BeyondTrust customer, Chris Stucker, Associate Director for Identity and Access Management at the University of Utah, discussed his team’s privileged access management (PAM) journey with our CTO and CISO, Morey J. Haber, during a recent webinar session. The discussion covered a number of topics and unearthed a wealth of cybersecurity lessons—from how the university decided on a PAM vendor to the path to implementing a just-in-time access model, to adapting to the security and access challenges imposed by the coronavirus pandemic.
We are sharing the interview transcript below, but you may also view the webinar on-demand here: How a Major University is Leveraging Just-in-Time Privileged Access Management to Mitigate Risk.
The webinar discussion and transcript below provide candid insights into so many of the questions, complexities, challenges, and variables that are part of Chris’s role in helping to secure a major university, its assets, and its people.
We want to thank Chris again for his time, for sharing his story—and for being an awesome customer!
Webinar Interview & Q&A Transcript
Sarah: Thank you for joining our special BeyondTrust Customer webinar today: How a Major University is Leveraging Just-in-Time Privileged Access Management to Mitigate Risk. This is an awesome case study and we're really excited to have one of our customers here to share his story with you all.
We've got an incredible and highly qualified set of speakers here today, ready to talk about real life and implementation of Just-in-Time PAM, how the pandemic has affected the University's remote employees, students, and users, and how the University stays ahead of the constant change and evolution of cybersecurity. So, it's going to be a really great thought leadership piece for you all to experience.
We're going to make quick introductions of our two experts, and then include a brief overview of University of Utah, so we can set the stage for you and you can see what Chris is doing there at the University. We'll jump into a live discussion and that will take up the majority of the session today. And then we'll wrap up with live Q&A from the audience.
Our featured guests are BeyondTrust customer, Chris Stucker, Associate Director for Identity and Access Management at the University of Utah; and Morey Haber, BeyondTrust CISO and CTO. My name is Sarah Lieber and I'll be moderating the session today as well.
Please welcome, Morey and Chris.
Morey: Thank you, Sarah.
Chris: Thank you, Sarah and thank you, Morey and BeyondTrust for inviting me here today for everyone who has tuned in to listen. First of all, I'd like to dispute the term expert. I'll leave that for Morey. I'm a student of this game and I'd love to learn more about it with all of you. The other part is when Sarah mentioned that we've done a lot. We have done a lot as a team. The University has been great and BeyondTrust has been a great partner, so the things that we've accomplished here so far, they're just a good start and it's a great team effort. I also want to just lay out a couple of expectations.
Any mistakes that I make are solely my own and I will probably make mistakes. I will probably also err on the side of clarity over accuracy, so those of you who know this subject pretty well, if you catch me saying things in a clear way and not necessarily an accurate way, please forgive me. That's intentional. And finally, as a representative of the University of Utah, I can't expressly endorse any products, so we're here to talk about our methodology and how we went through this thing, how we chose the partner we did, and I'd love to talk a lot about that. And then I can have side conversations with anyone.
So, with all of that out of the way, the University of Utah, as you can see there, we're a pretty big university. We're a D1R1. We're in the PAC-12. We have about 17 colleges and 100 departments. We also have a hospital. So, when we talk about the complexity that we deal with, we are like every other university, a big and dynamic place, but then we can also tack on the fact that we have a whole healthcare system and a teaching hospital. So, we have four hospitals, we have 12 health centers, 16 total locations.
A little bit of trivia also for the geeks out there—we were the fourth node on ARPANET, the precursor to the internet. So, if you didn't know that you can win some cocktail party trivia questions with that one. Fourth Node on the internet. We have a huge University. 33,000 students, we have about 1500 acres. We have a fully developed Research Park with an incubator that we're very proud of that's expanding every day. It's a really dynamic and exciting place with lots of things going on all the time.
Morey: Fantastic. Thank you so much, Chris, for that high-level overview. So, what we want to do is get into a dialogue about Just-in-Time Privileged Access Management, and really understand what happened in the university and why Privileged Access Management became so important to you. So, let's go back a little bit. Where did you first discover and realize that you had to embark on a Privileged Access Management journey for the university? What compelling event or situation were you at when PAM became important?
Chris: Great question. For me, it was taking this role. I was previously in a different role at the University and had a fair idea that we were a complex place, but I really didn't know half of it. And when I took the role in the IAM team, suddenly it became painfully obvious that, because of the size and because of the dynamic nature of—I think all universities--I don't think we're unusual in that. That's another thing I should probably say. I'll speak sometimes to the difference between the University side and the healthcare side and there is a distinct difference. And though our President Ruth Watkins has a beautiful vision of one U, there's still some historical difference and there are some differences in the two sides of the organization.
