août 8, 2023

EP 33 – The Evolution of Privileged Access Management (PAM)

Crystal Trawny, Optiv’s Practice Director, Privileged Account and Endpoint Privilege Management (PAM/EPM), joins host David Puner in exploring the ever-evolving identity landscape and how emerging threats impact organizations’ cybersecurity requirements. Through the eyes of an end user, Trawny shares best practices for overcoming change resistance, creating effective deployment timelines and avoiding scope creep. This episode maps the correlation between critical program elements – such as robust endpoint privilege management and dynamic access controls – and privileged access management (PAM) maturity. In the face of complexity and ransomware, insider threats and other sophisticated cyberattacks, organizations can use these insights to help assess their current strategy and chart a course for success.  

[00:00:00.280] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk. The global leader in Identity Security.

[00:00:22.740] – David Puner
Enterprise cyber security deployments aren’t just about putting technology in place and flipping a proverbial switch. It’s just as much, if not more, about the people who ultimately interact with these tools. How will the rollout impact their day-to-day lives? Will they resist new processes and expectations? How best to overcome their objections?

[00:00:44.100] – David Puner
Which communication and training methods will resonate most? How will these tools alleviate their pain point and ultimately help them succeed at their jobs? At the end of the day or night, as the case may be, customers are, of course, looking at technology as business enabler rather than another complicated system that people must master.

[00:01:05.510] – David Puner
That’s where experts like today’s guest enter the picture. Crystal Trawny is a practice director supporting privileged account and endpoint privilege management teams for the cyber advisory and solutions firm Optiv. That means that, among other things, she and her team help organizations successfully manage change in constantly changing times.

[00:01:28.160] – David Puner
They’re along for that journey, as you’ll hear her refer to it, every step of the way. Crystal has been in the identity space for around 17 years, so she’s long been at the forefront of implementing cutting-edge strategies to secure organizations from internal and external threats. Here’s my conversation with Crystal Trawny.

[00:01:52.350] – David Puner
Crystal Trawny, practice director, privilege account and endpoint privilege management at Optiv. Thanks for coming on to the podcast.

[00:01:59.880] – Crystal Trawny
Thanks for having me, David.

[00:02:03.200] – David Puner
Awesome. I feel like we’ve already done the episode, but we haven’t even started yet. You’ve been in the identity space for a while with Optiv for about eight years. What’s your path been to your current role as practice director of privilege account and endpoint privilege management?

[00:02:20.950] – Crystal Trawny
The path that I’ve taken here, I think, may speak to a lot of people, quite frankly, just because identity, in the sense that we see it now, has not been around in always that same way. I started in IT and basic IT support jobs and curiosity got me into this whole journey. I worked at a retail tax company. They had seasonal employees.

[00:02:48.150] – Crystal Trawny
When I joined, they were starting to automate the user access and I thought that was really interesting. I really leaned into that process. We had some pretty fun and interesting innovations that we did into that area, which ended up being identity, to be frank. That was really before anybody really understood what it was or how we were going to define it or what to call it.

[00:03:12.420] – Crystal Trawny
From there, I joined Optiv and really was just in that whole identity space because like I said, that’s where my curiosity led me. I think it’s a very interesting area to work. I find that people that are really successful in this career are those curious learner people. How does that work and what could we do better here?

[00:03:36.770] – Crystal Trawny
They also seem to be really interconnected as far as the way that we like to share with other folks our knowledge and then learn from other people their perspective.

[00:03:47.750] – Crystal Trawny
I made the leap to Optiv of really to be closer to the technology, to be closer to see what other people are doing. When you have your own one company that you’re working for and with, you only see the things that they’ve bought and how you’re going to integrate those together.

[00:04:04.540] – Crystal Trawny
This let me give my expertise or learn my real world experience as a customer now on the consulting side. If I’m going to define my role today as the leading privilege access management and endpoint privilege, I lead a team of consultants who are really just highly skilled technologists. We have a really deep bench knowledge, years of consulting experience as well as production experience in those areas.

