Privileged access management and work-from-home tips

[00:00:00] CS: Today on Cyber Work we're talking cloud security and we're talking work from home. If you've ever checked your work email on your personal phone, and I know you have because we've all done it, or touched up some time sensitive spreadsheets on the same iPad your kids use to play Animal Crossing, Terence Jackson of Thycotic is going to tell you how to tighten up your security protocols to ensure that work from home doesn't become breach from home.

Remember that Cyber Work listeners can access a free month of Infosec skills by going to infosecinstitute.com/skills and using the code cyberwork when signing up. That's 30 free days of high-quality security courses, hands-on cyber ranges, skills assessments and certification practice exams all when you use the promo code cyberwork on signup. Now let's start the show.

[00:00:48] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cyber security industry. When we're recording this episode, we're just wrapping up National Insider Threat Awareness Month, and it probably won't be on the site in time, but our guest today, Terence Jackson, who is the CSO at Thycotic knows a lot about protecting against insider threats. So we're going to talk today about smart privileged access management, which is one of his specialties, and making sure that people in your company only have the level of security clearance they need and only for the time that they need it. It's going to be a huge – Saving from a huge headache down the line.

With more than 17 years of public and private sector IT and security experience, Terence Jackson is responsible for protecting the company's information assets. In his role, he currently leads a corporate-wide information risk management program. He identifies, evaluates and reports on information security practices, controls and risks in order to comply with regulatory requirements and to align with the risk posture of the enterprise. Prior to joining Thycotic, Terence was the director of cyber security and professional services for TSI, a Virginia-based 5000 company. He has also worked as a senior security consultant for Clango, Inc., a top identity and access management consultancy. And he was featured in and was also contributor to the book Tribe of Hackers, which we've recommended several times on our website.

Terence, welcome and thanks for joining us on Cyber Work.

[00:02:28] TJ: Well, thank you. I’m glad to be here.

[00:02:30] CS: Great. So we always like to sort of start a little baseline by asking about your background. So how long have you been in the cyber security industry specifically and what got you interested in it? Was computers and tech a thing you were excited about since childhood?

[00:02:46] TJ: Oh yes. Formally I would say I've been in the cyber security industry since the year 2000. Informally I would say pretty much my whole life. I was a tinkerer as a kid. I remember my first computer was a Commodore 64. And I remember ... I remember sitting and going through the code books and typing it in and, you know, it’ll make a little sound or, a noise.

[00:03:12] CS: Yeah. A person would run across the screen or make them beep-beep-beep. Yeah. I’m thinking, I never used to do that and about 30 seconds of result. It was very satisfying.

[00:03:21] TJ: It was very satisfying and I was hooked since then. So I would probably say the first thing I actually programmed was my parents VCR.

[00:03:30] CS: Oh yeah, and we're still doing that for our parents apparently.

[00:03:34] TJ: We are. My dad brought home a VCR, it was an RCA VCS and he was like, “Son, don't touch it.” I probably was about five or six. And of course as soon as he left what did I do? I took it out of the box, I touched it. And when he got back home, not only was it plugged in configured and it's set up. I set it to record my mom's favorite soap opera.

[00:03:51] CS: There you go.

[00:03:53] TJ: Like you said earlier, to this day, no clue on how to program. Neither one of my parents. No clue.

[00:03:59] CS: Yeah, every Thanksgiving, we work it all out together. It's like, “Why is my computer doing this thing?” Yeah.

[00:04:03] TJ: Yes, tech support. Yes.

[00:04:05] CS: Uh-huh. Yep. Yep. Tech amnesty. So yeah, that's awesome, man. And like I say that's a very relatable journey here for a lot of folks of a certain age. So I want to jump into today's topic. We've gotten some great – Thank you for all of you who've been turning in your surveys. We're getting a sense of like what type of people listen to the show. We're finding that a lot of people are learning about cyber security and concepts through the show with zero background, brand-new to the industry. Thinking about joining the industry, not sure where to start and things like that. So I always like to start these things with kind of a baseline. So one of your specialties is called privileged access management or PAM. So before we talk about it, it use as a proper implementation. Could you please give us a basic first time or explanation of how privilege access management works and what it is?

