45,360 --> 00:18:49,440
I know. 
I was thinking of the analogy 

335
00:18:49,440 --> 00:18:51,880
and Mihiel, you and I were talking
about this the other day of kind

336
00:18:51,880 --> 00:18:55,160
of like a submarine, right? 
If there is like a, you have 

337
00:18:55,160 --> 00:18:58,160
these little doors throughout 
and they can, if one part gets

338
00:18:58,160 --> 00:19:01,440
flooded, close the door and sort
of prevent the rest of the of 

339
00:19:01,440 --> 00:19:04,120
the boat going down. 
Your example is way more 

340
00:19:04,120 --> 00:19:06,560
positive than mine, so we'll 
stick with yours. 

341
00:19:07,040 --> 00:19:10,080
You mentioned there briefly 
about getting support for 

342
00:19:10,080 --> 00:19:12,520
privileged access management. 
Now that we kind of understand, 

343
00:19:12,520 --> 00:19:14,360
right, We have definition of 
what it is and why it's 

344
00:19:14,360 --> 00:19:17,160
important. 
This is the next step in my mind

345
00:19:17,160 --> 00:19:20,040
is how do you get support to 
actually do something about it? 

346
00:19:20,080 --> 00:19:23,240
It's like, OK, at some point we 
have to like stop talking and 

347
00:19:23,240 --> 00:19:28,000
start doing something to better 
secure lower risk, maybe make 

348
00:19:28,000 --> 00:19:29,520
maybe make people's lives 
easier. 

349
00:19:29,520 --> 00:19:32,080
I'm not sure. 
But how do you work through that

350
00:19:32,080 --> 00:19:37,760
process of selling the PAM
program or the PAM project or

351
00:19:37,760 --> 00:19:41,520
initiative, whatever you want to
call it to your organization to 

352
00:19:41,520 --> 00:19:44,720
say, OK, yes, we've got buy in 
now. 

353
00:19:44,720 --> 00:19:46,960
Here's the funding or the 
resources to go get it. 

354
00:19:47,760 --> 00:19:50,080
Yeah, yeah. 
I think that's the hardest thing

355
00:19:50,080 --> 00:19:54,120
of course, because it's not 
really visible for everyone 

356
00:19:54,120 --> 00:19:56,480
because I'm just, it's only 
limited. 

357
00:19:56,480 --> 00:19:59,680
So it's really that only to the 
IT department from a lot of 

358
00:19:59,680 --> 00:20:01,680
people I think. 
But it's not only limited to 

359
00:20:01,680 --> 00:20:05,080
your own IT, maybe it's also to 
manufacturing your OT or your 

360
00:20:05,080 --> 00:20:07,320
R&D. 
But yeah, that's the hardest 

361
00:20:07,320 --> 00:20:09,720
point of course, in privileged 
access management. 

362
00:20:09,720 --> 00:20:13,920
How do you, how do you sell it? 
Because it is not really fancy 

363
00:20:13,920 --> 00:20:16,600
or whatever. 
It's like maybe you need to see 

364
00:20:16,600 --> 00:20:19,040
it like your electricity or 
water, it's working. 

365
00:20:19,040 --> 00:20:22,520
So why should I invest something
which is working? 

366
00:20:22,520 --> 00:20:24,800
Because their services are 
running fine so. 

367
00:20:25,360 --> 00:20:27,720
Why should I do it? 
And I think from my perspective,

368
00:20:27,720 --> 00:20:31,320
from my own platform or 
application or infrastructure 

369
00:20:31,320 --> 00:20:34,200
perspective, I have the feeling 
that I'm really well controlled 

370
00:20:34,200 --> 00:20:37,120
because here there has been an 
audit done and according to this

371
00:20:37,120 --> 00:20:41,680
audit to this, it's fine. 
So you never should treat this 

372
00:20:41,680 --> 00:20:44,040
individually per application. 
So you'll need to look at the 

373
00:20:44,040 --> 00:20:47,480
bigger picture. 
And I think it's important if 

374
00:20:47,480 --> 00:20:51,520
you look at the bigger picture 
that you sit together with your 

375
00:20:51,520 --> 00:20:54,200
compliance and audit department 
and that you have clearly 

376
00:20:54,200 --> 00:20:56,480
defined, OK, what do we want to 
measure? 

377
00:20:56,480 --> 00:21:00,000
What do we what, what do we want
to have as a result of looking 

378
00:21:00,000 --> 00:21:02,440
into these audit reports? 
Because there's, there are a lot

379
00:21:02,440 --> 00:21:05,200
of findings in it. 
And then also explain that to 

380
00:21:05,200 --> 00:21:06,840
your management, make that 
visible. 

381
00:21:06,840 --> 00:21:12,280
So just as an example, like 
just look into how many of the 

382
00:21:12,280 --> 00:21:15,280
software using are using the 
default accounts which are 

383
00:21:15,280 --> 00:21:18,120
provided by the vendor. 
So the audit reports will give 

384
00:21:18,120 --> 00:21:22,560
you this data or how do you deal
with access review even its 

385
00:21:22,560 --> 00:21:25,760
privileged access, Do you review
these access rights? 

386
00:21:25,760 --> 00:21:28,800
Who has access to it when it's 
revoked for the last time or 

387
00:21:28,800 --> 00:21:31,360
already elevated access revoked 
or whatever. 

388
00:21:31,360 --> 00:21:34,200
So you need to look at all these
kind of things and get that data

389
00:21:34,200 --> 00:21:37,040
that will help you. 
And then it's going back to your

390
00:21:37,040 --> 00:21:39,920
risk register again because that
helps you with your observations

391
00:21:39,920 --> 00:21:42,240
which you have to provide the 
evidence. 

392
00:21:42,760 --> 00:21:46,240
And if you have this, then yeah,
you can show to your management 

393
00:21:46,240 --> 00:21:48,800
what the risks are in your 
organization or why they should 

394
00:21:48,800 --> 00:21:51,840
invest in it. 
Do you find that your message 

395
00:21:52,360 --> 00:21:54,760
changes context based on who 
you're talking to? 

