1 00:00:16,200 --> 00:00:18,800 This is the identity at the center podcast. 2 00:00:19,000 --> 00:00:22,200 This is a show that talks about identity and access management 3 00:00:22,200 --> 00:00:24,600 and making sure you know who has access to what? 4 00:00:25,000 --> 00:00:33,500 Let's get started. Welcome to the identity of the 5 00:00:33,500 --> 00:00:35,500 center podcast I'm Jeff and that's Jim. 6 00:00:35,500 --> 00:00:37,700 Hey Jim hey Jeff, how's it going? 7 00:00:37,900 --> 00:00:39,700 I'm good yourself. Good. 8 00:00:39,800 --> 00:00:42,800 I gotta observation my observation for the week. 9 00:00:42,800 --> 00:00:47,800 So ugly driving with my son, my younger son last night and I 10 00:00:47,808 --> 00:00:50,900 said you know I was giving him the rundown of where we had to 11 00:00:50,900 --> 00:00:56,300 be and when we need to leave the gym by quarter after quarter, 12 00:00:56,300 --> 00:01:00,900 quarter after what's that, you know, like 7:15. 13 00:01:00,900 --> 00:01:03,400 When I grow up, I'm just going to say 715. 14 00:01:03,400 --> 00:01:06,800 I'm not going to say quarter after why not? 15 00:01:06,800 --> 00:01:09,400 He's like well why do you have to make it so confusing? 16 00:01:09,800 --> 00:01:13,400 I thought, okay, that's Through The Eyes of babes, right? 17 00:01:13,400 --> 00:01:16,500 I mean it gives you that fresh perspective, you don't think of 18 00:01:16,500 --> 00:01:20,300 very often, I empathize with him because I'm the same way I am 19 00:01:20,300 --> 00:01:24,400 not 10:15, to type of person originally, I was always very 20 00:01:24,400 --> 00:01:28,300 specific because, you know, I'm the nerd in middle school, high 21 00:01:28,300 --> 00:01:30,900 school with the digital watch. And, you know, what time is? 22 00:01:30,900 --> 00:01:34,100 It is 723, right? It's not. 23 00:01:34,300 --> 00:01:37,500 It's about half till, you know, I don't deal in vagaries of 24 00:01:37,500 --> 00:01:40,300 time, I like to know when things are Are taking place. 25 00:01:40,300 --> 00:01:44,800 So so I can empathize and I certainly understand. 26 00:01:45,000 --> 00:01:47,600 Yeah, well he you know he followed up with. 27 00:01:47,600 --> 00:01:49,800 Why do you why do you even do that? 28 00:01:49,800 --> 00:01:53,300 Why do you say I was like, I don't know, that's what 29 00:01:53,300 --> 00:01:58,400 everybody does so he you know he made me think about it. 30 00:01:58,600 --> 00:02:00,500 I've been thinking about it several times today. 31 00:02:00,700 --> 00:02:04,300 I'm sure we could have a very philosophically discussion and 32 00:02:04,300 --> 00:02:09,400 time and the you know, human constructs that it is and all 33 00:02:09,400 --> 00:02:10,300 that good stuff. Stuff. 34 00:02:10,600 --> 00:02:13,200 But we should probably talk about identity about identity 35 00:02:13,200 --> 00:02:15,800 and access management, which is easy for me to say. 36 00:02:15,900 --> 00:02:18,000 Yeah, we don't do that. I think people are going to 37 00:02:18,300 --> 00:02:21,500 going to turn this off pretty soon so we should get to that. 38 00:02:21,500 --> 00:02:24,300 Well, let's talk about privileged access management and 39 00:02:24,300 --> 00:02:25,800 to help us with that conversation. 40 00:02:25,800 --> 00:02:27,900 We've got a guest. His name is Paul lanzi. 41 00:02:28,100 --> 00:02:31,000 He's the co-founder and CEO, a tree medians. 42 00:02:31,400 --> 00:02:34,100 He's also a member of the identity, technical working 43 00:02:34,100 --> 00:02:38,300 group 48 Arc, chair of ideas, say Beyond best practices, 44 00:02:38,300 --> 00:02:41,100 technical working group. The board advisor to the 45 00:02:41,100 --> 00:02:46,400 cybersecurity non-profit member of the order of the arrow, and a 46 00:02:46,408 --> 00:02:48,100 whole bunch more. I'm sure that if behind the 47 00:02:48,100 --> 00:02:50,700 scenes, welcome to the show. Paul, thank you so much Jeff. 48 00:02:50,700 --> 00:02:52,400 And by the way, that introduction makes me sound far 49 00:02:52,400 --> 00:02:53,900 more important than I actually am. 50 00:02:53,900 --> 00:02:56,500 So thank you for that. Well, I don't know how you find 51 00:02:56,500 --> 00:02:59,800 all the time to do all that, you know, in addition to what I 52 00:02:59,800 --> 00:03:02,600 assume is your day job working over at median and you know, 53 00:03:02,900 --> 00:03:05,900 operating you know that that is an organization, a lot of 54 00:03:05,900 --> 00:03:08,200 coffee, is it? Turns out and sleep is optional. 55 00:03:08,200 --> 00:03:09,600 So those two things makes it work. 56 00:03:09,800 --> 00:03:12,400 So there was a lot of things we mentioned there but typically, 57 00:03:12,400 --> 00:03:15,200 when we're going to have a conversation like to start kind 58 00:03:15,200 --> 00:03:18,200 of at the beginning and, you know, you've been in the IM 59 00:03:18,200 --> 00:03:22,000 space for a while, maybe you can kind of give us a synopsis of, 60 00:03:22,200 --> 00:03:24,600 how did you get into identity and access management? 61 00:03:24,700 --> 00:03:28,100 Is it something that shows you or did you choose it? 62 00:03:28,100 --> 00:03:31,600 Yeah, well, it really starts back in 1994 and I'm actually 63 00:03:31,600 --> 00:03:33,600 going to date myself pretty severely here. 64 00:03:33,600 --> 00:03:36,000 But back in 1994, I helped helped co-found. 65 00:03:36,000 --> 00:03:39,000 The first Aaron service, provider, and the rural County 66 00:03:39,000 --> 00:03:41,800 where I grew up, Humboldt County and the farther Northern reaches 67 00:03:41,800 --> 00:03:46,500 of California and one of my first jobs was the guy who had 68 00:03:46,500 --> 00:03:49,600 to go create and update and delete accounts. 69 00:03:49,600 --> 00:03:52,900 So my very first job was in managing the identities of our 70 00:03:52,900 --> 00:03:55,900 customers. So my technology career started 71 00:03:55,900 --> 00:04:00,400 off with account management fast forward about give or take 20 72 00:04:00,400 --> 00:04:02,100 years. I was at Genentech and I was 73 00:04:02,100 --> 00:04:06,400 working as an IT project manager there and one day my my manager 74 00:04:06,400 --> 00:04:09,400 called me into her office and said, hey, I think we got this 75 00:04:09,400 --> 00:04:11,800 new Checked. I think he'd be perfect fit for 76 00:04:11,800 --> 00:04:12,600 it. It's a great thing. 77 00:04:12,800 --> 00:04:16,000 Tell me about this project. Well, it turns out that 78 00:04:16,000 --> 00:04:21,100 Genentech ex-ceo is also the member of Google's board of 79 00:04:21,100 --> 00:04:24,300 directors and when Google launched, what is now called, 80 00:04:24,300 --> 00:04:27,900 Google Suite, or Google apps for domain, or it's had various 81 00:04:27,900 --> 00:04:30,400 names over the years, but basically the concept of having 82 00:04:30,400 --> 00:04:34,900 Gmail and decal. But for Enterprises the our CEO 83 00:04:34,900 --> 00:04:36,700 at Genentech decided that we were going to be one of the 84 00:04:36,700 --> 00:04:39,800 first companies to adopt it. And so the specific project I 85 00:04:39,800 --> 00:04:42,100 got assigned was trying to figure out how to hook up wave 86 00:04:42,100 --> 00:04:43,700 set. If you guys remember wave set 87 00:04:43,700 --> 00:04:47,400 from the way back days, how to hook up wave set to Google's at 88 00:04:47,400 --> 00:04:49,900 that time. Very nascent API is for account 89 00:04:49,900 --> 00:04:53,500 creation, deletion update. And we had a very limited time 90 00:04:53,500 --> 00:04:56,400 very to get that done. And it's to my knowledge. 91 00:04:56,400 --> 00:04:58,800 The first time that at that time was actually called son. 92 00:04:58,800 --> 00:05:02,100 One Source, I son, identity manager, but trying to get son, 93 00:05:02,100 --> 00:05:05,600 identity manager, hooked up to Google suite and all the 94 00:05:06,100 --> 00:05:08,100 challenges that presented and that was really what really 95 00:05:08,100 --> 00:05:10,200 launched me into the idea. World. 96 00:05:10,300 --> 00:05:12,200 So that's quite the history. Especially when you start 97 00:05:12,200 --> 00:05:15,000 talking about wave set. You know, I think of the, you 98 00:05:15,000 --> 00:05:18,400 know, Obi-Wan that's a name. I haven't heard in a long time. 99 00:05:18,700 --> 00:05:21,100 Well, they worry that I just figured a bunch of PTSD in a 100 00:05:21,108 --> 00:05:24,000 bunch of your listeners. So I apologize right off the bat 101 00:05:24,000 --> 00:05:28,100 for any mental trauma. I just caused by mentioning that 102 00:05:28,100 --> 00:05:31,300 word, it was too late. Now I guess it's easier to ask 103 00:05:31,300 --> 00:05:33,800 for forgiveness than permission right before you get into it. 104 00:05:34,700 --> 00:05:36,600 So what about some of these other organizations that you 105 00:05:36,600 --> 00:05:41,100 work with like idsa and eight? Tariq, which is the advanced 106 00:05:41,100 --> 00:05:45,300 technology academic research center and things like see, snps 107 00:05:45,300 --> 00:05:47,800 itís, pretty nonprofit. How did you get involved with 108 00:05:47,800 --> 00:05:51,200 organizations like that and maybe you could tell what about, 109 00:05:51,300 --> 00:05:53,600 you know, some of that? Yeah, well just last week you 110 00:05:53,600 --> 00:05:56,400 had sought on for my ds8. I think you got Julie on before 111 00:05:56,400 --> 00:05:58,400 that. So I will refer listeners back 112 00:05:58,400 --> 00:06:02,300 to those episodes because Juliana solder far far better 113 00:06:02,800 --> 00:06:05,600 trained on the history of. I they say that I am but I can 114 00:06:05,600 --> 00:06:07,700 talk a little bit about the cybersecurity non-profit. 