CISSP Cyber Training Podcast - CISSP Training Program

CCT 324: How Least Privilege, Need-To-Know, And PAM Actually Reduce Real-World Risk

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 324


A router headline can feel distant until it lands in your network plan. We start with the growing chatter around possible TP-Link restrictions and what that means for ISPs, small businesses, and anyone balancing budget against risk. Then we roll up our sleeves and walk through the operational controls that actually hold the line when attackers probe, insiders slip, or vendors fail to deliver.

We break down principle of least privilege with practical steps: role-based access control reviews, automated provisioning tied to HR changes, and audit-ready logging that trims lateral movement without choking productivity. From there, we layer need-to-know onto data itself—classification that means something, ABAC for context like location and time, micro-segmentation to narrow reach, and data masking to reveal only what’s required. These moves reduce curiosity-driven access and keep sensitive information from leaking when an account gets compromised.

Money moves and high-stakes changes demand stronger gates. That’s where separation of duties and two-person control come in. We map how to split initiation and approval for transactions and admin changes, keep monitoring independent from administration, and add automation that routes approvals fast. To surface blind spots and fraud, we add job rotation and mandatory vacations—planned, documented, and measured to keep continuity while fresh eyes catch issues. For the riskiest identities, we get specific about Privileged Access Management: vaults, rotating credentials, and session recording that start with domain admins and expand carefully, with legacy integration checked up front.

Because third-party risk is your risk, we close with service level agreements that matter: clear scope, measurable uptime and response times, remedies that bite, data ownership that’s unambiguous, and explicit audit rights. Everything ties back to inventory discipline and a replacement roadmap, so regulatory shifts don’t turn into fire drills. Subscribe, share this with a teammate who owns access controls, and leave a review with the one control you’ll tighten this week.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Welcome And Holiday Banter

SPEAKER_00

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Hey, I'm Shon Gerber with CISSP Cyber Training, and I hope you all are having an awesomely blessed day today. We are on the short final for Christmas. So yeah, baby. If you like Christmas, you're almost there. And then the new year, and then we're into 2025, and it's just incredible to believe that another year has gone by so stinking fast. It's just crazy. But they just keep on burning by, and I keep getting younger and younger every year. Yes, that's what I tell myself, but unfortunately the mirror doesn't lie. But that's okay, because you know what? You aren't here to hear about my beauty secrets, because you're here to learn about CISSP. So that's what we are going to talk about today. But before we do, right, we have our news article we kind of get into. And this one I actually anticipated coming a while back, and I'm kind of surprised that it's taken this long. We'll see how this plays out, because, yeah, TP-Link is the article that we're gonna be chatting about just a little bit today. And if you all have any sort of router within your home or any sort of networking gear, in many cases you probably have a TP-Link router. And that would also include aspects around some of the smart things, you know, like your light switches, little outlet plugs, you name it. All those kinds of things are tied to TP-Link. And one of the main reasons why is because the Chinese have flooded the market with cheap electronics, especially as it relates to some of this Wi-Fi gear.
And in the past, these have been incorporated with some various hacking techniques that have occurred, and we've all known that at some point in time the Chinese government does probably have some level of influence on the Chinese manufacturers of these products. Now, no one can guarantee or say that for sure, but there's just some level of understanding that that might be the case in this situation. Now, does that mean that the U.S. government isn't doing that to other companies as well? Very possible. Other countries and their products, it's very possible. So, you know, who knows how this all is playing out. But at the end of this, the article is talking about how they might be banning TP-Link routers in the United States. Now, one thing that I think for us individually is living in our homes is one thing. But an interesting part is that they've had these various routers shipped out to various ISPs throughout the United States, throughout the government, or, well, actually throughout the world. But at least in the United States, there's over 300 ISPs, and then two of the top five on ZDNet's best Wi-Fi routers list are TP-Links. I will say I've used them, I've had them in the past, and you know what, they work really, really well. You plug them in and play them and you're in business. Obviously, with that, you have to decide what's the risk versus reward. If somebody hacked into my home, well, whatever. That isn't such a big deal, because I really don't have anything for anybody really to pay much attention to. That being said, if it was my company, I don't know if I would have a TP-Link router in there just because of some of the issues that they have had in the past. And so that's just something that you need to consider. So if you have a business and you utilize these TP-Link routers, it may be something that you're gonna have to address here in the near future.