[00:04:34.710] – Crystal Trawny
It’s been really exciting because then you get to help customers really go down that path and achieve their goals. As I mentioned just a little bit ago, my background was originally a little bit in that user lifecycle management area where we’re doing a lot of automation and that thing and access certification.

[00:04:53.410] – Crystal Trawny
When I came over to Optiv and I started getting exposed to privileged access management, I started asking a lot of questions. How do does this work? What does this mean?

[00:05:02.090] – David Puner
Did you know what privileged access management was at that point?

[00:05:05.720] – Crystal Trawny
Yes. I had peripheral knowledge of that. The group that I was in didn’t control that particular piece of the puzzle. It was a little more user lifecycle management. From a technology’s perspective, I was asking a lot of those questions of how does this component per se work? Why would we use these kinds of things?

[00:05:27.160] – Crystal Trawny
What I loved about the team is a fantastic set of people that are really willing to educate me on anything that I asked. It didn’t matter which product it was. If there was a new product that came in, I’d say, « Okay, I understand this piece. Let’s talk about this other product and how does that lay into what we’re saying here? How does that solve the customer problem? »

[00:05:47.070] – Crystal Trawny
That’s really what I think is special and what we seek to do here at Optiv is we really want to walk alongside you on your security journey. We advise you on the leading practices, how to deploy the technology. We want to show you how to operate that after we leave. It’s really important to us that you use the item that you implemented so you can get the best return on investment and really reduce your risk exposure in that way.

[00:06:15.550] – Crystal Trawny
If you need somebody to do some of those other things for you, like operate after the tool is implemented, we can do those operational pieces as well. We really just bring our expertise of the product and the deployment experience. We pair it with the customer’s knowledge of their space, and then that’s how we work the program.

[00:06:36.760] – David Puner
You mentioned curiosity a few times. Do you think that this curiosity has helped you put yourself in a client’s shoes and helped you solve problems for them or with them?

[00:06:49.340] – Crystal Trawny
Absolutely. Because I think many times we see clients explain something and everyone explains something from their perspective. There’s a lot of conversation that has to be had where you’re seeking to really understand what do they mean and how does that affect them or what is the impact?

[00:07:09.540] – Crystal Trawny
Because what I think it means and what you think it means may be something completely different. The magic of what we do in the identity space when you’re doing the consulting piece of it is really just pair that up. You have to have a place where everyone feels comfortable to share. Inevitably, there’s going to be a little dip in the road, you’re going to have a problem. The idea is you come to the table and say, « Okay, what are options that we can talk through? »

[00:07:41.260] – Crystal Trawny
How can we make this work for the customer in a way that still is in line with the tool, the base functionality of what they purchased? Or do we need to switch a process around so they maybe change the way that they do something so that the automation can pick it up more seamlessly? Then how does that impact them?

[00:08:04.050] – Crystal Trawny
You have to be curious about all of those things because I can say, technically, something works and we’ll check the box and technically it works. But technically, there’s a door to your garage, but I’m asking you to walk all the way around into your neighbor’s yard and down the street to get to it. That seems silly. You want the easiest functionality and that ease of use for the client because that’s how they get some buy in.

[00:08:29.660] – Crystal Trawny
Then that’s also how they get that return on investment to say, « Hey, we are really getting efficient at the way that we’re processing some of this stuff and the way we think about it. » That’s where I think the magic is when you’re able to collaborate and you trust the expertise that they have and they trust the expertise that you have.

[00:08:49.180] – David Puner
What about PAM, piqued your curiosity when you started eight years ago with Optiv and how has it evolved, PAM and your curiosity of PAM during your time in the space?

[00:09:01.730] – Crystal Trawny
They probably went hand in hand, to be fair, because I was starting at the ground level as far as implementations eight years ago. Before it was, « Hey, we have a lot of green space. Here’s, we’re going to do a small implementation. We may come back later and do an upgrade. We may come back later and do a Phase 2. »

[00:09:21.990] – Crystal Trawny
Now I’m seeing a lot more large and complicated environments. They’re leveraging several tools to achieve a goal. There’s a lot more like that technology sprawl. I think just partially because as you put your identity program together, which does include privilege access management, you are taking chunks off of that a little bit at a time.