115 00:06:07,700 --> 00:06:09,600 That's an area. I have a lot of passion around. 116 00:06:09,800 --> 00:06:11,900 The cybersecurity non-profit only has two missions. 117 00:06:11,900 --> 00:06:15,100 The first one is to increase the diversity of the cyber security 118 00:06:15,100 --> 00:06:17,900 practitioner community. And then the second mission is 119 00:06:17,900 --> 00:06:20,800 to sort of increase the level of information security. 120 00:06:20,800 --> 00:06:24,000 Knowledge among the populace in general, right? 121 00:06:24,300 --> 00:06:26,300 And demonstrably, nonprofits, amazing. 122 00:06:26,300 --> 00:06:29,300 They've got over 7,000 members globally and they've got 123 00:06:29,300 --> 00:06:33,700 chapters in cities that stretch from San Francisco to Chicago to 124 00:06:33,700 --> 00:06:35,300 parts of Africa and parts of Asia. 125 00:06:35,300 --> 00:06:38,900 Now, as well and being aboard a visor to that organization has 126 00:06:38,900 --> 00:06:42,300 been just a fantastic Fantastic way to look at this problem from 127 00:06:42,300 --> 00:06:45,400 a different area, a different sector because the members of 128 00:06:45,500 --> 00:06:48,900 see SNP by and large are, those were just getting started in 129 00:06:48,900 --> 00:06:51,900 their cybersecurity careers and you know, us the three of us 130 00:06:51,900 --> 00:06:53,900 have been around. This been around the block a 131 00:06:53,907 --> 00:06:55,900 while. It's often easy to forget how 132 00:06:55,900 --> 00:06:58,300 hard it is to break into cyber security. 133 00:06:58,500 --> 00:07:01,100 We talk all the time about this, massive shortage we have in 134 00:07:01,100 --> 00:07:03,900 cyber security practitioners, but at the same time like I hear 135 00:07:03,900 --> 00:07:06,200 stories every day about how difficult it is to break into 136 00:07:06,200 --> 00:07:10,300 this as a entry level. Insurance. 137 00:07:10,300 --> 00:07:14,100 So csmp is trying to help bridge that Gap and find ways to make 138 00:07:14,100 --> 00:07:16,200 that easier for new practitioners and Community, 139 00:07:16,200 --> 00:07:19,500 especially those who are a diverse background. 140 00:07:19,700 --> 00:07:22,900 So Paul, I'm very interested in your background with room, 141 00:07:22,900 --> 00:07:25,700 medium. My understanding is that you 142 00:07:25,700 --> 00:07:30,900 guys are focused on privileged access management and Jeff and 143 00:07:30,900 --> 00:07:35,100 I, you know, we work with our clients and developing their I 144 00:07:35,100 --> 00:07:39,500 am strategy. We typically start that with 145 00:07:39,700 --> 00:07:44,700 With an assessment process kind of a maturity assessment and one 146 00:07:44,700 --> 00:07:47,600 of the areas that we look at is privileged access management. 147 00:07:47,600 --> 00:07:53,500 And so you know kind of taking the look at the privileged 148 00:07:53,500 --> 00:07:57,900 access management capability and organization and assigning a 149 00:07:58,000 --> 00:08:03,000 value say somewhere between like one in five in terms of kind of 150 00:08:03,000 --> 00:08:05,700 current state maturity and then targets 8 maturity. 151 00:08:06,000 --> 00:08:08,700 And so what I'm wondering is kind of do you have you 152 00:08:08,700 --> 00:08:12,300 formulated Maturity model similar to that or could you 153 00:08:12,300 --> 00:08:14,900 maybe talk through some of the capabilities that least in your 154 00:08:14,900 --> 00:08:19,900 mind that are kind of at that Baseline level of maturity of 155 00:08:19,900 --> 00:08:23,400 privileged access management and then how an organization we kind 156 00:08:23,400 --> 00:08:27,100 of move up the scale in terms of increasing their maturity? 157 00:08:27,300 --> 00:08:29,000 Yeah, for sure. Well, I want to start off by 158 00:08:29,000 --> 00:08:32,000 endorsing your son, or your kid's perspective of we don't 159 00:08:32,000 --> 00:08:33,900 need to do it the way we've always done it, right? 160 00:08:33,900 --> 00:08:36,799 And so that's one of the reasons why I helped start remediation 161 00:08:36,799 --> 00:08:40,299 was when we looked at privileged access management for Basically 162 00:08:40,299 --> 00:08:42,700 the 20 years of privileged access management existed as a 163 00:08:42,708 --> 00:08:45,800 concept, it always sort of revolves around this idea of 164 00:08:45,800 --> 00:08:48,100 past revolting, right? And over the years, password 165 00:08:48,100 --> 00:08:51,000 vaults have evolved to be better, faster cheaper, but at 166 00:08:51,000 --> 00:08:54,000 the end of the day, it's all about taking some credential and 167 00:08:54,000 --> 00:08:56,900 sticking it in a password Vault and then making users go fetch 168 00:08:56,900 --> 00:08:58,900 it when they wanted to do something privileged. 169 00:08:59,300 --> 00:09:01,200 And so that's sort of the way that it's sort of one of Point 170 00:09:01,200 --> 00:09:04,700 always been done and when we started Romanian, it was really 171 00:09:04,700 --> 00:09:07,200 with this idea that there should be a better way of doing this. 172 00:09:07,600 --> 00:09:10,700 And that we should have strapped out the Concepts of 173 00:09:10,700 --> 00:09:14,000 authentication from the concept of authorization or access 174 00:09:14,000 --> 00:09:17,200 rights after V sort of merge. Those two things together that 175 00:09:17,200 --> 00:09:19,500 if you can, authenticate then you should have all these access 176 00:09:19,500 --> 00:09:21,000 rights in. Generally, speaking that sort of 177 00:09:21,000 --> 00:09:22,700 access rights to a lot of things, right? 178 00:09:23,500 --> 00:09:27,400 And in the remediate perspective really authentication, should 179 00:09:27,400 --> 00:09:28,900 happen. However, then occasion happens, 180 00:09:28,900 --> 00:09:32,500 biometric, cards, whatever. And the authorization is really 181 00:09:32,500 --> 00:09:35,300 the thing where we can apply the controls, the principle of least 182 00:09:35,300 --> 00:09:37,800 privilege. So, getting into the concept of 183 00:09:37,800 --> 00:09:41,300 a maturity model, it's really about Sort of call it three, 184 00:09:41,300 --> 00:09:44,000 three major stages, that we've seen organizations sort of go 185 00:09:44,000 --> 00:09:48,400 through, as they try to climb the Pam maturity curve and 186 00:09:48,400 --> 00:09:50,300 often, you know, they're pushing the project manager off the 187 00:09:50,300 --> 00:09:51,600 curve, by the end of this, right? 188 00:09:51,600 --> 00:09:54,700 So as a former project manager myself, I have a lot of empathy 189 00:09:54,700 --> 00:09:56,800 for project managers that have been assigned a privileged 190 00:09:56,800 --> 00:10:00,300 access management projects, but at the sort of the base level 191 00:10:00,300 --> 00:10:03,700 sort of the basic starting point for organizations, as relates to 192 00:10:03,700 --> 00:10:06,400 privileged access they often have no idea what's going on, 193 00:10:06,400 --> 00:10:07,900 right? They just know that a lot of 194 00:10:07,900 --> 00:10:10,500 people have a lot of brothers access And there's not a lot of 195 00:10:10,500 --> 00:10:13,300 insight be onto that, right? They just know it's a thing. 196 00:10:13,300 --> 00:10:15,900 They don't want to mention in front of the Auditors and if the 197 00:10:15,908 --> 00:10:18,100 honors bring it up, they just sort of like do a lot of hand, 198 00:10:18,100 --> 00:10:20,400 waving things to get past it as fast as possible. 199 00:10:20,900 --> 00:10:23,100 And unfortunately there's a lot of organization still stuck 200 00:10:23,100 --> 00:10:25,300 there because historically privileged access management has 201 00:10:25,300 --> 00:10:27,000 been a really difficult thing to go solve. 202 00:10:27,000 --> 00:10:29,200 Right? It took a year to 18 months 203 00:10:29,200 --> 00:10:32,400 project it caused a lot of user pain and suffering a broken. 204 00:10:32,400 --> 00:10:34,700 A lot of processes and it wasn't really something that 205 00:10:34,700 --> 00:10:37,700 organizations wanted to Embark upon. 206 00:10:37,900 --> 00:10:40,600 So even if they knew that they had Add that they're sort of at 207 00:10:40,600 --> 00:10:42,400 this stage, right? The sort of we don't really know 208 00:10:42,400 --> 00:10:44,100 what's going on stage or public access management. 209 00:10:44,100 --> 00:10:47,300 Those projects tend to get the pan projects tend to get 210 00:10:47,300 --> 00:10:50,200 deprioritized in that Force ranked list of ceaseless 211 00:10:50,200 --> 00:10:53,000 projects because it was such a hard mountain to climb. 