WEBVTT

1
00:00:00.300 --> 00:00:29.820
Anna Delaney: Hi, I'm Anna Delaney with ISMG. Welcome to this first of a three-part video series, which focuses on identities as assets, and how to create an identity strategy within the broader context of zero trust. And with us to guide us through this topic and share insight from their own extensive experience in the field are CyberEdBoard members Andrew Abel, cybersecurity and zero trust consultant, based in Australia, and Chase Cunningham, CSO at Ericom Software. Great to see you both.

2
00:00:30.930 --> 00:00:32.700
Andrew Abel: Hi, Anna. Thanks for having me on.

3
00:00:32.850 --> 00:01:08.520
Anna Delaney: So, starting with you, Andrew. As I mentioned, this is the first installment of a three-part series and in this video, we'll be looking at the foundations of what identity actually is, and how it should be operated by an organization. But first, I think it's fair to say that the zero trust model has been widely recognized as an effective approach to prevent data breaches, and mitigate the risk of supply chain attacks. And there's much to celebrate in how the U.S. government has addressed zero trust. However, what challenges are likely to be faced in the process of implementing the strategy?

4
00:01:09.950 --> 00:01:44.570
Andrew Abel: I think that a major challenge that's probably likely for the U.S. government in the zero trust space, specifically on identities, is a definition of identities - human and non-human identities, internal and external identities - and how they interact with various systems and get access to resources in shared and collaborative environments, as well as internally for vendors and companies that deal with the government as well. So, that's the main thing for me, and identity, more broadly, I think it's the most challenging space within zero trust because sometimes it's the hardest to define for people who aren't familiar with the concepts.

5
00:01:46.130 --> 00:01:48.500
Anna Delaney: Chase, I would welcome your perspective on the challenges.

6
00:01:48.000 --> 00:02:50.250
Chase Cunningham: Yeah, actually, I was just on a recent taskforce call about this whole thing. And identity is a really difficult problem to solve, even though the solution for it is actually, relatively, I guess, you can call it binary, as far as this should get to that and that should be, you know, gravitate around an identity, but to your point, Andrew, identity is no longer just a person. Machines have identities, containers have identities, applications have identities. It just becomes this growing problem. And if you really think about the numbers here, they get exponential really quickly, which is a problem, especially when you're talking about a large enterprise. You know, I'm one person, I can tell you right now, because I have things that track it on my machine. I have 393 usernames and passwords, and I'm one person. So, imagine if you're an enterprise of 400,000 individuals, along with machines and everything else, it just becomes a big numbers game really quickly.

7
00:02:51.030 --> 00:02:51.810
Andrew Abel: Yeah, for sure.

8
00:02:52.260 --> 00:03:00.000
Anna Delaney: Well, Andrew, let's go back to basics. How do you define identity? And how should it be operated by an organization?

9
00:03:00.000 --> 00:04:04.470
Andrew Abel: I think that the new area to look at in defining identity is, as Chase touched on there, it's not just humans anymore. It's machine identities and it's non-human identity. So I think it's defining what - you know, everyone knows the concept of an Active Directory with a bunch of carbon life forms that come in and log in with a username and password and do their work. But now, with cloud environments and cloud migrations and automated processes, a big push for automation, AI and machine learning, all of that, you're basically outsourcing a lot of low-level processes to machine identities and non-human interaction. So, for machines to talk to machines and complete a task, you've still got to assign the identities and adhere to the zero trust principles of least privilege and focusing on just enabling the process to complete, to get the business outcome, you know, whether it's a human doing the work or a machine. So I think that's a big challenge for people to get their head around. It's just one server making an API call to another or an application or whatever. So there's no humans involved, but it's still identity-driven and it needs to have identity security controls applied.

10
00:04:06.130 --> 00:04:07.930
Anna Delaney: Chase, anything to add to the definition there?

11
00:04:08.590 --> 00:04:42.040
Chase Cunningham: Yeah, well, identity, really - I wrote about this in the cyber warfare book I published - I like to think about it as actually an entity. It's anything that sort of touches electrons, in my opinion, has an identity. And that's like we were saying, it can be a user, an application, a container, whatever, like Andrew was saying; I agree with him 1,000%. Having that really grounded approach to the reality of the space, that you must have a plan for all of those things, and you have to be able to do it while they're standing in motion, is really valuable.

12
00:04:43.150 --> 00:04:43.510
Andrew Abel: Yeah.

13
00:04:44.710 --> 00:04:50.020
Anna Delaney: So, Andrew, how should companies be looking at identities differently? How should they change their approach?

14
00:04:50.000 --> 00:05:39.260
Andrew Abel: I think that all types of identities, whether they're human or non-human, need to adhere to the principles that people do understand, and that's around organizational roles. And so, from a security and zero trust perspective, like you think of a role, as in you're hired to be an accountant or to be a truck driver or whatever. So, you know, everyone can understand what that role is in an organization. But from a digital and an identity point of view, it's a similar thing, it's an outcome. So, you know, you have a thing, which is an object, either a human or non-human identity, it does a bunch of stuff to achieve an outcome for the business. So, the principles hold true. From the traditional point of view to the modern, and the zero trust, cybersecurity strategy point of view, you're basically putting those controls around the identities to limit what I can do to achieve a specific outcome for the organization.

