[MUSIC PLAYING] Thank you so much for joining us today for our webinar. This is Identity Management for Attack Prevention, and we're looking forward to hearing from some subject matter experts today on this topic. My name is Jason Moody. And you may have heard from the accent, I am based in America. I'm based in Austin, Texas, and I am the PAM PMM for One Identity, and especially for our Safeguard product.
And so we've got a couple of panelists with us today. I have Stuart Sharp and Alan Radford, and I'd love to get some background on each of these folks if they could join us real quick. Alan, do you want to tell us a little bit about yourself?
That's great. Thank you, Jason. Yes. My name is Alan Radford. I'm part of the Global Field Strategy Team here at One Identity. 15 years in the industry. I cut my teeth as an Identity Implementation Consultant down in Perth, Australia, moved to the UK in 2012, where I joined Quest Software through the Dell acquisition journey and the ongoing investments we've been making in Identity security ever since.
My specialism is in privileged access management, but as a multi-disciplinary vendor and individual, we also cover identity governance and access management.
Excellent. Awesome. I'm also joined today by Stuart Sharp. Stuart, tell us a little bit about yourself.
Yeah, hi, so by my accent, you might tell that I'm Canadian, but I am based in the UK. But I have a global role at One Identity as VP of product strategy. My background is in networking and security going back to being a product manager for database security at Oracle, worked in cloud encryption for CASB, but the last five or six years, I've focused on Identity and Access Management and specializing on access management.
And particularly, as we've seen the rise of cloud based access management challenges and requirements.
Awesome. Great. Thank you guys so much for joining me today for this call. I wanted to start out with Identity Management for Attack Prevention and really wanted to find out what's going on with the cybersecurity landscape from both of your perspectives. It's obviously very complex. Attackers are continuing to develop new and ingenious methods of compromising systems.
There's different intrusion tools that were originally developed by intelligence agencies but then leaked, reverse engineered, and made available. There's online stores that have been created where people can go out and actually purchase different tools. Security breaches with credential breaches and so forth are also published, so we know that there's a lot going on. I would love to get your perspectives on how you see things happening right now, what the security landscape looks like.
Yeah, I'd like to maybe kick this off and just lay some groundwork that it's really important that we never forget to cover the fundamentals of Identity Management. So before, you know, we talk about some of the latest things that you can do, you know, your greatest point of vulnerability is if you do not have a deterministic, systematic way to grant and revoke and modify people's access to application and to resources. So I think a lot of what we need to assume is that you've made those-- you've made progress in those fundamental challenges in securing the basics. You know that you don't leave people with lingering access to resources after they've changed the role or left the company, et cetera, and you've put MFA in place as a standard for your employees, things like that.
Excellent. Alan?
Yeah, well, that I think that-- at risk of stating the obvious. We're continually moving to a fragmented state when we look at the individual and you look at-- you ask yourself how many accounts we got and then look at that back into your work life how many accounts do you have. And there's an ongoing effort in many organizations to reduce that number of accounts. Hence, proliferation of single sign-on and so forth.
But when you then look at the infrastructure and the applications themselves, the legacy view is the data center and the modern view is the cloud. And the more cloud we consume, the more fragmented that application landscape becomes and the more distributed the accounts we have but also the entitlements we have as well. The more federation that we're consuming, the more of those protocols that we're using through things like SAML or OpenID Connect and so on.
All of that is really an effort to try and start reining that fragmentation back in, and so I find it very, very interesting that that's leading to a number of organizations today looking at that issue and going, well, how do I start consolidating around this, particularly when I consider how I fund and feed and water my security strategy, and how I simplify that security strategy as that complexity continues to grow.
Excellent. Well, that-- excellent. Thank you both for your points. That leads me to my next point in my next slide talking a little about what's going on. With 85% of organizations facing huge security problems and that both of you just said this, their employees have more privileged access than necessary. More access than necessary, because identity sprawl, and you both mentioned that as well.
But it does make these prime targets for cyber criminals, because if cyber criminals can get to the privileged access, they can get to the data that they want, and so I'd love to get your opinion on that type of thing.
Well, I'd love to jump in here, Jason, because I think it's not very well understood that the concept of a privileged user has in and of itself evolved. So we always used to think of a privileged user as say somebody who could change a system, whereas a normal user would use a system. So if I log in to my Windows laptop at home. If I log into my Windows laptop, as a user, I would use that laptop.
