TalkingTrust with Thales and CyberArk - PAM
In this discussion, join experts from CyberArk and Thales to discuss why Identity Security and Privileged Access Management have converged to be a top priority for any organization looking to tangibly reduce risk. You’ll learn how CyberArk and Thales work together to secure the keys to the kingdom using the integrated solution to secure privileged access for all types of users and identities.
Join experts from CyberArk and Thales as they discuss the importance of securing privileged access accounts, and how they work together to secure the “keys to the kingdom” for all types of users and identities.
Speakers:
Blair Canavan, Director of Business Development at Thales
Andrew Silberman, Sr Product Marketing Manager at CyberArk
Review all integrations and supporting documents for Thales with CyberArk.
Thales Technology Partner: cpl.thalesgroup.com/partners/cyberark
Partner website: www.cyberark.com
Resources:
Video Transcript
Talking Trust Series - CyberArk - PAM
00:10 Welcome everybody.
00:11 My name is Blair Canavan and I'm with Thales Group, based out of
00:15 freezing cold Ottawa, Canada. Today with me on the
00:20 Talking Trust Video Series is my partner in crime
00:23 Andrew Silberman. Hi Andrew. Hey Blair, how are you?
00:27 Great, thank you. I know we're both
00:29 suffering through a little bit of the
00:30 cold weather, so hopefully this will
00:31 brighten our day just a little bit.
00:33 I just want to thank you again for joining our 2021
00:37 Talking Trust Video Series to chat about
00:41 how our two companies are partnering to
00:43 deliver a very comprehensive and highly trusted
00:47 Privileged Access Management or PAM
00:49 solution to the market.
00:50 So, just between you and I, this is just a
00:52 friendly chat. We'll try and keep this light
00:55 as everybody seems to prefer that type of
00:58 format these days. I'm really looking
01:00 forward to just hearing what your
01:02 thoughts are on this. So
01:03 with that, I'd be more than happy to give you the
01:06 the baton and you can advance the slides
01:08 as you see fit and then we'll try and
01:10 answer a couple of each other's
01:12 questions throughout. Sound good?
01:14 Sounds good Blair. Thanks so much for
01:15 having me, looking forward to the discussion today.
01:18 As you can see, I think what
01:22 we wanted to do first is really set the stage and talk
01:24 first about the expansion of privileged identities.
01:28 Up until several years ago we mostly thought of IT
01:31 Admins as your sort of typical privileged user.
01:35 In today's environment really almost any
01:37 identity can be privileged under certain conditions.
01:40 This can be a Developer or DevOps Engineer who has
01:43 access to source code or DevOps pipeline and tools.
01:46 These are all things that can easily
01:48 impact the organization
01:50 environment and therefore they represent
01:52 high risk. As you know with any sort of typical
01:55 IT system, it can also be in the form of an application
01:59 or robotic process automation bot that
02:02 needs high privileges in order to access
02:04 corporate resources to perform various business tasks.
02:07 These privileged identities can also be
02:09 third-party or external vendors
02:11 that need to access corporate resources
02:13 from really anywhere in the world.
02:16 And it can also be a workforce team
02:19 member that you know needs to access
02:21 a financial system
02:22 with high privileges based on their role or responsibility.
02:25 The common layer here is that all
02:27 these types of privileged access
02:30 represent high risk to the organization, therefore
02:33 they require a high level of security controls.
02:36 Privilege is really now everywhere and
02:38 so are the risks associated with it.
02:40 Privilege exists across the entire IT
02:42 stack, including the data,
02:44 the applications, endpoints, the network,
02:46 across hybrid infrastructure,
02:48 all the way to hybrid cloud. So a privileged user,
02:51 or within that sort of identity
02:53 space; a privileged user is any user that
02:56 has the ability to change,
02:57 alter, or impact the operational service of
03:00 a business process.
03:02 This includes not only system admins,
03:05 but also users that may not
03:08 typically be considered privileged.
03:09 Like me and you Blair, you know marketing
03:11 people or business developers.
03:14 You know privileged access
03:16 extends to non-human or machine users as
03:18 well, such as apps or service accounts.
03:20 And things like the move to the cloud
03:23 and digital transformation and this
03:25 increased use of automation,
03:26 they all dramatically expand this attack
03:28 surface and each step forward
03:30 it creates new doors that need to be locked.
