00:00:00,000 Anna Delaney: Hi, I'm Anna Delaney with ISMG. This is the final part of a three-part video series, which focuses on identities as assets, and answers this question: What are the benefits of an identity strategy to the business? And with me to expand on this are our CyberEdBoard members Andrew Abel, cybersecurity and zero trust consultant, based in Australia, and Chase Cunningham, CSO at Ericom Software. Great to have you back. In our previous video, you spoke about the future of identities. What should organizations be doing now to be best prepared for that future?

00:00:34,380 Andrew Abel: Yeah, that's right. I think that the main thing that organizations can do now to set themselves up for success down the track with zero trust in the identity space is to start thinking about identities as no different to humans. Like non-human identities and humans have to be treated the same from an organizational point of view, from a security point of view, and from an operational point of view. So, I put together a graphic that may be able to help with that. So, I'll just bring that up now. Okay, so everyone's sort of familiar with the traditional view here. Probably all have seen these a million times about an organizational role. But what we've been talking about through the video series is to apply organizational roles to identities, not just to people, which was the traditional approach. So, where does that come into play? Now, there are two major benefits to that. One is that you understand where all these non-human accounts sit in your overall organizational structure, which, in turn, helps you define what security controls need to be applied to them. For example, if this tower over here is in the finance team, and all these people have access to finance information, the non-human identities that operate in that specific space within the organization can also have the same controls applied and, obviously, more unique ones for the specific process and outcome that they're associated with. So, I think that's the main initial goal: to get those non-human identities into your org structure and start applying roles and controls.

00:02:02,460 Chase Cunningham: Yeah, I think that this is really useful because I know I haven't seen a graphic like this yet, where someone said, "Here's an organizational structure, here's who does what. But, by the way, there's these other things that are identities and entities within that that you need to manage, as well." And I mean, it can get even bigger from this. It's a really small picture of a really small problem. But so, there's a lot of value in understanding that you're also responsible for all these other identities within the context of the organization. And if you think about a typical day at work, think about how many things that you touch or leverage or use that have those other accesses that you would need to take care of.

00:02:43,440 Andrew Abel: Yeah. That's right. Exactly.

00:02:45,810 Anna Delaney: Andrew, what are the main operational benefits of an identity strategy to the organization?

00:02:51,330 Andrew Abel: Yeah, sure. That's a great question. So, I drew a graphic. I think everyone, all of us in IT, in security, understand that, you know, the main thing to do, the best projects are the ones that get built, get delivered, but then they're easy to operate. We've all sort of seen situations where you either buy a platform or onboard a product or finish a project, and then six months later, there's still an operational impact. And you're probably spending more to run the solution than you ever intended. So, the goal for anything, particularly identity, is to operate it in a lean, cost-out, effective manner. So, I sort of drew two graphics that we'll go through here. The simple identity life cycle: so the normal approach to provision an identity based on standard repeatable processes. You assign your access and controls as a starting point to what it needs to have access to, because it's doing a certain thing. And again, that's along with your organizational role that we covered in the previous slide, and then the governance. So we want to govern the activities of the identity. And again, with continuous assessment, which is one of the principles of zero trust, which is, again, the governance - the identity governance - rather than the identity access management approach. So, it has to be a mix. You have to know what your identity is doing in real time, where possible. And then the fourth one, the conclusion of the simple life cycle, is the offboarding or the suspension. So obviously, if there's a security incident or some sort of flag on an identity, you want to suspend access to everything immediately till you can investigate. And then every identity, when it's created, also needs to have a clear offboarding trigger as well, so that we don't get to, you know, a situation where we're spending money on auditing identities in the organization to work out what is safe, what it's supposed to do, and whether it really needs access to these resources and assets. So that's an important part. The offboarding part is often one of the big misses, but it's definitely one of the keys to a zero trust - a good zero trust outcome. Chase, do you want to add anything to that one?

00:04:48,480 Chase Cunningham: Oh, well, I think what's, you know, number one: everybody likes simple, right? Simple's more manageable. Businesses do better with some simple approaches to problems. So I think that there's a lot of value in that, and then the other piece to me that stands out is the piece about governance and then offboarding. Really, that's where things go wrong. Like you were talking about, Andrew, anybody can create and provision accesses and accounts and whatever else. But the management of that and making sure you have continuous assessment in there is super critical. This is not a one and done; this is going to have to continue to happen for the life of the business.