If I logged in as a privileged user, I would change stuff on that laptop. Maybe go so far as to change something in the BIOS or maybe simply change something in the Windows OS layer. Now, times have changed, and privileged access is no longer just about what can be done to a system. It's about the damage that can be done full stop, so I'll give you an example. You think about big brands out there. Big, big brands like Coca-Cola, Nestle, IKEA.
Think of a brand. Think of any brand, and then think to yourself-- like Apple is a good one as well and Amazon. Think to yourself, what is the strength of that brand? What is the value of that brand? I use the word brand specifically. OK, if there's bad press if somebody goes to say the Coca-Cola website or the Coca-Cola Facebook page it talks about Pepsi or somebody on the Pepsi Facebook page starts talking about Coca-Cola, then that can actually have-- especially if it's an employee, that can actually have an impact on share price.
And so a privileged user for an organization with a very, very strong brand may very well be a Facebook admin. They're not changing the Facebook database. They're using Facebook as a user, so the concept of a privileged user comes down to one core principle risk.
Stuart, to your question for you, we've obviously cemented the work from home as a viable option for many employees over the past couple of years during the pandemic. There's been a lot of budget cuts with organizations and massive attacks going on with systems toward mid-market. Tell me about what you're seeing and what you're hearing from our customers on your side.
I was at a conference in Manchester yesterday, and I was on a panelist discussion about the concept of zero trust, what does it actually mean. And it was very interesting, because the people there from different industries, from universities, et cetera, they were talking about the real world challenge they have about user adoption, user acceptance. And I think the point that I would make where we're at now, both in terms of the state of business and the IT landscape that they have now and are currently continuing to adopt and the technologies that are available certainly at One Identity but to actually, not only improve security and reduce that risk like Alan was saying, but to also improve user experience.
And a really obvious use case for example is the fact that almost everybody has a smartphone and they've got on-device biometrics. So now, you can give people a passwordless sign-on experience, where they have to do face ID or fingerprint on their phone to-- it wraps in that concept of MFA secure access, but you can actually skip the whole step of using your password altogether. So you can address-- by using the technology that's available, you can both reduce the risk but also improve the end user experience, and that's what the work from home shift-- it was already happening, but obviously there was a sudden shock to so many businesses had to suddenly make it happen overnight.
And that kind of user experience really became paramount. That was the friction that meant the difference between success versus a lot of inefficiency and friction in the business.
And obviously, from an end user standpoint, if I have a much easier experience while proving who I am and making sure my Identity is correct, I'm going to be using that technology much more often. It's going to be like you say, frictionless. It's going to be the thing that will allow me to do my work in a way that doesn't complicate things or make things more difficult for me as an end user. And so that's making things almost consumer centric. I hate always saying that, but it's one of those things that's been around for a very long time to make things easier for end users to use.
Yeah, absolutely. But I think we have to have the mindset that tighter security does not mean worse user experience. They have to go hand in hand. Improve user experience, improve security.
Excellent. Great. So I wanted to move to another thing, which is-- there's a lot of different systems out there. There's a lot of different security that was put in place over the years. Essentially, the 1.0.
I had to have this point solution and this point solution and all these different things to try and fulfill some of these security gaps that I'm finding. As attackers, we mentioned get more complex, and they start going after critical systems. I would love to find out both of your perspectives on a unified security platform or essentially looking at a vendor and saying, can they provide a lot of the different things that I'm going to need from a security perspective? So Alan, can you talk a little bit about that?
Yeah, love to, Jason. So Stuart touched on a very important point around friction and part of the point of having a unified security platform in the approach to this is to actually remove components to those friction [INAUDIBLE] spoke about user interface and removing friction from the end user's interaction with systems. But there's also other areas of friction that get overlooked as well. Part of the logic behind consolidating around a single security platform is not just around funding and making more of the resources that you have, because you also got teams that you're consolidating as part of exercise, which is a very healthy thing to do, but it's also around removing friction between security silos.