03:34 That's a theme we're going to talk a lot
03:35 about today is keys and locks and doors.
03:37 So try to bear with us. When we
03:39 take a step back it seems like an
03:41 insurmountable challenge.
03:42 How do we do this without boiling
03:44 the ocean and more importantly
03:46 how do we do this without slowing things
03:48 down? We can't slow the speed of our
03:50 digital transformation for the sake of security
03:52 and vice versa. We can't sacrifice
03:54 security for the sake of digital transformation.
03:57 So you know Blair, obviously we're
03:59 both doing this from home today. I have
04:00 to imagine you're seeing a
04:01 a mass proliferation of the
04:03 workforce right across all different places.
04:06 Absolutely, and we take it for granted,
04:09 you know. We're just users. But it's not
04:10 just the users that you just
04:12 mentioned. It's
04:14 users, it's machines, it's apps, it's everything.
04:17 That all was under the same cloud per se.
04:21 Definitely. That's again sort of under this theme of
04:24 privileges everywhere, and so with that
04:26 introducing the CyberArk Identity
04:28 Security Platform which focuses on three main pillars.
04:32 One of which, I'll dive into a little
04:33 bit further detail than the other. The
04:35 first one being privilege.
04:37 But the other being just as important with access,
04:40 as well as DevSecOps, which you
04:42 know is continuing to emerge.
04:44 A quick background…
04:48 I know we're on the Thales side
04:49 but a quick scoop on how the
04:51 solution access works.
04:52 To access the privileged account, a
04:54 user first enters the CyberArk web portal,
04:57 and checks out an account
04:59 which they have access to
05:01 and the CyberArk Digital Vault, which is
05:03 protected by multiple layers of security,
05:05 then provides the user with that credential.
05:08 The vault retrieves the credential for
05:10 the user and the user can then go on and
05:12 access their target system whether it
05:14 exists, as you said, in a hybrid
05:15 or a cloud environment. CyberArk provides
05:19 powerful capabilities to automatically
05:21 discover and onboard privileged accounts
05:23 and credentials into the vault, and once
05:26 these accounts have been centrally secured
05:28 they're rotated automatically either at
05:30 a regular cadence determined by organizational policy,
05:33 or through regulatory requirements after each use
05:36 or on demand as necessary. The automated
05:39 password rotation helps to strengthen security
05:42 and address audit requirements, all while
05:44 eliminating time-intensive
05:46 and manual processes for the IT teams.
05:49 We talked earlier on the slide prior
05:51 about not sacrificing
05:52 operational efficiency for the sake of
05:54 security and vice versa,
05:56 but to further ensure that authorized users
06:01 are always able to access privileged
06:02 accounts when needed,
06:04 the CyberArk vault proactively checks
06:06 that account passwords are synchronized
06:07 between target systems and the vault
06:09 and any conflicts are automatically
06:11 resolved, or the administrator can go in
06:13 and do it themselves.
06:14 The vault also offers centralized
06:16 policy management which allows admins to
06:18 set policies for password length
06:21 and strength, and the frequency of password rotations
06:24 which users may access which
06:27 safes. For instance, Blair might have
06:28 access to a different set of
06:30 accounts and systems than I would, and
06:33 which account credentials
06:34 exist in each safe. Finally, I
06:37 want to break this up a bit, but you know
06:38 there's also an Active Directory integration
06:41 which helps to simplify the policy
06:43 creation process. That enables you as
06:46 a CyberArk customer to set policies based on
06:48 AD user groups. Based on your security
06:51 needs you can opt to
06:53 show the user the password, or copy that password,
06:56 hiding the characters of the
06:58 password but enabling it to be copied
07:00 into a needed application, or a direct connect.
07:03 This sets off a workflow to seamlessly
07:05 establish a session
07:07 on a target system without allowing the
07:08 user to see or copy the password.
07:11 To put this into context, Blair have you ever
07:14 maybe shamefully or not ever reused a password across
07:17 different applications or accounts of your own just in your own
07:20 sort of personal space?
