HID - Workforce Identity and Access Management
For many of us, the workplace is more than a single building or facility. That’s what makes workforce IAM so powerful. By managing security through something we all take wherever we go — our identities — it gives users the flexibility they need to stay productive and enables administrators to quickly detect and address risks. HID’s robust, flexible workforce identity and access management solutions provide your workforce with seamless access to the resources they need — no matter where they are.
Identity and Access Management - Technologies & Enablers to Enhance an Organizations’ IAM Security
Identity and Access Management - Technologies & Enablers to Enhance an Organizations’ IAM Security - Matthew Lewis, Product Marketing Director at HID Global
Richard Wong, Senior Vice President and Global Head of Security Market Advisory at Frost & Sullivan and Matthew Lewis, Director of Product Marketing for HID Global, discuss the status of the IAM industry, including IAM challenges in corporations, best practices to manage workforce identity & access and new innovative IAM solutions for workforce.
Speaker 1 (00:01):
Powering trusted identities of the world's people, places and things. Every day, millions of people in more than 100 countries use our products and services to securely access physical and digital places. Over 2 billion things that need to be identified, verified and tracked are connected through HID Global's technology.
Speaker 2 (00:24):
So I'm curious, from your perspective, about some of the core challenges you're seeing really today in the market. And let's just start there with maybe a summary of those core challenges.
Speaker 3 (00:44):
The first and foremost is this acceleration of digitalization and how it has had a significant, massive impact on business operations, right? Everyone, I'm sure, will agree that our business operations are very much different from pre-COVID versus what we have in terms of the current situation. And this is the number one trend which we are seeing now.
Speaker 2 (01:18):
Yeah.
Speaker 3 (01:19):
So as a result of this shift, right, I think there is a gap in terms of understanding the needs of end users, right. And especially when you think about the IAM solutions that we have. So there is a bit of a disconnect between security solutions versus the needs of end user organizations out in the market, or rather the solutions that are in the market. So the second thing that we want to also highlight is that with digitalization, we are also seeing increasing constraints in the availability of skilled manpower, people who truly understand what convergence means, as in how do you actually manage converged technologies across both the physical as well as digital domains. The third is really looking at cybersecurity attacks that are not just focusing on cyber assets, but physical assets as well. And this proliferation of ransomware attacks is increasingly putting strain on our operations, as well as highlighting or increasing that kind of business risk that we will encounter. So regulations are also definitely one area, right? They are becoming very much of a burden on our organizations, and that's really constraining how we manage items such as our data, personal data, privacy, how we actually look at the security controls that we put in place in order to protect the data and personal data. Yeah, right. So I think if you look at all these various constraints, it is really becoming a challenge for business operations going forward.
Speaker 2 (02:55):
The last one you started to touch on there, number, I guess, would be number four in your list, which is more around the regulatory environment, the compliance environment. Let's actually do a double click on that, cuz I think it's interesting. It's somewhat related to that, which is cyber insurance. So a lot of the conversations we've been having, particularly at a state and local level here in the US, state and local governmental agencies, law enforcement, as a for instance, any sort of environment where there are multiple users, maybe sharing a workstation, or there's some sort of, kind of almost transient nature to it. Healthcare being a prime example, manufacturing, I mentioned law enforcement. I think cyber insurance is increasingly taking a look at that market and applying generally 2FA, so requiring 2FA, you know, on the user's behalf, which I think's good, to put some teeth behind something like that to avoid sort of a moral hazard situation, that would never happen with insurance obviously.
Speaker 2 (03:55):
But how do you see cyber insurance maybe beginning to creep into the zero trust model? We also know from here in the States, the White House put out an executive order that was really all about zero trust. It had applicability to a number of areas in the physical as well as the digital domain, either reinforcing the current physical controls that were in place, just to reiterate that those are still a requirement, or even upping the game a little bit in the digital space. So how do you see those, kind of the cyber insurance side, which is kind of out of the private sector, maybe governmental agencies, how do you see those beginning to kind of meld and hopefully push some of this, the zero trust kind of paradigm, forward a little bit?