212 00:10:53,000 --> 00:10:55,700 But if you started to climb that mountain, really the next step 213 00:10:55,700 --> 00:10:59,100 in the maturity curve is run visibility and just getting some 214 00:10:59,100 --> 00:11:02,400 basic idea of which accounts have privileged access. 215 00:11:02,400 --> 00:11:06,100 We're right. And that is a surprisingly, 216 00:11:06,100 --> 00:11:09,000 constantly shifting picture. You know, when we talk to 217 00:11:09,000 --> 00:11:10,900 organizations, And they sort of assume, okay. 218 00:11:10,900 --> 00:11:13,700 Well, you know, these active directories, we groups we know 219 00:11:13,700 --> 00:11:15,400 that confer some privileged access. 220 00:11:15,400 --> 00:11:17,600 We know that these are the members of those groups, or the 221 00:11:17,600 --> 00:11:20,100 nested members or whatever. And we know that the roughly, 222 00:11:20,100 --> 00:11:22,300 those groups confer this amount of privileged access. 223 00:11:23,100 --> 00:11:25,900 But then if you're able to deploy some tool to actually go 224 00:11:25,900 --> 00:11:29,600 about, be able to go out and numerate, all this stuff, it is 225 00:11:29,600 --> 00:11:32,400 shocking. Not only how underestimated the 226 00:11:32,400 --> 00:11:35,800 amount of coverage access is, but also how much it changes day 227 00:11:35,800 --> 00:11:38,100 to day, right? Like this often a big surprise. 228 00:11:38,500 --> 00:11:41,300 So in our commercial Deployments we some see something like an 229 00:11:41,300 --> 00:11:45,100 average of 450 accounts having privileged access to the average 230 00:11:45,100 --> 00:11:47,700 machine on the network, right? The average laptop desktop 231 00:11:47,700 --> 00:11:50,600 virtual machine, you know, hybrid Cloud, whatever it is, 232 00:11:50,800 --> 00:11:54,200 something like 450 accounts on average having persistent 233 00:11:54,200 --> 00:11:56,800 pillage access on the system's. There's often a shocking number 234 00:11:56,800 --> 00:11:58,500 to the organization's. When were able to show them this 235 00:11:58,500 --> 00:12:01,300 data because that's often an order of magnitude greater than 236 00:12:01,300 --> 00:12:03,700 what they thought it was right without having this visibility. 237 00:12:03,700 --> 00:12:06,900 So the second stage is of this maturity curve or whatever is 238 00:12:06,900 --> 00:12:09,500 really just getting visibility and hopefully continuous. 239 00:12:09,600 --> 00:12:12,500 The into the shifting state of privileged access. 240 00:12:13,100 --> 00:12:15,900 I think then really the third stage is control and that's 241 00:12:15,900 --> 00:12:18,400 where your neck, okay? I see how bad the problem is. 242 00:12:18,400 --> 00:12:20,700 I see how much the house is on fire. 243 00:12:21,400 --> 00:12:24,400 The control stage is really about giving you a hose and 244 00:12:24,400 --> 00:12:27,000 getting you to be able to cool off the fire. 245 00:12:27,200 --> 00:12:30,200 Pull back the unnecessary amount of privileged access and really 246 00:12:30,200 --> 00:12:33,600 get as close to the principle of least privilege as possible and 247 00:12:33,600 --> 00:12:35,500 in the specific way that remediate does this. 248 00:12:35,500 --> 00:12:38,300 We talk about it in the concept of zero standing privilege and 249 00:12:38,300 --> 00:12:39,400 we didn't come up with that, that's it. 250 00:12:39,600 --> 00:12:42,100 Gardner term, you can look on our website read more about what 251 00:12:42,100 --> 00:12:44,300 that means. But the concept that you get as 252 00:12:44,300 --> 00:12:47,400 close to zero standing privilege as possible is really the 253 00:12:47,700 --> 00:12:51,000 endpoint of the maturity curve as it relates to control and 254 00:12:51,000 --> 00:12:55,100 like that model. One thing that I am wondering 255 00:12:55,100 --> 00:12:59,800 is, you know, in theory but also in practice. 256 00:12:59,800 --> 00:13:04,400 What are you seeing in terms of applying these principles based 257 00:13:04,400 --> 00:13:08,300 on risk? Is it the focus is placed on 258 00:13:08,600 --> 00:13:12,500 just doing this for High-risk applications or is there a 259 00:13:12,500 --> 00:13:15,400 maturity level? That's appropriate for high risk 260 00:13:15,500 --> 00:13:21,300 and maybe not required to be as mature on medium and low risk. 261 00:13:21,300 --> 00:13:24,800 Or let's just say lesser risk resources. 262 00:13:24,900 --> 00:13:28,000 Yeah, there's there's two. There's two ways I want to take 263 00:13:28,000 --> 00:13:31,100 this answer so I'm going to pick one to jump off of first but 264 00:13:31,100 --> 00:13:33,500 this is a great question Jim. So I think the first thing is 265 00:13:33,500 --> 00:13:38,000 just being able to tie together the Pam data and the risk 266 00:13:38,000 --> 00:13:40,600 assessment data that's actually We a really hard problem that 267 00:13:40,600 --> 00:13:42,500 goes unsolved in a lot of organizations. 268 00:13:42,700 --> 00:13:45,600 I think that one of the, the sort of unspoken secrets in the 269 00:13:45,600 --> 00:13:49,000 IT world is that cmdb is were never really a solved problem. 270 00:13:49,000 --> 00:13:51,700 Like we never really figured out how to do that, right? 271 00:13:51,700 --> 00:13:54,400 So the kind of risk assessments are talking about the tracking. 272 00:13:54,400 --> 00:13:56,000 Oh, these are high-risk applications. 273 00:13:56,000 --> 00:13:57,200 These are medium risk applications. 274 00:13:57,200 --> 00:14:00,100 These are low-risk applications. You know, those sort of 275 00:14:00,100 --> 00:14:03,300 Assessments exist in theory in a lot of organizations. 276 00:14:03,300 --> 00:14:06,800 But in practice are often outdated or broken or in, this 277 00:14:06,800 --> 00:14:09,400 is what I'm this is sort of my core Point here is there? 278 00:14:09,600 --> 00:14:11,900 A nun integrated with anything else, right? 279 00:14:12,000 --> 00:14:14,700 So you may have an Excel sheet somewhere that lists all the 280 00:14:14,700 --> 00:14:18,100 applications and how risky they are, how important it is that 281 00:14:18,100 --> 00:14:21,300 you protect them. But that data doesn't ever leave 282 00:14:21,300 --> 00:14:25,700 that Excel spreadsheet and so it then doesn't benefit the Pam 283 00:14:25,700 --> 00:14:29,300 application or the antivirus application or the EDR solution 284 00:14:29,300 --> 00:14:31,800 that could really benefit from. Knowing oh this is a high-risk 285 00:14:31,800 --> 00:14:34,700 system or this is a medium risk for this is a low-risk. 286 00:14:34,700 --> 00:14:37,300 So I think the first hurdle to get over is just getting the 287 00:14:37,300 --> 00:14:39,400 data about what is high risk, medium risk and low risk. 288 00:14:39,500 --> 00:14:44,400 Risk, sort of Federated across multiple infosec complications 289 00:14:44,800 --> 00:14:47,500 and then, to the second part of this answer is really okay. 290 00:14:47,500 --> 00:14:50,200 Like, once, you know that once the Pam application has been 291 00:14:50,200 --> 00:14:52,500 taught that this said, about this set of n points or 292 00:14:52,500 --> 00:14:55,700 whatever, is is a high risk. Like what's the level, what's 293 00:14:55,700 --> 00:14:58,500 the desired level of maturity? Now, ideally you want to have 294 00:14:58,500 --> 00:15:01,100 visibility across everything, even your low risk or no risk 295 00:15:01,100 --> 00:15:04,000 applications, you really should have visibility across all those 296 00:15:04,000 --> 00:15:06,500 things but the level of controlled how tightly you 297 00:15:06,500 --> 00:15:08,700 tighten, those screws can definitely buried by the risk 298 00:15:08,700 --> 00:15:10,700 level. The All did I hear you mention 299 00:15:10,700 --> 00:15:15,200 that on average there was something like 450 accounts with 300 00:15:15,200 --> 00:15:18,300 access to a given resource. Is that I got that right? 301 00:15:18,400 --> 00:15:20,300 You did yeah it was a it's a shocker. 302 00:15:20,300 --> 00:15:23,400 Every time we show this data in these Enterprises during our 303 00:15:23,400 --> 00:15:25,700 proof of Concepts. It's like I said, it's always an 304 00:15:25,700 --> 00:15:28,500 order of magnitude greater than what they they estimated ahead 305 00:15:28,500 --> 00:15:30,300 of time. Is that it, you know, I would 306 00:15:30,300 --> 00:15:31,800 assume well, maybe I shouldn't assume. 307 00:15:31,800 --> 00:15:35,200 This is what we got here is, is that direct access? 308 00:15:35,200 --> 00:15:38,700 Is that a combination of direct? Plus nested groups, nested 309 00:15:38,700 --> 00:15:40,300 accounts things. Like that. 310 00:15:40,700 --> 00:15:46,000 Do you see any, you know, I guess frequent offenders, you 311 00:15:46,000 --> 00:15:49,700 know, on that list you see more, you know, it's sequel databases 312 00:15:49,700 --> 00:15:52,200 at typically have the problem versus, you know, active 313 00:15:52,200 --> 00:15:55,900 directory, or maybe it's even something in the cloud, right? 