So, the campus side was like every university, very dynamic and we have people moving around all the time and we're very decentralized and the colleges and the departments, they all have administrators and many of them have IT staffs, so they can create servers and applications. And all of these things are really hard to track like you might expect. So, as I came into this job and tried to get a handle on even simple things like the CIS Top 20, and we start to say, "What do we need to protect?" No one could even tell me what those things are. So, one of the things that we decided to do very quickly is, "We need to find a solution for this," and that's when we started to look around for Privileged Access Management and for a partner in that space.
Morey: Was some of this an educational problem with the team's understanding of best practices as well as a technology solution?
Chris: Yeah, absolutely. So, again, like most universities probably, we grew up organically and administrators and departments get different levels of expertise. We have at the University some extremely smart people, but they have different interests. Their primary interests are in other areas, maybe in the performance of computing or maybe in genetics. So, they don't necessarily study a lot about security and they don't necessarily put a lot of effort into some of the things that security folks will focus on, obviously.
So, when we started to talk about the kinds of things that lead us to that, we needed to find a solution that could bring everyone to the table and let everyone kind of have an easier way to manage things. One of the things that we loved about this idea is that, not only are we going to increase security, we're also going to increase productivity, and that was a big differentiator for us in this process. Does that make sense?
Morey: It does. So, one of the things that we find when working with Higher Education is the identity challenge. You have the students' side and you have the faculty and then you have the back-end operations. The identity problem is much more pronounced because you expect that turnover, that joiner-mover-leaver process to occur every single year, and sometimes, middle of the year. And then you have the privilege side of the problem, which is sometimes faculty, back-end, and then even sometimes students. How do you separate or bring together the different challenges of identity and privileged access?
Chris: Yeah, that's a great question and that's probably the biggest identity challenge in the university space, at least at my university—that and the accuracy of data. Those are the two hand-in-hand problems that challenge us. But the things you hit on are exactly right. Those are the complexities of mixing together students that come and go, but they're on a relatively predictable schedule compared to some of the staff folks. We have staff folks who move around all the time and then we have to combine that with the fact that most of these folks have multiple personas. So, we use an identity governance solution that helps us to try to manage those personalities and those personas and try to keep their roles separate.
So, as you know, the challenge is how do you keep a student in a position to be able to learn and not affect his or her ability to get to the things that he or she needs? And, at the same time, have that same person have a staff role or maybe even a hospital role with access to PHI. So, you've got someone who moves back and forth between roles and, in some cases, between organizations and, in many cases, between levels of need to know. We have to try to manage all of that. So, IGA does part of that, but we realized that it won't do all of it and, again, we need to embark on a PAM journey because we needed some help in managing the privilege piece of that. I suspect you hear that a lot from your customers, right?
Morey: We do. We look at it as a journey. Some people will start with PAM, some people will start with identity, some people might have two completely separate initiatives and they'll have to figure out how to bring them together. Let's fast forward a little bit before we get into the concepts of Just-in-Time and talk about BeyondTrust really quick. What about the partnership with BeyondTrust, what's compelling to you? And then we'll back it up a little bit and start talking about the nuts and bolts. So, really, why BeyondTrust? Why us?
Chris: Yeah, that's the ultimate question for everybody starting on the journey, right? Who is it and why? And it was a big deal for us. We wanted to choose the right partner and we did a pretty thorough investigation of the market leaders and what it came down to was a couple of things. One thing was BeyondTrust seemed really eager to be a good partner and seemed really eager to engage with us and make sure that we were successful and that was a huge thing for us. When we look for a partner, we look for a partner that really fulfills the meaning of that word. Sometimes, and everyone in this industry has had a "partner," in air quotes, who has come to the table and delivered a software solution and walked out the door. We had the impression from BeyondTrust that that would not be the case, and that BeyondTrust was in it for the long haul to ensure that we would be successful.
The other piece is the technology. We wanted to make sure that we had all of the pieces that we needed and, again, for everyone out there, that's going to be a different solution potentially, because they're in different situations. We needed a couple of things. One of them we talked about was the ability to handle the dynamic changes that happen in our organization, with something like PWS, with a password safe.
The other thing that we really needed is we have a really strong use case for remote access vendors. We have thousands, literally, of vendors and consultants and outside suppliers that connect to our systems all the time, every single day, and we had to have a great solution for that. We thought that between those three pieces, the teamwork, the remote access solution and the password safe solution, for us, BeyondTrust was the best choice.