[00:04:57] TJ: Sure. So privileged access management or PAM, is what we call it, is if you think about your average IT worker or even your normal employee of a company, they access systems. These systems have usernames and passwords. And depending on the level of privilege or access needed, these credentials, what we call the username and passwords together, those are your credentials, allow you to access certain systems with certain levels of privilege. For your IT users, that would be your system administrators, network administrator types. They'll have the ability to make configuration changes to like open ports, close ports, to create accounts, disable accounts, change passwords and whatnot. And that that's what we call privileged access or privileged credentials.

So essentially what PM is doing is managing that level of access for not only the users in the organization, but also machines, communicate with machines. So we have service accounts that are responsible for running database servers for – Now we have IoT devices. So if we're keeping the lights on, your HVAC systems. So those systems also have credentials. And if we don't change those, from the defaults, the defaults, anybody can Google what's the default password for your Linksys home router, for example. If you don't change that from Linksys-Linksys or admin-admin, you run a high risk of being exploited.

[00:06:37] CS: Someone could probably drive by, park in your driveway and have at it, huh?

[00:06:41] TJ: Exactly. Exactly. If you’re in an apartment complex. But essentially on a corporate level, there are hundreds, sometimes thousands of systems all having varying levels of credentials that need to be managed proactively, not reactively, to secure the attack surface, because attackers, number one, goal is to gain privileged access in an enterprise. And once they get that, they can do a number of things. Maybe if it's a bank or a financial institution, they can do wire transfers or exfiltrate data and sell it on the dark web.

Patient data. You've seen a lot of leaks of information in recent months, days, in that regard. So that's what we're looking to do as far as privileged access. We're trying to centralize where those credentials are stored and proactively rotate them on a predefined interval and audit who has access to them. And if needed, can justify that access. And as you alluded to earlier, the industry shifting to a more of a just-in-time elevation principle, just-in-time access. So there is no standing level of access. You get the access you need at the time you need it and then it goes away.

[00:08:02] CS: Right. Yeah. And I think that's a really important consideration, because you hear a lot of things where there's open back doors, because like a third-party software company came in to work on your system and they were given like top-level access. So they had access to everything. And then that access wasn't turned off or wasn't DXs. And so like anyone can sneak in there. And so, yeah, that's why they’re called backdoors, I guess. Right?

[00:08:28] TJ: Yep, that's right. And I hate to keep picking on them, but Target is one of the most relevant situations that highlighted that. Target was hacked through a trusted third-party vendor, the HVAC vendor, which had network access. But that's actually how Target was hacked. So that's a very good example.

[00:08:48] CS: Yeah. Yeah. Yeah. And, again, one of those things – I mean Target obviously has a lot to answer for, but at the same time like were there a lot of – They're sort of the test case. So there wasn't a lot of people before them or, say, like don't be like them. Like everyone says don't be like Target, because Target was sort of the first, or first well-known –

[00:09:09] TJ: I would say one of the first well-knowns in that regard, they really brought this whole third-party been their risk management and access –

[00:09:19] CS: They're the bad example for the rest of us.

[00:09:21] TJ: Yup. Yup. Yup. They recovered well though. I still have my Target credit card.

[00:09:26] CS: Yeah. Yeah. Yeah. Yeah. I mean there's still plenty of stories out there as well of hospitals and stuff that they'll get hit in similar ways and then don't learn the lesson and then get hit again six months later. So that's kind of a whole other story. But I want to jump on. So now that we know how PAM works, the main topic we wanted to talk about is how to best protect an organization’s protected credentials in the cloud especially in the age of mass work from home due to COVID-19. So to start with, how has making so much work remote based in such a short period of time made protecting credentials more difficult?

[00:10:05] TJ: It's been a dumpster fire for some people. But since I think – I know I've been working from home since March 13th. But since then, we've definitely seen a rise in cyber attacks. And again, instead of workers going into the offices, which we would call our traditional perimeter or boundaries, now the new boundaries have been expanded to your home, your basement. I'm in my basement right now and –

[00:10:40] CS: Dining room.