314 00:15:55,900 --> 00:16:00,600 Maybe it's AWS, or Azure, or Google Cloud platform that has 315 00:16:01,100 --> 00:16:03,300 different types of risks. Can you talk a little about 316 00:16:03,300 --> 00:16:05,200 where you see those risk coming in? 317 00:16:05,200 --> 00:16:08,400 Just from the sheer volume. And if there are any crime 318 00:16:08,400 --> 00:16:11,400 offenders or prime, And it's that for a prioritization 319 00:16:11,400 --> 00:16:13,800 standpoint a risk standpoint, you typically see. 320 00:16:13,800 --> 00:16:17,400 Yeah, we know that usually AWS is a mess, right? 321 00:16:17,400 --> 00:16:20,900 There's issues are or maybe it's sequel or, you know, I'm praying 322 00:16:20,900 --> 00:16:22,600 a d or whatever it may be. Yeah, it's in. 323 00:16:22,600 --> 00:16:25,200 There is 3. Mm, three items on my FBI, Most 324 00:16:25,200 --> 00:16:26,900 Wanted list or my Pam, most wanted list. 325 00:16:26,900 --> 00:16:30,100 I guess the, the first one is local accounts, and this is the 326 00:16:30,100 --> 00:16:32,300 thing that people forget about because everyone's obsessed with 327 00:16:32,300 --> 00:16:34,300 her directories like, you know, whatever they're using, as our 328 00:16:34,300 --> 00:16:37,100 director, it's like all this is gives me visibility and all the 329 00:16:37,100 --> 00:16:39,400 identities, right? Well that's actually not true. 330 00:16:39,500 --> 00:16:42,900 Because every computer has at least one local identity on it. 331 00:16:43,000 --> 00:16:45,900 And those often get forgotten about, but the hackers don't 332 00:16:45,900 --> 00:16:47,800 forget about them. Like they love penetrating, 333 00:16:47,800 --> 00:16:51,400 those, especially if there's a GPO or other policy that setting 334 00:16:51,400 --> 00:16:54,200 the same password for all those local accounts on all those 335 00:16:54,200 --> 00:16:57,900 endpoints and that is a sin of our past that continues to this 336 00:16:57,900 --> 00:16:59,700 day, even in large organizations. 337 00:16:59,700 --> 00:17:02,500 And so, those local accounts that the directory focused 338 00:17:02,500 --> 00:17:05,900 people, forget about that, sort of number one, on my Pam, most 339 00:17:05,900 --> 00:17:09,400 wanted list, I think, number two on my Pam, most wanted list is 340 00:17:09,500 --> 00:17:13,099 That's deeply nested, active directory groups, and it's it, 341 00:17:13,300 --> 00:17:16,400 it's never been a good practice. But it's a thing that just came 342 00:17:16,400 --> 00:17:20,400 out of necessity in a lot of cases, but it's often not clear 343 00:17:20,400 --> 00:17:25,000 to the IT Help Desk person or the identity group or whatever, 344 00:17:25,000 --> 00:17:28,600 whoever's got the ticket says, hey, let's add Jeff's account to 345 00:17:28,700 --> 00:17:31,800 group XYZ. It's not clear to them that by 346 00:17:31,800 --> 00:17:34,800 adding Jeff's account to group XYZ, what level of privileged 347 00:17:34,800 --> 00:17:37,300 access that ends up conferring because group XYZ probably 348 00:17:37,300 --> 00:17:39,300 doesn't have a naming convention that makes any sense. 349 00:17:39,500 --> 00:17:42,500 With outdated or was a reorg, four years ago and this group 350 00:17:42,500 --> 00:17:46,800 member got renamed. And so the knowledge sort of 351 00:17:46,800 --> 00:17:50,100 corporate knowledge about what amount of college access, that 352 00:17:50,100 --> 00:17:53,700 nested group actually confers because the Lost very easily and 353 00:17:54,000 --> 00:17:56,900 without some sort of monitoring tool to be able to tell you what 354 00:17:56,900 --> 00:17:59,900 that is, it's very difficult to discover this on your own. 355 00:18:01,300 --> 00:18:03,800 Yeah, and I think number three on my Pam most wanted list is 356 00:18:03,800 --> 00:18:04,900 what you described. Aw. 357 00:18:04,900 --> 00:18:08,900 Is this sort of the emerging victim, the land I would say is 358 00:18:08,900 --> 00:18:12,900 aw I am in the similar control planes for the other eye as 359 00:18:12,900 --> 00:18:15,700 providers. They are amazing, bits of 360 00:18:15,700 --> 00:18:18,300 Technology, right? Like this is the kind of thing 361 00:18:18,300 --> 00:18:21,500 that when all of us were, you know, five ten years ago as 362 00:18:21,700 --> 00:18:25,000 creating role definitions and attribute-based controls and all 363 00:18:25,000 --> 00:18:26,600 that kind of stuff. Like this is what we wanted. 364 00:18:26,600 --> 00:18:29,600 Like, we wanted to this level of fine granular control within the 365 00:18:29,600 --> 00:18:31,500 Enterprise and now we actually have it right? 366 00:18:31,500 --> 00:18:34,500 Like he'd only do us gives us, you know, literally thousands of 367 00:18:34,500 --> 00:18:37,600 possible entitlements. If we can assign to any any 368 00:18:37,600 --> 00:18:42,100 computer in a user in a Virtual identity, whatever the problem 369 00:18:42,100 --> 00:18:47,300 is that without the right tools, the temptation to just give the 370 00:18:47,400 --> 00:18:49,400 computer or the network or the user. 371 00:18:49,400 --> 00:18:52,900 All the access is super tempting because it went from a problem 372 00:18:52,900 --> 00:18:55,700 of all I'll sign them a lot of access or no access to now it's 373 00:18:55,700 --> 00:18:58,000 like well this is super overwhelming these thousands of 374 00:18:58,000 --> 00:19:01,400 entitlements and so the default definition is just to give them 375 00:19:01,600 --> 00:19:03,100 a lot more entitlements that they need. 376 00:19:03,100 --> 00:19:05,800 So I actually think we've unfortunately moved further away 377 00:19:05,800 --> 00:19:08,200 from the principle of these privileged, thanks to the 378 00:19:08,200 --> 00:19:11,200 granularity of these Panels even though it's exactly what we 379 00:19:11,208 --> 00:19:13,400 asked for. So soap, I feel like you've got 380 00:19:13,400 --> 00:19:16,400 a Blog article there and your your Pam. 381 00:19:16,400 --> 00:19:18,600 Most wanted list. I probably should write one. 382 00:19:18,600 --> 00:19:22,400 Yeah, you really should. And, you know, I thought it was 383 00:19:22,400 --> 00:19:26,800 interesting how you give the shout out to project manager? 384 00:19:27,200 --> 00:19:30,900 Because I feel like a lot of organizations you know, 385 00:19:31,200 --> 00:19:34,600 prioritize privileged access management how they will but 386 00:19:34,700 --> 00:19:39,200 it's not prioritize high enough. It's the project manager who has 387 00:19:39,200 --> 00:19:42,800 to To try to run a Grassroots effort to get people to 388 00:19:43,200 --> 00:19:46,300 willingly participate, rather than being able to drop the 389 00:19:46,300 --> 00:19:49,000 hammer from on high. I think that's a big part of it. 390 00:19:49,000 --> 00:19:51,000 Right. We've worked with organizations 391 00:19:51,000 --> 00:19:55,200 where, you know, almost from a from a risk and security 392 00:19:55,200 --> 00:19:59,200 standpoint privileged access Management's almost always jumps 393 00:19:59,200 --> 00:20:03,400 out as like the top priority. But maybe it's, you know, the 394 00:20:03,400 --> 00:20:05,500 first time that the organizations really thought 395 00:20:05,500 --> 00:20:08,200 about it others. They know that that's a glaring 396 00:20:08,200 --> 00:20:11,200 Gap, especially Like large organizations who have 397 00:20:11,200 --> 00:20:15,800 outsourced data center Services. A lot of times they realize that 398 00:20:15,808 --> 00:20:18,200 they don't have their arms around who's accessing their 399 00:20:18,200 --> 00:20:20,900 most critical resources, and they've got to. 400 00:20:20,900 --> 00:20:23,500 And obviously, if an organization is dealt with any 401 00:20:23,500 --> 00:20:29,000 kind of a breach that, you know, came as a result of an Insider 402 00:20:29,000 --> 00:20:32,800 with with privileged access, obviously things rise to the 403 00:20:32,800 --> 00:20:35,200 top. But one thing I want to do is 404 00:20:35,200 --> 00:20:39,200 use this to kind of transition topics, use, one of the things I 405 00:20:39,400 --> 00:20:45,400 Really feel like is driving the realization of the importance of 406 00:20:45,400 --> 00:20:52,700 privileged access is the Advent or the age of the cloud, you 407 00:20:52,708 --> 00:20:59,100 know, AWS devops. You know all these new forces 408 00:20:59,100 --> 00:21:03,000 that are entering the Enterprise had been here for a while for 409 00:21:03,000 --> 00:21:06,400 many organizations or really picking up a head of steam and 410 00:21:06,400 --> 00:21:10,000 others. But realizing that These are new 411 00:21:10,000 --> 00:21:11,800 technologies. They need to be dealt with in a 412 00:21:11,808 --> 00:21:16,400 new way and they present new privileged access challenges and 413 00:21:16,400 --> 00:21:20,200 organizations are realizing that they need to get their arms 414 00:21:20,200 --> 00:21:21,600 around. That they may be needed 415 00:21:21,600 --> 00:21:25,100 technology. So I wanted to throw that topic 416 00:21:25,100 --> 00:21:27,800 at you broadly. You know what are some of the 417 00:21:27,800 --> 00:21:32,700 things that you're seeing with the age of AWS age of devops to 418 00:21:32,700 --> 00:21:34,400 how it affects privileged access? 