WEBVTT

00:00:00.330 --> 00:00:41.250
Anna Delaney: Hi, I'm Anna Delaney with ISMG. Welcome to part two of a three-part video series, which focuses on identities as assets, and how to create an identity strategy within the broader context of zero trust. And joining me to share insight on how to do so are CyberEdBoard members - Andrew Abel, cybersecurity and zero trust consultant based in Australia, and Chase Cunningham, CSO at Ericom Software. Good to see you both again. We'll be expanding on defining and securing human and non-human identities within the zero trust model. But first, how or where is identity often misunderstood when implementing a zero trust strategy?

00:00:42.830 --> 00:01:15.980
Andrew Abel: Yeah, sure, I think that identity is often misunderstood in terms of the importance and the risk that they carry. I think a lot of organizations just create identity after identity that they never clean up. A good example in that traditional sense is service accounts for applications that get created in an Active Directory, and then they just stay there forever. Because the application's long gone, the people who sponsored getting it onboarded are long gone, but the service account remains, and they're often badly configured and open to abuse and carry a risk that shouldn't be there.

00:01:15.000 --> 00:01:48.090
Chase Cunningham: The market has been driving really hard at telling people to start with identity as almost like a - I don't know - biblical reference. I don't necessarily disagree with that, because identity is super important. But the point is, we say that humans are a key piece in this whole place. Humans, we use identities. So if you're looking for the ... I guess you'd call it kind of the gear that the mechanism of cyber revolves around, it's going to be identity. So you should have a plan in place to take care of that really critical piece of this machinery.

00:01:49.770 --> 00:02:01.050
Anna Delaney: And Andrew, in our last video, we explored what we defined as human and non-human identities, but I was wondering if you could dig a bit deeper as to maybe share examples of what you exactly mean?

00:02:01.660 --> 00:04:21.490
Andrew Abel: Yeah, sure, I've got a couple of images that might help people to understand where we're going with it. So I'll just share my screen now. Basically, when I think about identities, I've sort of come up with six human types of identities and five non-human types. So it just goes to show that when you are trying to define identities and look at them in the context of assigning controls, putting role boundaries and wrappers around them, and segmentation, there is quite a fair bit to consider. So when we look at the different types of identities, I'll just move ahead to give people an idea of what I'm thinking in the human space. So to me, the six different types, and these are green to red in terms of the risks that they carry, in my experience. So you've got your general user accounts, you've got shared accounts, which you may have to use in certain organizations on shift or rotation, they have a limited number of accounts that are shared for various reasons. And then there's information. So you've got information people might have access to, information resources in an organization such as financial data of customers, or various other highly valuable or sensitive information. And then we've got the local admin accounts, they might be server admins, or someone who's in the support team, or the service desk, who can log on locally to a bunch of domain controllers or application servers. And then they have local admin privileges to those. And then the last two are the sort of the high risk ones in my experience that are around the application administrators. So when you buy an enterprise application that comes with built-in high level or privileged access, or administrator access, that you assign to people or processes or non-human identities to run processes. They're the ones you need to be really worried about, because they can make fundamental changes to the enterprise application. And then, of course, the traditional privileged distributed user, which is you talking about your IDs, the domain admin, your schema admin, and your enterprise admin. So that's sort of how I've split it up. And it gives people an idea, and these are just ideas that I've had. So it gives you a flavor of how much there is to consider when defining the different types of human identities. And you can see there are some that are high risk that need a lot more control and thought and boundaries put around them.

00:04:23.190 --> 00:04:24.840
Anna Delaney: How about the non-human identities?

00:04:26.130 --> 00:05:13.680
Andrew Abel: So for the non-human identities, there's five there. So I've come up with some. The function one, which I've sort of basically called IoT, or hardware accounts, where they're just sending telemetry back to a central source for processing; the orchestrating non-human accounts, which are like bot accounts, which may run and do some data crunching or run up a VM or something and do some work and then shut down; the traditional service accounts that we sort of touched on to run applications. And then the other ones are the assumed. So what I call assumed is like an AWS or some cloud environment where a machine or non-human identity will assume a role to carry out a process, and then release the role again once the process is completed; and then your traditional machine identities as well for all of your servers and workstations around the network.

00:05:15.190 --> 00:05:27.400
Anna Delaney: Very useful and very clear. Chase, so bearing in mind what Andrew just said, what does the zero trust roadmap look like? And where should organizations start?