396
00:21:55,000 --> 00:21:57,840
I would assume you'd have to, 
you know, talk one language 

397
00:21:57,840 --> 00:22:01,680
maybe to more technical crowd 
versus less technical language 

398
00:22:01,680 --> 00:22:04,720
to a different crowd. 
How do you manage that context 

399
00:22:04,720 --> 00:22:08,280
switching to make sure that your
message is being communicated 

400
00:22:08,280 --> 00:22:10,720
effectively to whoever your 
target is? 

401
00:22:11,160 --> 00:22:13,800
And maybe there's examples like 
if you're talking to, you know, 

402
00:22:13,800 --> 00:22:18,840
maybe a, let's call it, you 
know, CIO or a CEO versus maybe a

403
00:22:18,840 --> 00:22:21,440
manager in another area or maybe
even someone from the business. 

404
00:22:21,440 --> 00:22:23,600
How do you how do you approach 
those conversations to get that 

405
00:22:23,600 --> 00:22:26,880
buy in and get that support? 
Yeah, that's a very quick 

406
00:22:26,880 --> 00:22:31,240
question, Jeff saw. 
So yeah, first of all, first to 

407
00:22:31,240 --> 00:22:34,640
get the buy in from your own 
management because try to sell 

408
00:22:34,640 --> 00:22:37,200
the story to your own management
which you have because I think 

409
00:22:37,200 --> 00:22:40,280
if you convince them, then it's 
all they will also guide you how

410
00:22:40,280 --> 00:22:43,160
you can convince other people. 
And then you can sell it as 

411
00:22:43,160 --> 00:22:45,320
well. 
For example, your CEO or CEO or 

412
00:22:45,320 --> 00:22:48,560
the Avenue organization can also
sell it to to the CIO where it's

413
00:22:48,560 --> 00:22:52,800
needed or they can help you to 
tell your story to the CEO and 

414
00:22:53,360 --> 00:22:55,200
get the challenge. 
Of course, that's different than

415
00:22:55,200 --> 00:22:57,640
if you're talking to a service 
manager, because a service 

416
00:22:57,640 --> 00:23:00,840
manager, it's always looking 
from their perspective. 

417
00:23:00,840 --> 00:23:04,480
So they always will get the 
questions like what's in it for 

418
00:23:04,480 --> 00:23:05,840
me? 
So why? 

419
00:23:06,080 --> 00:23:08,400
Why should I do that? 
I'm fine. 

420
00:23:08,400 --> 00:23:11,160
So yeah, maybe my colleague is 
not fine, but I'm fine. 

421
00:23:11,160 --> 00:23:15,400
So and there you need to use a 
different approach of course 

422
00:23:15,400 --> 00:23:17,280
always and explain what the 
benefits are. 

423
00:23:17,480 --> 00:23:23,240
So, Mahil, I wanted to talk a 
little bit about running a 

424
00:23:24,040 --> 00:23:26,680
privileged access management 
program within your 

425
00:23:26,680 --> 00:23:30,680
organization. 
And I want to start at the very 

426
00:23:30,680 --> 00:23:37,320
top in terms of, you know, kind 
of the approach to governing the

427
00:23:37,320 --> 00:23:41,320
program. 
And my question is, you know, do

428
00:23:41,320 --> 00:23:44,560
you see privileged access 
management as being its own 

429
00:23:44,560 --> 00:23:48,880
program or part of the identity 
program? 

430
00:23:49,160 --> 00:23:53,000
And I'm talking about in terms 
of philosophically speaking, but

431
00:23:53,000 --> 00:23:57,040
also in terms of actually like 
do you have separate steering 

432
00:23:57,040 --> 00:24:02,040
committees for the two? 
Because I do see them as to a 

433
00:24:02,040 --> 00:24:05,480
large extent being a different 
audience. 

434
00:24:06,520 --> 00:24:07,840
What? 
What are your thoughts? 

435
00:24:08,480 --> 00:24:10,360
Yeah, Yeah. 
First of all, it's always 

436
00:24:10,360 --> 00:24:12,440
related to of course to your 
company strategy. 

437
00:24:12,440 --> 00:24:15,240
So you have company strategy and
you have security strategy and 

438
00:24:15,240 --> 00:24:18,600
then you have your IAM strategy. 
But indeed, what just you 

439
00:24:18,600 --> 00:24:22,600
mentioned you have for let's say
identity and access management 

440
00:24:22,600 --> 00:24:24,760
umbrella term. 
So you have separate domains and

441
00:24:24,760 --> 00:24:26,520
one is then the privileged 
access management. 

442
00:24:26,520 --> 00:24:28,080
So you have different 
stakeholders there. 

443
00:24:28,280 --> 00:24:30,040
So you need to do stakeholder 
management. 

444
00:24:30,040 --> 00:24:34,080
So you need to identify who are 
your stakeholders are. 

445
00:24:34,320 --> 00:24:37,040
Then also per stakeholder, you 
need to define, it's like, OK, 

446
00:24:37,040 --> 00:24:41,200
should keep them informed, 
should I manage them closely or 

447
00:24:41,480 --> 00:24:43,280
etcetera. 
So that's what you'll need to do

448
00:24:43,280 --> 00:24:44,560
with your stakeholder 
management. 

449
00:24:46,240 --> 00:24:48,960
Yeah. 
Now, OK, so let's take it down a

450
00:24:48,960 --> 00:24:50,680
level. 
So when you get you're talking 

451
00:24:50,680 --> 00:24:54,040
about kind of is organization 
dependent, maybe that's the 

452
00:24:54,040 --> 00:24:58,040
answer for all these. 
But I'd also like to get kind of

453
00:24:58,040 --> 00:25:01,920
like a hot take on some of this.
So in terms of like operations, 

454
00:25:02,400 --> 00:25:06,920
you know, building out privilege
access management capabilities, 

455
00:25:07,160 --> 00:25:09,240
running them on a day-to-day 
basis. 