419 00:21:34,600 --> 00:21:36,400 I think I've seen some good behaviors. 420 00:21:36,400 --> 00:21:38,100 I've seen some bad behaviors, right? 421 00:21:38,200 --> 00:21:41,700 So I think last week when you had a slot on, he talked about 422 00:21:41,700 --> 00:21:44,400 having a strong identity, you know, up store whole cyber 423 00:21:44,400 --> 00:21:49,400 security game and that's as true 10 years ago as it is today and 424 00:21:49,400 --> 00:21:53,000 especially in the cloud world where if you can have, if you 425 00:21:53,000 --> 00:21:55,800 can maintain a really tight control over the identities that 426 00:21:55,800 --> 00:21:59,900 get put into your Cloud platform control plane, then that's a 427 00:21:59,900 --> 00:22:02,200 great place to start because often that gets out of control 428 00:22:02,200 --> 00:22:03,900 pretty quick, right? Especially when you've got 429 00:22:03,900 --> 00:22:07,200 devops Engineers that need access right now in other 430 00:22:07,200 --> 00:22:09,200 things, especially things like Shadow. 431 00:22:09,200 --> 00:22:11,700 I You've got organizations outside of the core, it function 432 00:22:11,700 --> 00:22:14,200 that are needing access to specific parts of the control 433 00:22:14,200 --> 00:22:17,000 plane, but the default is to give them more access than they 434 00:22:17,000 --> 00:22:18,600 actually need. So I think there's a lot of 435 00:22:18,608 --> 00:22:22,200 different possible crimes. You can commit, when it comes to 436 00:22:23,000 --> 00:22:26,100 managing identity within your eye as control planes, but 437 00:22:26,100 --> 00:22:28,500 getting a really tight control over who even has the ability to 438 00:22:28,500 --> 00:22:31,000 log into them is really a great first step. 439 00:22:31,300 --> 00:22:35,500 I think the next thing, the next layer down in the difficulty and 440 00:22:35,600 --> 00:22:39,000 crimes committed in the age of devops and Cloud. 441 00:22:39,400 --> 00:22:44,300 Is this default thinking that? It's too hard to manage the 442 00:22:44,300 --> 00:22:46,800 individual entitlements on an ongoing basis? 443 00:22:46,800 --> 00:22:49,900 And thus I'll just assign all of them are all signed large groups 444 00:22:49,900 --> 00:22:53,800 of them and not think about it again in that sort of setting us 445 00:22:53,800 --> 00:22:57,300 up for problems down the road but it's also setting us up for 446 00:22:57,300 --> 00:22:59,100 problems in the immediate term because if any of those accounts 447 00:22:59,100 --> 00:23:02,100 can Compromise, take an attackers know how to use 448 00:23:02,100 --> 00:23:03,600 compromised. Aw was. 449 00:23:03,600 --> 00:23:07,800 I am control plane access to be able to add an additional 450 00:23:07,800 --> 00:23:11,100 entitlements. Users to move laterally within 451 00:23:11,100 --> 00:23:14,200 the the hybrid Cloud. So I think there's some real 452 00:23:14,200 --> 00:23:16,000 challenges there. I think the other thing that 453 00:23:16,000 --> 00:23:18,700 we're setting ourselves up to repeat is all the sins of deeply 454 00:23:18,700 --> 00:23:22,300 nested active directory groups. So just because active directory 455 00:23:22,300 --> 00:23:24,600 groups were on my pan, Most Wanted look deeply nested, 456 00:23:24,600 --> 00:23:26,900 active directory, groups, run my Pam, most wanted list. 457 00:23:26,900 --> 00:23:29,700 I think we're seeing some bad behavior started to emerge even 458 00:23:29,700 --> 00:23:33,200 in the eye as control planes where without necessarily. 459 00:23:33,300 --> 00:23:37,000 Exactly nesting them, you're creating sort of lots of 460 00:23:37,000 --> 00:23:40,700 different entitlement groups that Tie back to maybe one 461 00:23:40,700 --> 00:23:43,600 person or one account and then it becomes difficult to manage, 462 00:23:43,600 --> 00:23:45,800 it will become difficult to manage those in a few years. 463 00:23:45,800 --> 00:23:48,100 And so, I think that, unfortunately, we're setting 464 00:23:48,100 --> 00:23:50,500 ourselves up to repeat some of the same problems that we live 465 00:23:50,500 --> 00:23:52,900 through, in the days of from active directory. 466 00:23:53,100 --> 00:23:56,200 I know we've been talking a lot about how, what a mess AWS and 467 00:23:56,200 --> 00:23:58,800 other kind of Club. We're getting wwiser, just use 468 00:23:58,800 --> 00:24:01,400 an example, right? But AWS Azure and the I am 469 00:24:01,400 --> 00:24:04,000 controls there and I kind of liken it to sometimes. 470 00:24:04,000 --> 00:24:06,400 You don't know where the string leads, it's just start to pull 471 00:24:06,400 --> 00:24:09,200 the permissions and figure out what's going on there. 472 00:24:09,700 --> 00:24:12,000 And I think a lot of times, a lot of these Cloud 473 00:24:12,000 --> 00:24:16,900 infrastructures were not really designed with, you know, proper. 474 00:24:16,900 --> 00:24:19,000 I am governance to start with that. 475 00:24:19,000 --> 00:24:22,000 Usually a tactical thing, some group went off and said, hey, 476 00:24:22,000 --> 00:24:24,400 you know what, we need to stand up, you know, whatever platform 477 00:24:24,400 --> 00:24:27,200 for whatever reason, and it wasn't really part of the scope 478 00:24:27,200 --> 00:24:30,300 of a security program, or it was brought in after the fact and 479 00:24:30,800 --> 00:24:32,700 clean up. Never took place or anything 480 00:24:32,700 --> 00:24:35,300 like that. I'm curious that based on, you 481 00:24:35,300 --> 00:24:39,400 know, what you've seen in your travels, you know, it does that 482 00:24:39,500 --> 00:24:43,300 At tactical thinking resonate with what you've seen or do you 483 00:24:43,300 --> 00:24:46,400 see other reasons why? You know it's been such a 484 00:24:46,400 --> 00:24:50,500 challenge to take whatever one said that they wanted right with 485 00:24:50,500 --> 00:24:53,700 these granular permissions and really didn't do a good job, 486 00:24:53,700 --> 00:24:58,000 maybe of setting it up initially because it wasn't a strategic 487 00:24:58,100 --> 00:25:01,000 approach to managing the entitlements in those areas 488 00:25:01,000 --> 00:25:03,800 versus again, just taking more of tactical or you know, 489 00:25:03,800 --> 00:25:06,000 project-based approach. Well, I'll do you one further. 490 00:25:06,000 --> 00:25:08,000 Let's, let's first, let's presume that. 491 00:25:08,000 --> 00:25:11,400 The organization had the Foresight to do a really strong 492 00:25:11,400 --> 00:25:14,900 strategic stand up of their, I am control panel for AWS or 493 00:25:14,900 --> 00:25:16,400 whatever the equivalent was for, whatever. 494 00:25:16,400 --> 00:25:19,000 I as they're using, let's say that they spent six months 495 00:25:19,000 --> 00:25:21,200 planning it out, and they had a perfectly aligned. 496 00:25:21,200 --> 00:25:23,200 They created the all the right roles and they signed All the 497 00:25:23,200 --> 00:25:25,400 Right entitlements to the right roles, the right rules, the 498 00:25:25,400 --> 00:25:29,400 right users Etc, and then there's a reorg or then there's 499 00:25:29,400 --> 00:25:32,400 a corporate MMA or then, you know, they sell off a division 500 00:25:32,400 --> 00:25:35,500 or then they decide to switch. I as providers like, there's so 501 00:25:35,500 --> 00:25:39,700 many line of business events that can just totally upped 502 00:25:39,700 --> 00:25:43,700 these carefully laid plans that I don't need teams make, I have 503 00:25:43,700 --> 00:25:45,400 so much empathy, right? Because I've lived through this 504 00:25:45,400 --> 00:25:48,800 myself working in the Biotech Industry for more than a decade. 505 00:25:48,800 --> 00:25:52,000 You know, Biotech Industry loves nothing more than Ma, and this 506 00:25:52,000 --> 00:25:54,600 happened to us so many times when psycho, we've got the 507 00:25:54,600 --> 00:25:56,500 perfect thing. And then, oh no, it's disrupted 508 00:25:56,500 --> 00:26:00,200 by my life, right by the corporate events or the business 509 00:26:00,200 --> 00:26:02,500 events are happening. So I think there's a lot of 510 00:26:02,508 --> 00:26:04,700 different things that can disrupt that I think that if I 511 00:26:04,700 --> 00:26:07,200 want to jump into solution instead of just, you know, 512 00:26:07,200 --> 00:26:10,200 admiring the problem, I think the solution Has to really be 513 00:26:10,200 --> 00:26:12,300 agile and how you think about these things, right? 514 00:26:12,300 --> 00:26:14,900 And just expect that there's going to be some disruption down 515 00:26:14,900 --> 00:26:17,400 the road. And so as I say this as an IT 516 00:26:17,400 --> 00:26:20,100 project, managers loves nothing more than the triple constraint 517 00:26:20,100 --> 00:26:23,600 finishing projects Etc. But sort of plan that your 518 00:26:23,600 --> 00:26:25,800 project is going to take longer than you, thought it was going 519 00:26:25,800 --> 00:26:29,000 to and you'll probably end up repeating that project at some 520 00:26:29,000 --> 00:26:30,100 point in the future. Right? 