[00:10:42] TJ: And for companies that had had issue corporate devices, that journey was not as painful, because they can push down those policies. They can turn things on and off, but there was still a large portion of companies that were bring your own device environment. But regardless of method, we're all on instant messaging, Slack, Teams, we’re on Zoom all day. Emails have ticked up, that's why you've seen phishing and spear phishing and attacks go up. But now the data is being transmitted without a high-level of governance. And a lot of those are privileged credentials and access. Now your IT administrators, your help desk individuals are working remotely supporting users. And depending on how they're accessing the end users’ environments, they may be sharing passwords in Slack, in Teams, emailing passwords back and forth.

[00:11:44] CS: Yeah. No matter of expediency, they're just like send it over real quick and I'll take care of it.

[00:11:47] TJ: Exactly. And without a proper PAM solution to audit that access to govern it, we've exposed ourselves to other attacks. And I believe that's one of the causes of what you're seeing now, because emails are coming in, kids are working from home. And especially if it's on your BYOD device, but if you think about – If we go back to the Linksys example. Not a lot of employees – and it's not their fault, but they didn't know a lot about how to secure their home networks. Some of them still did have that admin-admin password on their default network and now their children are at home, their schools have issued devices that have varying levels of security. And all it takes is somebody opening an email and a piece of malware being installed and it's scanning your network. And if you have weak credentials on the computer that you're accessing corporate files and networks from, it's kind of game over at that point. And that's why we've seen that uptake.

But a PAM solution would allow us to govern that access where they can log in and we don't have to expose the password. So if it's a web-based application, you would log in two-factor authentication and then you'll get a list of resources you had access to and you just click into those and you get access and those could be proxied and monitored and you wouldn't have that standing level of privilege of somebody emailing you a password or Slacking your password.

[00:13:33] CS: Yeah.Yeah. So I think one of the big points you mentioned March 13th obviously. That was kind of when everyone started saying, “Okay, we better get home now.” And I think for a lot of people the requirement happened immediately. It’s like a door shutting, like, “All right, everybody go home. Everybody take your things.” It was like evacuating from like a hurricane or something like that. So since many of these home situations were figured out on the fly due to the extreme need to get people out of public quickly as possible, do you have any thoughts on some things that you would have liked to have seen happened had we had a month head start or something like that? What policies could have been in place before this all started that might have made this less of a, as you said, dumpster fire?

[00:14:17] TJ: Sure. Since everybody's on the endpoint, endpoint security is of like utmost importance right now. So having some sort of endpoint security product installed. Taking away local admin or reducing privilege for users that didn't need to have a standing level of administrative privilege. In a perfect world, nobody should have standing local admin on their computers in general as a CISO of a security company. I don't have admin to anything.

It's funny, people are reaching out to me and asked me, “Can you make a change?” I was like, “I don't have access to do that.,” “But you're the CISO.” I was like, “Exactly. I don’t have access to do that.”

[00:14:58] CS: Yeah. And you should be glad that I don't. Yeah.

[00:15:01] TJ: Exactly. But taking a more defense in-depth layered approach, like an onion. So it was endpoint security, least privilege and patch management is one of the things that we're seeing right now that's really biting people. Because you've seen – Just this week, CISA has released a couple of directives basically giving government entities four days to patch these Microsoft vulnerabilities that would allow domain controllers to be compromised in a very bad way. So that is difficult when all of the endpoints are in different time zones on different networks that may have different bandwidth requirements. So patch management was difficult when everything was in the data center, right? It was in one place. But now that everybody's in a thousand different locations, that's one of the things that hackers are exploiting daily that I believe just those three things can greatly reduce your attack surface, but they're difficult.

On a good day when you have proper funding, and that's another thing that has happened. Security budgets have dried up. A lot of budgets have dried up just because of the business is not there and security teams typically didn't have the level of funding of some other departments. And that's being more brought to the forefront now. And it's just one of those difficult situations on what's the path forward? You've heard things about zero-trust and VPNs, but you've also seen like some of the VPNs being exploited because of missing patches. So it's like six in one hand and a half dozen in the other one. And it's been difficult. But I believe if those things – The crystal ball, we had like a month, that's what a lot of companies would have doubled down on resiliency of their VPNs, patch management, lease privilege.

