What are we doing to improve access management? Make it too loose and it’s the number one way organizations get breached. Put on too many controls and now you’ve got irritated users just trying to do their job. How does each organization find their sweet spot?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Paul Guthrie (@pguthrie), information security officer, Blend.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Opal
Full transcript
Intro
0:00.000
[David Spark] What are we doing to improve access management? Make it too loose and it’s the number one way organizations get breached. Put on too many controls and now you’ve got irritated users just trying to do their job. How does each organization find their sweet spot?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode, it’s Geoff Belknap, he’s the CISO of LinkedIn. For a moment, Geoff, get everyone comfortable with your voice. Your voice sounds like?
[Geoff Belknap] Hey, everybody. This is Geoff. Pull up a chair, get comfortable, let’s light the fire, let’s talk about stuff.
[David Spark] We’re going to talk about something related to cybersecurity. I hope that’s okay with you, Geoff.
[Geoff Belknap] Well, that’s the stuff I implied, yeah. I don’t really know how to talk about anything else.
[David Spark] [Laughter] I have to say you must be fun at parties.
[Geoff Belknap] Sad but true. I am a pretty boring guy unless you want to talk about cybersecurity or the Buffalo Bills, that’s it.
[David Spark] Oh, there you go, so you have two topics you can discuss.
[Geoff Belknap] That’s it. Yeah, I’m multi-topical.
[David Spark] Just as long as people want to talk about that at a party, you’re in good shape.
[Geoff Belknap] That’s it.
[David Spark] We are available at CISOseries.com where you can find all of our programming, not just the wonderful Defense in Depth with Geoff Belknap. Our sponsor for today’s episode is Opal. They are all about securing the identity perimeter and guess what? That’s what we’re going to talk about with our guest today who Opal is responsible for bringing us.
But let’s get our topic going. Now, Geoff, on LinkedIn you asked this question – what is the one most significant action you’ve taken to improve access management? And what’s interesting is you added the change management question of how did others accept that and did you need to shift culture to get accepted.
So, access management I have to assume is an ongoing struggle to try to find that sweet spot between too tight and too loose as the way I described it in our opening. Yes, is that the case, Geoff?
[Geoff Belknap] That’s a great way to describe it, and I think more to the point it’s how to keep it in that sweet spot because I think most of us that work on this problem can get it to where we want it but keeping it there over time becomes very challenging.
[David Spark] Excellent, excellent point, and you know, we should address that on today’s show. And we have a great guest who actually uses Opal in his environment and thrilled to have him here, our sponsor guest, it is the information security officer of Blend, Paul Guthrie. Paul, thank you so much for joining us.
[Paul Guthrie] Thanks so much for having me, David. Really looking forward to this.
What’s the optimal approach?
2:42.101
[David Spark] Jesse Webb of Avalon Healthcare Solutions said, “We use a three-tiered access strategy/design to avoid share fate failures. End user domain with SSO to most systems, data center identity that is only for servers and users maintaining systems in the data center, and external customers with SSO access to all front door services.
We use SSO…” I should mention that’s single sign-on “…to reduce user abrasion due to the separation and an enterprise credential manager. MFA, multifactor authentication, is required for all external access by employees and customers.” So, pretty substantial process there.
Kevin Kiu of Safebase said, “Okta with managed device trust via Jamf to prevent users from using non-work devices to access sensitive apps. We also rolled out Okta Verify and reduced the need to enter passwords. Far less confusion and accidently saving passwords using Chrome/Safari browser password managers.” And lastly, Patrick Garrity of Nucleus Security said, “Implemented FIDO Alliance U2F for MFA for a more secure and better end user experience.” All right.
Geoff, these are pretty proscriptive and detailed processes. I mean, they seem sound but, like what you were saying, things can drift in and out. What are ways that these kind of situations can drift in and out?
[Geoff Belknap] Let’s start by just saying all of these are phenomenally good ideas. Having SSO, having a separate identity they might use for production versus maybe your business identity apps, using U2F or WebAuthn for your MFA, which makes phishing much more difficult, and even my current favorite topic, which is just get rid of passwords, right?
So, you don’t have to worry about passwords being stolen so much if you don’t have passwords. Now there are other things that could get stolen, but you’re leveling up the complexity that is required to successfully compromise your identity environment.
But what’s challenging is all of these things are great, they all help build a great defense for your environment, but they don’t address the thing that I think our guest and I deal with day in and day out which is what should David be allowed to access day in and day out? How do we make sure that he hasn’t exceeded the things that he should access day in and day out and how do we stay on top of that?
And especially if we’re at a high-scale organization, how do we determine who gets to make those decisions? And I think that becomes very, very challenging when you get to the things that humans usually decide and then you have to move to systems that help you make those determinations for you.