Morey: Thank you. That really helps set the stage for our next set of questions, the digging deep, and I appreciate the compliments. So, let's talk now about the main title of this discussion and that's Just-in-Time. For those in the audience who are not familiar with the concept of Just-in-Time specifically related to privileged access, it is creating or gaining access, authentication access in an ephemeral nature. Look, if you have a privileged account that is always on regardless if you know the password or not, it's 168 hours a week that account is waiting for connection. If you're using a traditional password technology, you're basically checking that password out of the safe to make that connection.
The main premise of Just-in-Time is to basically state that that account doesn't even exist, isn't available, is not even potentially ready to make a connection. You are basically creating a smaller window, or a smaller risk surface where that account can actually be used—and that's not just from a password standpoint, which is traditional PAM, it's actual availability. So, the concept of Just-in-Time PAM is making access or privileged account available only when it's needed, so that your risk surface is not open the entire week. Now, with that background in mind for our audience, what was your experience in implementing it in your organization, or your use cases for needing to go down the Just-in-Time route?
Chris: Yes. That's a great question. First, I should say we're still just early in the process, so we are still dealing with all of the questions and, hopefully, the answers for this every day, but the thing that really led us to the need for Just-in-Time PAM was the dynamics that we discussed earlier. We have people moving around. We needed a solution that would give that ephemeral account nature that you mentioned. We needed the ability to turn things on and only when needed, and only to the systems needed.
So, that's one of the other things that I think is interesting about the math that you mentioned, the 168 hours. For us, we also have to multiply that by some undetermined number of systems because we didn't have any idea how many service accounts were out there, we didn't have any idea how many people were using an administrator role route or where that could go. So, when we talk about just basic controls, that was a huge thing for us and being able to start the initial discovery with BeyondTrust was huge—being able to finally identify those systems and those accounts and coming to grips with that.
And, then, when we tie in some of the logical things, we can create rules and we can create groups in BeyondTrust that allow us to be able to automatically provision users if they're added to a group, if we hire someone, if they move from a group to another group, if they leave--which we all know is a nightmare—and we're rotating passwords. So, all of those things can be done for us on the fly automatically because of rules and logic and groups that we created. That's another piece from BeyondTrust that was absolutely critical to us, and that was one of the big differentiators.
Morey: So, in your mind, it wasn't "I knew Just-in-Time," it was about threat mitigation, risk reduction because it wasn't just, "I have this set of sensitive data on these accounts," it's amplified by the number of potential transient identities, the number of changing identities, and the number of systems. You really had a model of a problem that you didn't even have the full scope of. So, you mentioned discovery as a part of that threat mitigation—how did that play into getting a handle of the entire landscape and problem that you were dealing with?
Chris: That really was the handle for us. Before that, we didn't even have a bucket, let alone a handle. We knew that we had a problem, so when one of the funny parts about when you asked the question about, "When did I discover that I needed Just-in-Time PAM?" When I heard the term Just-in-Time PAM, which is probably from your team. What I knew was that I needed to reduce risk and that I needed to be able to first identify all the systems that are out there and the accounts that we had no idea about. Second, how do we reduce that risk? And how do we start to bring all of that under some semblance of control?
And that's when I suspect that it was your sales team that initially used the term Just-in-Time PAM in front of me, and it's one of those things that once you hear it and you start to think about the concept, it's obvious you have to do that. How can you with a dynamic organization in any case? Maybe with a small organization, you don't need it. For us, now that I've seen it, I don't know how you get that genie back in the bottle. That's something that we cannot adequately control the risk in our organization without that kind of a concept.
Morey: That's a really interesting point, a little scary in some ways as well. When you went down this path and, I know this question is a little off-the-cuff, was there anything that really surprised you when starting to do this discovery? Was it those service accounts? Was it shadow IT? Was there anything that you could share that was like that wow moment as a part of this journey?
Chris: Yeah. I think when we started to get the results back from the discovery, I think we had, again, I mentioned the disparity between the two sides of the organization, so on the healthcare side, they're very regimented. They have everything, so there were really no surprises on the healthcare side. On the campus side, the only surprise was that the scope of the problem was even greater than we realized. Everyone knew that there was a lot out there that we didn't know, but no one knew exactly how much and how those service accounts, for example, had been used.
And everybody kind of knows that if you issue a service account without any controls in place, just in the standard older environment, you issue a service account and you really have not a lot of control on what that can do or you issue someone a domain administrator or root account. We had no idea how far those had spread and some of those service accounts that were created for one specific application by one specific department. As you know, they get passed around and it was really surprising to see the breadth of that.