[00:09:46.510] – Crystal Trawny
I think we’ve seen over the course of the years, not just PAM, but identity in general, has shifted from a tactical, I need to check a compliance checkbox to I’m getting more of my executives involved. We understand we have to have a strategy to move forward in order to implement this.

[00:10:07.430] – Crystal Trawny
So we’re seeing a lot more recognition from the executive standpoint on the importance, and then they’re the ones that are championing the cause internally. I think we’re seeing some of the things that we’ve talked about in the identity space start rippling through being a little more common knowledge than they were.

[00:10:27.270] – Crystal Trawny
For example, we have presentations from probably five or six years ago where we were saying identity is the center of security, and now it feels like that message is proliferated out there to the general public. You’re hearing other people say that identity has been in the center, it’s the new perimeter, however you want to say it, all the zero trust things that are coming out, that’s where we live.

[00:10:50.670] – Crystal Trawny
Part of it is, that’s not where everyone else lives. So part of our job is to help them understand and see the opportunity and get there. We’re getting people that are willing to start planning things out a little more beyond the Phase 1 password management. It used to be just your domain administrators.

[00:11:10.610] – Crystal Trawny
Now we’re getting several phase projects utilizing password management. People are getting the secrets management. They’re getting into endpoint management, and they’re doing all the things in a phased and specific and intentional way.

[00:11:25.470] – David Puner
Working with customers, are there any common PAM misconceptions or other misconceptions you and your team deal with a lot in today’s landscape?

[00:11:34.700] – Crystal Trawny
I think there’s a misconception that everyone does it the same way. We talk a lot about what used to be best practices. Now people are saying leading practice. I think there’s a conception of like, if I work with a financial institution, then I will tell that next financial institution to do it the exact same way.

[00:11:53.250] – Crystal Trawny
Or that every single person has done the particular use case that they want to do. I think customers are seeing that they are unique and they may have something that is unique that pushes the edge of what the traditional use case is. They think it’s normal and we’re saying, « Hey, we need to figure that out together and make some decisions on how much time and effort we want to spend to solve this issue, either technically or can we change that process a little bit and stay within the sweet spot of the tool that we’re implementing?

[00:12:28.280] – Crystal Trawny
I think there are some misconceptions around that that maybe it’s easier than it really is. If you think about some of the other things that people implement, I could see how they would say, « Well, it’s just vaulting accounts. » But it ends up not being just vaulting accounts, right? You end up vaulting accounts, then it’s session management and some of those things that go along with that in the process for people to work.

[00:12:50.770] – Crystal Trawny
That’s the other thing is it’s super impactful to the way people work. That’s why you get a lot of push back because they’re trying to be effective.

[00:12:59.360] – David Puner
Are there any particular challenges that you’re seeing from customers these days, common challenges that have evolved over time?

[00:13:05.970] – Crystal Trawny
I would say the common challenge is really just maybe biting off more than they can chew and understanding what each phase should look like. I think that’s probably a common challenge. Then getting that organizational buy in to do it and get the momentum that they need in order to get at least Phase 1 of those projects done.

[00:13:30.050] – Crystal Trawny
Then sometimes I think they have an idea, again, back to our last conversation about maybe people think it’s too easy. Sometimes we have some requests of our teams from the customer side where they just don’t have the ammunition to push back on their leadership to say, « Hey, this isn’t feasible in the time frame that we’re talking about, » or « Hey, this actually isn’t the most important thing for us to do now that we’ve pulled back the covers a little bit from a risk perspective. »

[00:13:59.990] – Crystal Trawny
Getting the right level of return on investment and that organizational change to understand what can we actually implement in the time that we’re talking about. When looking at what I’ve seen over the years, we’re consistently seeing that organizations who plan early communicate changes. They’re the ones that have the most successful deployments.

[00:14:22.290] – Crystal Trawny
It’s not always about the technology, it’s actually about how you make the users feel when you’re deploying the technology and does it feel as hard as they thought it would or less.