[David Spark] All right, Paul, I’m going to throw it to you. This is really, teeing off of what Geoff said, is it agreement that these are really good solutions here, but the real challenge is the individual access management, yes? And I mean, how much of a bugaboo is that for you?
[Paul Guthrie] Well, I think it’s a bugaboo for everybody, to be honest. It’s one of the greatest risks that we as information security professionals face is overprovisioned accounts. If an overprovisioned account is compromised, then an attacker can gain access to some system or resource which the actual user account shouldn’t even have been provisioned for in the first place.
And so that’s something we try really, really hard to stop at Blend by having a lot of ad hoc or ephemeral access to systems, especially when we’re talking about privileged systems. And so it used to kind of be the pattern that everyone would have a nonprivileged account and then administrators tended to have a privileged account that they had all the time.
And so if you look at a lot of pentest reports, as I’ve done in my life, you tend to see a similar pattern, which is an attacker compromises a privileged account and then uses that privileged account to move through the network. And that’s one of the things that we try to stop by essentially devaluing accounts as much as possible.
[David Spark] Geoff, is that really the best solution? Because, I mean, the story that Paul just said is a story we’ve heard again and again. Someone gets access to someone’s account, it’s got way too many privileges, and then they cause havoc. This is the number one problem you’re constantly dealing with, yes?
[Geoff Belknap] Oh, absolutely. If they land past your identity perimeter, which is all these great solutions are fantastic for hardening the perimeter, if you don’t have a focus on authorization and limiting and managing access internally, you’ve effectively just hit the jackpot as long as you can get past and land in somebody’s account.
So, that day-to-day deciding how do you make sure that you don’t have overprivileged access is really the challenge here.
What’s our visibility into this problem?
7:39.838
[David Spark] Kris Arthur of SEKO Logistics said, “It’s basic but user access review of accounts.” Abby Rowe of KPMG US said, “Performing role mining and optimizing entitlements on bloated identities. Job responsibilities should match their access, especially for privileged access.” And Laurie Kenley of Microsoft said, “Mine is a massive deprivilege effort that became a streamlining of roles and role-based access overall.
We kept peeling back the layers for a while, who had this access, why do they have it, what business function did it serve, before finally getting strategic. All of this had a big impact on the organization while it was in process, lots of confusion and business processes that got upended. Eventually, security champions lived in all the app teams to help get everyone into the new system and stay green [Phonetic 00:08:43].” This is a great example, what Laurie just mentioned at Microsoft, is that it sounded like there was a little pain but by getting the security champions onboard, they were able to work their way through it.
Paul, did you have a similar experience? What did you do to try to deal with this issue of too much privilege?
[Paul Guthrie] Well, one thing we did was we separated privilege really into three areas – birthright access, which is access you have just by the nature of the organization that you’re in, we have multiple organizations, and the cost center. In other words, essentially your job function. And ad hoc access, which is essentially to anything you don’t get through birthright access, something that might cost a little extra or something that not everybody needs.
And then finally, privileged access that we look at just like ad hoc access, but it’s got an additional twist to it, and that additional twist is that it must be tied to a Jira ticket. Then that way somebody can take a look at the request for privilege access, they can say that the resources that are being requested make sense for this ticket, and then when the ticket is closed also the access is taken away.
And that way, we have very ephemeral access, especially to privileged systems or privileged accounts in production environments.
[David Spark] Yeah. You don’t want things sort of staying static when they don’t need it. Geoff, how did you handle this and do you have moments of pain that you sometimes have to get through? And when I say pain, it’s often not your pain, it’s the people you’re dealing with’s pain.
[Geoff Belknap] Yeah. I think if the organization is ready to accept pain, then we’re done. We can just go through and strip everybody’s access every week. But the reality is, we’re… I mean, this is the friction that we’re always dealing with, people like Paul and I. We are trying to make little changes to people’s access so we don’t have to go through this experience that Laurie articulated, which is weeks and weeks of just digging through this rabbit hole of why does David have this access, why does Geoff have this access, and that’s really hard.
So, any small tweaks we can make or any upfront automation we can build that figures out when we hire Paul or Geoff or Denise, whatever it might be, what should they have access to, and how do we know when they should elevate that access, how long should they elevate that. These are all very simple concepts to sort of put out on the whiteboard but implementing them becomes really, really hard and getting insight into what people actually need and what people actually use day to day, that tends to be the secret to figuring this out.
[David Spark] Is there any of this that can be automated or is this a lot of manual provisioning that’s going on, Paul?