Morey: It is an interesting problem, that sprawl type of problem that happens, especially with legacy systems and especially systems that have been around for years. It kind of leads us into the next thought and that's compliance. You have a variety of compliance mandates from PCI to HIPAA to FERPA and probably even more so than I could even guess. How did this help you with attestation reporting, certifications or any type of audits, so really going down this journey, what did it mean to you in terms of compliance mandates?
Chris: Like you mentioned, we have to comply with a lot of different regulations. What this did for us was, first of all, it gives us a place to collect all of that, so in any of those audits, we finally have a place to go. Collecting information for audits, like probably everyone on the call, it's not a lot of fun. But the other thing that it does is it allows us to show that we have administrative and technical controls in place for all of those compliance requirements. It allows us to show that we have a segregation of duties.
It was really difficult before to say, "Here's the group of people that has access to this set of information," whether that's PHI or whether that's FERPA data about the students or whether that's, we have kind of a separate PCI subsystem that it's a little easier to monitor. But even when we start talking about things like GDPR and CCPA, how can you show that you have the ability to segregate that data, let alone audit to touch that data later? And this brings it all neatly into the one bucket that we talked about earlier. It makes it much easier for us to prove that we are complying and to make sure that we have a way to improve as we go forward. It's been a night and day difference for us. I'm sure you hear that a lot.
Morey: We do and compliance is on the top of everybody's mind and data privacy and secrecy, especially with things like TikTok, et cetera, and even questions about COPPA for many people that don't even deal with minors in Education and you do as well on top of all of that. It's one thing to have all these compliance mandates in a row and have that central place to report on them, but you got to demonstrate value back to the business on why you invested in this technology stack. What was the biggest thing that you think you found that you could demonstrate back to the business as a benefit from this investment?
Chris: I think this investment, I think having one place that we can pull it all together makes it much easier for us to enumerate the risks. So, when we talk about the things that we have done with this solution, one thing we can do is we can use simple math, like what we talked about earlier with demonstrating the attack exposure reduction, right? We can say we have this much attack surface before, we have less attack surface now.
One of the things that we've also tried to do is through the use of governance and steering teams and champions in the community, we've tried to do a good job of illustrating, "Look, these are the kinds of things that are happening in the world and these are the kinds of things that we have in place to prevent those from happening or to mitigate the damages," right? Because for most of us, it's only a matter of time before a breach will happen, but what have we done to, first of all, make it harder and second, mitigate damages once it's done, and then when we go back in the cleanup mode and we go under the post-incident response, how does this help us in delineating what happened and becoming more ready for the future? How do we get better?
So, I've been able to be pretty successful through the use of good champions in our community and illustrating risk that way is making believers. Again, we're early in our journey, but I think we have some believers—we have people that are banging on our door as we onboard people into the PAM system. They're banging on our door to get their systems in because they understand that they can reduce the risk this way. And I take that as a pretty good measure of success when people are beating on your door to get into a solution and then things are going pretty well.
Morey: That is interesting. And do you think that there has actually been a man-hour type of improvement, cost improvement in terms of the amount of time it may have taken to do those audits or establishing connectivity based on taking this approach?
Chris: Oh, absolutely and I think we're going to be able to demonstrate. We're a little bit early. We haven't done any of our bigger audits since we've had this in place, but we have pretty good records on, as you go back through meeting notes, it's pretty easy to show how much time we used to spend on audits and some of the items that we used to struggle with were specifically around the processes around identity and controlling access and the administrative and technical safeguards that we have in place around data. We'll be able to lay those out so much more quickly now.
When we talk about onboarding, we talked about all of the things that IAM does, provisioning accounts and making someone productive quickly. We can absolutely demonstrate productivity gains there, and in terms of how quickly we can bring a new system on and provision users to the right levels of access. And, in most cases, it's just a matter of being a member of a group. So, as soon as someone is hired, they're dropped in. So, yeah, we're going to be able to show all kinds of actual return, actual dollars from this investment, that's going to be easy for us.
Morey: That's great. Chris, I want to shift gears a little bit. You're working from home. I'm working from home. We saw Sarah working from home. COVID-19. We see a ton of webinars around it, we see a ton of topics, tons of blogs and material, but when COVID-19 hit and impacted the University, there were a lot of changes to internal users, faculty, staff, customers, everything. What do you think has been the biggest challenge in adapting to the new normal and how you overcame it? And this may not be related to PAM, it may be, but really, how are you and the University of Utah adopting or adapting to this change?