456
00:25:09,240 --> 00:25:13,680
So let's take an example of 
password vault. 

457
00:25:14,160 --> 00:25:16,240
So you're deploying a password 
vault. 

458
00:25:16,400 --> 00:25:20,520
Who does that deployment? 
Is that the identity team? 

459
00:25:20,880 --> 00:25:25,400
Is that the system engineers who
are going to use the identity 

460
00:25:25,400 --> 00:25:28,160
vault? 
And then in terms of operations,

461
00:25:28,320 --> 00:25:32,200
who owns and runs that thing 
after it's deployed? 

462
00:25:32,600 --> 00:25:35,680
You know, you get that, that 
3:00 somebody, 3:00 in the 

463
00:25:35,680 --> 00:25:40,440
morning, somebody's working on a
server and the password vault is

464
00:25:40,440 --> 00:25:43,160
down. 
Do they call the identity team 

465
00:25:43,280 --> 00:25:47,320
or do they call the vendor and 
fix it within their their group?

466
00:25:47,800 --> 00:25:50,200
Or how does that work it work 
best? 

467
00:25:50,320 --> 00:25:53,640
I think there are three models 
and it depends on your company. 

468
00:25:53,640 --> 00:25:59,200
So you have maybe a central 
model, Federated model I call or

469
00:25:59,200 --> 00:26:01,240
decentralized. 
If your organization using a 

470
00:26:01,240 --> 00:26:05,480
central model, then you are 
defining the strategy, you're 

471
00:26:05,480 --> 00:26:08,280
doing the implementation, you're
defining policies, you have 

472
00:26:08,280 --> 00:26:12,880
everything in control centrally. 
You can also use a Federated 

473
00:26:12,880 --> 00:26:16,400
model and then the Federated 
model, there you define your 

474
00:26:16,400 --> 00:26:20,920
policies, the processes you do, 
the actual deployment, but the 

475
00:26:20,920 --> 00:26:24,360
responsibility is then in the 
business because the business 

476
00:26:24,360 --> 00:26:27,000
needs to make sure that they 
comply to your policies and 

477
00:26:27,000 --> 00:26:29,000
everything. 
So they need to support you with

478
00:26:29,520 --> 00:26:33,120
doing the actual implementation 
and the decentrally. 

479
00:26:33,120 --> 00:26:36,200
Then everybody is has their own 
responsibility and we are using 

480
00:26:36,200 --> 00:26:38,160
a Federated model in the 
organization. 

481
00:26:38,160 --> 00:26:39,960
So we drive everything 
centrally. 

482
00:26:40,200 --> 00:26:42,640
But the business is, in the in 
the end, of course, responsible 

483
00:26:42,640 --> 00:26:48,840
and accountable for that. 
Do you have a a rule of thumb in

484
00:26:48,840 --> 00:26:52,360
terms of like if you have the 
central model or the decentral 

485
00:26:52,360 --> 00:26:57,400
model, how many people you need 
on your digital identity team to

486
00:26:57,400 --> 00:27:02,160
support those models? 
If you're looking into the 

487
00:27:02,160 --> 00:27:08,200
number of FTE in Philips, we 
have a lot of outsourced say 

488
00:27:08,200 --> 00:27:10,480
like that. 
So we have like one SME product 

489
00:27:10,480 --> 00:27:14,080
owner who is responsible for 
that and then we outsource 

490
00:27:14,080 --> 00:27:17,000
everything to a managed service 
park provider or an 

491
00:27:17,000 --> 00:27:21,720
implementation partner. 
Yeah, it depends on how big you

492
00:27:21,720 --> 00:27:24,400
are as a company and what you 
want to achieve of course with 

493
00:27:24,400 --> 00:27:27,760
you during your deployment. 
So if you want to and how many 

494
00:27:27,760 --> 00:27:30,080
servers you have in your 
organization and what that's so 

495
00:27:30,080 --> 00:27:33,480
there's a lot of dependencies. 
So to the size of of that 

496
00:27:33,480 --> 00:27:35,040
varies. 
And then you have of course an 

497
00:27:35,040 --> 00:27:36,960
operation team who manage the 
platform. 

498
00:27:37,520 --> 00:27:40,080
We also outsource that in the 
company. 

499
00:27:40,080 --> 00:27:42,680
So it could be in house 
outsourced or whatever. 

500
00:27:43,000 --> 00:27:45,800
So we have it outsourced in our 
organization. 

501
00:27:46,160 --> 00:27:49,440
So if you're looking into the 
number of people who are 

502
00:27:49,440 --> 00:27:52,520
currently involved in that 
entire privileged access 

503
00:27:52,520 --> 00:27:55,320
management area, then I think we
have around 15 people. 

504
00:27:56,800 --> 00:27:59,200
OK. 
Well, that's pretty. 

505
00:28:00,080 --> 00:28:03,760
I, I think those rules of thumb 
are just helpful for the 

506
00:28:03,760 --> 00:28:06,600
listeners in terms of when they 
think of standing up a program 

507
00:28:06,600 --> 00:28:09,320
like this. 
I think the other interesting 

508
00:28:09,320 --> 00:28:12,280
aspect is like everybody's 
coming into this at a different 

509
00:28:12,600 --> 00:28:16,040
point. 
I think a lot of what we talked 

510
00:28:16,040 --> 00:28:22,360
about probably it's easy to 
picture from like an on-prem, we

511
00:28:22,360 --> 00:28:26,120
run the data center kind of 
model and that's how privileged 

512
00:28:26,120 --> 00:28:28,760
access management was designed 
from the beginning. 

513
00:28:29,080 --> 00:28:32,760
Then you had this thing called 
cloud spin up, right. 