Now, the article talks about whether the government is gonna come out and say you must rip and replace all of these TP-Link routers. The article's basically, and I'm kind of going along the lines with that person, saying that no, you probably will not be doing a rip and replace. That being said, they will probably put mandates and some compliance aspects to this where no future TP-Link routers can be purchased. And because of that, then you will have a more expensive version that you'll have to put within your network. And we all know this, that when you put more expensive equipment within your network, somebody has to pay for it. And how does that work? Well, it affects your bottom line, and then therefore it gets passed on to the customer potentially. So it's an area that we knew was coming. I mean, I've seen it coming for years now, just because of the fact that there's been so much concern within the various governments about the electronics being sourced in country. So the foundries, the chips, the equipment themselves, all being sourced within the country that they're coming from. And it allows some level of control over that. And you've also seen this here in the United States: there's lots of new chip manufacturers rolling into the United States, creating indigenous chips versus having them outsourced to places like Taiwan, Japan, and Korea. Now that still is going to continue, but some of what's more critical will be kept here locally within the United States. Living in Wichita, Kansas, there's actually two chip manufacturing facilities that are being built just down the road from us. Integra is one. It might be the same company under two different locations. But that being said, this is an area that you're going to be dealing with.
So if you're in the cybersecurity space, get ready, because you may have some senior leaders coming to you and saying, what do I do with this TP-Link router? Now it says it's a hacking problem. And then you're going to have to work through this whole risk versus reward aspect and then come up with a compliance strategy on how you want to mitigate this risk long term. Again, this is something that you're going to have to address and deal with. And if you are leading your organization through your inventory, which we talk about routinely on CISSP Cyber Training, the question is: do you have a good inventory within your network? And if you have a good inventory, maybe it would now be a good time to go check out and find out how many of these TP-Link systems you have, and maybe, just maybe, get ahead of the bow wave a little bit on this, get a little bit ahead of the curve, and maybe start planning for how you're going to replace these. And if they are in critical locations, how would you best do that? Because again, you're going to have to deal with outage windows, you're going to deal with all kinds of nuances, especially if these systems are in critical positions. Now, if the government comes out and says, no, we're not going to ban those, then you know what? Then it's up to you. Is it risk versus reward? Do you want to just invest in some different equipment and then understand that at some point this probably will come back up again, or are you just going to ride it and see what happens? Again, your margins are small, and I know your IT budgets can be a bit of a challenge. So you need to really kind of weigh all that out, basically, what's going to happen with you and your company. So just a piece of information, food for thought. Use it as you see fit. Okay, so now let's get into what we're going to talk about today and the various aspects around 7.4.
We're going to be applying foundational security operations concepts, part of the CISSP. And again, if you have an ISC2 book, I would highly recommend that you have one. Also the study guides that go along with it. And this is taking it out of, I think it's chapter 16, if I'm not mistaken. But 7.4 is a big part of the current version from ISC2. Now, I say that it's in chapter 16 today, but when a new version comes out, you guys all know I get a lot of questions going, do all my products meet the current 2024 guidelines? And they do. The one good thing about the recent changes is they've been very, very small. So I was able to make some very minor tweaks to it. But as of right now, as of the making of this training session, or podcast, I should say, it is dealing with chapter 16 for 7.4. Okay, so again, 7.4, applying foundational security operations concepts. Okay, we are going to start off this wonderful adventure with the principle of least privilege. Now, I saw this out there as far as an acronym of POLP. P-O-L-P. POLP. Yeah, not pulp, like the tree pulp, but POLP. I can't say it. But principle of least privilege. So if you're dealing with any sort of security aspects, principle of least privilege is an important part of your security program. And you really need to consider this as you go forward. And you are going to be mandated to have it depending upon what your regulatory requirements may be. Now, the reasoning around this is that users, processes, and systems are granted only the permissions necessary to perform their specific task. Again, only what they're supposed to do. Nothing more, nothing less. That's the ultimate goal, is to keep it very limited, and it restricts the access to minimize potential damage from an unauthorized use or a breach. Now, there's some benefits and challenges that are going to roll into this.
