Cybersecurity podcast Radio Logic delivers essential, no‑nonsense conversations with trusted experts on all things identity security. Hosted by Anders Askasen, SVP of Marketing at Radiant Logic and author of Cybersecurity Explained, the show draws on his 20+ years in security and digital identity to address today’s challenges.
FSP Session 1
0:00
Welcome to Radio Logic, the monthly podcast where we break down identity into something that you can take away and actually use within your enterprise.
0:09
Today I'm joined by Tom. Tom is from FSP.
0:12
Tom, welcome to the podcast.
0:14
Thanks for having me.
0:15
Tell me a little bit about who Tom is and what FSP is.
0:18
So let's start with FSP.
0:21
We are a digital transformation, cloud engineering, data and AI and cybersecurity firm based here in the UK.
0:28
But we've now got branches kind of all over the world, grown really fast, lots of acquisitions, the last two sort of recently, last year: Intuitor, which was a data and AI firm, and Hoop Cyber, which does a lot in the kind of AWS ecosystem.
0:43
And you know, that sort of data logging.
0:45
So really sort of, you know, lots of focus on security data, what we do with it, making intelligent decisions with it.
0:51
And there's no secret.
0:53
And just for full disclosure, you're a partner of Radiant Logic.
0:55
So we work closely together with customers, and the main field there is always the identity.
1:00
And the way that we see identity is, at least from Radiant Logic's point of view, we see identity moving more and more into, or closer to, security.
1:08
And that rhymes well with what you guys are doing. Absolutely.
1:13
So at FSP I lead the identity and security architecture practice. In a previous life, I've been a customer of Radiant Logic when we were at Refinitiv, and then becoming part of London Stock Exchange.
1:25
I think really saw the benefits there of using that kind of virtualisation, of bringing the data into one place and just being able to use it, slice and dice it, whilst organisations are going through those sort of big changes and having to see people through different lenses.
1:38
I've been in the space for 25 plus years, and one thing that always strikes me is that it feels like we're sometimes battling the same type of problems over and over again.
1:50
The flavor changes slightly, but it's still the same drink, if that makes sense.
1:54
A lot of the customers that we've been dealing with, they have a built-up, you know, legacy depth of old technology.
2:03
It's just difficult to get rid of that.
2:05
Is that how you see your clients also?
2:09
Yeah, definitely.
2:10
You know, there's, there's lots of factors that mean you end up with identity data and things that would be really useful if you could just make good use of it siloed all over the place.
2:19
You know, there's things like applications where there's only 5 users in the business, so you don't pay the SSO tax.
2:25
It's extremely frustrating.
2:26
The user experience is worse, and the governance of managing that silo just becomes much more difficult.
2:32
But when you take, you know, little incidents like that, multiply them out, you can see why we end up in this kind of identity data debt, and it just makes governance and the user experience, you know, worse and more difficult.
2:44
And I guess that's the first part that you look at as a consultant when you try to guide and steer and help customers to get some kind of sense and maturity of this type of landscape, is to reel everything in and to create that unified layer of identity data.
3:02
Is that right?
3:03
Yeah.
3:03
I mean, it's kind of boring, isn't it?
3:05
Banging the old drum.
3:06
But if you don't know what you've got, you can't protect it, you can't secure it, you can't make it better.
3:10
So it comes down to kind of asset management, doesn't it?
3:13
But if you can bring the data into one place, you can start to look at the risks, you can start to manage that down, track it over time.
3:21
And I think, you know, we've had some really interesting conversations with organisations of all shapes and sizes, different industries over the years.
3:28
And you know, they're doing good things around data management, right?
3:31
Good master data management, looking at financial data, medical data, and the benefits of, you know, doing the same things that we talk about in identity data: bring it into one place, clean it up, de-duplicate it, make sure it's available to different people with good governance models around it.
3:47
So people don't go, you know, shadow data and do their own thing.
3:51
So all of those kind of, you know, good positive traits around data management.
3:55
Certainly we can apply to identity data as well.
3:58
I think what's interesting in sort of the identity and security space is thinking about the different speeds at which we need to do things with that data.
4:05
So sometimes, you know, an access decision needs to be made right at the edge.
4:09
When something bad happens on an endpoint, sometimes it's months later.
4:12
It's forensics.
4:13
You know, we need to look at it and go what what went wrong there?
4:15
And can we learn lessons from it so it doesn't happen again.
4:18
And to that point of lessons learned, I mean, we see every year several reports come out from Verizon with their breach report and from IBM and other players, and they're interesting reading, but they all send the same signals that identity is the cause of a lot of these problems.
4:37
Typically it starts with some kind of trigger that is social engineering.
4:41
But ultimately there's the identity that is the culprit of everything.