00:05:28.320 --> 00:06:22.620
Chase Cunningham: Well, I think the thing to really start with, and he showed it there, is the issue you have about the most powerful identities, the most powerful accounts that are inside systems, anything that is above, kind of, basic privilege level. Take care of those first - admins, application administrators, the privileged local, even those are really valuable to take care of. I did a study on this that validated the point. Folks weren't even necessarily concerned about whether or not a compromise would happen, that was a given. Everyone was concerned about lateral movement after they got in and where they went. So the way you solve that is by getting rid of these excessive privileges. It's okay if there's one administrator, that you might have missed an account, and that's got control somewhere else. But what you don't want, and what we typically see in large enterprises, is hundreds, if not thousands, of those privileged administrator accounts with excess of controls on different systems.

00:06:23.080 --> 00:07:44.110
Andrew Abel: Chase is spot on there. And again, part of the idea around the split here is that you can look at, you know, we've got X number of enterprise applications, so each of those are run by a certain application owner or a business group or whatever. And then through understanding that, you can work out, well, how many high-level admins do we need to operate this platform? What's our process? How do we add and remove people from that privileged group, you know, and again, a lot of the problem with identities is the offboarding, like not the creating. There's never a problem with creating identities with privilege, but it's the offboarding as well. So it's sort of a real-time, constant process. And that's why even in the IAM space, I prefer the IGA - identity governance - because creating an identity and assigning it access is fine and great and part of the process, but knowing what that identity is doing, and when it executes privilege, and what risk it carries in real time is where the future of zero trust and identity operation is to me, because if you just create an identity, assign them access, and then manage them in terms of moving them in and out of groups or whatever, that's a bit cumbersome and the horse is already down the road and around the corner by the time you've got an issue. It's that governance and that real-time alerting and telemetry around privilege execution and identity usage that to me will be the future of where zero trust will hit in the identity space.

00:07:45.490 --> 00:07:50.320
Anna Delaney: And how does this potentially change the zero trust journeys organizations have begun, Andrew?

00:07:51.590 --> 00:08:32.960
Andrew Abel: I think that a big part of doing zero trust well, and even more broadly than that, limiting your cyber risk, is understanding your environment. And as Chase said before, the identities are where it's at, in terms of, even, you know, whatever your resources are, your assets or your crown jewels, at the end of the day, you need to have identities accessing them to do stuff to just drive the business and complete our processes. And, you know, drive growth. So by understanding the different buckets, or the different roles, or whatever, and putting the right level of controls and least privilege around these different identity types, at least gives you a plan and a strategy that you can use for your unique organization as well.

00:08:34.760 --> 00:08:36.470
Anna Delaney: Chase, would welcome your perspective too.

00:08:37.110 --> 00:09:25.710
Chase Cunningham: Well, the proof is in the pudding. You know, I like to deal with numbers and data. So I think that the folks that think that you can solve this in sort of a one-off approach, you can't. It's too big. This is really good validation of the fact that you need some sort of solution. I don't care what solution it is. But you need some sort of scalability, you need some sort of leverage of automation/orchestration to be able to do this. And I mean, these are four single-ended entities. You're talking big, big numbers. So I really think that folks, when they're talking or when thinking about putting the strategy in place, understand that you're going to have to take a bite of the apple and leverage some sort of capability, whether it's open source or vendor provided, whatever, to do this at the right scale. You cannot take care of identities on a spreadsheet.

00:09:26.500 --> 00:10:09.250
Andrew Abel: Yep. That's exactly right. And I think that the idea of, like we touched on in the previous video around the IAM platforms, and you know, one of the misconceptions with zero trust is you need to go out and buy all these big enterprise things that can do network segmentation, or IAM or some other thing, but that's not the case. So what I advise people to do is to understand this stuff first, and then go to market for your IAM platform, and then roll in your device, your endpoint control, your EDR stuff, look at your network segmentation, but ultimately, you've got to pick a solution and a product and a platform that matches how you want to operate within your organization - not trying to morph your organization to fit the limitations or capabilities of any specific platform.

00:10:10.600 --> 00:10:17.680
Anna Delaney: Very good. Well, gentlemen, this has been thoroughly informative and useful. Thank you very much for your time, and I look forward to the next in the series.