514
00:28:32,760 --> 00:28:36,920
And it's, I don't know if it's 
going to be around, I don't know

515
00:28:36,920 --> 00:28:40,240
if it's going to make it, but 
this cloud concept, it seems to 

516
00:28:40,240 --> 00:28:44,280
have created a lot of privileged
access management use cases, 

517
00:28:44,280 --> 00:28:47,720
scenarios that put things on its
head. 

518
00:28:47,720 --> 00:28:53,320
And not only that, I think 
developers tended to be the ones

519
00:28:53,320 --> 00:28:57,920
to kind of lead the charge or 
developers, not the security 

520
00:28:57,920 --> 00:29:01,720
department led the charge to 
stand up clouds. 

521
00:29:02,160 --> 00:29:05,280
And then the security department
had to come along and, and 

522
00:29:05,280 --> 00:29:09,640
figure out how to secure it. 
And so I'm wondering, do you 

523
00:29:09,640 --> 00:29:14,200
kind of share that perspective 
and have you any techniques to 

524
00:29:14,200 --> 00:29:19,360
share with our listeners in 
terms of how to take an 

525
00:29:19,360 --> 00:29:22,680
environment that's spun up that 
maybe doesn't have all the 

526
00:29:22,680 --> 00:29:28,360
controls that you would want or 
maybe a, you know, a nuance set 

527
00:29:28,360 --> 00:29:31,720
of products that differs from 
kind of the approach that you 

528
00:29:31,720 --> 00:29:37,760
had to date? 
So just using the example from 

529
00:29:37,760 --> 00:29:40,760
us, so we started with the 
program in 2018, now it's 

530
00:29:40,760 --> 00:29:45,320
already 2024. 
So back then we had like 

531
00:29:45,320 --> 00:29:47,160
physical data centers, for 
example. 

532
00:29:47,160 --> 00:29:49,720
So we want to implement a 
password vault to manage the 

533
00:29:49,960 --> 00:29:54,000
credentials of in the physical 
data centre on the platform 

534
00:29:54,000 --> 00:29:56,120
layers. 
But in the meantime, the world 

535
00:29:56,120 --> 00:29:59,560
was of course changing because 
cloud came there, which you also

536
00:29:59,560 --> 00:30:01,080
mentioned. 
So you need to adapt your 

537
00:30:01,080 --> 00:30:03,160
strategy as well and change 
it. 

538
00:30:03,160 --> 00:30:06,320
So it's not just like, hey, I 
define like this now, maybe 

539
00:30:06,320 --> 00:30:08,720
because the world is constantly 
changing, you also need to look 

540
00:30:08,720 --> 00:30:12,920
again at your risk. 
So yes, you set your North star 

541
00:30:12,920 --> 00:30:16,680
or whether or whatever on the 
horizon, but there's never a 

542
00:30:16,680 --> 00:30:18,520
straight line. 
So it will always go like this. 

543
00:30:18,520 --> 00:30:20,240
So you need to adapt to that as 
well. 

544
00:30:20,240 --> 00:30:23,080
So it's like, OK, maybe there's 
some other risk are no more 

545
00:30:23,080 --> 00:30:25,800
important than that we thought 
of. 

546
00:30:25,800 --> 00:30:27,680
So yeah, then adapt your 
strategy. 

547
00:30:28,000 --> 00:30:31,720
I can excel that story to your 
management why you need to make 

548
00:30:31,720 --> 00:30:34,520
these changes, Why? 
Why there is a higher risk, why 

549
00:30:34,520 --> 00:30:37,440
we should invest there? 
Because now so also you see with

550
00:30:38,800 --> 00:30:41,720
there's like capability for 
cloud infrastructure entitlement

551
00:30:41,720 --> 00:30:43,520
management. 
Now we were not aware of that, 

552
00:30:43,520 --> 00:30:44,760
of course, a couple of years 
ago. 

553
00:30:44,760 --> 00:30:48,200
But there's something which is 
now important because if those 

554
00:30:49,240 --> 00:30:51,920
hackers get access to the, or the
bad guys get access to these 

555
00:30:51,920 --> 00:30:54,520
environments, yeah, then they 
get their access to a lot of 

556
00:30:54,520 --> 00:30:57,600
information, of course, or maybe
they can shut down your business

557
00:30:57,600 --> 00:30:59,160
even if they get the wrong 
credentials. 

558
00:30:59,160 --> 00:31:01,200
So you, yeah. 
So you need to adapt your 

559
00:31:02,040 --> 00:31:03,880
strategy. 
Wow. 

560
00:31:03,880 --> 00:31:06,720
And it's a challenge because 
there, but you also mentioned at

561
00:31:06,720 --> 00:31:08,960
the introduction, there are so 
many credentials. 

562
00:31:08,960 --> 00:31:12,280
So think about SSH keys. 
Yeah, if your API credentials 

563
00:31:12,280 --> 00:31:15,760
you have like your domain admin 
accounts, there are so many. 

564
00:31:15,960 --> 00:31:18,640
So where you will start. 
So yeah, you need to define 

565
00:31:18,640 --> 00:31:23,960
really where the risks are and 
accept that also that there are 

566
00:31:23,960 --> 00:31:26,040
other risks and you cannot do 
everything in one go. 

567
00:31:26,240 --> 00:31:31,480
So I feel like this is go ahead.
I feel like this is an area 

568
00:31:31,480 --> 00:31:35,840
where, you know, policy and 
process only take you so far and

569
00:31:35,840 --> 00:31:39,080
it's one of the areas where it's
like you really need technology 

570
00:31:39,120 --> 00:31:42,320
to have this be effectively 
controlled and managed and so 

571
00:31:42,320 --> 00:31:46,200
forth. 
Would you agree with that 

572
00:31:46,200 --> 00:31:49,360
statement that this is really 
something that you do need 

573
00:31:49,360 --> 00:31:51,440
technology, whereas maybe 
something like an identity 

574
00:31:51,440 --> 00:31:55,080
governance, you could always 
sort of brute force the 

575
00:31:55,360 --> 00:31:57,200
provisioning or deprovisioning 
of things. 