[00:14:33.250] – David Puner
I would imagine that organizational buy in piece cannot be underestimated. It’s probably a big part of what you do.

[00:14:40.010] – Crystal Trawny
Yes, it is a big part of what we do knowing that ahead of time, that a customer needs that help is always helpful on our end. We’re happy to have those conversations and talk about resistance management and just having some of the conversations about what a typical deployment would look like. We’ve had customers come to us saying, « Hey, we think we want to do this. Here’s what we think the deployment timeline would look like. Does this look right? »

[00:15:05.140] – Crystal Trawny
I appreciate those conversations because it gives us a chance to help level set before you start getting down the path of where expectations are already misaligned. That’s where that communication is invaluable, understanding who they’ve talked to, how they’re communicating this out to their teams.

[00:15:24.570] – Crystal Trawny
I’ve had a customer, probably one of my favorite kickoffs ever, we were talking about the scope in the kickoff call and someone from the customer team started laying in another use case and said, « What about X? » The customer sponsor came in without any prompting from us and said, « That is not in scope and we are doing Y by this date. »

[00:15:51.560] – Crystal Trawny
I couldn’t applaud him loudly enough. That’s the thing is, what are we trying to achieve and what’s the time frame and try not to get into so much scope creep. You can always put that in the next phase.

[00:16:05.780] – David Puner
Well, connect me with that guy after the podcast. We got to get him onto the podcast. He sounds like a good one. How do you measure PAM program maturity and what are some signs that organizations are making their way through the PAM lifecycle?

[00:16:21.890] – Crystal Trawny
I think as we’ve talked about, traditionally, people start with some of those base use cases, which is local administrator, the core admin accounts. Then as we see them expanding out, then we see things like database, if you still want to go with just the vaulting.

[00:16:40.940] – Crystal Trawny
We see people going into… Once they have things vaulted, getting into session management and maybe a little bit of threat analytics to understand, can I automatically shut down those sessions if Suzy is working on something and we see that she has done certain commands in order? Then we want to be able to cut that down.

[00:17:03.760] – Crystal Trawny
Obviously, being able to have at least the visual of the recording to understand what was done so you can undo it, is valuable. But then layering that next level of the threat analytics and having that automated shutdown, that’s another one where you’re getting in that prevention mode.

[00:17:20.680] – Crystal Trawny
Aside from that, we’re seeing people advance from the regular administrative use cases to then talking about service accounts. That’s not only how do I rotate passwords on service accounts or vault them, but also what does that life cycle of a service account look like? What are we using it for? Who do we even know that is the owner of that? Do we use that thing anymore?

[00:17:44.810] – Crystal Trawny
That’s the whole process, which is a little more advanced in that regard because it takes a lot of time to track those things down and get the organizational buy in to really say this is what the process is now going to be. Then we see things like application integrations when the applications are talking to each other, evolving into that the secrets and the CICD pipeline, and then endpoint management.

[00:18:11.130] – Crystal Trawny
Some of those, you’ll mix those phases up a little bit based on what the customer wants to achieve, but that’s where we’re seeing that trend going. We see people that have done the core implementation come back for successive phases that include one of those things.

[00:18:29.370] – David Puner
Shifting gears to ransomware, which is a key risk consideration for any organization in 2023, what recommendations would you share to protect endpoints and critical infrastructure from ransomware and other forms of malware?

[00:18:44.520] – Crystal Trawny
The thing that we have talked about just a little bit, endpoint privilege manager, managing those local administrative rights, and application access, so that we can understand who has rights to execute things on desktops. That privilege elevation is super important. Some of the things that are outside of the PAM space, particular antivirus, that thing, obviously, is something that they would want to look at as well.

[00:19:13.090] – Crystal Trawny
But we’re really looking at that endpoint privilege management and then detection and response from there. What happens when you perceive an attack on the endpoints? I think from an end point privilege manager perspective, we get a lot of those data points of what people are really using and understand what makes sense from an elevation perspective and what doesn’t.

[00:19:34.510] – David Puner
Over the years, there’s been a lot of innovation in the infrastructure that’s powering digital initiatives with things like infrastructure as a service and more advanced OT systems. How are requirements for PAM and Identity Security programs adapting?