Speaker 3 (04:40):
Okay. So I think when you actually look at the, maybe just to respond to your mention of this executive order, right, mm-hmm <affirmative>, one point to note is that when you look at the executive order, a lot of that is really more applicable towards the government, right? Especially at the federal government level, but what we have observed with the market is any of these EOs that have been launched or published have huge implications on the private sector, right? Many organizations look at the orders and they take that as guidance in terms of what is the direction that they should also take into consideration within the context of their own organization. So if you look at the Biden EO, there was quite a bit of mention in terms of cloud, in terms of zero trust. And I think, again, you made the earlier reference on how zero trust, you know, can actually have kind of an impact on both the physical as well as the digital realm, right? This mantra of never trust, always verify, really needs to be applied across both of these worlds, right, in order to ensure a robust and secure operating environment.
Speaker 2 (05:51):
Absolutely.
Speaker 3 (05:53):
So, if you think about it, right, from an insurance organization's perspective, what they want to do is to really provide you that kind of coverage for whatever kind of accident or risk that you might face, but at the same time minimize the risk of payout that they have to actually give. Exactly. So in order to minimize that, they would expect the insured, or people who are buying the insurance, to have the necessary controls in place to be able to minimize that kind of risk. So whether it is from the executive order that has implications on government agencies, or really from a private sector's perspective in terms of how they would expect organizations to manage their risk, at the end of the day, it is important for us to really put those controls in place in a very proactive, preemptive kind of approach. Right? So that we can have those controls in terms of secure digital identity, access control architecture, to address the risks within both the physical and the digital domain. Yeah.
Speaker 2 (06:58):
Yeah, if you look at the underlying thought behind zero trust and the original intention, you can definitely take it and apply it in both of those spheres. And I think that that's a conversation we need to continue to have. You highlighted it in one of your research points. In fact, it was around the first poll, excessive privilege, dormant accounts. That's not just something that IT has to worry about. The security director that's thinking about, okay, all these people that have badges to get in my door, do they have the right privileges? Do they actually still work here, even, especially with the impacts of COVID on just general employment.
Speaker 2 (07:48):
And then I think that also extends beyond just who is employed at my company, who can access this building, in a number of different directions. There are visitors, there are contractors coming in and out of buildings, either escorted or unescorted, sometimes potentially through sensitive areas. And, you know, I'm certainly not technical, but I know if you give someone the right access to a device, they can do some harm, and it doesn't require a lot of quick access either, or, you know, a lot of time rather. And then on the other side, there's also the excessive privileges that build up with having been at a company a while. Maybe I've been granted access to other facilities, maybe even in other countries or more sensitive areas. And so thinking about how you can review those identities, review those privileges, cuz it doesn't just apply in that logical domain.
Speaker 2 (08:42):
I think it's equally as applicable in both. And I think those go hand in hand. The IT team, the security team, the CISO, you know, kind of whatever moniker or name you're wanting to use, they're really partners in helping that company begin to effectuate something different in security overall. It's a business problem, not just an IT problem at this point that we're trying to affect. And I think zero trust equally applies. Other than those excessive privileges, dormant accounts, any other kind of key areas, excuse me, you think are worth highlighting for how zero trust is gonna begin to affect those companies? You started to touch on it a little, I think, kind of through your talk with the movement to SaaS and some of that too. I'll pause there.
Speaker 3 (09:28):
Yeah. Right. I think again, you know, you touch on those points, right? I know it's a repeat, but you need to recognize that the risk will apply for both the physical as well as the digital world. So there's no two ways about it. And when we talk about that, right, essentially, you know, you can put in place the best kind of controls and protection for your digital assets, but it's literally game over, you know, once a highly capable malicious attacker gains access to your physical assets. Right. So it's important to note that cyber attackers are not just targeting your digital defenses. More often than not, they leverage the weaknesses in your physical defenses to gain access to the digital assets. So some of these methods are really commonly seen in today's context, right? Like they can be social engineering, cloning of your physical access cards, or even as simple as tailgating to get access to your critical facilities or sensitive facilities. Yeah. So once you have recognized that, then, like I mentioned, we can properly map out the types of controls that we need to put in place. And one of them, of course, is really having that kind of robust identity access management controls that can be mapped out and applied accordingly. Yeah. So I think that would help to mitigate some of the risk that we see.
