Interview: CTO Q&A with David McNeely
In any C-Suite role, governance is paramount. But a CTO needs to help drive value using technology to help it achieve its business objectives. To hear more about his role as CTO and his journey down the road of privileged access management, I was happy to chat with my long-time friend and colleague, David McNeely.
Tony: Welcome, David.
David: Thanks Tony, a pleasure to be here.
Tony: You’ve been with the company for over 15 years, and you’ve seen it evolve from an Active Directory bridging company to a full-service Privileged Access Management, or PAM, company. So just take a couple of minutes and share some of the highlights of that journey.
David: Sure. So, I started at Centrify in 2004 as the first non-engineer hired. Less than ten people. They then had an Active Directory bridging technology and a vision of integrating Linux and Unix machines into Active Directory to operate as a Windows machine. I thought that was a great idea, given that I’d worked for many years over at Netscape around the Netscape directory product.
The goals were similar; to integrate everything into a directory. Therefore, just put them in the directory if you want to add a new employee or grant someone access. And when they leave, you can take them out of the directory, and then they don’t have access to anything. That dramatically simplifies how you do account administration since you don’t have to go out and do it on every machine.
We then expanded by adding privilege elevation to manage sudo. Except back then, sudo didn’t exist on all the operating systems, and it was only on Linux. So, we built our own using open source and ported it to Linux, Solaris, HP-UX, and AIX.
Tony: Fast forward, we’ve now merged with Thycotic.
David: Yes. As ThycoticCentrify (now Delinea), blending what is arguably the industry’s best vault technology with Secret Server along with the best privilege elevation technology with Server Suite and Cloud Suite, we have a much more robust solution set.
Tony: So how is that all coming together?
David: We already have some great integrations under our belt in a very short time. There was so little technology overlap. We’re continuing to work with product management, engineering, and architecture teams to integrate all products into our native SaaS platform. The platform is a real enabler for our goal of providing customers with transparent PAM – PAM that doesn’t get in the way but addresses all the requirements modern organizations need in a hybrid cloud world.
Tony: All right. Good stuff. So, let’s take a short break from the technical. If you had to leave the world of PAM behind. If you had to leave technology in general behind, what would you spend your time doing?
David: I love road bikes and riding bikes every weekend in my spare time. I’ve got a small team of people that I ride with. I started doing that with Team and Training doing century rides with them. I’ve done a couple of those, one in Las Vegas. I’ll never do another Las Vegas century ride again. It’s way too hot. The last one, it was over a hundred degrees, and the wind was up to 40 miles an hour. Brutal. But the best century rides that we’ve done is the sponsored ride around Lake Tahoe, all the way around the lake of 72 miles. But if you go out to Truckee and back, it’s a hundred, but it’s not too bad. It’s a beautiful bike ride. The challenge is the altitude, getting used to the oxygen deprivation. You just have to get there a day early and acclimatize.
I also love hiking and camping and stuff like that.
Tony: OK, back to the fun stuff. Many organizations have some PAM maturity, but as their IT infrastructure extends to the cloud, they struggle to protect it all. What’s your advice on how to approach that PAM journey?
David: I would have to break it down into a couple of different areas. You need to get a handle on how you control administrator access to the cloud infrastructure. You know, the web admin consoles for AWS, Azure, and Google. They all support Federation so, if you have an IDaaS product, you should be using SAML-based Federation to control login. You will need to create roles and assign roles to those users as they log in. But that’s the best way to make sure you don’t have statically assigned rights to those consoles and that user roles tie back to your identity management system, which should tie back to a group you control tightly for access permissions and rights.
The other thing is the virtual machines you spin up on the cloud environment. We’ll talk about those first and then the other workloads, but as you’re building out virtual machines in a cloud-based environment, most of the time, people struggle with how to enable administrators to log in.
If you just use the base tools from each of those cloud providers, there is a way for you to deploy an SSH key for the root account and then use that root account SSH key to log in. But the problem is you’re probably copying that key around all the staff that needs to log in, and then you end up with a challenge. Who has permission? Who’s logging in? So, you should vault away those SSH keys and schedule frequent rotations so that at least every single machine has got a different key pair on it. A better way is to set up an SSH certificate login with a broker.
We do that with our Cloud Suite technology, which provides self-service workflows where an admin can request access to a particular server. Then once they gain access, they’re going to get the set of rights to execute privileged commands via privilege elevation – via sudo and a sudo plugin that talks back to the platform to or its access and MFA policies. So that’s the new solution. That’s more granular than using, let’s say, a vault to check out your superuser accounts.
Tony: What about containers?
David: We have several customers that have moved to containerization and adopted a microservices architecture. This problem space is different. It’s not about enabling humans to log in. It’s more about how I ensure that the net-new instance is functional. Often, there’s automation, tooling set up to deploy the container or deploy the application, but it needs to be configured so that it will operate.