Just like with anything else, there are pros and cons. Now, the benefit of this is it reduces the overall attack surface. This limits where people can exploit. Now, we talk about the guys living off the land, the bad guys and girls, and what they're doing: they try to get in and live off the land, and they will then migrate throughout your organization. Well, this reduces the ability for them to do that, because if you have the principle of least privilege, then they're only allowed whatever the credentials they were able to steal allow. And if those credentials that they stole were limited, then they're limited in what they can do within your organization. So it does limit the opportunities for exploitation. It does also minimize the insider threat. So again, if you have an individual who is an insider risk problem, that's decided to go rogue and is just going to be ornery, then what ends up happening is they try to gain access to different systems. But if you have the principle of least privilege in place, it limits them to what they actually have access to. Now, this comes down to being a bit of a challenge, though, in that people with IT credentials typically have much more access to things. So you need to also watch them very closely with the principle of least privilege. Compliance, again, this aligns with various regulatory standards out there, GDPR, HIPAA, PCI DSS, and they keep coming. There's more regulatory requirements on the horizon. So just anticipate and plan for that. Now the challenges are over-provisioning due to improper role assessment. What does that mean? Well, say you assessed Shon to have access to Y. So you gave Shon access to Y, but he really only needed access to A. So you gave him access to a whole plethora of different things because you weren't really true on his role assessment.
And so therefore he has much more access than he should. So that's over-provisioning. Now, also you've got to balance out the security with the operational efficiency. One of the big areas you're gonna run into is the more you tighten down these credentials for least privilege, the more you limit what people can do. It causes more drama with your service desk, it also causes more drama with the business leaders, it just brings drama. And you know what? I don't like drama. And a lot of people don't like drama. So what do they do? Open it up, baby. Just let people have the access they need and don't worry about it. So again, it can cause some challenges there. And then also frequent role and permission updates as responsibilities change. I can't speak. No, but what it comes down to on that is that your responsibilities change in your role and you should have more access. Well, there's a whole litany of things you have to go do to get the access you want, and then it causes more drama. So again, it can cause drama. We want to avoid drama, but we need a little bit of drama. Implementation strategies. You should conduct role-based access control reviews. So RBAC, right? We talked about RBAC a couple of podcasts ago, but one of the things to consider around RBAC is the fact that you should understand what are the roles that people should have within your organization. And then you should look at those reviews and make sure those match up with what they're supposed to do. The other thing is to automate privilege provisioning. Now, this is an interesting part that you will have, and I would highly recommend it. There's lots of different companies out there that will do this.
It can be very challenging to implement, but if you do it, then what ends up happening is as people roll into new roles, move into new roles, they will automatically be provisioned with the right accounts and the right sort of access they're supposed to have. This does take someone to manage it. It does take some complexity when you build it. However, when you do build it, it's going to make your life a whole lot easier. So when you decide to deploy this, understand that the program you set up is going to take a while to do. But once you do it, if you follow through with it, you'll be very, very happy with it. And then use tools for permission auditing and logging, right? So you always want to have the different tools out there so that you can log and audit everything that's happening within your organization. Need to know. Okay, so the need-to-know principle restricts information or resources to what individuals actually require to perform their job. So when I was in the military, you had a need to know certain criteria. So if you had a clearance that gave you top secret clearance, just because you had a top secret clearance doesn't necessarily mean you had the need to know that information. So it's one more level of compartmentalization around the data. And it does help a lot. Now, is this always followed? No, but it is a really good principle to follow as much as you possibly can. And it emphasizes limiting the dissemination of sensitive or classified data. You'll see a lot of need-to-know within the US government, within the militaries. I'd suggest not just the US, right? The Chinese, Russians, everybody pretty much has this need-to-know thought process, but you want to limit that to just the roles and justify the access.