15
00:05:41.090 --> 00:05:45.170
Anna Delaney: Chase, do you have examples of how organizations should be approaching identities differently?

16
00:05:45.720 --> 00:06:39.420
Chase Cunningham: Well, the big thing is, if you look at the overall goal of cybersecurity, it is to defend data and to be able to keep the bad guys kind of out; you accept that there's going to be a compromise. But if you look at the history, the data, the statistics in the space, they go after users' passwords, identities, so therefore, you should do that thing first. And you can boil off a large percentage of the problem by enabling some very simple things we know, statistically speaking: multi-factor authentication on human identities makes a heck of a difference. So, these things can be done at scale, but they should be done carefully and cautiously with a plan in place. And then, to Andrew's point there too, making sure that you're doing this as part of a program and an overall strategy is really valuable. You don't want to just be solving for identity and leaving everything else sitting on the side of the road.

17
00:06:40.230 --> 00:07:11.340
Andrew Abel: That's a good point there from Chase. When you look at zero trust holistically, you've got your information or your data, you've got your identities, and you've got your devices, and you've got your network segmentation. So, to look at it from the very high angle, they all blend in together to complement each other in terms of protecting the company assets, whether that's information assets or physical resources, or, you know, some other form of data or processes or IP, you know, so that's where you have to sort of intake that higher-up view and blend them together and look at your overall solutions and outcomes.

18
00:07:12.690 --> 00:07:15.510
Anna Delaney: And Andrew, what's at risk by overlooking this approach?

19
00:07:16.920 --> 00:07:50.790
Andrew Abel: Well, I think that, you know, everything comes down to identity at some stage, like, you know, when you look at all the trends in security and cybercrime, that's about, you know, ransomware attacks and social engineering, people trying to trick you into the username and passwords, access to bank accounts and all that. So, ultimately, somewhere along the line, this always comes back to identity theft or identity compromise, or access that someone shouldn't have that gets it somehow. So, I think that not taking a proper approach to this is you're leaving yourself open to risk all over the place, really.

20
00:07:50.000 --> 00:08:18.590
Chase Cunningham: The other piece too for businesses is you're always trying to solve for the compliance problem, right? Like you have to be in compliance to do business digitally, these days. If you look at the requirements, you have to do these things. So, get them done because even if you don't subscribe to this, it makes a difference in security. Talk to the CFOs and talk to the people that are the box checkers. You want to be compliant, you need to solve for identity.

21
00:08:19.950 --> 00:08:20.250
Andrew Abel: Yep.

22
00:08:21.300 --> 00:08:25.590
Anna Delaney: So Andrew, what are the key identity strategy goals that you'd like to share today?

23
00:08:26.470 --> 00:09:52.750
Andrew Abel: I think that they're in keeping with the broader zero trust approach around least privilege, you know, segmentation, and segmentation comes down to network segmentation, as well as identity segmentation. So, if someone does compromise, say, a finance department worker's credentials, they're sort of isolated from the rest of the estate because those credentials will only reach certain assets within the business. Whereas in the old days, you know, you could jump from there across the business and access a lot of resources. So, I think that that's part of the main strategy. And I sort of touched on that in a PowerPoint that I'll bring up shortly to give you a visual overview of what I was sort of getting at there. So, we talked a lot about the sort of the broad view and in my mind, this is something that I drew to keep me sort of an easy quick reference about zero trust. And you can see the main pillars around the outside. And then you've got your automation, orchestration and visibility and analytics that operate around all the domains in a constant stream. This is sort of based on the NIST and CISA stuff and well-published zero trust approaches. So, you can see identity there. And the reason why I have drawn it in a circle is that, in my view, one's not necessarily more important than any of the others. They all collaborate together to provide an overall organization protection layer, you know, and true zero trust.

24
00:09:52.780 --> 00:10:41.920
And then, we talked about identities as business assets. I think that's probably a big shift in thinking for a lot of people who aren't from a traditionally technical background or cybersecurity background. So, the reason why I think, you know, I put this slide together is because people understand that cash and receivables and inventory and buildings are all assets of a company. But the new way is to understand that identities are digital business assets, you know, they have a cost to acquire them or create them, they've got a cost to operate them with your service, their staff and your incidents, and they all carry risk. So the risk can be mitigated by that least privilege approach. So that's why you need to define and record what rights you've assigned to them. And then you've got an operating plan that includes the risk rating for each of the identities.

25
00:10:41.920 --> 00:11:29.080
And then the last slide is around the key strategy goals for me, which is that you put identity at the center. And I think that a lot of companies make the mistake of going out thinking identity means an IAM platform, some sort of big enterprise investment in identity and access management. I don't sort of think that way. I think that you understand how you want to operate your identities first. And then you build solutions around that and not build your strategy around what your platform can do. And again, we talked about the single identity approach. So, simplified lifecycle, simplified approach, human and non-human get treated the same. The principles apply. Least privilege controls, outcome focus: why does this thing exist? What does it need to do? And also then, carry that forward to apply those organizational roles to all of those identities, no matter what they are.

26
00:11:31.090 --> 00:11:38.920
Anna Delaney: Excellent. Well, this has been a fine introduction to identities as assets. Thank you so much for watching ISMG. I'm Anna Delaney.