00:05:24,900 Andrew Abel: Yep, that's right. So that's a simple life cycle. So the idea is that that's pretty easy to follow and easy to operate. So the only real change to move from simple to complex is that it's still the same - govern access, and controls and provisioning - but there's the modify role as well. So that's where you've got identities or people or other, all types of identities and access requirements that change over time. So someone may move between departments. So if you've got good organizational roles and security controls defined, you know, you've got to go back and visit them. And those controls are contextual to the person's role in the organization. And it's the same with server or non-human identities, you know, if you make a change. And again, we talk about being outcome-focused, you know, so if the non-human identity exists to complete business processes to achieve a specific outcome, and then that process changes or the outcome changes, you've got to shift those controls that sit over the top of that identity operation, and then we get back to the suspend or offboard step. So the idea here is to continue, you know, that continuous assessment is always happening, that modification, so you don't over-provision people because you have no process. You know, someone's moving from the finance department to the manufacturing department, and, you know, we'll just copy someone in manufacturing, and we'll give them those rights so they get working, because we didn't get to this ticket in time. And now they've got cumulative privilege to finance and to manufacturing, you know, and straightaway introduce risk. So that's what it's about: keeping it simple, keeping it operable, keeping it lean, but also keeping it effective.

00:06:59,520 Chase Cunningham: What fits in well here is when you look at these, the structure of this approach, these sort of vectored approaches make a lot of sense. And this to me is indicative of the fact that you need an application that will solve that problem for you. You know, if you're doing this as one person on a spreadsheet by yourself trying to manage, that's five or seven pieces that you're trying to take care of at the speed and scale of business. Whereas if you're using a solution correctly, they're built for this type of process of one to two to three to four to five. That's what you want. So they do fit into this model.

00:07:33,960 Andrew Abel: Yeah, for sure. And I think that that is also a common mistake: that people sort of buy a platform - an AI or machine learning one - and think it's going to do, you know, all the calculations for them, but you've got to put good info in to get good outcomes out. So you definitely use a platform, but you've got to structure and build it the right way, so that it's working for you, and not creating more work down the track.

00:07:59,400 Anna Delaney: So Andrew, looking at the broader business benefits, what are the broader business benefits when it comes down to the dollars invested?

00:08:07,500 Andrew Abel: Yeah, that's right. So obviously, you know, one of the issues with zero trust is, you're not the only person in the queue looking to get a check signed, or looking for an investment, or looking for resource time, or all the other things that go into operating security, or doing a zero trust project. So you've got to be able to demonstrate the value and what the return for every dollar you put in is. So I think specifically in the identity strategy, having a good identity strategy that's contextual to your operation, your organization and the skill levels, and the security awareness within your organization, they support a range of benefits to the business. So obviously, you reduce risk, which everyone's about in the cybersecurity space; you drive productivity, you know, security should always be transparent and contextual, the user shouldn't even know that they're being assessed continually or having security controls applied, because it should never get in the way of them doing what they're hired to do. And again, that touches on the enable users part as well. Let them do what they've got to do, but securely. And then privilege execution. So, set your just-in-time elevation processes, use platforms and products that support that, understand how long you want to assign privilege, never leave standing privilege against an account, that kind of stuff. And then the activity monitoring, which is, of course, a big part of zero trust more broadly, is to know what's going on, when it's going on, and what risk it's introducing.

00:09:31,080 Chase Cunningham: Yeah. There's a lot of business value that can be seen right here. There was a study, I think IBM published it, that said that an organization that had zero trust even partially in place saved themselves about $2 million in the course of a response operation. So, $2 million is pretty significant money to a lot of organizations. Looking here, find me a business that doesn't want to reduce their risk or have more productivity or have more enabled users, and be able to know what's going on and where it's going on within an organization. The value proposition here for the approach is clearly evident. These are all business-specific things. And it's not even about security. This is about if you do the right things in the context of enabling a security strategy, it benefits the business.

00:10:18,900 Andrew Abel: Yeah, for sure. And I think that's also something that I talk about a lot: the actual dollar bottom-line benefits to an organization of taking a zero trust approach, because when you look at the amount of, you know, over-investment in minimal outcomes that organizations go through, you can see so much cost saving by putting in an effective strategy.

00:10:42,750 Anna Delaney: Well, this has been an educational series. Thank you both for your time and insight. I do hope you found this useful. Please do check out the two previous parts of this video series. For ISMG, I'm Anna Delaney.