Now, some objectives to consider: it minimizes the risk of potential data breaches, incidents, and so forth, and it limits your overexposure of the data. Talking too fast gets you into trouble. Enhanced confidentiality, obviously: it protects your data to ensure it's only shared with those that are essential to the task, and then it helps you meet the regulatory requirements that, like we talked about earlier, continue to grow with the various aspects around it. Now, some implementation strategies around this would be information classification. To make this happen really well, you do need to have a good information classification or data classification strategy in place. Now, this includes public, internal, confidential, top secret, secret, that kind of thing, right? So if you have something like that in place and ready to go, and you follow it and you have the guidelines that are set up and you also have someone to help manage it, your need-to-know process will work very well, okay, or has the potential to work very well. Now, it does apply restrictions based on the classification level, like I mentioned earlier, secret to top secret. But realistically, you need to have a good data classification strategy in place. You also have to have access control mechanisms. We talked about RBAC. And then another one that we've mentioned here on the podcast is attribute-based access control, or ABAC. And this is where contextual factors such as location and time of access can be added to it. So this is another part that you can have. Again, if Shon has a need to know, but Shon's identity is logging in from Seoul, Korea, and Shon lives in Wichita, Kansas. Yeah, there's a problem. Maybe Shon's on a trip to Seoul, Korea, but if it's showing up in my daughter's hometown of Kampala, Uganda, yeah, probably not. Don't go there very often.
So something to consider there. Now, some other areas you need to consider in the implementation strategies are granular access permissions. This ensures that all access is assigned to the smallest possible scope. This includes micro-segmentation, and it can restrict access within these various networks. Another piece is data masking. I've done this multiple times with various tools, and the tools may have it inherent within them, or you may have to invest in another third-party tool to do the data masking for you. Now, it presents only the necessary portions of the data to the authorized users. And one of the examples in the United States is social security numbers. Could be your identification number of some kind. And you know what? To me, it shows my ID, but if it was my wife logging in, it would only show maybe the last four of my social security. So those are different pieces around data masking. It also goes into the zero trust principle, where it verifies access and requests dynamically to ensure no unnecessary privileges are allowed. Again, it works really well with need-to-know. Now, again, we talked about benefits. Security posture, awesome. Enhanced focus. Again, employees are not distracted by irrelevant information or the fun, juicy facts, like going from secret to top secret. I get to know all the details. Yeah, you keep that to a minimum. And the cool part on this is it does help: if you teach your people this and you have a good program, then your individuals become the watchers for you. I've had multiple times where I've been in a classified briefing and somebody just shows up and we're like, who are you? What are you doing here? Why do you have a need to know? And we would ask them and challenge them and then boot them out of the room. And that's the whole purpose, right?
So just because Billy Bob has a clearance doesn't mean Billy Bob needs to come in and watch what's going on, because it's not relevant to them. And this is the part where you teach your people so that they learn that if somebody shows up that is not part of the overall organization, or not part of even that specific, in our case, mission, they're gone. Adios muchacho or muchacha, whatever you want to choose. So it works really well. And then it also helps support audit and accountability. It limits access, ensures only authorized individuals are able to gain access to it, and they're responsible for their specific actions. So again, need to know. Now we're getting into separation of duties and responsibilities. Now, separation of duties, this is critical around dividing up tasks among multiple individuals to prevent conflicts of interest, right? And reduce fraud or errors. Now, when you're dealing with separation of duties, I've had this multiple times dealing with sending money. Money's a really good example of this. Where you have individuals that have the ability to wire funds to a certain location. But what you want to have set up is the separation of duties that if Shon has the ability to say, yes, send one million dollars to Shon's bank account, then there has to be a second person to say, yeah, no, I don't think so, because that doesn't help our company. So I've caught so many times, not me getting caught, because I wasn't a fraudster, but caught people trying to defraud our company, in the fact that what they would do is they would send an email, basically it's called a business email compromise, and they act as our CEO saying, I want you to send money to X, and they send it to the right person who has the control, and this right person goes, oh, okay, this is the CEO. This is out of the ordinary, but okay, sure, I'll send a million dollars to X.