Chris: Yeah. I think that's the question of the year for everyone in IT and being on both the University and healthcare side, we've changed everything. We are literally rethinking almost everything we do. In terms of education, we've had to be able to move the education, the experience from classrooms to remote, just like every other university, minus the few that were doing all remote before, they were in a pretty good position for this. So, we've rethought all of that and all of the folks that deliver content, all of the folks that teach our students, they've had to rethink everything they do and we had to facilitate that.
As we do that, we have to make sure that we can do it in a relatively secure way. We have to figure out what's the best way we can provide those services while keeping people secure. Same thing on the healthcare side. Everyone used to go to the hospital. For the past few months, very few people go to the hospital anymore. They do tele-visits and we had to figure out how to do that in conjunction, obviously, with all of the medical providers. We had to figure out how do you do that securely? How do you protect that patient data? And that's a huge challenge and being able to use something, part of the solution.
PAM isn't the whole solution. Part of the solution is all the things we talked about, exploiting the perimeter and moving the protection to where it needs to be, moving the protection to the users and to the Cloud. We talked about endpoint protection, we talked about things like MFA, being able to better secure the identity since the perimeter has exploded, so we've had to adjust. So, all of those things play a part, and it's been a huge thing. I think, for this solution, in particular, the nice thing to know is that as the perimeter expands, we still have some control if anyone happened to get past that, the old perimeter.
If we have credential theft, if we have any of the typical problems, we at least have some safeguards in place that the PAM solution provides as well. The other thing it’s helped us with a ton is the remote access piece, because we have that option available, which gives us truly secure remote access that we can use in any way we need to. Typically, that's only for vendors, but that option is available for anyone, so it's been an adventure and I expect the next few months will be an adventure as well. What are you hearing from other clients?
Morey: We hear a lot of things and anecdotally, my youngest daughter is going to do virtual school and she has a laptop like most kids. I gave her a second monitor and I got the instant response, "I don't want a second monitor." You plug it in and then she started seeing the classroom on a bigger screen, "How did I ever do anything without a second monitor?" So, you know that everyone's dealing with these challenges in one way or the other and you have to think about securing that remote workforce, especially in this pandemic.
When we think about the remote access technology that you mentioned in the Just-in-Time approach, using BeyondTrust technology, it's not just about putting that second monitor in, it's about "Should I get a VPN? Should I do this? Is it in the Cloud?" How do you think it may have increased productivity or increased your security to go down this route with Just-in-Time PAM versus just going, "Take your home computer, plug in another monitor, and go?" What do you think it's actually changed for you and the people that are using it?
Chris: Yeah. It's changed almost everything because the people who have been onboarded and into the PAM system now have a much easier way of connecting to things. They have one front door that they can connect to. So, pretend it's me, and I connect as Chris Stucker. I only need one password. I don't have to carry around extra passwords. I connect to that one front door. It knows all of the systems that I'm enabled to connect to, it knows the times, it knows the attributes, it knows everything about when. We talked about the risk reduction, right? But we don't talk as much about the facilitation of connections. It makes it so easy.
An administrator doesn't have to remember all of the different IP addresses and all of the different passwords anymore. You connect as yourself and then you say, "I want to connect to that system." It can do checks. One of the really great things—well, maybe one of the not so great things for people about working from home—is there's this kind of an expectation that we're on 24/7, which there's some good and some bad things about. One of the challenges and one of the benefits in something like a PAM solution—if you didn't have a dynamic PAM solution that was able to respond to those kinds of things, you might get an administrator who tried to log in at 2:00 AM. If that is unusual for him or her, the request might be rejected.
One of the really cool things about a good PAM solution that's put in correctly, that's escalation paths and you have the ability to look at attributes. So, if I connect at 2:00 AM, it's going to look at "Well, yeah, it's 2:00 AM, but it is from his home IP address, we've seen that before and it is to a system that he always connects to." So, we can build in rulesets around that, or we can escalate it and it pops it to another level that says, "Hey, this is okay. This is okay for him to do that." Or, we can check it against a ServiceNow ticket, we can check it against any attributes that we define. So, the ability to do that and the ability to build that flexibility in for our workforce, that's been huge for us.
Morey: Well, do you remember before corona or B.C.? No, we're now used to the new norm here. This is kind of where we are. And I kind of have gotten used to working from home because I've traveled a lot before. Do you really think people will want to continue to work from home, or educate from home, or teach from home after this is all over, if it will ever be all over?