521 00:26:30,100 --> 00:26:32,700 And so make sure you leave behind the assets and the 522 00:26:32,700 --> 00:26:34,700 information in the decision-making and all the 523 00:26:34,700 --> 00:26:38,300 other things that you use during this project to make it easier 524 00:26:38,300 --> 00:26:40,800 to execute the next. Time to do the next cleanup or 525 00:26:40,800 --> 00:26:44,100 the next part of the m&a activity or whatever it is to go 526 00:26:44,100 --> 00:26:47,300 back. And revisit in this case, the I 527 00:26:47,300 --> 00:26:49,200 am control plan but it could be some other part of that any 528 00:26:49,200 --> 00:26:51,600 ecosystem as well. I think it's great advice, you 529 00:26:51,600 --> 00:26:53,200 know, hindsight's always 20/20, right? 530 00:26:53,200 --> 00:26:55,400 You're looking back and should have should have would have, 531 00:26:55,400 --> 00:26:57,700 could have write all the things that could have impacted that. 532 00:26:57,700 --> 00:27:01,900 But if you leave those artifacts behind, you can kind of justify 533 00:27:01,900 --> 00:27:04,700 at least the thinking of the time and the great thing about, 534 00:27:04,700 --> 00:27:06,800 you know, the mind is that it can change, right? 535 00:27:06,800 --> 00:27:10,600 You don't have to be stuck in the same decision for It is okay 536 00:27:10,600 --> 00:27:14,300 to get smarter right as your Viewpoint in the world and the 537 00:27:14,308 --> 00:27:16,000 capabilities, you know, around it. 538 00:27:16,100 --> 00:27:18,900 Of also I think that's a really great point. 539 00:27:19,500 --> 00:27:23,100 I, uh, you know, I think also from, you know, the strategy of 540 00:27:23,100 --> 00:27:29,200 managing I am as a whole there is sometimes competing 541 00:27:29,200 --> 00:27:34,100 priorities when it comes to who's responsible for what maybe 542 00:27:34,100 --> 00:27:38,000 infosec is responsible for kind of, I am at, you know, at a top 543 00:27:38,000 --> 00:27:41,000 level but they made. Legate privileged access 544 00:27:41,000 --> 00:27:43,300 management to the server team, right? 545 00:27:43,300 --> 00:27:45,300 Or the it infrastructure team or whatever, it's called with any 546 00:27:45,300 --> 00:27:50,200 organization because they're the ones closest to, you know, those 547 00:27:50,200 --> 00:27:54,500 resources, those sorts of things from your Viewpoint, who do you 548 00:27:54,500 --> 00:27:57,900 think should own Pam? Is it what? 549 00:27:57,900 --> 00:28:02,000 I kind of described, is it a hybrid model in and understand, 550 00:28:02,000 --> 00:28:04,200 right? We know that no one, no one size 551 00:28:04,200 --> 00:28:04,700 fits. All right. 552 00:28:04,700 --> 00:28:06,200 It's going to be different every organization. 553 00:28:06,200 --> 00:28:09,100 But is there something that's jumped out at you as maybe 554 00:28:09,100 --> 00:28:10,800 something? That people listening to take 555 00:28:10,800 --> 00:28:14,200 into consideration when we're thinking about, where does Pam 556 00:28:14,200 --> 00:28:16,100 fit within my organization? Yeah. 557 00:28:16,100 --> 00:28:18,400 And to be honest, I have a bit of a contrarian view on this 558 00:28:18,400 --> 00:28:19,600 one. So if you're living for 559 00:28:19,600 --> 00:28:20,800 listening, this buckle up, right? 560 00:28:20,800 --> 00:28:24,000 Because we're about to go on a wild ride and that contrarian 561 00:28:24,000 --> 00:28:25,400 views, actually, it doesn't matter. 562 00:28:25,700 --> 00:28:28,100 It actually doesn't matter who owns the responsibility for 563 00:28:28,100 --> 00:28:29,700 public access. It could be daichi operations 564 00:28:29,700 --> 00:28:31,100 team. It could be the identity team. 565 00:28:31,100 --> 00:28:34,100 It could be the info 16 info SEC, team broadly. 566 00:28:34,400 --> 00:28:38,400 What actually matters is how you measure the success of the Pam 567 00:28:38,400 --> 00:28:41,900 function. And for me, if I was, you know, 568 00:28:41,900 --> 00:28:43,800 C. So for a day and I had a 569 00:28:43,800 --> 00:28:46,200 dashboard at operational dashboard, and I was looking at 570 00:28:46,200 --> 00:28:48,700 the road that said, privileged access management, it would be 571 00:28:48,700 --> 00:28:51,600 two measures one would be how much standing privileges are in 572 00:28:51,600 --> 00:28:53,500 the environment. How many persistent privileged 573 00:28:53,500 --> 00:28:56,200 accounts, how many accounts with persistent Village access are 574 00:28:56,200 --> 00:28:59,300 there and the second one would be, how often are just in time, 575 00:28:59,300 --> 00:29:01,400 entitlements used. Then those were the two measures 576 00:29:01,400 --> 00:29:04,600 that matter the most to me if I was visiting that shoes in the 577 00:29:04,600 --> 00:29:06,900 shoes of the sea. So whoever ultimately has 578 00:29:06,900 --> 00:29:09,600 responsibility for the information security or The 579 00:29:09,600 --> 00:29:12,400 organization and then as far as which organization actually 580 00:29:12,400 --> 00:29:16,000 runs, the the tooling for that and provides that data and you 581 00:29:16,000 --> 00:29:21,200 know, trains users and goes after scofflaws it that sort of 582 00:29:21,200 --> 00:29:23,800 matters a lot less to me. Honestly, I feel the same way, 583 00:29:24,000 --> 00:29:26,400 you know, as long as somebody owns it, I feel like that's kind 584 00:29:26,400 --> 00:29:28,700 of the answer that I look for. I think you and I have had a 585 00:29:28,708 --> 00:29:31,500 conversation about this in the past on different episodes and 586 00:29:31,800 --> 00:29:34,500 just in our normal day jobs is, you know who owns identity 587 00:29:34,500 --> 00:29:37,000 access management at the end, it doesn't matter as long as 588 00:29:37,000 --> 00:29:39,900 someone owns it. And you know, there is Of like, 589 00:29:40,100 --> 00:29:42,300 you know, if you think about from a racy perspective, right? 590 00:29:42,300 --> 00:29:44,500 Who is the, a, who is accountable for it? 591 00:29:44,500 --> 00:29:47,300 And I kind of feel like, it's like Highlander there, can only 592 00:29:47,300 --> 00:29:48,700 be one, right? That's one. 593 00:29:49,200 --> 00:29:52,700 Someone has to be able to make the decision, break the Log Jam, 594 00:29:52,700 --> 00:29:55,700 take ownership, you know, Falls to them and, you know, whatever 595 00:29:55,700 --> 00:29:57,300 it looks like and as an organization. 596 00:29:57,300 --> 00:30:00,800 But as long as someone owns it, I don't, you know, I don't think 597 00:30:00,800 --> 00:30:03,700 it really matters you talked a little bit about, you know, 598 00:30:03,700 --> 00:30:07,000 being see. So for a day and measuring Pam, 599 00:30:07,000 --> 00:30:09,900 and you mentioned some things that were kind of based on You 600 00:30:09,900 --> 00:30:13,700 know, indicators of risk, may be associated with number of 601 00:30:13,700 --> 00:30:15,600 accounts approvals entitlements. Those are the things. 602 00:30:16,300 --> 00:30:18,700 What are some other methods and and you know, maybe I'm throwing 603 00:30:18,700 --> 00:30:20,500 on, is by here. But how else would you measure 604 00:30:20,500 --> 00:30:23,400 success for privileged access management beyond that? 605 00:30:23,400 --> 00:30:26,900 If I'm if I'm a practitioner and I'm, you know, thinking about 606 00:30:26,900 --> 00:30:31,000 putting in a Pam tool, you know, what are ways that I can kind of 607 00:30:31,000 --> 00:30:33,900 justify, not only the tool itself, but the reduction of 608 00:30:33,900 --> 00:30:37,000 risk the organization that people can think about. 609 00:30:37,000 --> 00:30:39,100 Yeah spoken. Like a guy who says the time is 610 00:30:39,100 --> 00:30:41,600 7 23, right? So you and I are cut from the 611 00:30:41,608 --> 00:30:44,800 same cloth, my friend numbers, don't lie unless you want them 612 00:30:44,800 --> 00:30:46,600 to. We are. 613 00:30:46,600 --> 00:30:49,800 We're both data-driven decision makers, I suspect and I think 614 00:30:49,800 --> 00:30:53,300 that, you know, a good Pam effort, whether it's a project 615 00:30:53,300 --> 00:30:56,600 or an ongoing function is run the same way it's driven off of 616 00:30:56,600 --> 00:30:58,500 data. So the two data measures, I just 617 00:30:58,500 --> 00:31:01,500 mentioned would be for me if I had to pick two k pi as those 618 00:31:01,500 --> 00:31:03,200 would be that right? How much persistent privilege 619 00:31:03,200 --> 00:31:05,300 accesses are in the environment that number should be going 620 00:31:05,300 --> 00:31:06,400 down? That number should be trending 621 00:31:06,400 --> 00:31:09,400 downward and how often are just in time. 622 00:31:09,600 --> 00:31:10,800 Privileged access. Entitlements. 623 00:31:10,800 --> 00:31:13,000 Utilized in that number should be out or flatter trending 624 00:31:13,000 --> 00:31:15,400 upward based on the organization's situation. 