576
00:31:57,200 --> 00:32:01,880
But if you really want to 
effectively manage SSH keys, you

577
00:32:01,880 --> 00:32:06,600
know certificates, you know 
APIs, you need to have some 

578
00:32:06,600 --> 00:32:08,920
technology there to effectively 
do that. 

579
00:32:09,520 --> 00:32:12,160
Yeah, I fully agree with you. 
So it's nice to have your soft 

580
00:32:12,160 --> 00:32:13,920
controls defined in your 
framework. 

581
00:32:14,600 --> 00:32:18,280
But yeah, soft controls, never a
hard control, so you cannot 

582
00:32:18,280 --> 00:32:20,560
enforce it really. 
So you really need to have 

583
00:32:20,560 --> 00:32:24,320
technology in place to enforce 
these controls. 

584
00:32:25,520 --> 00:32:27,680
So let's talk a little bit about
that technology because they 

585
00:32:27,680 --> 00:32:30,560
think this is an area where 
there's a lot of good choices 

586
00:32:30,560 --> 00:32:33,480
that are out there. 
You know, it's, it's kind of 

587
00:32:33,480 --> 00:32:35,680
like the, the, the, the, the pro
and the con, right? 

588
00:32:35,680 --> 00:32:38,320
Great news is there's a solution
out there that will probably fit

589
00:32:38,320 --> 00:32:41,040
your needs and there's lots of 
solutions that you can be 

590
00:32:41,040 --> 00:32:43,960
successful with. 
The trick is always finding the 

591
00:32:43,960 --> 00:32:47,720
right solution that's the right 
fit for your use cases, You 

592
00:32:47,720 --> 00:32:49,280
know, your company, those sorts 
of things. 

593
00:32:49,840 --> 00:32:53,000
How what's a, you know, what's a
methodology or a framework that 

594
00:32:53,000 --> 00:32:56,240
people can use to think about to
say, OK, how do I go about this?

595
00:32:56,320 --> 00:33:00,120
Do I try to find, you know, one 
privileged access management 

596
00:33:00,120 --> 00:33:01,480
project that kind of does it 
all? 

597
00:33:01,960 --> 00:33:03,640
You mentioned cloud 
infrastructure entitlement management. 

598
00:33:03,640 --> 00:33:06,280
That's kind of a growing space 
that has its own dedicated tool 

599
00:33:06,280 --> 00:33:08,640
set. 
And sometimes it's a dedicated 

600
00:33:08,640 --> 00:33:10,440
tool and sometimes it's part of 
another tool. 

601
00:33:10,800 --> 00:33:14,800
Walk me through how you select 
you know the right product or 

602
00:33:14,800 --> 00:33:18,240
right mix of products to better 
secure your organization. 

603
00:33:19,320 --> 00:33:20,880
Yeah. 
So, yeah. 

604
00:33:20,880 --> 00:33:23,640
And also the market is a little 
changing of course, Jeff. 

605
00:33:23,640 --> 00:33:27,320
So there you see a lot of 
vendors are now investing in 

606
00:33:27,320 --> 00:33:31,800
other companies and spend buying
so, and there's a little merging

607
00:33:31,800 --> 00:33:34,920
of companies to say like that. 
So the, the, the privileged 

608
00:33:34,920 --> 00:33:37,200
access management is really 
changing in the market there as 

609
00:33:37,200 --> 00:33:40,960
well. 
So I think it's important that 

610
00:33:40,960 --> 00:33:43,200
you go back to your maturity 
model where you define your 

611
00:33:43,200 --> 00:33:45,320
capabilities and your 
functionalities, because that 

612
00:33:45,320 --> 00:33:47,840
also gives you already good 
understanding on the 

613
00:33:47,840 --> 00:33:50,840
requirements which you have. 
Sometimes you need to detail out

614
00:33:50,840 --> 00:33:52,560
a little bit more the 
requirements because the 

615
00:33:52,560 --> 00:33:54,960
maturity in that level is off to
a high level. 

616
00:33:54,960 --> 00:33:59,240
So you need to define your use 
cases and and then use these use

617
00:33:59,240 --> 00:34:01,360
cases requirements which you 
defines. 

618
00:34:02,120 --> 00:34:05,240
Go for example, to Gartner and 
also to the KuppingerCole, 

619
00:34:05,480 --> 00:34:09,560
Forrester and then do a mapping 
on your requirements, what they 

620
00:34:09,560 --> 00:34:14,000
product vendors offer to define 
your shortlist, for example, and

621
00:34:14,000 --> 00:34:16,600
to get an understanding, but 
also have conversations with the

622
00:34:16,600 --> 00:34:22,040
analysts choose like, OK, do we 
did we properly define our 

623
00:34:22,040 --> 00:34:24,320
requirements? 
What do we overlook or what do 

624
00:34:24,320 --> 00:34:28,440
you see changing in the market? 
So I think that's really 

625
00:34:28,440 --> 00:34:31,239
important to do to see. 
Also listen to your peers. 

626
00:34:31,320 --> 00:34:35,400
So in other companies, what they
are doing, learn from them to 

627
00:34:35,560 --> 00:34:38,239
ensure that you make the right 
product selection for your 

628
00:34:38,239 --> 00:34:41,719
company or multiple products 
maybe I need to see, I mean. 

629
00:34:42,679 --> 00:34:44,760
This is definitely an area where
you can talk with other people, 

630
00:34:44,760 --> 00:34:46,199
right? 
You're, you're probably not the 

631
00:34:46,199 --> 00:34:49,679
first person to do it. 
So, you know, why not get that 

632
00:34:49,679 --> 00:34:51,320
knowledge? 
You know, maybe it's yeah, at a 

633
00:34:51,320 --> 00:34:54,120
conference or maybe maybe it's a
local network or or things like 

634
00:34:54,120 --> 00:34:58,320
that for sure. 
Oh, go ahead, Jim. 