Chris: Yeah. I'd love to ask you the same question, what you're hearing from everyone else, but for us, I think it's going to be interesting. We've taken some polls in our organization. And the last poll number I saw, I believe 6% was the number that doesn't like working from home and, if you read through some of the written descriptions, some of those are really interesting, like "My dog bothers me." So, it's kind of interesting to see what some of the justifications were. But by and large, I think IT folks like working from home and I think some teams have been very, very effective. So, it's going to be interesting to see what happens when we move forward.
Some teachers, some professors, who maybe were hesitant initially, I think, are learning to adjust and are learning to like it. And it's going to be interesting to see what the students do, even the ones who were initially hesitant. So, yeah, I think that the jury is still out and I'm excited to see what happens but it's exciting to see everyone rethinking everything and, particularly, in the educational space, you just see everything that's being rethought.
Morey: We're seeing it everywhere. And the one thing that constantly reoccurs is the theme of Groundhog's Day, working from home is Groundhog's Day, but then again, I've never had a job of getting on a train and going into the office every single day, and to me, that would probably be even more of a Groundhog Day than coming on and doing a webinar and an interview of this nature. It is now the new normal and returning to whatever normal is later may not look anything like what we were B.C., before coronavirus.
What security policies and initiatives do you think you have to permanently enact to handle these changes? I know, as the CISO for BeyondTrust, we made many changes in terms of access and BYOD and things like that in order to ensure that remote access is secure. What are you doing for the University in consideration of that?
Chris: Yeah, we're doing some of the same things you are. We have expanded the use of MFA. So, historically, we had MFA for all faculty and staff on most resources and we had struggled to get it in place for email. One of the things that we've been able to do as a result of all of this work from home is we've been able to further some of those initiatives. So, we have recently turned on MFA in front of email for everyone who touches PHI, basically, and some other sensitive and restricted, so that's helped.
We've been able to start to look at things like how people access data and we've been able to make the case that we need to have a better solution for unstructured data, so, we're going to add that to our bookshelf of tools. So, as we've gone forward, we've been able to further the case for IGA and for being able to do better LCM. One of the things I think people have struggled with, and I bet you hear this from everybody you talk to, is onboarding new people. So, when we hire someone new—and we have the same thing, whether it's students, faculty, staff, whoever it is--it's difficult, and we've reimagined some of those processes.
The team that I work with, my IAM folks, I'm absolutely the most fortunate guy in the world to be able to work with them because they're brilliant and they've completely rethought a lot of the processes on how we bring people on and how we in-process people into our organization and provision those accounts, so that's been huge. We've been able to, the PAM thing, being able to move that forward much more quickly than we might have otherwise. One of the things that I think has been good for us is that, because it's been such a cultural shift for everyone, and the fact that everyone is rethinking how they do their job, all the way from A to Z, that's enabled us to be able to bring some time and some focus to some of the things that we needed to do to protect the workforce and to be able to enable them to work remotely.
Morey: So, we started the conversation with the concept of a PAM journey and it sounds like you've done a lot of identity work, you've done privileged work for password management, for remote access. You've adapted to the changes. You know what new policies you need to do. What's next? Is it starting to remove admin rights? Is it DevOps? Is it getting ahold of labs? Something in the Cloud? What would you say is your next step that you would think of requires PAM attention?
Chris: For us, the biggest thing we need to do now, I think in PAM, we need to continue to roll it out and get everyone truly onboard because we've had very good success with the discovery, and now, we can finally say we mostly know what's out there. Now, we need to get everyone onboarded, and then, like you said, the next thing we need to do is to start to narrow those avenues of approach, right? So, today, we're focusing on productivity and how do we make people able to perform their job a little bit easier. But, as they get comfortable with that, then what we want to do is continue to narrow down that attack surface by removing the channels that are there today.
So, I think it's going to be a long-term program for us. I think we're going to be working on this for a long time and I'm looking forward to it because it's exciting. It's exciting to be able to articulate the differences in what we can do and how we do it and the attack surface, but I think that's really the big win for us now is to be able to really show the reduction in risk to our stakeholders.
Morey: It is an interesting way of thinking of it because you basically prioritized your biggest problems and then started tackling down the list. And you and I had spoken a little bit before this call, as a shameless plug. You did get a copy of the Privileged Attack Vectors book, which basically helps outline the steps to solving privileged problems. What would you recommend to someone just starting on PAM along their journey? What guidance would you give them in order to be successful out of the gate versus a long drawn out professional services project with years of work before any ROI occurs?
Chris: It's a great journey, so my first bit of advice would be don't be intimidated. Yes, you're looking at a mountain. For us, I think the best bit of advice that I can give to people just starting this journey is don't be intimidated. Educate yourself upfront and find a good partner. Do good reading like, and again, Morey plugged his book and I warned him ahead of time that I was going to do that, but he beat me to it, because his books are fantastic. And the website, the BeyondTrust website has just a ton of information that educated me a lot. To be fair, all of the PAM vendors have good information out there. Don't limit yourself on what you learn. Learn everything you can learn and then make the best choice you can. You know the choice we made.