625 00:31:15,900 --> 00:31:18,400 I think beyond that you can certainly get into other 626 00:31:18,400 --> 00:31:22,500 measures like how frequently are n points assessed for how much 627 00:31:22,500 --> 00:31:25,300 Public Access they have? And then in an organization that 628 00:31:25,300 --> 00:31:28,500 has I would say a distributed it function it could call it Shadow 629 00:31:28,500 --> 00:31:30,300 it or call it you know Department a lie to. 630 00:31:30,300 --> 00:31:33,600 You can call it whatever how well integrated are those 631 00:31:33,600 --> 00:31:36,800 sources of privileged access integrated back into whatever, 632 00:31:36,800 --> 00:31:40,200 the core Pam function is with us, run by it or Someone else. 633 00:31:41,000 --> 00:31:44,900 How how cohesive a picture across all the different 634 00:31:44,900 --> 00:31:47,800 Departments of the privileged access management is available 635 00:31:47,800 --> 00:31:50,200 within the organization would be another critical measure. 636 00:31:50,900 --> 00:31:54,700 I think another one is how the Pam project or solution or 637 00:31:55,200 --> 00:31:58,400 service is evolving over time? I think this is one of the 638 00:31:58,400 --> 00:32:01,100 things that really gets us really bites us. 639 00:32:01,200 --> 00:32:04,200 Is that we don't think about the evolution of the Pam technology. 640 00:32:04,200 --> 00:32:07,800 And so, when organization started to do hybrid cloud 641 00:32:07,800 --> 00:32:10,600 rollouts, like the Pam, Solutions at the time just 642 00:32:10,600 --> 00:32:13,600 didn't keep up with that. I did just weren't ready and so 643 00:32:13,600 --> 00:32:16,300 they fell behind right? And so that's one of the reasons 644 00:32:16,300 --> 00:32:19,500 why I think a lot of these ideas deployments in large companies, 645 00:32:19,500 --> 00:32:23,000 still have a lot of unmanaged Public Access because the 646 00:32:23,000 --> 00:32:26,200 tooling wasn't available when the organization started it, and 647 00:32:26,200 --> 00:32:29,000 they never went back to update the tooling or apply it to these 648 00:32:29,000 --> 00:32:31,300 new sources. So thinking about what is, what 649 00:32:31,300 --> 00:32:34,600 is my Pam service look like a year from now, two years from 650 00:32:34,600 --> 00:32:36,300 now? Five years from now is another 651 00:32:36,300 --> 00:32:38,500 key measure and it can't necessarily put that into Data 652 00:32:38,500 --> 00:32:40,400 but it's a critical. Thing to be thinking about and 653 00:32:40,400 --> 00:32:44,900 planning for ahead of time. I'm glad that Jeff joined in and 654 00:32:44,900 --> 00:32:48,000 agreed because I'm going to take the contrarian View and I don't 655 00:32:48,000 --> 00:32:50,100 want to be arguing with you, Paul. 656 00:32:50,100 --> 00:32:53,200 I'd rather argue with you and Jeff now, but the point that I 657 00:32:53,200 --> 00:32:59,300 was going to make is that I do think where Pam sits does 658 00:32:59,300 --> 00:33:01,500 matter. And I say that from the 659 00:33:01,500 --> 00:33:06,300 perspective that when I've seen Pam project, struggle or fail, 660 00:33:06,600 --> 00:33:11,100 it's because of resistance from the end user, The users of that 661 00:33:11,100 --> 00:33:12,900 system, you can come up with reasons. 662 00:33:12,900 --> 00:33:17,400 It takes me longer to do my job. What if, what, if what, if, what 663 00:33:17,400 --> 00:33:21,300 if the Pam servers down and, you know, all these reasons why I 664 00:33:21,300 --> 00:33:24,200 might not be able to save the world? 665 00:33:24,300 --> 00:33:26,700 Even though I have my Cape, you're putting this piece of 666 00:33:26,700 --> 00:33:29,100 technology in front of me. That's a piece of junk. 667 00:33:29,500 --> 00:33:33,400 So, how do you flip that script? How do you get those folks to be 668 00:33:33,400 --> 00:33:35,900 on board with it? Why don't you put them in charge 669 00:33:35,900 --> 00:33:37,400 of it? They run it. 670 00:33:37,400 --> 00:33:42,900 And then you say, well, you know, Oh, is that kind of not 671 00:33:43,500 --> 00:33:46,200 fulfilling our duty? Well, I think what you need on 672 00:33:46,200 --> 00:33:50,300 top of handing, over the Pam system, to the users of the Pam 673 00:33:50,300 --> 00:33:51,800 system. In other words, the system 674 00:33:51,800 --> 00:33:54,800 administrators is you need a checks and balances. 675 00:33:54,800 --> 00:33:58,100 So you need to have some kind of oversight and administrative 676 00:33:58,100 --> 00:34:01,400 capabilities, whatever that balances, so that you have a 677 00:34:01,400 --> 00:34:05,100 checks and balance, but that those users of the system are 678 00:34:05,108 --> 00:34:09,300 not quote, unquote disenfranchised or you know that 679 00:34:09,500 --> 00:34:14,900 They feel like their ability to perform their job function is 680 00:34:15,100 --> 00:34:19,900 being jeopardized. So that's, that's my two cents 681 00:34:19,900 --> 00:34:22,500 on it. Is that I want to see those end 682 00:34:22,500 --> 00:34:24,900 users on that system. Well, I think we're actually in 683 00:34:24,900 --> 00:34:28,000 violent agreement on this point. In the measures, I mentioned are 684 00:34:28,000 --> 00:34:30,199 ways of measuring. Whether the onions are our end 685 00:34:30,199 --> 00:34:31,800 users are actually using the system. 686 00:34:31,800 --> 00:34:33,400 Right? Because I think, one of the 687 00:34:33,400 --> 00:34:36,500 other things, one of the other skeletons in the closet of 688 00:34:36,600 --> 00:34:39,300 society folks, is that these Pam Solutions were often rolled out. 689 00:34:39,400 --> 00:34:41,699 This password Vault Solutions Rock and rolled out and then 690 00:34:41,699 --> 00:34:44,699 bypassed, right? So some really smart sysadmin 691 00:34:44,699 --> 00:34:47,800 would just go up and go and set check out the account right, or 692 00:34:47,808 --> 00:34:49,900 whatever. And then create themselves some 693 00:34:49,900 --> 00:34:52,300 local accounts on the endpoints, and they would just use those 694 00:34:52,300 --> 00:34:54,300 local accounts, not have to worry about the password Vault, 695 00:34:54,300 --> 00:34:56,699 any longer. So I think that the measures I 696 00:34:56,699 --> 00:35:00,700 mentioned are ways to detect if and users are bypassing the Pam 697 00:35:00,700 --> 00:35:03,200 tool. So that adjustments can be made 698 00:35:03,200 --> 00:35:05,600 in the way that it works or the training that's provided or the 699 00:35:05,600 --> 00:35:07,900 value is provided to the end user so that they actually 700 00:35:08,100 --> 00:35:10,900 adhere to the Pam. Practices of the organization. 701 00:35:11,400 --> 00:35:12,600 I think. The other thing to say is that 702 00:35:12,600 --> 00:35:15,800 you're absolutely right, these Pam, projects are historically, 703 00:35:15,800 --> 00:35:18,600 have been very hard and they just didn't get done. 704 00:35:18,600 --> 00:35:20,600 If they didn't have the right level of executive support, 705 00:35:20,600 --> 00:35:22,100 which I think, is the point you're trying to make is like, 706 00:35:22,100 --> 00:35:25,200 if you don't have the backing of whoever matters in the 707 00:35:25,200 --> 00:35:27,200 organization, whether it's the CIO or the sea. 708 00:35:27,200 --> 00:35:30,800 So or headed the line of business or whatever it is, it's 709 00:35:30,900 --> 00:35:34,100 CTO, whatever it is. If you didn't have their backing 710 00:35:34,100 --> 00:35:36,500 then these Pam projects would just fail, right? 711 00:35:36,500 --> 00:35:38,400 Because it would get partially deployed and there would be a 712 00:35:38,400 --> 00:35:41,400 bunch of resistance from new users and then the project would 713 00:35:41,400 --> 00:35:43,600 just sort of shut down, right? They would just never really get 714 00:35:43,600 --> 00:35:46,200 done on average. We see that password mold. 715 00:35:46,200 --> 00:35:49,400 Technology is only ever get to 30% deployment 30% of the 716 00:35:49,400 --> 00:35:51,500 planned deployment because of exactly the reasons you 717 00:35:51,500 --> 00:35:53,900 mentioned. And so, I think the solution is 718 00:35:53,900 --> 00:35:56,200 really twofold, one is the increased level of executive 719 00:35:56,200 --> 00:35:58,200 support, but I think the second thing is we need to provide a 720 00:35:58,207 --> 00:36:02,000 better solution, password Vault suck and here. 721 00:36:02,000 --> 00:36:04,300 I'm standing on my soapbox is a founder of a company that 722 00:36:04,300 --> 00:36:05,600 directly competes with basketballs. 723 00:36:05,600 --> 00:36:08,200 So, you know, grains of grains of salt for everyone. 724 00:36:08,700 --> 00:36:13,000 But Getting away from this idea that you have to in introduce 725 00:36:13,000 --> 00:36:16,300 additional friction in order to better manage privileged access. 726 00:36:16,300 --> 00:36:19,500 I think that idea is outdated and there are better approaches 727 00:36:19,900 --> 00:36:23,600 to doing this and that we can achieve both better user 728 00:36:23,600 --> 00:36:26,700 experience and increase secured around privileged access at the 729 00:36:26,700 --> 00:36:29,000 same time. Absolutely great points. 