4:47
Right.
4:48
Yeah, it's kind of a difficult position, isn't it, when, you know, the area that you are helping clients with is always the number one sort of category in these reports.
4:56
And why haven't we fixed it yet?
4:58
I guess the reason we haven't fixed it yet is because it's a wicked problem.
5:01
It gets harder all the time.
5:03
And talking about that sort of identity debt, you know, what do we mean?
5:06
Why is it not fixed?
5:07
So I think over the last couple of decades we've made some real improvements in security and in the sort of usability of what we now call identity security tool sets and controls.
5:20
So if you think about, you know, 10, 15, 20 years ago, people having hundreds of different, you know, usernames and passwords and writing things down, you know, moving to more centralised authentication, so single sign-on, and then securing that using things like MFA so we can stop some of those attack paths.
5:36
You know, we've made some real improvements.
5:38
And I think, you know, even MFA, which was maybe not always the most user-friendly thing, you know, the constant pop-ups hundreds of times a day, even that's getting better.
5:46
And we're more context-aware when we use things like MFA and, you know, using the intelligence we've got about what's going on in the environment, not to pester the user if we don't need to.
5:55
Do you have a pattern when you go in and advise clients? They have some kind of identity project that they want to embark on, and where do you start and how do you progress?
6:08
How do you make sure that that project actually succeeds?
6:12
Because in my experience, a lot of these projects have a tendency of failing.
6:16
You scope it incorrectly, you focus your attention on the wrong things, and at some point it just becomes that never-ending project that doesn't deliver the value that it was set out to do.
6:28
What do you say to clients when you scope projects?
6:31
I think, yeah.
6:31
I mean, it depends why you're coming in and where you're starting.
6:34
But again, you know, having that inventory, having that asset database, you know, whether it exists or whether it's something you have to start creating, or at least labelling something you already have, and being able to track that over time.
6:45
So you can see, here's what we have here are the risks.
6:49
It's not going to be a complete picture.
6:51
I think we've had this discussion internally so many times about how do you start projects when everything's not perfect?
6:57
Well, it never will be perfect.
6:58
You'll never get there.
6:59
So you have to start with, you know, the data, the systems that you've got and start to prioritise risks.
7:05
You know, so we've got what we've got, we can't know everything.
7:08
You know, if you think about a bunch of accounts, whether that's humans or machines, what do we know about them?
7:14
And you know, if that inventory of accounts and so on is incomplete, well, the fact that it's incomplete is itself a risk.
7:21
So we can start to look at, you know, how do we get better insights into what these accounts are, how they're behaving.
7:26
You might not always have the tooling for that or the data, but, you know, you can start to track that as a risk itself.
7:32
I think the other thing is a lot of these kind of operational technologies like directories and so on that we've been living with for years.
7:39
They are operational technologies, right?
7:41
They are in the moment.
7:42
They don't always have that good kind of audit trail and ability to go and look back and understand how we've improved over time.
7:49
So again, being able to capture that data and look at it over time and show improvements, and understand where, you know, changes perhaps haven't materialised the improvements that you were hoping for, is really important.
8:00
So yeah, it sounds like you have a pattern that, yeah, has a tendency of data gathering.
8:06
It starts with the data, make sure that that's under control, clean it up, and once you have done that, that's where you can start evolving that program, and that's where you start seeing some of the benefits as well.
8:19
And to me, when you explain this, it kind of rhymes with the big security frameworks where you need to have that inventory of, you know, devices, servers, machines, network equipment, etcetera.
8:31
Same thing applies to identity, doesn't it?
8:33
Yeah, absolutely.
8:35
Doesn't matter which framework you're using, you'll find a control in there that says, you know, build the inventory and look at privileged accounts or look at standard accounts.
8:43
Look at, you know, is MFA deployed everywhere. There's always that step of, you know, know what you've got and then start to apply the controls in a risk-prioritised way to it, which is really hard when you don't have the inventory, or when you're going back to an auditor or a regulator and saying, well, we've got 100% of our accounts with MFA enabled.
9:03
And then they come in with a pen test.
9:05
Is that the case though?
9:06
Do you reach 100%?
9:07
Well, no one ever reaches 100%.
9:09
But the problem is, we start to game the stats, right?
9:11
So you say, well, 100% on these systems in scope, but all of those systems where, you know, there's five people in marketing that use that system.
9:17
It's too small.
9:18
We didn't pay the SSO tax.
9:20
So we don't know if it's got MFA or not.
9:21
We don't know if the people that had access to it, that left last year have still got access because we have no insight to what's going on in that silo.
9:27
So it's back to that identity debt.