635
00:34:58,920 --> 00:35:01,880
No, I'd like to throw in there, 
I think the that's the two sided

636
00:35:01,880 --> 00:35:05,520
coin, right? 
I think we should tap into our 

637
00:35:05,920 --> 00:35:10,920
peer network to learn, but you 
also have to be willing to be on

638
00:35:10,920 --> 00:35:14,480
the other side and tap into your
peer network and educate. 

639
00:35:15,080 --> 00:35:16,720
You've got to be willing to 
share. 

640
00:35:16,720 --> 00:35:20,200
Like that's one of the things 
that Jeff and I really wanted to

641
00:35:20,200 --> 00:35:24,360
do with the podcast was make 
this a community of sharing 

642
00:35:24,360 --> 00:35:26,800
information. 
So you can't only take you've 

643
00:35:26,800 --> 00:35:29,080
got to give as well. 
That's the only point that I 

644
00:35:29,080 --> 00:35:31,320
wanted to make. 
Yeah, I fully agree. 

645
00:35:31,320 --> 00:35:33,560
And that's the reason I loved 
your introduction about the 

646
00:35:33,600 --> 00:35:36,840
upcoming conferences because 
they're this where you need to 

647
00:35:36,840 --> 00:35:38,960
share your knowledge and 
experience and learn from each 

648
00:35:39,000 --> 00:35:42,360
other because what Jeff also 
mentioned, you're not alone. 

649
00:35:42,360 --> 00:35:44,560
So other people have faced these
challenges as well. 

650
00:35:44,560 --> 00:35:47,840
So please reach out to your 
peer, share also your knowledge 

651
00:35:47,840 --> 00:35:49,360
because we can also learn from 
it. 

652
00:35:49,360 --> 00:35:53,600
So forever, a lot of people, 
things are new, so the best ways

653
00:35:53,600 --> 00:35:57,440
to team up with each other and 
in the end, we all have the same

654
00:35:57,440 --> 00:35:59,760
goal to improve the security of 
your organization. 

655
00:36:00,600 --> 00:36:03,360
Yeah, For most of us, security 
is not secret sauce to the 

656
00:36:03,360 --> 00:36:05,280
success of the organization. 
That's other things. 

657
00:36:06,160 --> 00:36:07,920
I get it right. 
There's security vendors and 

658
00:36:07,920 --> 00:36:09,280
things like that. 
Of course it is. 

659
00:36:09,280 --> 00:36:11,640
But for the most part, we're 
kind of all in it together as a 

660
00:36:11,640 --> 00:36:14,000
community from a digital 
identity perspective. 

661
00:36:15,800 --> 00:36:18,800
Let's I want to kind of close 
out the conversation by you 

662
00:36:18,800 --> 00:36:25,080
putting on your future looking 
baseball hat to say what is a 

663
00:36:25,080 --> 00:36:29,520
upcoming feature of or 
capability or something in this 

664
00:36:29,520 --> 00:36:31,520
privileged access management 
space that you get really 

665
00:36:32,000 --> 00:36:34,280
interested in Like, oh, that 
could be something that could 

666
00:36:34,280 --> 00:36:36,640
really kind of change the game. 
Is there anything like that that

667
00:36:36,640 --> 00:36:40,520
you've seen? 
Yeah, I hope that the Signal 

668
00:36:40,520 --> 00:36:44,000
framework will help because the 
big challenge currently in the 

669
00:36:44,160 --> 00:36:46,680
privileged access management 
areas, there's still, we are 

670
00:36:47,040 --> 00:36:51,000
everybody saying we need to have
zero trust and zero standing 

671
00:36:51,000 --> 00:36:53,560
privileges. 
But you're still depending on 

672
00:36:53,560 --> 00:36:56,720
technology from application 
platform, infrastructure layer, 

673
00:36:56,720 --> 00:36:59,480
but also what the vendors offer.
So now you need to find the 

674
00:36:59,480 --> 00:37:03,880
right balance between these 
privileges and zero standing 

675
00:37:04,480 --> 00:37:07,240
privileges, and I think the 
Signal framework can also help 

676
00:37:07,240 --> 00:37:11,720
you with that. 
So I'm putting my hope there 

677
00:37:11,720 --> 00:37:14,640
that it will solve a lot of 
privilege access management 

678
00:37:14,640 --> 00:37:18,200
challenges. 
Yeah, and I'm that's totally 

679
00:37:18,200 --> 00:37:20,880
unprompted. 
That reminds me of the panel 

680
00:37:20,880 --> 00:37:24,440
that I did at Identiverse with 
my friends Tool and, and Sean 

681
00:37:24,720 --> 00:37:27,440
talking about that shared 
signals framework and being able

682
00:37:27,440 --> 00:37:30,800
to adapt and use, right, the 
same kind of parlance to be able

683
00:37:30,800 --> 00:37:34,080
to have security events going 
through there for whatever it 

684
00:37:34,080 --> 00:37:35,480
may be, right? 
Whether it's continuous 

685
00:37:35,480 --> 00:37:37,640
authentication or evaluation or 
whatever it may be. 

686
00:37:37,840 --> 00:37:40,880
Or even just having a, a 
pipeline that we can all agree, 

687
00:37:40,880 --> 00:37:44,160
like here's the language we're 
speaking and have those data 

688
00:37:44,160 --> 00:37:46,720
signals, you know, work through 
and take advantage of the data 

689
00:37:46,720 --> 00:37:49,280
that we're already collecting. 
Jim, you got thoughts on this? 

690
00:37:50,280 --> 00:37:52,600
Yeah. 
I mean, I think that the Signal 

691
00:37:52,600 --> 00:37:56,960
framework is a great proactive 
preventative control. 

