The 7 Layers of Privilege Management
- Anirban Banerjee, Ph.D.
anirban@onionid.com
HELLO!
I am Anirban Banerjee.
Founder and CEO of Onion ID.
https://www.linkedin.com/in/anirbanbanerjeephd
Current Status
Challenges
Solutions
Current Status
• Laptops
• In-house servers
• Mobile devices
• Cloud servers
IT Landscape: The Landscape is Changing
Why is the Cloud Popular
• Shift in Capex to Opex
• Cost savings – 25% on avg.
• Employee mobility
• Easy access – 49% on avg.
• Scaling is easier
• More efficient – 55% on avg.
• Time savings
• More time to innovate – 31% on avg.
• Choice – no traditional vendor lock-in
SAML & SaaS
• Less than 25% of corporate apps have SSO support
• Less than 1% of all SaaS apps understand SAML
• Passwords are here to stay!
Mapping User Roles
• How to map to 3rd party SaaS apps?
• SAML assertions – weak support.
• No magic bullet
What is Privilege
Privilege Management
Privilege Management is not just Access Control
PAM - 100% Coverage: Web Apps, Servers and Containers
PAM - Layers
Shrek: Ogres are like onions.
Donkey: They stink?
Shrek: Yes. No.
Donkey: Oh... they make you cry.
Shrek: No!
Donkey: Oh, you leave 'em out in the sun, they get all brown, start sproutin' little white hairs.
Shrek: NO. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers. [sigh]
Donkey: Oh, you both have layers. Oh.
PAM has layers. Onions have layers. We both have layers. Get it?
PAM - The 7 Layers
• 2FA on Apps and Servers
• SaaS PAM
• SSH Session Control
• Secret Storage
• Access Sharing
• Reporting and Audits
• Server PAM
Evolution of PAM
PAM 1.0 – Crawl
• Password vaulting
• SSH key rotation
• Video session recording
PAM 2.0 – Walk
• Rights management
• Time-based checkout
• Credential rotation
PAM 3.0 – Run
• SaaS PAM
• Adaptive authentication
• Automated auditing
Challenges
Hard Problems
• Privileged Access Management
  • Full control over who has access to what and when.
  • Real time and intuitive
• Vigilance
  • Keep track of user activity
  • Receive alerts for anomalous behavior
  • Gain complete visibility through detailed reports
• Secrets management
  • API/machine to API/machine authentication
  • API keys in code
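The "API keys in code" problem above has two halves: finding credentials that were committed, and giving code a way to obtain them that does not involve a literal in the source. The following is an added example, not code from the deck or from Onion ID; the sample module, the key values in it (constructed, not real credentials) and the entropy threshold are assumptions chosen for illustration. The detector is generic: it recognises the published AWS access-key-ID shape plus any `key`/`secret`/`token`/`password` assignment whose quoted value looks random, and the loader fails closed when the secret is absent from the environment.

```python
"""Added example: detect API keys committed in source and load them from the
environment (or a vault-backed mapping) instead of a literal in the code."""
import math
import re
from collections import Counter

# Constructed sample module that embeds credentials the way the slide warns about.
# Both key values are made up for this example and are not real secrets.
SAMPLE_SOURCE = '''\
import requests

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "sk_live_EXAMPLE7q3Lm9zRt2Kv8WbyH4pN"
DEBUG = "true"
timeout = 30

def call(url):
    return requests.get(url, headers={"X-Api-Key": api_key})
'''

# Pattern 1: AWS access key IDs start with AKIA followed by 16 upper-case letters/digits.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Pattern 2: an assignment whose name looks like a credential and whose value is a
# quoted literal of 8+ characters; the entropy check below drops values like "true".
ASSIGN_RE = re.compile(
    r"""(?i)\b([A-Z_]*(?:key|secret|token|password)[A-Z_]*)\s*=\s*["']([^"']{8,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above ordinary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per source line that appears to embed a credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if AWS_KEY_RE.search(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id"})
            continue
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append({"line": lineno, "kind": "generic_secret", "name": m.group(1)})
    return findings


def load_secret(name: str, env: dict) -> str:
    """Fetch a secret from the process environment or a vault-backed mapping and
    fail closed if it is missing, so a default never silently takes its place."""
    value = env.get(name)
    if not value:
        raise KeyError(f"secret {name!r} not provided; refusing to start")
    return value


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']}")
```

Run as a pre-commit hook or in CI, a check like this turns the hard problem into a visible, auditable finding; the loader is what the remediated code calls instead of the literal.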
• Reports and Auditing
  • Compliance is complex; disparate systems
  • Continuous auditing is necessary
Strategies
• Layer on top of existing services
• Dynamic Privilege Management
• SSO, NAC, CASB
• Deployment
User Fatigue
2FA = Friction
• Entering 8-digit codes
• Carrying hardware
• One-time passwords
• Multiple IDs
Happy Users
2FA ≠ Friction
• Air-Signature
• Touch ID
• Proximity
• Geo-fencing
Use Case
• What can an employee see?
• What can an employee click?
• What can an employee fill?
• What can an employee download?
Solution
• Command Filtering
• SSH Key Management
• Session Recording
• URL Filtering
• Action Filtering
• View Filtering
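Command filtering for an SSH session, the first item in this solution list and the core of the "SSH Session Control" layer, comes down to an allow-list per role, a deny-list of argument shapes, and an audit record for every decision so the reporting layer has something to report on. The block below is an added example written for this page; it is not Onion ID's product code. The roles, users, programs and patterns are constructed, and the policy is evaluated in-process rather than wired into an SSH proxy.

```python
"""Added example: role-based command filtering with an audit trail, as an SSH
session-control gateway would apply it before forwarding a command."""
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowed: dict          # role -> list of regexes matched against the program name
    denied_args: list      # regexes blocked for every role, matched against the full line
    audit: list = field(default_factory=list)

    def evaluate(self, user: str, role: str, command: str) -> bool:
        """Allow-list the program, then deny-list dangerous argument shapes.
        Every decision, allowed or not, is appended to the audit trail."""
        try:
            argv = shlex.split(command)
        except ValueError:          # unbalanced quotes: refuse rather than guess
            argv = []
        decision, reason = False, "unparsable command"
        if argv:
            prog = argv[0]
            if not any(re.fullmatch(p, prog) for p in self.allowed.get(role, [])):
                reason = f"{prog} not allowed for role {role}"
            elif any(re.search(d, command) for d in self.denied_args):
                reason = "blocked argument pattern"
            else:
                decision, reason = True, "allowed"
        self.audit.append({"user": user, "role": role, "command": command,
                           "allowed": decision, "reason": reason})
        return decision


# Constructed policy: read-only staff get inspection tools, operators also get
# service control; sensitive files and shell chaining are blocked for everyone.
POLICY = Policy(
    allowed={
        "readonly": [r"ls", r"cat", r"tail", r"grep"],
        "operator": [r"ls", r"cat", r"tail", r"grep", r"systemctl", r"journalctl"],
    },
    denied_args=[r"/etc/shadow", r"\brm\s+-rf\b", r";|\|\||&&"],
)


def run_session(policy: Policy, user: str, role: str, commands: list) -> list:
    """Evaluate a sequence of commands and return the per-command decisions."""
    return [policy.evaluate(user, role, c) for c in commands]


if __name__ == "__main__":
    run_session(POLICY, "alice", "readonly", ["tail -n 50 /var/log/syslog",
                                              "systemctl restart nginx"])
    for entry in POLICY.audit:
        print(entry)
```

The audit list is what the "Reporting and Audits" layer consumes: denied attempts are as useful as allowed ones, since repeated denials from one account are the anomalous behaviour the Vigilance slide asks to be alerted on.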
Conclusion
• 2FA on Apps and Servers
• SaaS PAM
• SSH Session Control
• Secret Storage
• Access Sharing
• Reporting and Audits
• Server PAM
• Fine-grained control – SaaS PAM is important.
• Session recording for compliance and security.
• Secrets management – an emerging area.
• Reports and auditing – need a continuous process.
• Simplify the 2FA experience – reduce friction.
THANK YOU!
www.onionid.com
anirban@onionid.com
Tel: +1-888-315-4745
https://www.linkedin.com/in/anirbanbanerjeephd