And then the second person who is in that chain of command that deals with the overall separation of duties goes, no. No, he did not say that. This is not him. Why are you doing that? So there's that second person, right? It works really, really well when you're dealing with the finance side of the house. It also works really well within IT, and this is separating system administration from security monitoring. Again, you don't want the security monitoring folks to have access to all of the system administration. And I've seen this happen where, because of lack of people, they will do this. And I understand the reasoning, but if you're going to have the watchers of your network have full access within your network, then you need to have a level of oversight on that. You need to have some level of overwatch, you need to have Sauron, the big eyeball, watching everything that's going on, because you never know: people can do stupid things, or their accounts can do stupid things. And so it's important for you to keep tabs on that. Now, the implementation: you need to define the processes and identify the points of potential compromise. Again, understanding your processes is an important part of all of this. If you don't have your processes defined and written down, this will fall apart. So you need to make sure you have that done. You need to review and adjust your duties to reflect these changes, and then you need to use technology as much as you possibly can to help you deal with these, enforce these SoD policies. I've done that, where they didn't have it in place, we helped them put in a good automation step, and it was as simple as emails, but it was a very specific email that went to a very specific person with big red flashy letters, and it forced them to go, oh wait, this isn't right. So again, it's a really important part in your overall separation of duties, responsibilities, tasks. Two-person control.
Okay, this is where you launch nuclear weapons to annihilate the other user. Yeah, no, well, but it could happen that way. This is where you have two individuals who either approve or execute critical tasks. So, what that basically means is, like in the case of when I was in the military, if you were going to drop a weapon in anger, I had the ability to do that on my own, but you had a certain level of sequences that you had to state before you did drop that weapon in anger. And so you would go, am I clear to proceed? You are clear to proceed. Okay, we're clear and proceeding, we're engaging the target. Target's engaged, we are flipping the switch, flipping the switch. You know, you have people that are responding to you as you are doing these various tasks. And so therefore, they are consenting. They may not have their finger on the switch to push at the same time as you, which the nuclear codes do, but they are consenting by their verbal accountability. Now, if they didn't come back, you would question: wait a minute, am I cleared to proceed? Am I cleared to proceed? If you decide, hey, I'm gonna drop this thing in anger no matter what, anyway, well, then yeah, you could do that, but there's consequences for that as well. So, again, that's the whole point, is that you have to have two people to approve or execute the critical tasks. You need to have two people, at least two people, to agree. Again, we talked about nuclear launch codes; access to sensitive data, you know, physical or logical systems, may require dual authentication. So if you're going into maybe a data center and it's a restricted data center and you want to get into it, well, you have to take a buddy with you, and your swim buddy comes in and you go in, and your swim buddy lets you in. So now you also have dual authentication. Financial transactions, we kind of talked about that as well a little bit earlier.