And honestly one we don't talk about a lot I would say is user awareness training. That's the other – One of the things that we focused on even before COVID and the pandemic. But having an aware user base with your employees. Some CISOs or industry professionals would say, “Employees are the weakest link.” I like to say employees are your first line of defense.

[00:17:44] CS: I like that. I like that explained a lot better. That's what we go with as well. Yeah, I don't like the whole – Your employees are not your problem. Like you say, they're there to – They don't want this any more than you do.

[00:17:55] TJ: Exactly. So I look at my employees as my security champions. If I can get them to be vigilant, and which we've seen. We get a lot of emails coming in to the help desk of like, “Is this safe? Should I click on it?” And it may generate initially more work, but I would much rather investigate –

[00:18:14] CS: Oh! That’s the call you want to take.

[00:18:17] TJ: Email versus a click. And then, “Uh-oh.”

[00:18:19] CS: Oh! We’re going to be working on this for a long time. Yeah.

[00:18:23] TJ: Exactly.

[00:18:24] CS: So that brings up a couple of questions for me here. One, you mentioned VPNs briefly. And again, a lot of people's VPNs were sort of hastily assembled at the last minute and stuff. Do you feel like VPNs are still like the most sort of like viable way to sort of keep endpoint people safe along with endpoint protection and stuff like that?

[00:18:43] TJ: If they're accessing resources that are still in a corporate boundary somewhere, whether that's a public cloud, private cloud, on-prem in some data center, I would say yes. But I think we're figuring out is it's secure to a point but it may not be the most effective or efficient method where even today, I was watching Microsoft at night. They're rolling out a service that allows an always-on VPN to their edge browser.

At Thycotic, we have a product that allows access to resources behind a corporate boundary that doesn't require actual VPN. VPN is somewhat a friction point sometimes for some of your non-technical users. It does provide encapsulation of traffic if it’s a full tunnel. Not to get too technical for your users, but that full tunnel versus split tunnel is basically all your traffic going through the firewall versus some of your traffic going through the firewall and some of them staying local.

I do think this is ushering in a new era of digital transformation has accelerated it. VPNs have been around forever, but I think we are getting away from the traditional VPN as we know it, the click to connect and to a more so always on VPN. And I think one of the approaches, like I mentioned today, Microsoft is in the browser, because probably 67% of the work that we do nowadays is browser-based. So it makes sense to secure the browser and make sure that communication is encrypted as well. So I think VPNs are transforming, I guess I would say.

[00:20:41] CS: Yeah. Yeah. Yeah, boy, a lot of things are transforming right now aren't they on a tech?

[00:20:44] TJ: Indeed.

[00:20:46] CS: To that end, if you're watching this and you're an employee and you're working from home right now and you've got your own personal worries. I don't know if my router is secured or not. Like what are some things you should be asking about your home network even if your company is not requiring you to secure this or secure that or install this endpoint software? Like what are some things you should be looking for in your own setup? Should I be checking my printer's password? Should I be checking my router? What should we be doing to help ourselves?

[00:21:20] TJ: Yes, yes, and yes. On I guess the basics. So let's I guess start with your internet. If you're still using the internet gateway that came with your service was Comcast, Verizon, or wherever you are, usually those do come with strong passwords. So typically unless you changed it from the default password, it wouldn’t be –

[00:21:45] CS: To admin-admin and forget it. Yeah.

[00:21:46] TJ: Right, exactly. You will be good there. I would say for your SSID or your Wi-Fi password, you definitely want to make sure that strong. Again, typically if you're using the company's – Your ISPs devices, those still are relatively strong. But one of the things that most people don't think about is most of those gateways have a guest network. I would put untrusted devices on the guest network and probably say what's an untrusted device? If you have Amazon, Google Homes or any of those connected devices, a lot of times you don't know where those devices are calling back home to and what type of interaction they may have with devices on your network. And sometimes, especially kids, have toys that require internet access. And those devices don't have the – I’ll just say they weren't manufactured here.

[00:22:50] CS: Yeah. The robust defense systems that they could possibly. Yeah.