730 00:36:30,000 --> 00:36:35,900 So, Paul were coming up on time but I just have to imagine that 731 00:36:35,900 --> 00:36:39,300 in your role you've come across some interesting. 732 00:36:39,400 --> 00:36:42,100 Ting use cases. So, would you mind maybe taking 733 00:36:42,100 --> 00:36:46,600 us out with one or two of those kind of were stories that maybe 734 00:36:46,600 --> 00:36:49,200 you've gone through and hopefully, some of them come to 735 00:36:49,200 --> 00:36:51,800 a bright and happy ending. Yeah. 736 00:36:52,300 --> 00:36:54,700 Well, there's a longer version of this story on our website. 737 00:36:54,700 --> 00:36:57,200 If anyone wants to hear the longer version of this but 738 00:36:57,700 --> 00:37:00,300 Romanians, first commercial customer was Lockheed Martin and 739 00:37:00,300 --> 00:37:03,600 there's, they continue to be a public reference customer for 740 00:37:03,600 --> 00:37:05,400 us. Very happy, customer of ours, in 741 00:37:05,500 --> 00:37:08,600 their use case, was really around Regulatory Compliance and 742 00:37:08,600 --> 00:37:11,500 it was a random Special kind of Regulatory Compliance something 743 00:37:11,500 --> 00:37:13,900 that they call instrumented compliance. 744 00:37:14,100 --> 00:37:16,900 So Lockheed Martin had been in compliance with all the rules 745 00:37:16,900 --> 00:37:19,600 that they needed to be in around the federal government for 746 00:37:19,600 --> 00:37:23,300 forever, but they really didn't have the instrumentation to live 747 00:37:23,300 --> 00:37:25,800 instrumentation to show themselves to prove to 748 00:37:25,800 --> 00:37:28,000 themselves that they were continuously in compliance, 749 00:37:28,000 --> 00:37:30,600 right? And that's what our technology 750 00:37:30,600 --> 00:37:32,000 was used for. Was to bring about this 751 00:37:32,000 --> 00:37:34,900 instrument to compliance around the specific Regulatory 752 00:37:34,900 --> 00:37:37,400 Compliance rules around the DeForest or defense Federal 753 00:37:37,400 --> 00:37:40,000 acquisition rules. And so that's An interesting one 754 00:37:40,000 --> 00:37:42,000 is to think not just about through the lens of Regulatory 755 00:37:42,000 --> 00:37:44,500 Compliance, but continuously enforced and continuously 756 00:37:44,500 --> 00:37:47,200 insured compliance with regulations and there's a bunch 757 00:37:47,200 --> 00:37:49,600 of them out there that have to do with college access, right? 758 00:37:49,800 --> 00:37:51,600 So that was one, interesting one, another one. 759 00:37:51,600 --> 00:37:53,600 Interesting one is zero trust. You guys talked about it on your 760 00:37:53,600 --> 00:37:55,500 show last week. Actually, zero trust came up, 761 00:37:55,500 --> 00:37:57,600 but I'm sure it's come up with as many times in the past and 762 00:37:57,700 --> 00:38:00,300 hopefully we'll come up many times in the future and thinking 763 00:38:00,300 --> 00:38:03,400 about how does privileged access fit into zero trust because I 764 00:38:03,408 --> 00:38:06,800 think zero trust is often seen through the lens of device and 765 00:38:06,800 --> 00:38:10,500 network security and less often through the Identity security, 766 00:38:10,500 --> 00:38:13,900 in fact, sometimes I see dirt rust denoted is zero. 767 00:38:13,900 --> 00:38:15,300 Trust network. Access writers? 768 00:38:15,300 --> 00:38:17,900 Each DNA. And so how do you introduce 769 00:38:17,900 --> 00:38:22,100 identity Concepts into that and I firmly believe that privileged 770 00:38:22,100 --> 00:38:25,700 access is the correct bridge between the identity world and 771 00:38:25,700 --> 00:38:28,500 the device and network-centric security world of zero trust 772 00:38:28,500 --> 00:38:29,700 today. I think the privileged access 773 00:38:29,700 --> 00:38:31,800 makes that bridge work really well. 774 00:38:31,800 --> 00:38:34,500 So much of Concepts around zero trust, another really 775 00:38:34,500 --> 00:38:37,300 interesting use case for us. And the last one I'll leave in 776 00:38:37,300 --> 00:38:39,100 this actually does end in a very bright story. 777 00:38:39,100 --> 00:38:41,700 Which Which is incident response and privileged access 778 00:38:41,700 --> 00:38:44,100 management, and incident response have never been 779 00:38:44,100 --> 00:38:47,000 considered to be even in the same side of the planet. 780 00:38:47,000 --> 00:38:50,200 Much less adjacent Technologies are adjacent approaches. 781 00:38:50,700 --> 00:38:53,000 And again, there's a talked about this on the risky business 782 00:38:53,000 --> 00:38:56,500 podcast, this past week, with country of gray, in longer form 783 00:38:56,500 --> 00:38:58,700 of anyone's interested. But the idea that you can 784 00:38:58,700 --> 00:39:02,200 actually roll out a Pam solution during an incident response, 785 00:39:02,200 --> 00:39:04,200 there's some malware that's spreading across the 786 00:39:04,200 --> 00:39:06,500 organization. You're watching compromise 787 00:39:06,500 --> 00:39:09,200 privileged accounts being used to spread the malware, you know? 788 00:39:09,400 --> 00:39:10,900 Starkly. We've only ever been able to 789 00:39:10,900 --> 00:39:14,900 bring ETR XTR Technologies to bear in those situations. 790 00:39:14,900 --> 00:39:17,400 We now have about a half dozen cases where remediate has 791 00:39:17,400 --> 00:39:20,600 deployed pen technology over the course of a weekend to help slow 792 00:39:20,600 --> 00:39:22,700 down or stop those malware spreads as well. 793 00:39:22,700 --> 00:39:25,600 So, instant response yet. Another interesting use case, 794 00:39:25,600 --> 00:39:27,400 it's come up more recently for us as pretty. 795 00:39:27,500 --> 00:39:28,800 Those are some pretty cool examples. 796 00:39:29,800 --> 00:39:33,100 Yeah, I guess you could call me a fan of Lockheed Martin just 797 00:39:33,100 --> 00:39:35,200 from the aircraft perspective and some of the things they put 798 00:39:35,200 --> 00:39:38,900 out there like the SR-71 Blackbird the F16, the F-22, 799 00:39:38,900 --> 00:39:40,600 they have to T5. I'm a big nerd. 800 00:39:40,600 --> 00:39:43,100 So what can I say that's going to be a fascinating kind of 801 00:39:43,107 --> 00:39:44,800 client to work with when it comes to kind of thing. 802 00:39:44,800 --> 00:39:47,000 So and you have been very gracious with your time. 803 00:39:47,000 --> 00:39:50,200 We really do appreciate it. Before we wrap things up for 804 00:39:50,200 --> 00:39:53,400 this week. Are there any other Pearls of 805 00:39:53,400 --> 00:39:57,800 Wisdom that you want to lay Upon Us Paul before we close things 806 00:39:57,800 --> 00:39:59,200 out? You know, I think just think 807 00:39:59,200 --> 00:40:01,900 expansively about what's possible the end of the world. 808 00:40:02,000 --> 00:40:07,400 I think that just like, Jim's kid we should break with the old 809 00:40:07,400 --> 00:40:09,200 habits, right? There's a lot of emerging. 810 00:40:09,400 --> 00:40:11,300 Technology. I think identity is seen an 811 00:40:11,300 --> 00:40:14,900 amazing amount of investment in Innovation from the VC world and 812 00:40:14,900 --> 00:40:18,300 from from others. And I think it's time for all of 813 00:40:18,300 --> 00:40:20,900 us to think more holistically about what's possible and 814 00:40:20,900 --> 00:40:25,000 identity and sort of break with saying it's 7:15 and say that 815 00:40:25,000 --> 00:40:28,700 it's 7:23 instead I like that it's okay to get smarter right? 816 00:40:28,700 --> 00:40:33,100 I mean it's okay to grow and think about things in new ways, 817 00:40:33,900 --> 00:40:36,100 Jim anything you want to bring up before we close it out. 818 00:40:36,200 --> 00:40:43,300 Back in my day we said 11:15. And we liked it so much. 819 00:40:45,400 --> 00:41:06,900 I do my best for sure, send me, LinkedIn 820 00:41:06,900 --> 00:41:10,500 connections and me Twitter. On the Tweet things. 821 00:41:11,400 --> 00:41:13,500 And then if there's folks out there that are brand new to 822 00:41:13,500 --> 00:41:15,900 cybersecurity, definitely encourage them to join the 823 00:41:15,908 --> 00:41:19,100 cybersecurity nonprofit cost zero dollars and you get a lot 824 00:41:19,100 --> 00:41:21,800 of value for that zero dollars. It's tough and I'll have links 825 00:41:21,800 --> 00:41:25,400 to all that stuff in our show notes for people to check out in 826 00:41:25,400 --> 00:41:29,500 their podcast app of choice or a tide any at the center.com. 827 00:41:29,600 --> 00:41:32,600 Another place you can find that information Paul greatly, 828 00:41:32,600 --> 00:41:34,800 appreciate it, Jim greatly appreciate it. 829 00:41:35,300 --> 00:41:37,500 We're going to go ahead and close it out for this week. 830 00:41:37,500 --> 00:41:40,100 Thanks everybody for listening and we'll talk with you all in 831 00:41:40,100 --> 00:41:45,500 the next one. You've been listening to the 832 00:41:45,500 --> 00:41:48,900 identity at the center podcast, if you like what you heard, 833 00:41:49,000 --> 00:41:52,300 don't forget to subscribe and visit us on the web at identity 834 00:41:52,300 --> 00:41:53,600 at the center.com.