[Paul Guthrie] We automate pretty much all of it, to be honest. So, first of all, to the concept of friction – by removing friction in the process, it makes it much, much, much easier for users to request access to something. So, something that we’ve done is we’ve bundled together – when we talk about access – network access and logical access.
So, we use a zero-trust system and essentially when somebody requests access to a particular resource, we both give them network access as well as logical access. But also if necessary, we’ll even automatically install software for them to use that resource and provision a license for them. And so those four things together make it so there’s very little friction, so a user doesn’t have to go out and open multiple tickets to get access to a particular thing, which is highly annoying.
So, by automating these entire processes, we made it easier for the user overall and that makes the user acceptance much higher.
[David Spark] And just very briefly because I’m going to be talking about our sponsor in just a second, is this what Opal is doing for you?
[Paul Guthrie] Opal is doing this. Yes. Opal is a big part of this equation, and we’ve even automated the configuration of Opal. So, if, for instance, we detect a new resource within our environment, we auto provision the access flows into Opal. And so from a perspective of my team, it’s not even done manually.
A lot of this is purely automated. We see a new resource; we automate a new flow.
Sponsor – Opal
13:00.164
[David Spark] Paul was just talking about Opal, and they are our sponsor for today’s episode, and I do want to tell you exactly how they’re dealing with this very issue about access. So, as we’ve been talking about, access can be really hard to calibrate. The “who you are,” “what you do,” and “why you need it,” is a complex set of relationships when framed against the reality of work.
It’s not just about implementing the best practices we know, but how to integrate them with the culture and habits of a particular organization.
For the teams responsible for nailing this balance, this can be a daunting task. The policies involved can be complex, and in sensitive systems the stakes are high. Too much access, and you can give a bad actor an opening, as we discussed. And at worst, this results in the company-ending breach. But too little, and you put roadblocks between people and their work, thereby slowing the business down.
Neither is good.
So, Opal is designed to give teams the building blocks for IAM strategy, identity access management, and seamlessly apply intelligent policies that are built to grow with your organization. Whether that’s setting good rules for day one access or helping to clean up the rat’s nest of long-lived access in the cloud with time controls.
Opal is used by best-in-class security teams today, such as Figma, Databricks, Paul’s company Blend, Marqeta, Scale AI, and more. There’s no one-size-fits-all when it comes to access, but they’re here – Opal – to provide the guardrails every step of the way. Check them out at their website, it’s opal.dev.
Would this work?
14:47.068
[David Spark] Avani D. who’s with Schellman said, “Recently met an organization that used dynamic access matrix system. Unlike traditional static access control lists, this would adjust access permissions based on real-time contextual factors. The system even utilized artificial intelligence and machine learning algorithms to analyze user behavior, location, time of day, and other relevant variables to dynamically determine access privileges.” I’ll start with you, Paul.
Is this what you’re getting because you were talking about automating a lot of this behavior?
[Paul Guthrie] Kind of. I mean, certainly, I mean, to be blunt, I think AI is probably a little premature for this at this point. I’ve definitely seen some rules-based systems and we do certainly utilize rules within our SSO and MFA systems to be able to enforce various things. Like access to PII must only happen from a virtual desktop as opposed to from your laptop or various things like that.
But I think AI might be a little premature. As an example, AI would tend to, for instance, not know about exception processes, and sometimes if you have an outage, you need to just be granting permissions all over for the right people to be able to get in and take the right steps to restore the applications to a normal state.
And that’s exactly the sort of thing that it is likely that an AI would block. So, I think common sense rules implemented through our SSO and MFA systems are probably the best way to do it now, but I can certainly see where AI provides value in the future and especially alerting, especially on alerting of unusual behavior.
But I wouldn’t want AI today to be, for instance, the gatekeeper of who can get into my systems and who cannot get into my systems.
[David Spark] All right. So, you’re not relying on AI either, Geoff?
[Geoff Belknap] I’m not relying on AI to make access decisions. Like Paul, I like AI for things like identifying when there’s an edge case, where it’s strange that someone has access in a certain combination of ways or, and this is where I’m [Inaudible 00:17:05] with AI today, helping understand what is the set of access decisions or policies whereby Geoff ended up with this access and that’s okay.
How do we justify that? And it’s especially important because one of the really important use cases, like we’ve been talking about here, for automation is making sure that people have the right amount of access for the right amount of time but unwinding for auditors and for regulators and for your customers, members, some understanding of what’s the string of decisions that led to getting that access.
That could be pretty complicated in a high-scale environment.
[David Spark] So, I mean, we’re going to see with AI but the more that we don’t have to put our physical hands on the better. Let me ask, within let’s say before you were using Opal to today, Paul, what has been the biggest change in your management of access?