[00:22:53] TJ: Exactly. So just buyer beware with those. But that's something that's pretty simple that you can do, because the guest network just allows internet access. So you can browse the internet. It's just not going to allow access to other devices that are on the network. Definitely make sure you have some sort of endpoint security there, a ton of free options that are out there. If at all possible, and I say this loosely, try not to let your kids unsupervised. Go ham on your computer, especially if it's your work computer. I get it. Trust me, I get it. But if at all possible, try to monitor what's happening there.

And actually one thing you may – As an employee, may ask. If you are sharing your company or corporate device, maybe ask your IT help desk to create a local profile that's separate from core profile so that at least if you have to do that –

[00:24:01] CS: Some off-hours work.

[00:24:03] TJ: Exactly. You're not interacting with the work applications. What happens on that profile will kind of insulate something bad happening as far as data infiltration or access to things that some people didn't have access to.

Another thing not a lot of people think of back to the IoT or the smart home devices, but if you're having confidential conversations in front of your smart speaker with numerous stories of those being recorded. Those recordings –

[00:24:38] CS: – Infosec has demonstrated that for news companies. We have a guy here who broke into a news reporters Alexa in his home in Seattle so that he could see his – So he could wave to his family and play Rage Against the Machine for them. So yeah, that is a thing we're unfortunately well aware of. Yeah, they very easy to pop into. Yeah.

[00:24:58] TJ: They are. So just be mindful of that if you're working on the cure for COVID, everybody’s gambles on Alexa. It’ll get out there.

[00:25:07] CS: Yeah, exactly. Yeah, keep the sales numbers away from the breakfast table.

[00:25:12] TJ: Exactly. Those are just a couple things you can do.

[00:25:15] CS: Yeah. I mean that's great. I had not heard – I had not thought of sort of double partitioning the laptop or having like an alternate sign on. That's a really good idea. Since this is Insider Threat Awareness Month, can we talk a little bit about insider threats? With COVID, again, there's a lot of onboarding of people that's happening with no interaction, no face-to-face communication and people just kind of – Despite all attempts, are kind of left to their own cognizant. So there're a lot of people who are suddenly having a lot of access to things without a lot of people looking over their shoulders. So do you have any thoughts on privileged management in these regards? I mean, obviously it's be vigilant, but –

[00:25:59] TJ: Oh yeah, back to the crystal ball, if we had it, DLP, or data leak protection would have been another one of those things that we probably would have ratcheted up.

[00:26:12] CS: Can you talk about what that is a little bit?

[00:26:14] TJ: Yeah, essentially DLP is – So it's been said the data is the new oil. So every company, basically, data is what's important to them, whether it’s intellectual property, patient records, financial records. This is what allows them to do business and the data is confidential. So DLP allows you to go through basically discover and classify your documents; public, confidential, secret, top secret, government, or corporate entities. But DLP systems will allow you to prevent the improper leakage of confidential proprietary data. And some systems will actually go to the point to let you recall that information if it has been sent out or you can invalidate it so it can't be assessed.

I'd say one of the – Everybody's familiar probably with Box or Dropbox. So instead of you sharing an actual document, you share a link to a document. So you could think about that as being a form of DLP. If you share that link with 10 people and you give them read only access, they can't download it, they can't modify it, manipulate it. And as the owner of the document, you could actually revoke access. So that's essentially what DLP is on a corporate level. There are millions and millions of documents.

Again, DLP, it seems easy, but it's one of those things that's hard. Finding, classifying and tracking all of your documents. But now because email, people emailing documents back and forth, that they may have not had to have a need to do if they were still working in the office. So that's again has been one of those things that there's a lot of lessons learned that are going on right now that I think will make us more secure going forward. But just back to the whole insider threat, you're exactly right with people being on-boarded remotely and some people having too much privilege just because it's easier to give too much than to actually granularly fine-tune it in the absence of privilege access management solution.

So inside a threat is always one of those that most people don't leak information on purpose. But when we look at like the Verizon data breach investigation reports and you see those numbers around inside of threats, those are people who are maliciously intent on taking documents elsewhere. There's a lot of –Even though the economy's relatively – I think employment is still hovering around 9%, 10%, in information security and cyber security, there's still a lot of hiring going on. There's a lot of job and company hopping going on. So you always look at that as people – People like to take things with them when they leave. If I’ve worked on this project and I got all these accolades and I have this nice template or document.