692
00:37:57,200 --> 00:38:00,960
I'm also just thinking on the 
detective side that you need to 

693
00:38:00,960 --> 00:38:05,280
be monitoring your environment. 
You need to look for the unusual

694
00:38:05,280 --> 00:38:10,640
activity at the identity layer 
to say, OK, well, this person is

695
00:38:10,640 --> 00:38:14,440
in our environment and switching
identities, and that's an 

696
00:38:14,440 --> 00:38:19,040
abnormal behavior. 
And then taking a proactive step

697
00:38:19,040 --> 00:38:24,280
to maybe disable those accounts.
You know, another word, stop the

698
00:38:24,280 --> 00:38:28,600
threat in its tracks. 
And today we call it ITDR. I don't 

699
00:38:28,600 --> 00:38:31,080
know what we'll call it five 
years from now when maybe it's 

700
00:38:31,080 --> 00:38:36,400
just everybody's doing it. 
But I think, I think that's 

701
00:38:36,400 --> 00:38:41,240
probably in my mind, potentially
the most important thing about 

702
00:38:41,240 --> 00:38:47,120
privileged access management is 
being able to detect when the 

703
00:38:47,120 --> 00:38:54,040
wrong actor is using PAM. 
I think recording it, I think, 

704
00:38:54,200 --> 00:38:59,160
you know, sharing or storing 
credentials, I think the signal 

705
00:38:59,160 --> 00:39:02,080
framework, all those things have
huge benefit. 

706
00:39:02,320 --> 00:39:07,120
But I think that they're, you 
know, you, you, I'm not going to

707
00:39:07,120 --> 00:39:09,560
call them point solutions, but 
they solve a problem at a 

708
00:39:09,560 --> 00:39:13,320
certain point, whereas 
monitoring should be an umbrella

709
00:39:13,320 --> 00:39:17,920
that looks at everything. 
It's not completely true either.

710
00:39:18,000 --> 00:39:22,320
It has to integrate points, but 
that could be the fall back and 

711
00:39:22,320 --> 00:39:25,840
you have to do you have to do 
monitoring anyway. 

712
00:39:26,600 --> 00:39:31,880
So that's my my input. 
I think that's a good spot where

713
00:39:31,880 --> 00:39:34,520
we can probably close up the 
conversation. 

714
00:39:35,280 --> 00:39:37,320
I do want to end on a lighter 
note, as usual. 

715
00:39:38,520 --> 00:39:40,840
Mikhail, I've never been to the 
Netherlands. 

716
00:39:42,000 --> 00:39:45,160
What is something that I should 
do my first time there? 

717
00:39:45,280 --> 00:39:50,880
Like any activities, food 
locations, like what should I do

718
00:39:50,880 --> 00:39:52,840
as a first timer? 
And then I'm going to compare 

719
00:39:52,840 --> 00:39:55,280
that against Jim 'cause I think 
you've been to the Netherlands 

720
00:39:55,280 --> 00:39:57,200
before, and see if we're on the 
same page. 

721
00:39:59,280 --> 00:40:03,000
OK, yeah, I'm from the South of 
the Netherlands. 

722
00:40:03,000 --> 00:40:06,520
So I would recommend to go, for 
example, to a city that's called

723
00:40:06,520 --> 00:40:09,480
's-Hertogenbosch. 
It's a medieval city which is 

724
00:40:09,480 --> 00:40:13,520
really, really nice. 
And then it's you. 

725
00:40:13,520 --> 00:40:16,920
It was said about food it 
possible so that's like. 

726
00:40:17,760 --> 00:40:20,120
Whipped cream inside with 
chocolate on top of it. 

727
00:40:20,160 --> 00:40:22,440
It's really like a bump. 
But if you eat, it's really 

728
00:40:22,440 --> 00:40:24,800
nice. 
So that's I really recommend to 

729
00:40:24,800 --> 00:40:28,480
go to to eat and also visit the 
city because it is a beautiful 

730
00:40:28,480 --> 00:40:32,080
city. Yeah. 
OK, you had me at whipped cream 

731
00:40:32,080 --> 00:40:36,520
and chocolate for sure. 
Jim, what is something that 

732
00:40:36,520 --> 00:40:38,280
you'd recommend that I would do 
having been there? 

733
00:40:38,680 --> 00:40:41,520
So I'd been there and I was 
there for work. 

734
00:40:41,520 --> 00:40:46,400
So fortunately I have to go and 
have all my bills paid for on 

735
00:40:46,400 --> 00:40:50,560
the weekend. 
I wound up staying in a town by 

736
00:40:50,560 --> 00:40:53,160
the North Sea. 
So it was a beach area. 

737
00:40:53,360 --> 00:40:57,120
I mean, it was fantastic. 
And I will say that there was a 

738
00:40:57,120 --> 00:41:01,480
vendor outside of the beach and 
they were selling, I think it 

739
00:41:01,480 --> 00:41:06,240
was sandwiches with like raw 
fish or maybe fish that was like

740
00:41:06,240 --> 00:41:08,200
pickled. 
I didn't try that. 

741
00:41:08,200 --> 00:41:13,080
All right, so that's not my food
recommendation, but North Sea I 

742
00:41:13,080 --> 00:41:15,200
definitely recommend. 
I was staying in a city called 

743
00:41:15,200 --> 00:41:20,040
Leiden during the week and my 
food recommendation is not 

744
00:41:20,040 --> 00:41:23,760
really a surprise anymore. 
So I had never heard of Stroop 

745
00:41:23,760 --> 00:41:25,960
waffles prior to going to 
Holland. 

746
00:41:25,960 --> 00:41:30,360
And basically they're like a 
cookie with like a waffle 

747
00:41:30,680 --> 00:41:34,360
looking cookie and there's 
caramel in between and you put 

748
00:41:34,360 --> 00:41:39,080
it on top of your coffee and it 
was heated up and oh, it was 

749
00:41:39,080 --> 00:41:43,160
like a gooey, wonderful thing. 
Now McDonald's started mixing 

750
00:41:43,160 --> 00:41:45,760
them in with with their 
McFlurries. 