What I would do if I were going back again, is be a little quicker to start because we were pretty hesitant to pull the trigger. We wanted to make sure that we had everything right and I wish we had engaged a little sooner with a vendor that we trust and started this process sooner. I told you I became aware we needed to do this when I first took the job, and it took me a year to pull the trigger. Don't take that long, find a good partner, move forward.
I would argue that it's the most important thing that we have done for security in my time here. 2FA was initially turned on just before me, so I'd say that's right up there, but in terms of what we've accomplished, it's huge. We could not have come to the level of understanding of the threat that we have, the risks that we have, the accounts that are out there, the machines that are out there, without this tool. And we could not have begun to address those. So, really the main thing is educate yourself, don't be intimidated by this process, dive in, and enjoy it. You're going to have a good ride. You're going to be amazed at what you can do.
Morey: Chris, we really appreciate the partnership and working with the University of Utah. We want to continue to strengthen our relationship and help you with any of the challenges that you have. And I fully agree that partnership or that one-on-one working with sales, professional services, and even the executive team, from the University to the organization, makes such a difference because it's not only the relationships you build, it's when things go right you know who to call and when things go wrong.
With that, I'm going to turn it back to Sarah, to ask us a couple of questions. I think we have some of them that came through live. Chris, thank you so much for your time. Let's see what the audience has got for us now.
Chris: Excellent. Thank you.
Sarah: Let's go ahead and dive in to questions right now, because I did receive a couple. Chris, this came in from one of our attendees. How do you balance the open exchange of ideas with security? Was your staff afraid of "Big Brother" looking over their shoulder?
Chris: Yeah. That's a great question. And everyone who works in the University knows that the answer to that is yes, they were afraid. One of the challenges, I think, is in bringing the staff and faculty of the University to the kind of the agreement that it doesn't necessarily need to be mutually exclusive. That we can still participate in the free exchange of ideas and do the best we can to provide security, and that we can provide a balance. And one of the things that I think we can do with a good solution, the combination of people and the technological tools and practices, is that we can build in some safeguards that don't get in the way of that exchange, but they facilitate that exchange in the way that we can be more open, knowing that we have some control and some safeguards around it.
We know we have some boundaries that before we really could never say we had. So, if we allowed someone in any particular door, we didn't really have a great grasp on what the limits of their access was. That necessitated lots of checking, that necessitated lots of background work. We're better at that now that we have kind of started to participate in this and some of our other security things is we really haven't, in most cases, impacted the ability to exchange ideas. And, in some cases, we've been able to facilitate new partnerships that we couldn't have, or would have been much more difficult without it. Does that make sense?
Sarah: Yeah, absolutely. Do you want to add anything else to that, Morey?
Morey: No, I think Chris is right on target and I think he would agree that identity governance and PAM solutions benefit the best when it's not run from a single department and it includes ITIS and, more recently, we see a lot more involvement with Human Resources, helping to design roles, helping to define those roles and those personas. The more organizations or more departments within an organization that you can get to sign off on the process, ultimately, and obviously, which is kind of weird, the more successful you will be. Because when Human Resources says the person has to have this title or this role or this responsibility in order to get access or to be classified this way, they're the ultimate stopping block for complaints, and their buy-in actually helps to implement it.
Chris: If I can add just a couple of things to what Morey said. That would be right on, but one thing is the ephemeral access that is the Just-in-Time access that Morey mentioned earlier, that's a facilitator for this kind of exchange of ideas, right? Because we can create access for someone that isn't long-lasting, and we don't have to worry about that it's left open, so that's a big deal. The other thing that I should have mentioned, and Morey mentioned it as buy-in. I should have mentioned this in my hints upfront, get governance, get a steering committee, do whatever you need to do to bring stakeholders together to get that buy-in that Morey mentioned. And, if you can do that, if you can get those stakeholders from different parts of the organization together to agree and feel like they've got a hand on the tiller, you can be a lot more successful that way.
Sarah: So, what I'm going to do right now is actually go over to be really quick, the BeyondTrust overview because we have 10 minutes left and we can wait for additional questions to come in.