[00:29:35] CS: Take a copy with me. Yeah, sure.

[00:29:36] TJ: I don't want to have to recreate that when I go to my new job. So I might want to borrow that.

[00:29:42] CS: It might even be a thing you tacked on your resume to show them when you were interviewing.

[00:29:45] TJ: Exactly. I might want to borrow that work. So those things it's just still difficult to detect, but we've gotten better in that. But again, with the amount of people that are working remotely, still, if you weren't set up for that pre-COVID, you trying to roll out a DLP program during the pandemic with all your people remote is just going to be a best effort at this point. Just definitely lock down – Well, first, you can't protect what you don't know exists. So find out what your most critical data, your most critical sensitive credentials are and implement some sort of role-based access control, RBAC, to secure those to where only the people that need to access those have the right to access those. And look at the audit logs. The audit logs will tell you whose access what, when.

The unfortunate thing about the log is it's already happened. So if you're going down that path, something has already happened that you're investigating. But even – A lot of companies are in GSuite or Microsoft Office 365, they do have built-in systems that will detect when mass amounts of documents are being downloaded or sent via email to other places. So I would just say utilize the native tools that you probably already have. A lot of security teams including my own had to get creative during this time. So this is a great time to complete those projects that you otherwise may not have had the opportunity to do. And a lot of them are around identity and access management and data governance.

[00:31:39] CS: So it's assumed and hope that things will essentially eventually return to a semblance of normalcy and we're all going to go back to our offices to some degree and in-office work will resume even for a couple days a week or whatever. So what are some strategies that we hopefully learned during COVID-19 that we can take back with us and we don't – Everyone says, “Well, it'd be nice to go back to normal.” but obviously old normal wasn't great because there was a lot of data leak back then. So what are some things that we've learned in the interim that you think we should reapply once we have these more you know more defensive perimeters and so forth?

[00:32:19] TJ: I think one of the biggest ones is that remote work can be successful. People can work and collaborate remotely and be as effective as they were in the office space. What's really missing now is the ability for us to assemble in the office space during those regular intervals to catch up, to chat, to have those brain sessions, those brain dumps. So the physical element is missing. But remote work pre-pandemic, you kind of had two different types of companies. Those that were like, “Hey, it's open, it's flexible.” Then you had companies that it was almost like requesting PTOs. Like, “Can I work from home?”

And I think a lot of that has changed, the perspective of a lot of the corporate executives and seeing that workers do want to work whether they're in the office or remotely. And productivity honestly across the board in most industries for remote work has gone up, because you’re getting the extra two hours a day that people aren't commuting to and from work. So I hope that's one of the big takeaways from, I guess, security control perspective that DLP is important. That your disaster recovery and incident response planning is important. Because, again, we've seen those incidents and phishing attempts go up. And user training is definitely paramount, because now everybody is, again, remote. And if you don't have an aware workforce, they may make those mistakes. They may not have the acumen to inspect that email a little bit with a high-level of scrutiny.

So just training is important not only for your technical people, but for the entire organization. And not just – I call it the Powerpoint by – Powerpoint death, the click exercise. The way that we deliver our security awareness training, we use a gamified approach, and monthly we push out fresh content and little three to four minute videos that are engaging and relevant to the point where if we don't send them out in a timely fashion, the users are like, “Hey, where's the video?” So they're actually asking for the training videos. But just try to use the carrot and not the stick approach of security with your users, because they want to do the right thing. They want to be empowered to help you. So use your employees as, again, that front line of defense for threats, because most of the threats are coming in on endpoints that you no longer have on your traditional network.

[00:35:29] CS: Right. So we want to pivot over to the cyber work side of things here. Obviously, a big part of this is helping people find jobs in the industry and find out more about jobs in the industry. So I want to talk about um this type of work as a job, as credential and privilege management, a job position unto itself, say, in a big company, or is it part of other security positions?

[00:35:52] TJ: I think it's both, right? So you have in security teams or even in, let's say, your traditional IT team, everybody just take active directory. Active directory basically has users and accounts, passwords, groups. So that is a level of privileged access management, because you can assign roles to users, administrator, schema admin, domain admin, those type. So on the, I guess, basic or foundational level, that is privileged access management. For companies that are leveling up their program that do have a solution like ours, back out of secret server, yes, there absolutely is a discipline and demand for individuals who specialize in privileged access management. And that's under identity and access management, because those are kind of tied together now. They're converging, identity and access management, privileged access management, because you're assigning privilege to an identity. So those two kind of have to go hand in hand.