07:23 I'm going to say in quotes
07:26 no question mark, but I think we all
07:29 agree that that is fundamentally one of the biggest
07:32 challenges is that we do what we got to
07:34 do to get through the day and oftentimes
07:36 we repeat what we're used to and what we're
07:38 comfortable with remembering or
07:39 following the password
07:44 specifics in terms of format and so
07:46 on. I think we're all guilty
07:48 definitely and we've done a study
07:51 recently that showed sort of the
07:52 percentage of people that are reusing
07:54 passwords across different applications
07:55 and it's something to certainly
07:58 think about. It's human nature as you said
08:00 and there's not much that we can do to avoid that.
08:03 There's only so much room in everyone's
08:05 brains to figure that out.
08:06 But the next component that's really
08:09 critical within the CyberArk solution is
08:10 this concept of session isolation, monitoring and recording.
08:16 The CyberArk solution acts as a secure
08:18 proxy server which isolates privileged user sessions
08:22 and it establishes a single point of
08:23 control from which security
08:25 and audit teams can then monitor, record,
08:27 suspend, and terminate sessions.
08:30 Here's how it works and
08:31 I'll do a little click through here.
08:33 A user would log in to
08:35 the CyberArk web portal like
08:37 they were on the prior slide and then
08:38 select their needed account
08:40 to access their AWS cloud management console.
08:43 Their privileged session to this
08:45 console is isolated via proxy server
08:47 and their behavior is recorded. To
08:50 accommodate SysAdmin’s preferred tools
08:52 and workflows, we also
08:54 offer native session management to Linux
08:56 systems through native command-line
08:58 SSH connectivity. This is also applicable
09:01 for native access through
09:02 Windows clients like RDP or SSMS.
09:06 Upon selecting or defining the needed account
09:11 our solution validates the
09:13 user's permissions. It retrieves the
09:15 privileged password or SSH key from the digital vault
09:18 and sends it directly to the target
09:20 system for authentication.
09:22 CyberArk then establishes this
09:24 secured, isolated remote session
09:26 and records all this activity during the session.
09:30 These recordings are then securely stored in
09:32 the CyberArk vault
09:33 so that users are unable to edit their
09:35 audit histories and the vault also
09:37 provides the credential and user to the system.
09:40 This has really two additional
09:44 purposes. First, because the user is
09:47 never actually directly connecting to target systems
09:50 and the target system is locked
09:52 down, any potential malware that might reach
09:55 the end user's workstation, in this animation a laptop,
09:59 can't, you know, be used to jump
10:01 onto the critical system.
10:03 And second, credentials are retrieved
10:05 by the solution and sent directly to the target system.
10:07 Neither the end user nor the machine
10:09 is exposed to the credential.
10:11 This is really critical. We see endpoints
10:13 being the weak point in the attack chain
10:16 all over the place today. This is a
10:17 really critical thing that
10:19 all organizations should be
10:21 implementing in regards to privileged
10:23 access management.
10:25 Now to get into this a little bit more and
10:29 and in terms of talking about why are we
10:31 talking today is what's the CyberArk plus
10:34 Thales story. It's all about securing
10:36 the keys to the kingdom, right Blair?
10:38 Absolutely, and we all talk
10:40 about keys as if everybody's following
10:43 succinctly with every use of or what
10:45 they are, but I think what we're trying to talk about are
10:48 from the digital key point of view, the
10:50 SSL key pairs that
10:51 most of us are fundamentally
10:54 comfortable talking a little bit about.
10:56 I'd be curious as to how critical are these keys
10:59 within a PAM infrastructure? Maybe you
11:02 could describe a little bit about
11:03 the keys to the kingdom per se?
11:05 Definitely. as sort of alluded to, privileged account
11:10 credentials are really the keys to the
11:11 IT kingdom as you said.
11:13 External attackers and malicious insiders know
11:16 that by gaining access to a privileged
11:18 account or privileged account credential,
11:20 this is really their most effective
11:22 way to gain access to your critical data.
11:24 Safely generating and storing the
11:26 keys used for these access credentials
11:28 is a really, really critical part of the security solution.
11:32 Together with CyberArk, Thales offers two
11:34 solutions that can actually generate and
11:35 store the server keys,
11:37 providing private key protection and
11:39 strong entropy for key generation
11:41 for the CyberArk Privileged Access Manager.
11:44 So Blair, did you want to talk a little bit
11:46 more here about Luna?