[00:19:49.760] – Crystal Trawny
As it relates to infrastructure as a service, I think that it’s causing people just to have a little bit more, I don’t say specialization, but obviously you have to understand cloud environments and help the customer understand how these components will be deployed. There’s a consideration for the service provider access. People have to get in and be able to service those things from the infrastructure piece.

[00:20:14.630] – Crystal Trawny
Advanced OT, we are seeing more and more of that, not just from the privilege remote access perspective, depending on which tools customers are using, but having an awareness of the security required around some of those systems, and they’re unique. Traditionally, they were air gapped, and now we’re collecting more data in those areas. So people are trying to segment that privilege off.

[00:20:41.200] – Crystal Trawny
What does that look like? There’s a little bit of segmentation pieces from a networking perspective that I think people have to understand. Then from a practitioner perspective as well, how do you deploy in those type of environments, either including the cloud or from an operational technology place as well.

[00:21:01.860] – David Puner
I’m glad you mentioned cloud because specifically with cloud, there’s a lot of interest in just in time access. Where can just in time, elevation and similar controls help existing PAM programs expand to new use cases?

[00:21:16.320] – Crystal Trawny
When I think about does the cloud change what we’re talking about as far as just in time access? The technology for just in time from an end point perspective has been around for quite some time. Maybe the question is, is the cloud really the driving factor for some of these things, or is it that we have successfully deployed these things in our on prem versions?

[00:21:42.470] – Crystal Trawny
Now we’re comfortable with that. Perhaps it’s the comfort level with the tool that allows us to expand into that next phase of the project. Now that I’m comfortable with capturing these things and mitigating this risk, now I see how I can apply that over here and then we continue on through that process. I think it’s the perception of the unknown that drives people back to how do we now mitigate this risk?

[00:22:10.470] – Crystal Trawny
We would consider that a normal progression in the program. We’ve always been able to do some of the just in time. Now, if we’re talking about ephemeral access, where an account is created and then granted permission to do the task and then it’s deprivisioned, that has maybe gives us more encouragement because now I don’t have to do the administrative function of provisioning that account.

[00:22:39.790] – Crystal Trawny
Traditionally, it was standing privilege on an account and then we vault it. So if I’m an administrator, I have my core account and then I have my privileged account that’s vaulted. That’s an administrative overhead. I think the ability to automate these has been, from a just in time access, has allowed us to say, « Hey, now we can go take on these other things that maybe weren’t as important before. »

[00:23:03.410] – David Puner
That’s really interesting. Thank you. Moving over to insider threats for a moment, how much are you thinking about or talking about insider threats these days? How much does the removal of all standing privileges address that threat?

[00:23:16.550] – Crystal Trawny
I would say in general, we are talking less with clients about insider threats. I think that goes back to that expansion of use cases and how this has evolved from a PAM perspective. As we mentioned, if I have my particular standing privilege accounts, being able to rotate that automatically, I’m really getting more on that zero trust journey.

[00:23:41.830] – Crystal Trawny
Even as an administrator, if I’m an administrator, because before, if I vaulted, then I can see the password, maybe. Maybe we allow them to just vault it and see the password. I still have some level of privilege, right? But now you’re saying, « Hey, Crystal, you’re authorized to go in there and check out that password. »

[00:23:58.560] – Crystal Trawny
If we start implementing other things like password rotation and PSM, then my level of privilege or the risk goes down, even though I have access. Now we’re implementing things like MFA to say you have must multifactor in there so that I know that you’re supposed to have access to this. You check out your account and then it auto rotates after you use it. You never see the password.

[00:24:23.200] – Crystal Trawny
I think we’re seeing a little bit less of that versus as people start talking about external threats and privilege elevation. How do people get in and then elevate their privileges? I think that’s much more what customers are talking about. Also from the perspective of if I’m outsourcing some of my IT space to someone else, now I have a third party. What does that look like? How do I manage those privileges?