9:29
You know, we'll try and do the right thing, but it's really hard when you don't have visibility and that observability of what's going on across the whole estate.
9:38
But tell me, why are we still stuffing around with these old legacy systems that, you know, they're difficult to integrate with?
9:46
They have proprietary protocols and they're just a nightmare to integrate into a modern solution.
9:52
Why are we still having that same problem?
9:56
I think all organisations have legacy.
9:58
I think if you go in to help an organisation with an expectation that we're going to do greenfield, and, you know, it does happen, we do have those rare gems where we start, you know, real greenfield.
10:09
Everything's brand new, cloud-based, but they're pretty rare.
10:12
Most organisations, especially ones with the interesting, chewy, technical, complex identity environments, if you will.
10:18
Yeah.
10:19
You know, they have that legacy.
10:20
And I think if you pretend that they don't and just say, well, you know, we're only going to work with this stuff.
10:25
We're going to put the scope around the new things because we know how to fix that and the tools work with it.
10:30
You can't ignore the legacy.
10:32
You know, that might be the systems that are running on extended support and not getting patched.
10:36
And if they get breached, we need to be able to contain that blast radius and make sure that, you know, the access from that doesn't spread to other systems.
10:43
So you really need to, you know, make sure that your strategy and then your tooling is able to cope with the legacy systems that may talk protocols that don't integrate very well, because if you leave them behind, then that's, you know, you're accumulating more debt, right?
10:58
But how much is tooling versus strategy?
11:02
I mean, the tooling can solve so much.
11:06
And yeah, the processes and the people, they obviously need to adapt to that as well.
11:11
And there needs to be a long term vision of where do we want to be, right?
11:15
Yeah.
11:16
And I think we always talk about this, you know, even the best technologies, and we work with lots of vendors and some great technologies, even the best don't do everything that, you know, the marketing teams say or that the client really needs them to do.
11:31
So there's always that process of taking the tooling that's kind of the best fit for the client problem and making it work to actually solve the problem.
11:39
So that involves a lot of glue and putting good process around it, good governance.
11:43
Again, you know, this is one of those areas where the data and the observability is critical because you can see the gaps where the tooling doesn't work or where, you know, there's that silo of users who aren't included.
11:53
So we can at least see the risk and manage it in other ways.
11:56
I think if you just ignore it and focus on just, you know, the technology that works well together, we end up leaving a lot of people out in the cold, and that's where risk breeds.
12:06
And obviously Radiant Logic is an identity data company, ultimately, where we do exactly what you're saying.
12:13
We're unifying all these different identity silos across all different types of identities.
12:19
And today we have, you know, we have human identities, which is a problem that I believe we have solved, and we have some patterns on how to tackle it.
12:27
But then we have machine identities, and we have the emerging category of agentic AI identities with a whole different set of problems and that ephemeral nature of just-in-time access that is needed, etcetera.
12:41
But being able to unify that and getting those controls, which rhymes well with the security frameworks, right?
12:47
That always stipulate that you need to know what's out there in order to control and see and secure and protect it.
12:54
And then once you have that, that's where I think, and to your point, you can mature your identity program and add that observability layer where, if there is an anomaly, if there is some kind of breach of trust and things start happening, you need to have that insight into what's going on in real time, not only the static point in time.
13:18
You know, here's October 1st and this is how the access looked at that time, which serves well for the auditor.
13:25
But from a security point of view, it doesn't really. You need something that's faster, more agile than that.
13:31
And once you have that observability layer, then you can make decisive actions and act on that data and, you know, shut access down instantly or send a signal to other security vendors like Okta or CrowdStrike, what have you, to do something decisive.
13:47
Yeah, I mean, you know, context is king, right?
13:50
You can't make good decisions with very stale data.
13:53
And I think, you know, going back to why we built up this identity debt, is a lot of the data that we relied on, even when we had good processes, which were at the limits of what was acceptable organisationally and technologically to put in place, you know, an annual recertification, it's fine.
14:10
But when we look at that in reality, what actually happens is, you know, it happens once a year.
14:14
So you know, at best it's this week, at worst, it's 11 1/2 months old.
14:21
And also once you've done it once, you know, the tendency is for line managers, system owners and so on, not to stop the bus, is to say, yes, they still need it.
14:31
So again, we're really good at giving access out because we want to, you know, give people agency to do the things that are economically valuable in that business.
14:41
Very bad at taking it back again.
14:43
Is there a mechanism to do that?
14:46
Because I mean, if we're talking about least privilege, which is popular within zero trust philosophy, and that seems to be the way for the future to actually be able to secure some of these different identity problems.
14:58
Is there a pattern on how to reach that?
15:01
Is there something that you want to pass on?
15:03
There is.