11:49 Yeah absolutely. You know Luna has
11:51 been around for decades and
11:53 and for some people Luna fundamentally means
11:57 root of trust. It's the hardware security module that
12:01 that keeps the keys to the kingdom in
12:04 a tamper-resistant hardware appliance.
12:06 This is FIPS 140-2 Level 3 Validated
12:10 which gives comfort but also compliance and
12:14 regulatory support for implementing your infrastructure
12:18 such that all keys at all times never leave,
12:22 stay in the same place and are managed
12:25 according to that type of
12:26 validation. For a lot of us who,
12:30 again, take that sort of thing for
12:31 granted, it's generally because it's
12:34 transparent. It sits in the back, you
12:35 don't see it, feel it, touch it,
12:36 other than when you generate for the
12:38 first time or when the operational requirements
12:41 push some type of application or request
12:44 to have some key signed or some object signed.
12:48 That's really where these boxes silently do their job
12:52 and because they're network connected
12:53 devices you can point multiple
12:56 devices and multiple applications at the
12:59 same time to the same device that sits
13:01 in the network environment.
13:02 So again, these are very simple
13:06 solutions, but very complex
13:08 architecturally from a cryptographic
13:09 point of view to make sure that again
13:11 those keys are sort of the safest place imaginable.
13:17 Absolutely. So within that and as we were
13:20 talking to put this together some
13:22 concept that came up to me that I
13:23 wasn't as familiar with and maybe
13:25 you know people listening as well.
13:27 Random number generation is really
13:29 something that I like to think most people don't know
13:31 about. Our HSMs are better suited to
13:34 provide that random number generation.
13:37 Yeah, it's a simple component but a very
13:39 essential component of generating keys.
13:41 RNG as it's often called, is something
13:44 that is under intense scrutiny these days primarily
13:48 because just the whole scope of
13:49 of a cloud environment and the sheer span of the internet.
13:53 So more than ever RNG means that a good
13:56 key must be random.
13:58 When keys are generated in these devices,
14:02 the key usage policies are enforced and
14:04 the system's more resistant to this type
14:06 of attack by using, again, hardware-based entropy creation.
14:10 This is the seed that's
14:11 necessary to generate the SSL key pair.
14:14 Again, HSM protects it
14:16 and stores this in the root of trust.
14:18 Another element of cryptography not a lot of
14:21 people care or talk about, but
14:23 when someone asks you that question
14:25 about RNG, the simple answer is: we've got an HSM.
14:28 It's FIPS Validated Level 3 and it's
14:29 the highest level of RNG available in the market.
14:32 They're isolated from the host environment and,
14:35 again, these keys don't leave the device
14:37 under any circumstances.
14:39 I think we've covered most of
14:41 that. I've covered FIPS,
14:43 the boundary, and of course, I should
14:44 mention the life cycle hardware key management.
14:47 Any time that there is
14:50 a key rollover or changes or exchanges
14:52 the HSM is in step and
14:55 maintains that continuity from a key
14:57 management point of view.
15:00 So you know, I've talked a little bit
15:03 about what our stuff does but
15:05 from your perspective, I'd like to
15:07 hear from you Andrew.
15:08 What do you think the risks are? What
15:12 risks are introduced, I should say, when
15:13 you store keys just in software alone?
15:17 Isn't software good enough? It's a
15:19 good question, and it's one that I
15:21 think a lot of organizations sort of
15:22 grapple with, but the
15:23 the challenge with this is that keys
15:25 used to secure credentials that control
15:27 access to privileged accounts,
15:28 they're vulnerable frankly if
15:30 stored in software or it's not
15:32 as secure as it maybe should be.
15:34 Individual passwords and accounts
15:36 stored each have their own unique
15:38 file key, an AES-256
15:40 encryption key, while the passwords are stored in safes,
15:44 which have their own individual key, the server key.
15:47 If the attacker is able to actually
15:49 break AES-256 for one file or one password
15:53 that only works for one password and one file
15:56 and by having the HSM level three compliant module
15:59 that generates the key which never leaves the HSM.