Think about that end user experience where they're using biometrics to log into a system or they're requesting access to a system that needs to be approved, and the person approving it is going to either approve Alan Radford accessing admin 5 on server 12 or whether they're going to be approving Alan Radford accessing the accounts payable database when he accessed accounts receivable database yesterday. All of those different components that enable the decision making and remove friction from the process as well is one of the key benefits at play here. That's why when you look at privileged access management, identity governance, and access management, you look at the market history of that and the vendors that exist in those spaces.
It's very interesting to me that we're only now seeing those three areas of the market consolidate being led by customers consolidating around these platforms. Like, as you know, Jason, there's only so many vendors that exist in all those spaces, and just before I bat back over to Stuart, one of my favorite quotes that came out of Gartner this year was that by 2025, converged IAM platforms will be the preferred adoption method for access management, IGA and PAM in over 70% of new deployments, and they said that twice. Not just in the Gartner Access Management Quadrant, but also in their key predicts for 2022.
So that consolidation is in motion and it's being driven by Stuart's point need to remove friction but also it need to be more efficient. I don't know what you'd like to add to that, Stuart.
Well, when we talk about a unified security, I think one of the really important things these days is the fact that we have more and more ways of taking in external signals and assessing the risk that those signals indicate. For example, with the OneLogin access management platform in One Identity, we have something called Vigilance AI. Every time a user tries to authenticate to the platform, we perform a real time risk calculation on how they authenticated from this laptop with that browser and that browser version from this IP address, this geographic location, all the rest of it, what's their device and before and have they successfully been verified with MFA in the past from that profile, et cetera.
So there's a lot of intelligence that you can use to calculate that risk score in real time. Now, how does that apply to the unified story? Well, what's been happening is that those real time risk scores are being used, not just as a warning or a logging or even just a feed into your social security system, but it's being used to actually adapt in real time the authentication flow. The experience that the user is going through.
So if they have a higher risk, rather than just block them out right, which can impact the business, you challenge them for a stronger form of second multifactor authentication, for example. Now, that's just at the point of access. When you look at Identity Management as a whole, you actually have a number of other risk calculations that you can look at. And with a unified platform, you can integrate those risk flows.
So the way a user is granted permission to a particular application can actually influence and change the way they authenticate into that system. So is it a standard application that's part of their job? Did they just ask for it themselves and it wasn't approved by a manager, et cetera.
So there are ways that you can take the risk calculations from a governance point of view, feed it into the authentication experience, and use that even more intelligently when it comes to privileged users. It's really about taking that security to the next level.
And it's also something that, Stuart-- sorry, you touched on something that was also very important as well. When you talk about that Vigilance AI and that ability to be contextual and actually change the access flow in real time based on what's actually happening, based on context. That's a really key part of any zero trust strategy. NIST did a great job of writing this stuff up with [INAUDIBLE] zero trust, which I won't bore the audience with.
But one of the key outputs that NIST put front and center of that is that the policies themselves must also be dynamic, because your users, your assets, your accounts, your entitlements, your rights, your risk, they are all dynamic, and so the policies themselves must be dynamic too.
Yeah, and there's one other aspect too of a unified platform, where I think this is where there's so much potential. When you have one platform that controls the creation of users in target systems, when it controls what access they're granted and then actually controls the access the authentication experience itself, that opens up whole new doors, where you can take something like zero trust to a new level.
And Alan, that makes me think of that whole concept of Just in Time Provisioning in the context of PAM. Maybe you want to explain that a bit.
Yeah, well, that's an excellent example of policies in motion. Say you've got-- let's say somebody needs to do something. Doesn't matter what it is. Let's say they need to do something, whatsoever really. Something that carries risk. And when they go to access that account today, that account will likely already exist for them. alan.radford@oneidentity.com. I have that account,
I used it to log into this webinar, and I'll use it to do all sorts of weird wonderful stuff. But if I want to go and do something that carries risk, then does it make sense to have the rights on that account all the time or does it make more sense for me to have the rights on that account only when they're going to be used? So zero standing privilege. Now, there are many, many ways to implement that, depending on what your process is, depending on what your environment, your compliance requirements are, if it's a PCI environment, there'd be different requirements, for example.