[00:24:54.560] – Crystal Trawny
Because maybe that is not the same set of people working on my account every single day. I’m not giving one person access, I’m giving a set of 10 people at that organization access to log in to service my accounts. I think people think about it a little more expanded versus now there’s just more threats. That sounds horrible, but I think that’s the universe we’re in. Is there just more. There’s more to think about. It’s more complicated.

[00:25:26.970] – David Puner
The universe that we’re in now, of course, is going to be different than the universe that we’re going to be in a week, a month, a year. Excuse the terrible pun here, but if we’re to look into the crystal ball with crystal, what do you think we’re looking at in a year? How are things changing?

[00:25:43.520] – Crystal Trawny
I think we’re going to see more people doing… I’m already seeing this trending up toward the EPM implementations. We’re seeing more secrets management journeys from an endpoint perspective. I do think people are going to start implementing more just in time access and starting to seek out what areas of risk where they can use that so they don’t have to do the standing privilege piece anymore.

[00:26:10.950] – Crystal Trawny
I think we’re going to really see a push toward just in time. I think that companies are going to really embrace that as well as end point because I think they’re seeing that the end user from a malware perspective and ransomware perspective, that’s really dangerous.

[00:26:29.360] – David Puner
One of one other thing I wanted to ask you about, there’s considerable underwriting scrutiny around endpoint privilege controls, especially a company’s ability to remove local admin rights from all users. How can organizations find the right balance between least privileged control and operational efficiency?

[00:26:46.980] – Crystal Trawny
I think that’s something that the business itself and users definitely let you know from a security perspective. They will work with the security team to identify what the risk are, what controls make sense based on risk scores that they’ve established. When is the right scenario to require adaptive authentication based on what you’re securing? How do we use analytics to understand when someone’s operating outside of normal behavior patterns?

[00:27:12.150] – Crystal Trawny
I think you see from that perspective, people will push back on the process when it becomes arduous. I’ll defer back to way back when I was doing security certifications, one of the instructors said, « How much security is enough? The answer is just enough. » It’s enough to secure the thing without making it so hard that someone is going to go around you and do something else.

[00:27:38.150] – Crystal Trawny
That’s where you have to have that good conversation about how do you balance that and make sure you’re listening to your users and is what they’re citing a valid complaint? I would give you an example. I have a customer that moved off a particular tool onto another one of the same sort. The first tool did something very specific for a set of users that the second tool does not inherently do.

[00:28:06.020] – Crystal Trawny
It’s really a process change. Then I think you have to think about as a business, do we want to go down this customization route in order to make a group of, say, 10 users happy, or do we want to tell them this is the process we’re going to use and this is the decision that we’ve made, and so therefore, I don’t want to say I don’t care what the old tool did, but it’s irrelevant if you can’t replicate that in the new tool.

[00:28:33.140] – Crystal Trawny
It doesn’t make sense because now we have to spend time every time we upgrade, going and retesting that code and making sure that it’s still working. Then to be fair, just change the process and then move forward. In 30 or 60 days, do you think they’re going to be talking about that? Probably not. I think those are some of the scenarios. But as leaders, we have to understand is it a big deal or is this a short term I don’t like it because it’s different, which is a little bit of where that organizational change management comes from.

[00:29:11.070] – David Puner
That’s really interesting. You must deal with that all the time. I don’t like it because it’s different because people don’t like change.

[00:29:17.670] – Crystal Trawny
Yes, they do not like change. I think when we talk to folks in the discovery process and we’re talking through what are you doing today? What pain points are you having? That’s a really important place for us because we really want to hear from them how do they do it today and what do they like or don’t like about that process.

[00:29:38.430] – Crystal Trawny
Because if it’s feasible, we want to make sure that the new tool is configured to do that as effectively as possible. So it’s less change for you. Having that open conversation is really important.

[00:29:51.740] – David Puner
Crystal Trawny, thanks so much for coming on the Trust Issues. It’s been great. Appreciate it.

[00:29:57.000] – Crystal Trawny
Thank you, David. It’s been fantastic.

[00:29:58.920] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see, oh yeah, drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are like comments. Our email address is trustissues, all one word, @cyberark.com. See you next time.