Have you heard of PAM or Privileged Access Management? Today, Jimmy Hatzell is here again to shed light on why it is crucial for MSPs to implement Privileged Access Management in their systems, especially since MSPs are becoming increasingly vulnerable to cyber-attacks.
Connor Swalm
Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Hey, everyone. Welcome back to another episode of Gone Fishing. I'm your host Connor, and I am joined once again by Jimmy, VP of Revenue at QuickPass. Sorry, that's your old name. Cyber QP. Self declared warlock of PAM. Privileged access management. How are you doing, Jim?
Jimmy Hatzell
I'm doing wonderful.
Connor Swalm
So for everyone listening, including myself, because I don't know pretty much anything about. I only know the acronym because you had said it just before we got on the show. What is Pam?
Jimmy Hatzell
So I think I can put a pin in this whole Pan PAm situation. That we have going on.
Connor Swalm
I was going to make a step brothers joke. I'm very glad you did.
Jimmy Hatzell
Privileged access management is simply making sure that the right people have access to. The right data at the right times. On a privileged basis. At an MSP level, you can call it protecting your admin accounts. Right? Making sure that all the administrative functions inside your MSP and for your end users are managed, monitored. The discovery, monitoring, and management of your privileged accounts.
Connor Swalm
The discovery, monitoring, and management of your privileged accounts. So you also mentioned, so that is. It, that all of your users don't have access to all of your data all the time. It's like you can provision it for. Certain segments of time. You can provision certain data forever. I'm a little confused by that.
Jimmy Hatzell
Sure. Yeah. There's lots of different areas. So privilege access management is a sub. Function of identity and access management. And identity and access management encompasses everything. Like MFA, SSO, everything that relates to.
People logging in or getting access to something. PrIvileged access management is a sub portion of that has to do with anything that is privileged or elevated user rights. So there's like subfactions, like what we do, where we're doing password rotations, or just in time account creation or privileged account discovery. There's other areas of privileged access management, such as privileged session recording, where you're recording what a remote machine is doing, right? When someone is accessing it and using maybe a privileged command line or privileged Powershell, or even recording the whole session. There's privilege elevation, like what Cyberfox does with auto Elevate, where they're giving ordinary users temporary access to an administrator account and then taking those rights away when they're done. Threat locker does that, too. So there's, like, a lot of different areas, and it's all emerging and becoming very important for MSPs because MSPs hold. So much privileged access. Right.
MSPs have privileged access to all of their customers, and they have, unfortunately, become a target for hackers because you hack just the MSP, and you get access. To all of them. So making sure that people inside your MSP only have privilege access when they actually need it for short periods of. Time, and limiting that privilege, and then. Also your end users as well, is extremely important. And that's, like, everything encompassed in PAM, and I think it's a wide space. It's growing. You're seeing stuff. We're doing stuff. Connectwise is doing threat locker, Cyberfox, Evo security, and we're all like. We have a little bit of overlap.
In certain things, but when you look. Up market, there's Delinea, which is psychotic cyber arc manage engine, and there's these more holistic solutions that maybe combine all these different things that we're doing in the MSP space, but is extremely expensive. It is extremely time consuming. It is cost prohibitive for small businesses, and it is not working on a multitenant basis. It's, like, segmented out in the cloud. So you're starting to see, as you do with cybersecurity and technology in general, those technology concepts coming down market, and that's how you end up with companies like us who do this stuff extremely well for MSPs and their customers more specifically. So I don't even know if I. Answered your question, but that was a long answer about PAM.
Connor Swalm
The question was, what is PAm? I think you did a great job at covering it, though you also kind. Of asked always, what I follow up. With is, why should anyone care about this? We've made an acronym. Congrats. It's like, there are so many acronyms that exist in this world, but it sounds like, if I got it correctly. It'S not having access to all of. Your data all the time and not having access to everything all the time. Provisioning it. And then you mentioned just in time accounts, you mentioned elevating privileges. You mentioned giving access to data and then taking it away when it's necessary as well.
How else is it important? Is there any other thing that is under the scope of privileged access management. What we haven't talked about?
Jimmy Hatzell
Well, so, by default, it. People like myself want access to everything. I want God mode level access to every system I want the Developer Options admin settings, right? And that's just the way I am. I like to tweak things, I like. To play with it. And that is like horrible practice for information security, because if something happens to. Me, so much more damage can get done.