15:04
And I'm going to get the terminology wrong.
15:06
So for the biologists tuning in, you know, in nature, right?
15:10
Where anything, any sort of, is it anabolic builds up and catabolic breaks down.
15:17
So most processes are pretty good at self recycling.
15:21
We are really bad at building processes that give access out and there is no kind of termination date or criteria for when that gets taken back again.
15:29
So naturally, and this has been written out a lot in the last few years, you know, you just run that process and naturally access stacks up.
15:38
What we need to do as a real fundamental principle is almost no access is given out without an end criterion.
15:45
So at some point we know it's going to be recycled and taken away, and whether that's, you know, just-in-time and it lasts for an hour, or context-dependent, that when you shift context it's taken away, you've got to have that.
15:58
You know, that always has to be an endpoint.
16:00
Where do you see that responsibility falling? Is that, you know, I represent a vendor, or you represent a system integrator, or the customer?
16:09
Where does that responsibility sit? Who's going to be more successful in actually putting this out there?
16:15
It's huge, it's a combination of efforts, isn't it?
16:18
Because I think you can't take access away when it's hard for people to get the access in the first place, because you're adding friction so the business won't tolerate it, and system owners and so on.
16:29
If you don't make it easy to administer this and make it easy, you know, for a user to get the access, I mean, it should almost be friction-free, right?
16:37
The context and the business purpose of what am I doing?
16:40
What am I supposed to be doing?
16:41
What are the bounds of the kind of resources and assets that I can use to do that?
16:46
If you've got that data in context, you can make smart decisions without necessarily needing a human in the loop to go and say you absolutely can have, you know, that group to that share to that data.
16:56
Is it as simple as: you have no privileges, no birthrights, and when you request access, that is always time-predicated.
17:05
So you'll have that access for a certain amount of time and then it automatically, you know, gets removed.
17:10
Is that the solution?
17:11
Yeah.
17:11
And I think we've kind of been there in the best cases for a while, haven't we?
17:17
So what, you know, where single sign-on works really well is there's a leaver event, and that leaver event cuts your account and then cuts access to everything.
17:24
But as we've sort of moved to that patchwork quilt of SaaS apps and things that, you know, didn't quite integrate with single sign-on, that's where you end up with these silos at risk where that end event doesn't happen.
17:35
Equally, as attackers have started to use access and so on as the way that they move around the networks, daily resources, cause economic damage, benefit to themselves, that access that's there as a birthright that lasts forever isn't appropriate anymore.
17:53
We need to dish it out, take it back, and, you know, it shouldn't be static access.
17:57
It should be, again, it's back to the context.
17:59
You know, it's fine for me to be doing something in the finance system if I'm a finance manager at 2:00 on, you know, the 1st of the month, closing the last month off.
18:08
But if I'm doing it from an unknown location at 3:00 in the morning, that's weird.
18:12
So it sounds a little bit like you're in that paradigm shift between operational problems versus security.
18:20
And they don't necessarily solve the same or address the same things the same way.
18:26
And that we need to think more about security.
18:28
So if we're wrapping up our conversation and we kind of want to, you know, face the audience and give them some kind of recommendation on how to address the problem and how to go forward with this.
18:40
What would you say?
18:41
So I think one of the things we've talked about is that sort of security identity data debt. I think one of the worst cases that we see is people who've got the scars from doing like a big RBAC project, right?
18:53
So they tried to define birthright and kind of ahead of time what this job role should do and therefore what it needs access to do throughout its lifetime.
19:02
And we know what happened, you know, without an awful lot of maintenance they proliferate, and we create new roles for this and new roles for that and new roles for the project.
19:10
And people end up with, you know, very composite roles, but you end up with more roles than people.
19:15
And that's just not manageable.
19:17
And again, it's because, you know, that static role that says this for this isn't taking into account any of that sort of dynamic context that's needed.
19:25
So I think, you know, role based approaches, maybe for some of your true static entitlements, like, you know, you have a Microsoft Office licence for your entire duration because it's needed to do everything else.
19:36
But for most things, thinking about, you know, what's the business purpose?
19:40
And you know, can we do that in a dynamic and sort of policy driven way?
19:44
So we know that, you know, if you're having access to something, it's within that remit, but we don't have to specify it so granularly.
19:52
And of course, you need the tools that are able to take that information and make those smart decisions, that has that balance between is this risky and does this enable the user to do what they need to do?
20:03
Tom, thanks for bringing your wisdom to the podcast and thanks for joining.
20:07
As we can tell, Tom has battle scars from doing complicated RBAC projects, where defining roles has led into a big explosion, and I think we all listening to this podcast can appreciate the problem with that.
20:23
And with that, we thank Tom for his insights, and over and out.