If it’s an additional node within a web pool at the front door of your website, it’s probably going to need some configuration data that matches the other nodes in that cluster. And that configuration data should come from a secrets vault-like our Secret Server and DevOps Secret Vault. That will enable those workloads to spin up, authenticate, and gain access to the vault to pick up the dataset.
That’s something where we can use the computer’s identity assigned by AWS, Azure, and Google to authenticate those instances and provide their access to the secrets. Often, the secrets repository and its platform can also generate ephemeral tokens. A workload or a microservice needs to gain access to other computers or cloud services, an ephemeral token that is short-lived is so much better than just pulling static passwords from a vault.
Tony: So, David, what’s the most exciting aspect of your role as a CTO?
David: For me, the most exciting is to talk with customers about the challenges they face, to hear about new problems, and then work with the architects, engineers, and product managers to define a solution to that problem and then see it built, delivered, and solving the problem.
Tony: In the last couple of years, we’ve seen a sea change in the way companies work, the way their employees work. How is ThycoticCentrify positioned to address these new dynamics?
David: First, I would say that we have also adopted a work from home and work from anywhere policy at ThycoticCentrify. We’re seeing many employees moving from the city they were in before the pandemic to a different location. It’s pretty freeing for employees to do that and work from anywhere and perhaps buy a house further away from the physical office that’s now affordable. Our customers are doing the same.
Cybercriminals see this as an expanded attack surface to exploit. So, there’s an even greater need to protect endpoints. We’re finding an excellent business around ransomware prevention with our products that require strong security on both workstations and servers. But none of that has changed much other than more employees are working from home a lot more often, using mobile laptops instead of being in the office.
So, secure remote access is now more critical than ever for all users, primarily for the IT administrative staff. We’re finding organizations want to stay off the VPN so, browser-based, VPN-less remote access for admins is just a whole lot easier for them. There are no clients, no VPNs, access from anywhere using any machine with a browser and an internet connection—convenient and low maintenance. But from a security perspective, I don’t want the laptop on the corporate network through the VPN to potentially spread viruses and malware. This VPN-less approach also better supports contractors and outsourced support staff to gain access, reducing the overhead on internal IT and removing dependence on tools such as NAC and SNAC to police their laptops.
Through the SaaS vault, we can set up workflow-based just-in-time access to checkout credentials or for permission to log into a server. Then we can provide that session over a connection that does not require a VPN.
Tony: You mentioned ransomware. That’s big on corporate agendas, as is zero trust and securing the supply chain, which was both a focus of President Biden’s recent executive order. Cyberattackers are getting smarter. How are PAM vendors getting smarter?
David: The move to zero trust has accelerated the adoption of PAM best practices. We have several customers trying to adopt better methods of doing things like eliminating standing rights. So, if you look at most PAM products, they perpetuate the use of broadly privileged accounts. Best practices such as zero trust advocate least privilege, no implicit trust, and continuous verification. This means granting rights only when there’s a legitimate job or trouble ticket. The user is provisioned rights to work on a specific server, constrained to only executing admin tools and commands for the job at hand, with a defined expiration of those elevated rights. Just-enough privilege granted just-in-time, for a limited time.
And then one more layer of security on top is multifactor authentication to make sure that it’s a live human at the keyboard and not a bot and not using a credential that has been stolen. So, for example, if a Pass the Hash attack happens and the attacker is using my account to log onto a target, I’m going to get a challenge for MFA, and I can reject it and alert IT Security. Now we have a clear indicator of an adversary on the network trying to gain access to a server.
Tony: Final question. Let’s peer into the crystal ball. What do you think is just over the horizon?
David: More organizations move their servers out to cloud-based environments and then re-platform their applications into a microservices architecture. I’ve heard a lot of customers talking about wanting to close all their data centers. Many have thousands of applications, and there are no humans involved anymore. But machines are talking to other machines. There will be more demand to control access where it’s only machines involved.
Those access control mechanisms will need to operate a lot faster. We already help to some degree, but we’ll probably learn some more things and build new capabilities into our PAM solutions. So, PAM is no longer about only humans gaining access or doing privileged operations, and it’s now a lot more about machines doing that.
There’s another category of applications called robotic process automation. The robots learn by watching what a human does and taking over the more predictable, repetitive tasks, freeing up the human to do the more complex jobs that a robot can’t do. It’s that automation that’s going to drive the need for controlling the machine level access at machine speed, and I think that’s the area that we’ll start seeing a lot more interest and a lot more requirements around capabilities to protect that kind of access and those kinds of connections.
Human administrators logging in won’t go away completely, though. Privileged administrators will still access and manage administrative interfaces such as the cloud consoles or these DevOps tools that govern and control all that automation. So, the automation tools get more powerful, but we need to start managing and locking down access to those now more powerful automation tools.
Tony: OK. That just about wraps it up. Thanks, David, for your time and your insights.