So corporations have privileged access management teams. Consultants that deploy these solutions including Thycotic or any of I think the big four consultancies that are out there. You mentioned some of my previous work as a consultant. I was deploying privileged access management solutions. So yes, absolutely. Discipline of industry. There are certifications from vendors that will get you trained up on that solution. But I look at it as the overall quiver, arrow and a quiver to just make you a more well-rounded security individuals.

[00:37:49] CS: Okay. All right. Yeah, like you say, it really is both. Then you can do a whole meal out of it or you can just have it as a side dish.

[00:37:57] TJ: Yup.

[00:37:58] CS: So what type of person does well at jobs like this? Are there particular sort of soft skills or traits that make people especially good at sort of understanding credential management?

[00:38:10] TJ: I think you have to have a curious mindset, but just a willingness to learn. So I think anybody can learn anything as long as they have a willingness to do so. But it's – I wouldn't say it fits any one personality or individual more than the other one.

[00:38:33] TJ: Is it heavily detail-oriented or –

[00:38:35] TJ: It is heavily detail-oriented. When you get into mapping attributes or defining roles that may apply to a group of individuals. The group may contain 100 people, may contain 10,000 people. And how you deploy the solutions to maximize efficiency. So there is a level of soft skill in there and being able to communicate and ask the right questions. And then you know seek that feedback to make sure that you're in lockstep with your customer, whether that's your internal organization or you're working as a consultant for anything that brought you in to do this. It's a lot of documentation. So the soft skilling is I would say probably is equally as important as the technical side of that, which in IT is kind of a transition coming now to that anyway as far as the documentation side. If things go to the cloud, they need to be documented, because it's just somebody else's computer now, but you still need to document where that is and how it's been configured and set up. And that's one of the things that's also kind of been highlighted during this time. People ask like, “Where's the document to do this? Where's the operating procedure for this?” A lot of times if you sit next to somebody, it's that tribal knowledge. Just like, “Hey, man. Can you help me out with this?”

[00:40:09] CS: Oh yeah. So much of it is oral history or storytelling. Yeah.

[00:40:15] TJ: Right. And now this is a great time to work on that documentation.

[00:40:18] CS: Yeah. Yeah, for real. So are there sort of particular – Can you sort of do privileged access management better than other people? Are there things you can learn that will sort of put you in a more desirable position when applying for jobs or show sort of a personal acumen for doing this? You always hear like when you program a certain thing, like certain programs have a certain style about them or it has a certain elegance to their coding or whatever. Are there things that you can do to sort of like put yourself ahead of other people who might want that same job doing that same work?

[00:40:57] TJ: I think if you have a strong understanding of directory structures as LDAP, active directory, some of the legacy systems out there like it’s on one directory. Br but just having an understanding of identities in itself and how those attributes map back to individuals, role-based access control and how least privileged or having too much privilege can affect an environment. Those are a great foundational tenants, because PAM just layers on top of the structures that are already in place.

So I'll give you an example of that. If you're a consultant and you're going in to implement a PAM solution, the controls that you implement via the PAM solution are only going to be as strong as the underlying directory that you're connecting to. So if that directory is flat and basically everybody's a domain admin, you really didn't accomplish much on the RBAC side of that, because people still have too much access. So it's understanding that and being able to deconstruct it and provide a better way to break that out and map it out in a security model that doesn't introduce friction and keep people from doing the jobs that they were hired to do, but makes actually their jobs easier based off some – Maybe it takes some re-architecture of their active directory or building out a new forest or something of that. But just having that understanding of how the underlying connectivity and systems and data stores will tie into and feed a PAM solution.

[00:42:43] CS: Okay. Can you give me a sense of like – There're a lot of sort of ladders to the top, shall we say, but what would be sort of like the job position prior if you were working towards a job in sort of credential management and stuff like that. what would be the job you would do before that. And then what is your sort of end point? Are you aiming for CISO? Are there sort of like levels above on privileged manager that you want to sort of work towards?