Again, it helps mitigate some of the insider risks by requiring multiple individuals to be involved. And you have to have multiple individuals colluding to really make things go sideways. And if they collude, what ends up happening is if there's more people involved, better chances people are going to get caught. So it works really well. But the downside is, yeah, it can slow operations down substantially. Right? If you're going, hey, can I flip this switch? Let me go check with Bob. Okay, Bob says maybe. Okay, what about Bill? Bill says yes. Okay, I'm gonna go flip the switch. I can flip the switch now. Yes, you can flip the switch. That took like way too long, right? So if you have to do a lot of these flipping switches, it could really interact and cause problems with your operations. And then it adds more people, right? If we've got to add another person to get approval, you now have to pay that person and put them on the payroll. Job rotation. What is job rotation? It means I'm tired of my job, I'm quitting and moving on. Well, that's a job rotation, right. But this job rotation is one within a company where you decide, you know what, we're going to have Bill, who's been in charge of finance, now gonna go work the loading dock. And the loading dock person is gonna go work finance. You hope the loading dock guy understands finance, because, yeah, that could really be bad for your company. But let's say he does or she does, then you want them to go do that. The ultimate goal of this is that your employees will periodically rotate through different roles in your organization. It reduces fraud, because what happens is it keeps that one person from having long-term control over a single process. That person's been with the company for 35 million years and they know everything about it and where all the dead bodies are, and they know how to move money around.
And oh, by the way, they can move money around pretty quickly without anybody knowing. And guess what? Oh, Gina's up for a new promotion and she doesn't get it. And now Gina wants to retire, so she's just gonna take a little bit of cash for her own well-being. Yes, that's when it happens. So you have employees that are then rotating in, and they can see, well, hey, Gina's been funneling off some cash a little bit here and there to her birthday party. And by the way, it's now up to about $20 million in her birthday party. Wow, that's gonna be a heck of a big birthday party, right? Nothing like Jeff Bezos, but it's gonna be good. So it identifies the potential insider threats through diverse oversight, and again it comes down to understanding the different roles. Now, again, like we mentioned, the truck driver or the warehouse loader needs to have the same skills as the person in finance and vice versa, because if you're just putting people in different roles, you're gonna add a lot of drama, and we all hate drama within your company. You implement this through rotation schedules to ensure knowledge transfer. You avoid rotation during critical phases. Obviously, if you're gonna have a turnaround or if you're gonna have a shutdown or anything like that, you don't do this. Use logs and monitoring to ensure that there's operational continuity. Continuity. Yeah, it just stays good, right? You have operational contingencies set up. Yeah, that's a big word. I can't say that one. All right, mandatory vacations. This is where you force people to leave and hopefully they come back. But you're telling them, oh, by the way, Bob, you never take any vacation. You are now taking two weeks. Have a nice day. And the purpose of that is that others can handle their job in their absence, and then, just like we did before with job rotation, they find out potential fraudulent activities. And again, this is a big part.
It also helps reduce burnout and improve employee well-being. Again, though, I say that: this is something the book talks about, and I've heard people say that, but change is hard for people. People do not like change. You need to make sure that if you're going to force job rotation and mandatory vacations with people, they know that coming in, because they will not be happy campers if you say, by the way, you're taking a two-week vacation, and they don't want to take a two-week vacation. Now, the other problem with the vacation is that you sometimes will force them to take the vacations when you want them to take it, not when they want to take it. So that's an important part: they need to know that coming in, that hey, I'm gonna set up a two-week mandatory vacation and I'm not gonna tell you about it. You're just gonna be told you've got to take it. So you better sweeten the pot a little bit if you're gonna do that, because you're gonna irritate some people by just saying, okay, I'm gonna have you take it off from January 15th through the first of February. Okay, what am I gonna do then? Yeah, that would be a bad time. So you just want to make sure that you put these policies together in a way that is also beneficial to the employee. Otherwise, you'll be rolling through employees, because when he or she comes back off a vacation, they won't come back, because they're gone. So consider that. Okay, PAM, privileged account management. We've talked about PAMs through various parts of the CISSP. And what they are is they control and monitor access to privileged accounts. This is an aspect we talked about: CyberArk, there's some other ones, Identity One, I think, is another one. And what they do is they will monitor and record privileged user activities. They're super cool. So if you want to go check out a password, you have to go through the PAM, check it out, and then what happens is it watches what you do.