And we need to change our way of thinking as MSPs to get away from that and move to least privilege. So, for example, if you're an MSP CEO listening, if you have domain admin access to all of your clients, or you have whatever God mode access to a bunch of your internal systems and you never log in, you don't actually need access. And by having that access, you're setting a culture of the higher you get in the organization, the more access you get. And you want to keep that and you want to hold it, but all you're doing is creating standing privilege or risk for yourself. Standing privilege is having admin access to something when you're not using it, or admin access to something all the time.
And we need to switch to a. Culture of least privilege and zero standing privilege, where if you need admin access, you get it for a little bit. And then you turn it back off. And cyber insurers have noticed this and they're usually years behind, but they are asking questions about this. Regulators have known about this and are. Starting to implement it. And auditors, and a lot to do with accountability, because in MSP, for example, you end up with a lot of shared accounts, right? And with a shared account, you lose the auditing of who was accessing what.
At what time for the most critical. Privileged accounts, because everyone's using the same one. And yeah, we help do stuff like password rotation that mitigates a lot of that and helps with it. But ultimately, we're seeing everything is going. To move to named accounts where if. Somebody'S doing something on a system, it needs to get tied back to an actual human being. And there's just a lot more eyes on it now. And there will continue to be even more. So if you're not getting cyber insurance questions or regulatory requirements for named accounts or privileged access management, there's a high probability that you will in the future, which is helping drive this adoption, on top of the fact that people are just getting hacked and getting popped for having access to things that they shouldn't all the time.
Connor Swalm
I forget who said this, but a. Statement that I always enjoyed was, you're not too small to get hacked, you're. Just too small to make the news. Like a big question that a lot of MSPs get from their clients is, why would I bother doing this? Why would I bother spending all this. Money when I'm too small?
Jimmy Hatzell
Yeah, that's all part of it, right? That's like part of why we are existing and why, if you went to it nation secure, it seemed like there was tons of Pam vendors with the new Soxim, the new MDR, right? Like, just moving in, taking over, because this was just completely cost prohibitive for small businesses. And even, like, Microsoft, they're coming out with Microsoft Pim, which is privileged identity management. It's a focus for everyone. And now people like us are trying. To bring it to all the small businesses.
Connor Swalm
So one thing that always shocked me. Is whenever I'd listen to an MSP. Talk to their clients or even listen to an MSP talk, they always assumed. Like, the C suites, the managers, whatever. The people at the top were like.
I don't need this. There's no way I'm going to get hacked. There's no way that I'm the reason my organization is going to go under. This is just a roadblock. Don't put it in front of me. And they honestly, sometimes they get really angry, especially when they're MSP or when their security provider is like, no, you have to do this. And I always came back with, aren't. You also the person with the most access? Don't you have the most keys in your organization? Aren't you the busiest person here? Or you believe to be that you're. The busiest person here? All right, can we see a world. Where you make a mistake or where somebody targets you because they know this?
d that's when they have to. They either double down and, no, you. Don'T know what you're talking about. Or they're like, okay, yeah, I can see that. And it sounds like Pam protects from that happening. It's like, don't be your own worst enemy. Someone's going to get hacked in your organization. It's a when, not if mentality. That's what a lot of people are saying these days. That's what I believe as well. So it's like, in the event that. It does happen, we should be the most prepared, which means having access to. Almost nothing at the time of hack.
Jimmy Hatzell
Yeah, that's true.
Connor Swalm
What other vulnerabilities does spam protect?
Jimmy Hatzell
The discovery of privileged accounts? So a lot of it is you.
Don'T know, like, say you inherit a new client or you buy an MSP or anything like that. There isn't a great process for discovering all of the administrator accounts or privileged accounts that are existing and there are some cool tools to do it and there's scripts to do it. But you get multiple environments, right? You get local admins, you get Azure.
Ad or enter ID, whatever they change Office 365 to be called these days, and then active directory, all different servers as well. And RMMs can help and monitor a lot of this and find a lot of the information in it and Powershell scripts and stuff like that. But being able to pull all that information into one place and knowing what the footprint is and what the risk is, that is a huge part of privileged access management and that's something that we do.