751
00:41:45,760 --> 00:41:49,840
So now everybody, there's no 
surprise for everybody, but wow,

752
00:41:49,840 --> 00:41:51,480
fantastic. 
And you get them on United 

753
00:41:51,480 --> 00:41:53,400
Airlines too. 
Like that used to be like one of

754
00:41:53,400 --> 00:41:54,400
the things they do in the 
morning. 

755
00:41:54,880 --> 00:41:58,040
Are Stroop waffles a thing? 
Or is that something that we've 

756
00:41:58,040 --> 00:42:00,680
taken to America and like turned
it into like something that 

757
00:42:00,680 --> 00:42:04,120
isn't really our thing? 
I don't know. 

758
00:42:04,240 --> 00:42:06,960
Mahil is that like is are Stroop 
waffles something there? 

759
00:42:07,040 --> 00:42:08,880
From typical from the 
Netherlands, indeed. 

760
00:42:09,000 --> 00:42:11,440
Yeah. 
So, so Jim is right. 

761
00:42:11,440 --> 00:42:13,760
And I think it's indeed one of 
the nice things in the 

762
00:42:13,760 --> 00:42:15,120
Netherlands which you need to 
try. 

763
00:42:15,480 --> 00:42:17,920
But yeah, you already had it 
from the United States and you 

764
00:42:17,920 --> 00:42:19,880
shut in the during your flights,
so. 

765
00:42:19,920 --> 00:42:22,480
Yeah. 
I can't imagine the United 

766
00:42:22,600 --> 00:42:25,840
Airlines version of a Stroop 
waffle is like the Creme de la 

767
00:42:25,840 --> 00:42:28,200
Creme, the tip top. 
Like if I'm going to have a 

768
00:42:28,200 --> 00:42:30,520
Stroop waffle, like what? 
Where should I go for a Stroop 

769
00:42:30,520 --> 00:42:32,400
waffle? 
Yeah, volume fresh on the 

770
00:42:32,400 --> 00:42:34,200
market. 
So if you're visiting a market 

771
00:42:34,200 --> 00:42:37,280
or whatever, there's always you 
can buy a Stroop waffle and then

772
00:42:37,280 --> 00:42:40,040
they're really nice. 
OK, all right. 

773
00:42:40,040 --> 00:42:42,000
Sold. 
I think I need to make a fact 

774
00:42:42,000 --> 00:42:43,680
finding mission to go get some 
Stroop waffles. 

775
00:42:43,680 --> 00:42:46,760
Thanks for setting me up for 
that one, Jim, because I, I, I'm

776
00:42:46,800 --> 00:42:49,200
a big fan of Stroop waffles. 
I'd never heard of it until, you

777
00:42:49,200 --> 00:42:52,120
know, a few years back when, 
when United started giving them 

778
00:42:52,120 --> 00:42:54,440
out like, what is this delicious
treat? 

779
00:42:55,160 --> 00:42:56,280
Very good. 
I got hooked on them. 

780
00:42:57,160 --> 00:42:59,320
OK, let's go ahead and wrap it 
up for this week. 

781
00:42:59,600 --> 00:43:01,960
Neil, thank you so much for 
being part of this conversation.

782
00:43:02,240 --> 00:43:05,040
We'll have a link in our show 
notes to your LinkedIn if you're

783
00:43:05,040 --> 00:43:07,960
comfortable with sharing that so
that people can reach out with 

784
00:43:07,960 --> 00:43:12,240
questions or concerns or Stroop 
waffle locations that people 

785
00:43:12,240 --> 00:43:15,480
should be checking out. 
You know, we'll have the links 

786
00:43:15,480 --> 00:43:17,080
for Jim and I as well as 
LinkedIn. 

787
00:43:17,080 --> 00:43:19,240
We always love to hear from 
folks who have ideas for shows 

788
00:43:19,240 --> 00:43:22,160
or questions or comments or 
concerns or heck, if you want to

789
00:43:22,160 --> 00:43:24,000
high risk, if you want any 
consulting that too. 

790
00:43:24,560 --> 00:43:26,840
We're on the web, 
idacpodcast.com. 

791
00:43:26,840 --> 00:43:29,200
We're on X Twitter or whatever 
it's called. 

792
00:43:29,200 --> 00:43:33,720
By the time this gets to your 
ears or face at IDAC podcasts. 

793
00:43:33,960 --> 00:43:39,280
I did set up our DNS entry. 
So now we have idacpodcast.tv. 

794
00:43:39,520 --> 00:43:41,200
We'll take you right to our 
YouTube channel. 

795
00:43:41,640 --> 00:43:45,720
We are trying to grow this, so 
please don't hesitate to like 

796
00:43:45,720 --> 00:43:48,480
subscribe to all that fun, you 
know, YouTube stuff to help us 

797
00:43:48,480 --> 00:43:50,920
grow this channel and get the 
community built out even 

798
00:43:50,920 --> 00:43:53,160
further. 
And let's see what else, Mastodon

799
00:43:53,160 --> 00:43:56,440
at IDC podcast at infosec dot
exchange. 

800
00:43:56,920 --> 00:44:00,360
And yeah, I think that's it. 
So with that, we'll go ahead and

801
00:44:00,360 --> 00:44:03,200
leave it for this week. 
Thanks everyone for watching and

802
00:44:03,200 --> 00:44:05,840
or listening and we'll talk with
you all in the next one. 

803
00:44:08,000 --> 00:44:10,960
You've been listening to 
Identity at the Center. 

804
00:44:11,280 --> 00:44:15,400
We hope you've enjoyed the show.
Make sure to like, rate and 

805
00:44:15,400 --> 00:44:19,000
review, and we'll be back soon. 
But in the meantime, hit the 

806
00:44:19,000 --> 00:44:22,440
website at 
identityatthecenter.com. 

807
00:44:23,040 --> 00:44:27,120
See you next time on Identity at
the Center.