So it'll do password rotation, it'll do storage, it does all these things. It'll connect to your servers, it'll connect to your workstations, all of that. It's awesome. The problem, though, is it's quite expensive, very expensive, by the way, and it takes a lot of maintenance to get it set up and running. Once it's up and running, oh yeah, baby, it's like nectar from the gods. But before then, it is painful, very painful, like just super bad painful. So you need to consider how you want to deploy this within your organization. Now, the benefits are it reduces the risk of privilege escalation, right? So I can't just go in and steal a password, because if it's stored in the PAM vault, then now I gotta go in and check it out. I gotta then use it, or if they rotate the passwords, the one password that I have doesn't work. Again, it's really, really good. It also records you. So if you go into your PAM and you start getting access to a password, it will record that you did that. So then if you say, I didn't do that, that was not me, and it goes, looky looky, this is you, and then you go, oh no. So the point of it is it will monitor all that. It ensures compliance with regulatory requirements. Sometimes it gets called out as a mandatory requirement that you do have a PAM, and it does enhance the visibility into privileged account usage. So again, this works really well for IT folks. I highly recommend a PAM within your organization, even if at a minimum you only use it for your domain admin type folks, the ones that have the ability to just nuke your company; put those in a PAM of some kind. It doesn't have to be the super Gucci expensive kind, but that would be nice. But I would at least use some level of a PAM solution to monitor and manage your passwords. Getting a balance of security with user convenience, that will be a challenge.
So if you force all of your people to go use this, then you could get a lot of revolt. You've got pitchforks and torches. But if you just use your IT folks, who are used to being able to manage their passwords in a much more secure manner, that would be good for adoption. If you want to roll it out to all of your company, start with your IT folks and then slowly, gradually, baby-crawling kind of steps to go get that done. And ensure legacy systems will integrate with the PAM. That's one thing you need to make sure of. They don't all do that very well. And so if you buy this whole beautiful PAM and you've got like circa-1990s equipment, you might have just spent a bunch of money for not much of anything. So you want to make sure that whatever you purchase will work with the equipment that you have. And again, we go back to, yes, the inventory list, and how important it is.

Now, the various PAM solutions there are: we have CyberArk, BeyondTrust, Thycotic (I have never heard of that one), and then HashiCorp Vault. I've heard of CyberArk, BeyondTrust, and HashiCorp. I've worked with two of the three of those. So each of those will provide some level of PAM solution. Now, again, Thycotic, that's really kind of a scary name. It's mostly for small to medium-sized organizations, so it depends on the size of your company. CyberArk works really well for an enterprise. Again, though, it is very expensive. I'm not joking. It's super expensive. And CyberArk is considered one of the most critical applications of any security tool that you have. It's got the DR strategy where, when you're dealing with disaster recovery, it's critical. So it's tier one kind of stuff. Features for evaluating the PAM solution: credential management, password vaulting and rotation, session monitoring and recording, task automation, all kinds of different things it can do. So again, PAMs are awesome.
And if your name is Pam, you are awesome. So again, that's PAM.

Service level agreements, SLAs. Okay, so if you've all dealt with SLAs, what are they? Well, they're just basically an agreement between a service provider and a customer defining expected performance standards. So these are the standards that you have to follow to meet their needs, right? So you're dealing with scope of services, that's clearly defined deliverables and exclusions when you're dealing with an SLA. You may have metrics, and you may have penalties and remediation aspects for these different things. So if I have an agreement with a company and I have an SLA with them, I'm giving them specific services, and it's called out. If they want specific metrics, I have to provide them those metrics. And then there are defined penalties: if for some reason I don't meet my end of the bargain, or they don't meet their end of the bargain, then there are consequences for failing to meet the SLA. So an example of this would be AWS, right? They guaranteed 99.9999999% uptime in their SLA. That being said, they've had some recent outages where they're not 9999, it's like 13.9s or something crazy stupid. They're down to like 99s. So it isn't quite as good as what they had said, and so they have a breach in their SLA. So when they breach their SLA, somebody has to pay. And that's kind of how that plays out. Managed service providers, MSSPs, are committing to an incident response within a specific time frame. So if an MSP says, I've got your back, you get pwned, I'm coming to bail you out, like Bruce Willis coming in there in, I don't know, Die Hard, whatever. He's coming in, right? Guns are blazing. Well, they're committed to telling you that they will do it within X amount of time, within a day, within a couple hours, within whatever. If they don't meet that, then they are in breach of their SLA.