Speaker 2 (10:54):
Yeah. I mean, so much is predicated on a user and their identity that it certainly seems like a very logical place, given also why we're having the conversation today. You talked a little bit there at the end, in some of your key summary, your key takeaways, about adoption of cloud and its impact on IAM. You even had a slide with some of the pros, the cons, or, you know, the perceptions of some of that. And I think that's an important topic too in the zero trust world. Because as a vendor, we certainly have an aspect to play in that. There are corporate governance and policy implications for us, you know, how are we ensuring that the systems we touch, that Matthew as the product marketer maybe doesn't have access to sensitive systems, or proper segmentation, micro segmentation, all those types of things, but also just the policies we're putting in place around things like ISO
Speaker 2 (11:53):
27000, which is particularly important and pertinent for some sort of SaaS environment. There are other standards, SOC 1, 2, 3, 4, Type 1, 2, 3, 4, you know, all of those things. But I think that is beginning to also increase. We're seeing increased requests on what are you doing as it relates to your corporate policies and how are you looking out for our best interest. There's been a lot in the media around the software supply chain, so different from the hardware supply chain, whether I'll get my Ford F150 this month or next month kind of thing, but, you know, the software supply chain and the implications of how zero trust may affect that as well, I think is increasingly important as cloud continues to speed up. And you even highlighted some of that, so here maybe add a little bit around kind of cloud and how that's gonna play a role in some of this zero trust.
Speaker 3 (12:50):
Sure. The cloud is actually one of my favorite topics because, yeah, you know, the benefits of cloud cannot be denied. And when you look at these benefits, right, it really talks about scalability and flexibility for end users. So furthermore, when you look at flexibility, it really follows that pay-as-you-use kind of model, which in our opinion is really more efficient than when you're paying for something which you may not necessarily need a hundred percent at that point in time. Right? So cloud and on-premise are essentially different deployment models. And as a result, the cost structure of each: cloud is more of an OPEX, whereas on-premise is really locked in, in terms of a hundred percent CAPEX, as I mentioned. And what you pay is essentially what you get. So what does that mean? Right? So for every X dollar in a CAPEX expenditure, you feel that fixed solution based on that fixed specification.
Speaker 3 (13:50):
And if you think about it, this is very limiting to operations and not useful for organizations because you buy something and you only use like 50% of that. So, you know, I think when you take that into consideration, those benefits do outweigh any consideration that you may have for on-premise. Now we are not saying that end users should all move to the cloud, because there are, of course, some very unique instances where users may need that. But what we are saying is that, you know, you really need to give careful consideration to make sure that you're able to do that kind of proper evaluation to identify why you should stick with on-premises when there is that cloud model that is way more attractive. Yeah. Yeah. So the other aspect is that, sorry for harping on the cloud, it's just, you know, cloud, but the cloud solution really allows users to, you know, free themselves from the burden of having to maintain the system, right?
Speaker 3 (14:55):
Yeah. Because everything is all handled by the cloud service provider, be it updates and patches, you know, the kind of administrative tasks that you may need as an end user organization, it's all taken away because this is solely the responsibility of the cloud service providers. So your stress, the pressure that you face, the kind of need for resources to be able to maintain your on-prem solutions, again, there is that reduction, and you can really focus on the core business and the core operations that you should really be focusing on. Right. I think you highlighted some of the standards that the cloud providers have to, you know, look at in terms of the ISO standards, right, as well. So any other security standards that are there in the market that are applicable, a few. Yeah. <laugh> I don't want to go through the long list.