And so you might not want to have the account exist at all, but only have it exist for the period of time it needs to exist to do specifically that one thing and then have it rescinded. A lot of customers out there look to GRC and ITSM to actually drive some of this as well and plug that in to a broader platform. One of the core areas of a unified security platform for us is to actually have a just in time flow wherever possible. So we're not just relying on the access management flow being dynamic but also where you've got all of those entitlements at rest, because you've got access in motion. You've got access at rest.
All of that access at rest is very much addressed by that just in time approach.
Wow, that's great. So it's interesting so we talked a lot about the threats. We've also talked about, what's going on in the industry and about a unified approach.
From your both perspectives, I'd love to get your opinion on where someone starts, because obviously, there's a lot going on, and there's a lot of technology that can be put in place to help mitigate some of these security risks and get a better security posture. Alan, where would you start? Where would a customer start?
I would say I would say start with where it makes sense to start, which is the easy way out. But let me give a couple of examples. So there's a customer that I work with, and I was talking to you about this earlier, actually. There's a customer that I've worked with who have a lot of factories around the world. And a large component of their revenue calculation is factory output, basically. The more productive factories are, the more they're satisfying their supply chains and the bigger the revenue.
Now, all of the time most factory workers are not able to log in or all of the time they're not able to use equipment that has direct impacts on the productivity. And so for them, the dials to tweak are very much, well, if we have attrition and we have an onboarding process, the speed at which we get them access to what they need has a translatable effect to revenue. There's a direct equation for it.
And when we then look at that through the lens of, well, what about the risk they're carrying with what we give them and how dynamic does that need to be and how much cloud are we consuming as part of that and how much of that cloud consumption is driving that need to be more dynamic. That's where it becomes a good place to start, because then that will be driven by a leadership vision. Now, that's a more business orientated example.
There are other examples, where when you look at the more tangible things at baseline, where you consider things like we have customer in media, for example, so their IP is around some of the images and things that they create and how they protect those. Now, you could be reactive, and you can wait for some of that to turn up at a competitor or you can protect it today. And so you've got a difference between organizations that are being proactive and using it to drive an existing initiative and you've got other organizations who are being more reactive, and unfortunately, the companies that are being reactive tend to end up in the media.
Yeah, and Stuart, research shows that 70% of more complex programs don't actually reach their stated goals, and I understand from some of this research that the pitfalls could be lack of employee engagement and adequate management, support, things like that. Tell me from your perspective. You don't want to fall into the pitfalls side, but where would the customers start if they're looking to implement some of these security features?
Yeah, I think the concept of, oh, I've got to do a rip and replace. I've got to boil the ocean. That's a very dangerous approach to take, I think, in general, and as well the products that you have available today, they're particularly thinking of cloud based, SaaS based products, identity as a service, an IDaaS platform. It's so easy to plug it in for a single use case and gradually roll it out to cover more and more of your estate, even not just cloud based, not just control access for cloud based services but also real hybrid on prem services and plug it into your AD, et cetera.
But you don't have to do it all at once. You can roll it out gradually. So the opportunity is to look for a platform that you can put in place to begin your Identity and Access Management journey. And that will allow you the flexibility to gradually roll it out and extend the surface area that you cover, rather than try and we've got to replace everything we built up over the last 20 years and get it all done in two months.
That's awesome. So it sounds like a choose your own adventure. You've got all these different things in place potentially currently, but where you want to go and plug some holes, you can actually decide what the best thing is for you to start, where to start, and then start working with us to plug those holes and then build out from there. And since there is a unified Identity security platform where we're able to bring in all of these different security features and Gartner says that's where customers are going to start. This sounds like a really good place for customers to get involved with us, ask us questions, and then start building that thing out and moving away from fragmented point solutions to a place where they can achieve more integrated technologies, so forth.
[INTERPOSING VOICES]
Yes, but I think it's important for people to realize too we're not just talking about improved security or even improved user experience. There are huge efficiency gains around the automation that comes with this type of platform. So you're actually meeting multiple objectives, reducing the IT administrative overhead while achieving your security goals.
Excellent. Awesome. Well, we are approaching the bottom of the hour and the end of the conversation. I do want to thank Alan and Stuart very much. If there are questions, we can be contacted through email, but I would like to thank everyone for joining today and listening to this excellent conversation. Alan, Stuart, thank you so much for your expertise and your time today.
Thank you.
Pleasure. Thank you.
All right, have a great day.
[MUSIC PLAYING]