Connor Swalm
Sweet. Are MSPs behind the game or ahead. Of the game when it comes to. Implementing Pan in your humble opinion?
Jimmy Hatzell
I don't know. I don't like to come down and say blah blah like cybersecurity is an ongoing process. MSPs are put in a situation where they are forced to implement cybersecurity without necessarily having the best training or teachings or time to adapt and prepare because they're the only ones there to do the job. And I know some amazing MSPs who have experts in security for sure, but a lot are just trying to learn and catch up on things. So there's always work to do and there's always improvements to make for cybersecurity. But I wouldn't say that MSPs are. Ahead or behind, because everyone's always behind in cybersecurity. There's always improvements you can make. It's a game where everyone loses at some point. You're just trying not to lose the worst.
Connor Swalm
Try not to lose so bad you make the news. Yeah, exactly.Where could people go to learn more about PAM or cybersecurity? Because you had just mentioned a lot of people are just in this game to be educated. They're the only people at the front. Lines helping the small businesses. And sometimes it's not ideal, but where could people go? Educate themselves in your know, check out.
Jimmy Hatzell
Actually we have a pretty good resource center on our website, Cyberqp.com. Click on the Resource Hub. There's a bunch of stuff on Pam and identity and access management and cyber in general. But I would also look at CIS framework, cybersecurity framework and start implementing it. In your organization and read up a. Little bit on it. And if you're not aligning yourself to a framework, that's a great way to start. And you'll read a lot about Phin security and how they can help you and what is it, Control 14 or. Something on Control 14. Yeah, you'll read Control four and five and you'll see, hey, actually, Cyber QP. Is a good fit for this, but. A lot of it is process oriented. But it's a good place to start on. Here's the basic security things that I need. How can I put the processes in. Place and where do my tools fit in?
Yeah.
Connor Swalm
For those of you listening who are. Hearing about this for the first time. CIS stands for the center for Internet Security, and they've created a group of. Best practices to follow the controls. And I think there's, what, 18 of them and there are sub points and all there. And it's like, okay, if you're looking. To have a decent security program or. Know what a decent security program would look like, and the things that you should care about, go to CIS, find the framework, look at all those things. And check the boxes. Do you have tools that help you with these things or do you have processes that actually, I guarantee you said four and five. I guarantee some of them are actually like, do you actually de escalate access when needed? And do you not provision everything all the time?
So for those of you listening, just. That'D be a great place to start. And there are probably a hundred million people on YouTube that have made wonderful videos and cybersecurity experts there that have. Made videos on it.
Jimmy Hatzell
Yeah, there's the cyber call, or the cyber cast now it's called. Did a whole series on all the controls. I don't know if they're done it yet, but they go through each one by one. It's very good. So that's a good place to learn, too. Sweet.
Connor Swalm
Any last minute advice? This is where we always wrap up with folks, is what's one thing they. Should take from your expertise today on learning Pam or learning about cybersecurity?
Jimmy Hatzell
Just look inward on yourself and think, what do I have access to? And is there an actual reason for this? And can I make a culture change. In my organization by giving up this God mode access for no reason? No good reason.
Connor Swalm
No good reason. Is there a good reason to have.
Jimmy Hatzell
God mode is my follow up. It's fun.
Connor Swalm
Okay. It's fun. You heard it, folks. Awesome. Well, thank for joining me today. This has been super helpful, not only to myself, but I imagine to everyone listening. I had no idea what Pam was before we started this call, and now I feel like I'm an expert, so watch out. I might be coming for your job. Jimmy. I'm going to be the spokesperson for. Pam and we'll go from there. Yeah, you got it, man. You come take it. Sweet.
Thanks everyone for listening or watching. If you're watching us, and as always, all the links we mentioned today, they'll be in the show notes, Jimmy's contact information, whatever you'd like to share with us, be in the show notes as well. If you'd like to ask him more questions about Pam or AI, he's the Warlock of the democratically elected Warlock of Pam. He also talks about AI, A and.
That'S a lot of fun. But thanks everyone for joining. Have a great rest of your day and we will see you next time. Thanks so much for tuning in to gone fishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out. Phin Security at Phinsec IO. That's P-H-I-N-S-E-C io. Or click all of the wonderful links. In our show notes. Thanks for fishing with me today and. We'll see you next time.