[00:43:13] TJ: Right. I was system administrator, network administrator. I mean the help desk analysts are often on the front lines of IT. So they get to touch a whole bunch of different systems. So a lot of times they have a broad skillset that they can feed into a lot of different places in the organization. But I’m going to throw one out, math teacher, and the reason I throw out math teacher is a couple of jobs ago I hired a young lady who's a math teacher and she wanted to be a security consultant. She's like, “Cool!”

So we trained her. I mean she picked up everything very quickly and she quickly excelled security consultant, senior security consultant. And now she's a security architect for a major, like top five bank. So you hear a lot about the skill shortage in IT.

[00:44:16] CS: Right. Oh, we're talking about all the time.

[00:44:19] TJ: I think if we broaden the scope of who we're actually recruiting and hiring, that skill shortage would evaporate overnight.

[00:44:31] CS: Yeah. Yeah, I’m with you. I think a lot of that – Yeah, we talk about that a lot about, the importance of not looking for unicorn candidates and people getting every cert and every kind of thing like that. So as we start to sort of circle the landing here, where do you see cloud security going in the next five years pandemic or no?

[00:44:50] TJ: It's only going to increase. As more companies now have been forced to really re-evaluate where their workloads live the, companies that haven't already started that transformation to the cloud are actually going to kick it into high gear. And sometimes people forget to share a responsibility model for moving stuff into the clouds. It’s like, “Hey, just because you put your stuff in Amazon, Microsoft or Google Cloud, they have no security for the physical data centers that your stuff is in. But from the application layer up, the responsibilities on you to secure those. So those skillsets are increasing in demand and it's only going to keep growing as more of these traditional companies that had legacy systems are going to start migrating their systems to the cloud. That means developers are going to be writing new code. They're trying to adapt, rewrite, rework code that's going to go into the cloud. So it's really going to be a team effort from developers, security, the cloud architects, cloud administrators. But security is going to be everybody's job. So it's only going to increase.

[00:46:05] CS: Yeah. Yeah. No. I think you're right. So as we wrap up today, tell us a little bit about your company, Thycotic, and some of the projects or products that you're working on that you are interested and excited to talk about right now.

[00:46:18] TJ: Sure. Well, Thycotic, we're a PAM company. We prevent cyber attacks by securing passwords, protecting endpoints and controlling application access. And we have more than ten thousand customers. So basically from the endpoint to the cloud we have access solution that will you on your PAM maturity. So as far as projects that I would say that I’m working on that I’m excited about that I can actually share is we're undergoing a massive, I guess, security rebuild of the internal architecture and workings, because we are a cloud company. But just optimizing the way that we run our security operations. And the focus has really been on people and processes and technology has kind of been last, because all the technology doesn't really mean a lot if you don't have the right people and process it. So the focus has really been on getting the right people in the right seats and then you're flushing out those processes.

But I’m a builder by nature. So I like building things. So just building out a world-class robust security operations center that provides internal security for our corporation, but more so for our partners, which I call our customers, our partners who trusted us to secure their crown jewels, their credentials. So that that's what excites me and gets me up every day is providing that world-class security protection not only for my internal people but for our customers.

[00:48:09] CS: Oh. Yeah, love to hear it. So last question, if people want to know more about Terence Jackson or Thycotic, where can they go online?

[00:48:17] TJ: Sure, www.thycotic.com is our website. Or if you want to reach out to me directly, you can find me on LinkedIn or on twitter, which my Twitter handle is TJackson78.

[00:48:30] CS: Okay. Terence, thank you so much for being on Cyber Work. This is a real blast.

[00:48:34] TJ: Thank you. I appreciate the invitation.

[00:48:37] CS: And thank you all today for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of these videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. As a reminder, as I said in the video at the top of the show, to download our free Wild Wild Net security awareness campaign, which includes posters, infographics newsletters, email templates presentations and more to keep your employees safe, go to infosecinstitute.com/ncsam2020. That's infosecinstitute.com/ncsam2020 to go get it all.

Thank you once again to Terence Jackson and thank you all today for listening and watching. We'll speak to you next week.