Speaker 3 (15:47):
Yeah. But, you know, if you really look at all these requirements, it is in the best interest already, it is in the interest of the cloud service provider to, number one, be able to achieve those standards, adhere to those standards, and be able to protect their systems or the services that they provide to their end users. And why is that? Because at the end of the day, it is really their bread and butter, right? Any issues, risks, or threats that cloud service providers face, any incidents that occur, would have a detrimental impact on the operations of cloud service providers and in turn impact the end users. And that's really bad for business. So what we really want to emphasize is that, you know, hey, cloud service providers, number one, they provide that efficiency; number two, they will spend and do whatever they can in order to enhance and make sure that their security posture is really at the top, right. They will employ the right kind of skilled manpower that is needed. If you look at, you know, some of the main, major, bigger mega players, Microsoft, Amazon, the army of security professionals that they can bring on board in order to protect their environment is tremendous. So if you take all these considerations or all these points into consideration, our perspective is that, you know, cloud is really the way to go.
Speaker 2 (17:17):
Yeah. And you touched on that, I think, in one of the last slides about the labor market as it relates to skills, and, I won't say reduced, you know, competitiveness, but if you and I aren't having to compete head to head for that resource, and instead they're, you know, with a third party that is offering us some services, then we kind of all are gonna win at the end of the day. Cuz overall I think the more organizations that begin to adopt this will begin to affect kind of the defensive side of this whole equation, which currently is a little bit asymmetrical in nature. But I think the other thing you touched on, you talked about some of the differences in on-prem and cloud, and I think it's always an interesting perception battle.
Speaker 2 (18:03):
You hear very quickly when something goes wrong with a major cloud provider or there's an outage or, you know, even, and I think those were still happening and are still happening in an on-premises environment. It's just, we frequently don't hear about them. The impact may or may not be as wide, but that doesn't mean those aren't happening. So I think, to what you said, each has pros and cons, especially if you're in a particularly sensitive environment or you have data sovereignty concerns, which, that's enough for a whole other webinar. We don't have to get into data sovereignty or anything like that. But yeah, I mean, I think with where cloud is going, for sure, it's gonna be something that as companies become more familiar with it, become more familiar with the vendors playing in the space,
Speaker 2 (18:50):
we can kind of move the ball forward together. Cause the other side is the newer technologies are helping ease some of those user experience challenges that older solutions may have caused. Some of the friction with logging in, you know, with an actual OTP token versus a FIDO, let me just press the button and it sends my credential kind of thing. So I think that's making a big impact. So, and you actually touched on the last one I wanted to talk about, which was around the cost of the cloud. So I think with that, we can probably wrap up and maybe look at some of the questions that come in.
Speaker 3 (19:24):
Okay, cool. Sure.
Speaker 4 (19:27):
To our audience members, we're today's presentation, you've gentlemen of you. How big of a factor do you feel separation of duties should be in making security decisions? For example, is it wise to use Microsoft's IAM solution for Azure and/or other MS resources?
Speaker 3 (19:57):
Right. Do you wanna take this or should I try?
Speaker 2 (20:01):
Why don't you give it a first crack and then I can
Speaker 3 (20:03):
Add. Okay, this is an interesting question. Because now if you look at separation of duties, right, this is one of the underlying principles of security, right, cyber security or physical security. And then what I think the question seems to be linking is in terms of how we apply that within a specific technology platform, right? And whether it is wise for us to actually look at using a common technology platform when we want to take into consideration separation of duties. From our perspective, when we look at separation of duties, the most important factor is really about the role, right? So many of the solutions that we see out there in the market have this role-based access control, and this role-based access control, if you assign it correctly, pretty much applicable to you within your organization itself, should be able to help you to address that factor, and the technology platforms or the solutions that you use would not necessarily have a significant impact on how you split that out in terms of the separation of duties. Yeah. So that is our perspective and view in terms of that specific question. I dunno if you have anything else to add on?
Speaker 2 (21:33):
Yeah, I was gonna comment, I think, probably along a similar line, which is separation of duty tends to be more of an internal policy and workflow thing, sometimes divorced of the overall technology stack itself. So I think as long as the solutions you're looking to put in place can give the requisite step-up needs or something like that, I think there's that. I think the second part of the question, that's a little more focused on kind of the in-house thing. I think that really comes down to the needs of the organization relative to their risk profile, relative to the overall landscape that they're having to deal with. You know, there's a lot more applications than just something in Office or Microsoft 365, I think they're now calling it. So, you know, they make absolutely fantastic solutions. And so it just depends on what the organization needs based on having Salesforce, which now is forcing MFA, which is great to see, based on having, well, Tableau's now Salesforce too, any of the other systems you may have within an overall business organization and appropriately, you know, securing those. So, interesting question. Thank you for that one. There was one around PI and kind of interoperability, which we can take offline and make sure I get the right answer for that. That one can be very nuanced, so I certainly wouldn't wanna respond on air. Heather, do we have any more?