Morey: So, organizations choose BeyondTrust for a variety of reasons. We are a market leader according to the leading analysts, and we do have the broadest portfolio of PAM solutions available for password management, endpoint privilege management, and secure remote access. Any of our products can be used individually or integrated together as Chris was indicating from some of those use cases of tying remote access into Privileged Access Management in order to have a real journey or a really integrated solution to solve privileged problems. In other words, our products can operate as best of breed or be integrated.
We have a global presence with over 20,000 clients worldwide, present in over 80 countries, with about 900 employees and many of the features that you'll find in our technology are unique, especially the integrations to other products and between the products. We do this because we can, obviously and as silly as it sounds, it provides the benefits to you as a company by handling the challenges that you need that are unique to you, like exchanging remote access information with password technology. We back this up with over 75 patents to make sure that we do stay unique and the feature set matches the use cases that you need.
In this portfolio, we have Privileged Access Management available in the form of the secure remote access technology. This is for Help Desk personnel, for vendors, contractors, and employees to gain access to an environment. In the middle, which we did not discuss today, is endpoint privilege management. That is the removal of admin rights from Windows, Mac, Unix, Linux, and network devices. And also, what we briefly touched upon in terms of discovery and password management, it is the management of passwords on the left hand side, which is the check-in, check-out, rotation, and session recording of any type of privileged session. Again, all of these three solutions can be used standalone and you can get distinct use case benefits from them or integrated together as a part of the platform to get integration use cases that exist nowhere else.
Sarah: So, one question that did come through. Morey was talking about the integration with ServiceNow and our Privileged Access Management platform, so can you just give a really brief overview of how and why and where we connect with ServiceNow?
Morey: Sure. So, we have over seven integrations with ServiceNow that are unique, including the ability to watch sessions directly from a ticket, open tickets, verify tickets, as well as a variety of other use cases to basically make it simpler for the end user to do management of privileged accounts. The most common one is being directly in a session within ServiceNow and saying, "I need remote access to Box X." In a traditional PAM portfolio, you would have to go to the PAM solution, check out the password, copy it, write it down, open up the session, paste it in, and go. The primary integration with ServiceNow in that use case is there's a button and as soon as you click it, it opens the RAD or SSH Box directly, retrieves the credentials, and auto-injects it. The end user doesn't even know what the username and password is, and the session just starts.
This is just one of the features in terms of those advanced use cases. And, like I mentioned, there's seven of them today from ticketing to that launching to validate an application launch for privileges that any current client of ServiceNow can benefit from with the integrations I talked about.
Chris: So, Morey, unless Sarah cuts me off here, one of the questions that you asked me and one of the things that I think is one of the most fascinating questions of 2020, you threw it to me of what's going to happen in the future with your organization? I'm really interested, because you talk to guys like me every day. What other interesting things are you hearing out there? What are other people planning, and what are other people thinking for the rest of 2020 and beyond?
Morey: It is interesting. We already know remote workers are sticking around. How much it sticks around, really, only time will tell. We are seeing organizations trying to shed some of the costs of providing laptops and tools to those remote workers and allowing more BYOD. That becomes an interesting set of security challenges, not only for remote access, but connectivity to the Cloud, et cetera. MFA everywhere, every time. I am absolutely a firm believer, but to not put all your laurels on that. There are plenty of good techniques, hacking techniques to bypass MFA today, and they are successful, so you have to be cognizant of that. It increases the confidence of the identity and the account, but it is not bulletproof.
So, as we allow employees to choose their own devices, work from home on unsecured networks, we have to think of the security policies and procedures to get there. Many of the tools that Chris and I have spoken about today can help you harden those environments, resist attacks, and, especially, on the endpoint, removing admin rights if they are corporate-owned devices significantly help, way beyond any EDR solution, for example.
Most of my conversations, Chris, with other CISOs and executives are, "What is the new normal and how do I make it secure?" We've already gotten past the hump, and I'm happy to discuss that with anybody on the call that'd like to explore further.
Sarah: So, any closing thoughts before I wrap it up? Chris, anything that you just want attendees to just really take away from the session or anything else, any words of advice, or inspirational quotes or anything else that you'd like to share with the audience before we go?
Chris: My best inspirational quote is don't do most of the things that I've done. But in terms of PAM, I think the best thing is, this is depending on how your organization is at the moment, this is maybe the best thing you can do for the security of your organization. If you don't have already some kind of a good answer for how you limit privileged access, there's probably a hole somewhere and you probably should investigate that very quickly. It's been huge for us. It's been a great journey. Pick the right partner. Pick somebody that inspires confidence in their ability to help you fulfill your dreams and meet your goals and move forward. Thank you all.
Morey: Thank you, Chris. Those are great words.
Matt Miller, Senior Content Marketing Manager, BeyondTrust