16:02 Now, what we've done is that we have
16:04 top level cryptographic keys that's
16:06 under the strictest controls
16:08 which protects the password vault from
16:10 brute force, or really any other
16:12 type of attack out there. The HSM integrates
16:15 with CyberArk to protect CyberArk itself
16:18 with top level encryption so
16:20 no key is exposed to any user at any time.
16:23 Attackers who gain access to these keys and software
16:27 have access to the keys to the
16:28 kingdom and obviously we want to
16:30 prevent that at all costs and we do
16:33 so by protecting keys within HSM boundaries.
16:36 I guess and Blair feel free to chime in here, but
16:40 to summarize it, you can see some of the
16:42 points written on the right side here
16:43 but together the solution really does help
16:48 to securely store keys to ensure that
16:50 only authorized users
16:52 are accessing your vault similar to a
16:53 bank vault. You only want the authorized users
16:56 accessing their own safes. Same goes for
16:59 cyber security, same goes for the IT kingdom.
17:02 And what this out of the box
17:03 integration does, it enhances security,
17:05 reduces risk. That's what we're all about.
17:08 It provides all the bells and whistles along with it for
17:11 reporting for audit. It's flexible, scalable
17:14 and it integrates with all sorts of different workflows.
17:18 But Blair I can pass things over to
17:20 you if there's anything on top of that
17:22 that you wanted to add.
17:23 Definitely. I welcome that sort of insight, but
17:27 other than that, I think we can maybe
17:28 talk about some next steps here.
17:31 Thank you very much Andrew.
17:33 I think we've walked through in pretty good specifics the
17:38 the overall value of our two solutions coming together.
17:41 We have the CyberArk Privileged Access
17:43 Management piece which on its own has
17:45 its merits, and absolute
17:47 capabilities in the PAM space.
17:50 Combine that with leading HSM technology from Thales.
17:54 And to your point, no compromise
17:56 required when you get these two products
17:58 and solutions together. They offer a very
17:59 comprehensive, very simple
18:01 implementation which requires very little
18:05 care and feeding at the end of the
18:07 day. I just wanted to say that I think
18:09 you did a great job of walking us
18:10 through the value and certainly the way
18:12 that we work together as two companies
18:14 in the marketplace speaks volumes
18:16 to again the acceptance of this type of
18:18 solution as a standard
18:20 implementation throughout the industry.
18:22 I'll say that the last thing I think
18:24 from an agenda point of view is that
18:25 we've got a bunch of resources
18:29 available to those who are
18:31 interested in looking a little bit further.
18:34 We've got our solution briefs,
18:36 we've got our integration guides.
18:38 These are very good resources in terms of
18:42 simplicity, as I mentioned, and for anyone
18:45 who's embarking upon this for the first time.
18:48 It's quite surprisingly
18:51 simple for something as complex from a
18:53 implementation point of view so I don't
18:55 know if I've covered everything?
18:57 Oh excuse me, I almost forgot about
18:58 cyberark.com, the marketplace
19:01 if you can't get it from CyberArk you can get it from
19:04 Thales and that's what we do is we
19:07 we co-brand each other's solutions on
19:09 our partner pages and just want to point
19:11 out that you can get it from
19:13 either directly through myself or
19:14 yourself but I would say the best bet is
19:16 just go straight to our website get those resources.
19:20 Again, thanks for having me on the talk today. I hope it
19:23 was informative. I think it went pretty well and
19:26 hopefully we can talk soon. I look forward to it Andrew.
19:29 Again thanks a lot for your time today. It was a
19:31 pleasure having you on the
19:32 Talking Trust Video series. My pleasure.
19:35 Thank you.
CyberArk Privileged Access Security Solution with Thales HSMs - Solution Brief
Protecting privileged access management credentials presents one of the largest security risks an organization faces today. These access accounts allow control of an organization’s resources, disable security systems, and enable access to vast amounts of sensitive data....
Securing Emerging Technologies with Thales Luna HSMs - Solution Brief
In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...
Luna Network HSM - Product Brief
Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...
CyberArk Digital Vault with Thales Luna HSM and Luna Cloud HSM - Integration Guide
This document guides security administrators through the steps for integrating a CyberArk Digital Vault with SafeNet Luna HSM or HSM on Demand Service. SafeNet HSMs come as on-premise hardware HSMs widely known as SafeNet Luna HSM and a cloud offering HSM on Demand Service ...