And if they're in breach of their SLA, there are penalties that go along with breaching the SLA. Okay, money, free services, you know, all those kinds of things, right? Ferraris, you name it. If they have it all called out in their SLA, you get it. It becomes Christmas again, but then you're dealing with a breach, and yeah, that's no fun. So that's your SLA.

Another thing to consider around this when you're dealing with SLAs is data ownership. Who owns the data stored in these systems? This is a big factor. So just because you work with a third party and they have your data, you need to really have defined in the SLA who actually owns it, who's responsible for it. Get that very clearly understood. If the legal wording does not match what they've told you, make sure it does, because at the end of the day, once you sign that piece of paper, boom, baby, you both are on the hook. Regulatory requirements: make sure it meets your different needs from GDPR, HIPAA, and so forth. Audit rights. Again, this is something that I brought up a lot, and I would bring up to these different companies, going, I want the right to be able to audit you. Now, I could do one of three things. I could bring in a third-party auditor; I could have them do a self-assessment, so it's like an audit slash assessment; or three, I could do an assessment of them. But I wanted to build that into my SLAs, that we have the right to do that, especially as it relates to data that is critical to your organization. So if you have intellectual property, big thing, put it in there, okay? Big nugget, clanging a big old hammer right now on a bell. Ding, ding, ding, ding. Yeah, doing that. You want to make sure you have that in place if somebody else is storing your most important data. So some best practices: again, regularly review the SLA performance reports, and align your SLA terms with your business continuity and disaster recovery plans.
Again, that comes back to your data knowledge. Where is your data stored? And then make sure you involve legal, technical, and operational teams when you're doing this. I never go anywhere without my legal team. They don't like me. Well, I can say I don't have them anymore, but they took a lot of back-and-forth drama to make this happen. You know, we hate drama, but it took a lot of that back and forth to make this happen. So you just need to make sure you have a good lawyer on staff, or you've got a third party that you can reach out to, outside counsel. It's an important part. Again, operational teams also need to be aligned, because you may sign something saying, oh yeah, this is what we're gonna do, and the ops teams go, what the heck are you thinking? Right? This isn't gonna work. You need to make sure everybody's aligned, doing the drinking duck. We talk about the drinking duck; it's that little bird, you know, that drinks. You probably are all way too young for this, but the little bird that goes up and down, you know, dips his nose in the water and goes back up. That's what we call the drinking duck. Everybody needs to be nodding their head in the same direction, that they're in alignment with this.

Okay, that is all I have for today. I hope, I hope, I hope, I hope you all have a wonderful, merry Christmas. The reason for the season is amazing, and I hope that you guys have a great new year as we go into this next new year. 2025 is going to be amazing. I know, I know it is. And we're excited about where the world is; well, the world's kind of scary right now, but we're excited where it's going, and I'm sure it's gonna go to a great place. But anyway, hope you all have a merry Christmas. There'll be one podcast coming out on Thursday, but this will be the last podcast before Christmas. So have a wonderful day.
I hope you're listening to this while you're drinking your eggnog. Go to CISSP Cyber Training, check out all the stuff I have there, amazing stuff. I gotta put a plug in for me. I almost forgot. You gotta put a plug in: CISSP Cyber Training, go there, lots of great stuff. Also, go to reducecyberrisk.com. Reduce Cyber Risk is my consulting spot. Again, that's still being built up, but if you need cybersecurity consulting expertise, I've got it for you. If I can't help you, I've got a whole team of people that will be able to help and get you what you need. So again, go to CISSP Cyber Training and reducecyberrisk.com and check everything out, and have a merry, merry Christmas. We'll talk to you all soon. See ya.