Speaker 4 (22:59):
We do. We have a couple more here. Next one is: if you had to pick a starting point for beginning a zero trust initiative, where would you start?
Speaker 2 (23:09):
I think that goes back to some of the points I was trying to make around how some of the same concepts for assessing excessive privileges, dormant user accounts, those types of things apply on the physical side as well. And at the end of the day, it goes back to understanding who is in your system, the access they have, or the privileges, rights they have, do those align with their current needs. And there's probably some audits that need to happen of systems. If you've had someone that's not been employed for seven months, that might be a red flag, but also given COVID, return to work, which you had a very interesting slide on that.
Speaker 2 (24:04):
Did the individuals, even within your company, that are current employees need some of that same access they had six months ago, two years ago, that they may not need? Or if you have a system in place, kind of for instance on the physical side, that maybe can grant time-based access or kind of a project of sorts, and then remove that access, or orchestrate that across all the different systems you need to be maybe removing privileges on or asserting privileges into. To me, it kind of all boils down to starting with identity. I think, Richard, your thought?
Speaker 3 (24:40):
Yeah. In fact, thanks for highlighting that. I totally agree with you that identity is gonna be one of the most important aspects, but sometimes if you think about zero trust, right, this is actually quite a common question that you always get from various parties and even from some of our clients, right? So you have identity, you have secure access and then you have the correct access. So what does that really mean from a very practical, implementable kind of approach perspective? Yeah. Essentially, if you think about it from a very fundamental security consideration, probably the word to use, please do forgive me if I kind of use it loosely, is really about threat assessment or threat modeling, right? So when you go through that process within your organization, what happens is that you will be identifying the key assets that you have.
Speaker 3 (25:39):
You'll be identifying the kind of existing controls that you have put in place within each of these assets, across the different systems, as well as the different environments, different facilities within the physical realm. And from there, you can also identify those identities that have access to those assets, right, and the risks and threats that you may encounter for each of these risks, right? So that threat assessment or threat modeling kind of approach does help you to provide that base and the current state in terms of where your organization is, and then to help you to find out where those gaps may potentially be. And of course, once you have that, that's where you really look at those solutions, IAM solutions or any other different types of solutions that you need to put in place in order to plug those gaps that you have identified. Yeah. So I think from an implementation point of view, that would be something on how you can translate that concept into a stepwise process for your organization. Yeah.
Speaker 2 (26:47):
Yeah. And you reminded me, one of our solutions, the physical identity and access management solution, that's one of the core processes that some of our customers have to go through, is a recurring audit of those identities and privileges associated with those, particularly in, as you can imagine, maybe something that might be considered critical infrastructure or something like that, where there's a certain level of sensitivity required or secure access. So, you know, some tools do have some of those concepts built in. So I think, to your point, it's good to start it and then keep in mind that you might want to continuously do that on a somewhat frequent cadence. So, cool. Well, I think this has been a fun chat. Heather, do we have any more questions, or how are we doing on time?
Speaker 4 (27:35):
So we'll go ahead and wrap it up unless Richard and Matthew, you have anything else you wanted to add?
Speaker 2 (27:53):
Just, Richard, thank you so much for joining me and having the conversation with me, and especially cuz I think it's maybe a little late for you where you are. So have a good evening, and thanks for doing this with me.
Speaker 3 (28:05):
Oh, thanks Matthew for giving me this opportunity to share some of the views that I have on zero trust, as well as how that can actually be linked with identity and access management. I think it's a very, very critical challenge and topic for organizations today, and also, thank you to the audience for listening.
Speaker 2 (28:26):
Absolutely.