Interview: CA Technologies talks privileged access management
At CA World last week we got the inside scoop on security and privileged access management with Mike Dullea, CA Technologies senior director of product management for the privileged access management portfolio and Lim Teng Sherng, CA's VP of security for Asia Pacific and Japan.
CA Technologies has enhanced its focus on security as part of its mission to enable what it calls the Modern Software Factory.
Teng Sherng says that CA offers an integrated security suite. That suite covers areas such as single-sign-on to authentication and identity governance.
It also covers privileged access management, also known as PAM. He believes that is a key area where the company can strengthen its position in the identity and access management space.
“Together with the acquisition of Veracode earlier in the year, that strengthens our position. We're looking at the market in terms of where the biggest risk would be. Beyond risk we're looking at where we can help our clients gain competitive advantage,” he says.
Dullea explains that from a thematic level, there are three key themes in security: data breach prevention, hybrid enterprise protection and ecosystem integration.
“Anything we do is around data breach prevention and hybrid enterprise protection for a mix of on-premise, SaaS applications and virtualised platforms. We need to be able to protect all of that.
“For the hybrid enterprise products need to be cloud ready, developer-friendly and analytics driven. For privileged access management we're heading towards automation that will be able to identify what the risks are,” Dullea says.
Ecosystem integration surrounds the concept of ensuring customers received controlled access management quickly and in a way that fits their own ecosystem.
Teng Sherng notes that the Asia Pacific region is a diverse mix of economies that are at different stages of the maturity cycle. Australia, Singapore and Japan.
“Risk is different in those different countries. I think the biggest risk is mindset. It's the perception of what they are doing currently versus what they really have and versus what's out there.
Dullea says the biggest risk is not knowing what your risk exposure is in the first place.
“With PAM the very first conversation we have is ‘I need help to figure out where those privileged credentials reside and who has access to them because I have no idea'. It's about identifying what that exposure is.
“The second thing is that if you look at the cost of a data breach. The most expensive type of breach is the insider threat. Customers are most concerned about figuring out who they are. If you think about analytics-driven solutions where you're monitoring the person who's accessing the credential. You understand what their behaviour is and then you identify anomalies and the risk,” Dullea continues.
“You can then perform automated mitigation around that. If you have something like that in place, it's one of the most powerful things you can have you can protect against an insider threat or data breach.
Dullea explains that it's not just the insiders organisations need to consider. External contractors can also access systems. Often those are privileged credentials. “Sometimes it's unintentional but damage can be done. Organisations should have a zero-trust approach.
Teng Sherng adds that if a security system is too restrictive, it can stop customers and partners coming back to an organisation.
“The service experience is important so we have to balance those things. Trust on one hand and ease of use on the other. That is where we will always continue to strive for.
Anomaly detection and machine learning often go hand in hand – but how is it important to CA?
“One of the key things of our strategy going forward is about being analytics-driven. It is about understanding what is going on and leveraging the historical data to figure out what the possible risks are and taking action on those risks,” Dullea says.
Teng Sherng adds that analytics are useful but it's not all about risk management.
“Security helps the customer experience. If an organisation is less risky in terms of identity for example, we let the whole experience be a lot more seamless. If there is a high risk person coming into a system, there is obviously security in place.
Dullea says that in future CA Technologies will be honing its hybrid enterprise support in the months ahead.
“We have platform support for AWS and VMware. Beyond that, the number one item on the list is Microsoft Azure. We're also concentrating on DevOps and DevSecOps as part of the Modern Software Factory,” Dullea says.
Security and automation must be in place so the developers can deliver value faster. That means integrating products and third party tools such as vulnerability scanning.
Teng Sherng says that for DevOps environments, the key is integrating security as early as possible instead of facilitating a ‘built-on' system. This makes security an integral part of any development process.
He says security and agility are part of what CA products are designed for.
“Security fatigue is also in the market. There are so many security events coming in and only so many resources in a security operations centre to manage some of this. In future, automation and analytics will also become part of the process to manage that fatigue,” Teng Sherng concludes.