[Paul Guthrie] Well, I think the biggest change was actually forced by implementation of zero-trust technologies in general. It used to be that we just had a couple of VPNs. We had a dev VPN and we had a production VPN. And the production VPN, and I think a lot of companies are kind of like this, gave access to a huge number of resources.
And when we implemented zero trust, we went from just having a small number of resources to literally hundreds, and hundreds required us to get better at provisioning and to get better at access management in general because we couldn’t increase the friction in our users at that time. So, I think that was really the thing that led us to look for a system that could really help us with provisioning and help us with this access management challenge and that’s why we came across Opal.
What aspects haven’t been considered?
18:49.889
[David Spark] Lloyd Evans of LastPass said, “Tie the benefit of stronger personal access management to corporate. So, generally, it impacts a user personally, they will care about it more. The ‘what’s in it for them’ concept and how does it impact me, my access and my data – we’ve heard this a lot – personalize the impact so there is buy in.” Now Justin M.
of DayQ [Phonetic 00:19:22] Systems said, “The most significant thing we have done is to start ensuring we consider digital accessibility when considering access management tools in and processes as most current offerings are not always accessible, leaving those with disabilities at risk.” So, just two kind of random things I wanted to just throw out here.
One is personalizing this whole accessing why we’re provisioning and deprovisioning, and second, dealing with people who have accessibility issues. I’ll start with you, Geoff. The personalization thing, I think we’ve kind of all been on board with that, but accessibility issues, have this been an issue for you with any of the tools you use?
[Geoff Belknap] I think it’s really important to think about accessibility. I’ll give you an example that I ran into somewhat recently at work which is, as you can imagine at my organization, we have a fairly strict set of policies or a fairly rigorous set of policies when you forget your password or you lose access to your account.
And without going into the specifics of how we do that, generally you need to go through a series of steps to demonstrate that you are who you say you are. Now, if you haven’t thought about people who can’t speak or can’t see, then generally you’re going to build those systems in a way that require somebody to speak or be heard, and we have all kinds of employees in my organization, some of which can’t see or can’t speak.
And trying to validate that you are who you are with somebody that doesn’t have the same abilities as you on the other end can be very challenging, and it definitely gave us a moment to, “Huh. We have to really reconsider how we run this process so that we’re balancing access for people with different abilities and making sure that we’re still being very secure.” And it was actually a great moment to make sure that we’re really thinking about that when we design security systems because certainly, that would be very convenient for a bad guy to say, “Well, I can’t verify who I am because I’m mute or I’m deaf.” And I think those are the kind of situations that anybody who’s building an access management system need to keep in mind as they build it.
[David Spark] Excellent, excellent point. All right. Paul, have you had accessibility issues when doing identification?
[Paul Guthrie] Relatively minor, to be honest. I think we have also had some of the same problems that Geoff has described. And in those cases, we’ve had to implement sort of ad hoc processes. And generally, those come to me to approve and I tend to say, “Well, yes, these make sense,” or “They don’t.” But to be honest, we don’t have a holistic program at this point that encompasses all of these areas and it’s probably something that we need to level up and do.
[David Spark] Well, but also Geoff’s organization is enormous and so probably you have more people with accessibility issues. But I got to assume as they arise, you have to address them, like in any case. I mean, in the few you’ve had, I’m assuming you just had to address them as they came up. Yes, Paul?
[Paul Guthrie] Yeah, absolutely. So, we cannot make assumptions about even, for instance, what biometrics work with individuals. I mean, for instance, touch ID. It’s long known that certain groups of people, for instance, I’ll pick on guitar players, actually have terrible fingerprints because they’ve calloused their fingers so much and may not be able to use touch ID.
And so you can’t make an assumption that just because a biometric, as an example, is a really good authentication mechanism, that you could deploy it across your entire base of employees.
[David Spark] Good point about the guitar players actually. I like that.
Closing
22:59.527
[David Spark] Well, that brings us to the conclusion of our episode here and, actually, Paul, I’m going to let you have the first crack at this. I always ask what was your favorite quote and why?
[Paul Guthrie] I really enjoyed that quote from Laurie Kenley of Microsoft about deprivileging and essentially bringing down access into a base set of roles and role-based access simply because I don’t believe that you can have a holistic secure access control system unless you have essentially a well-defined hierarchy of roles.
Once you have that, that makes it all much easier, so that really resonated with me.
[David Spark] Excellent. All right. Geoff, your favorite quote and why.
[Geoff Belknap] I was going to steal that one but I have no notes. Paul’s quote is perfect. I’m going to highlight just this last thing we were talking about from Justin about bringing accessibility to all these discussions. Of course, super important to have a great perimeter on your identity system, really important to find whatever automation works for you to make sure that the access levels are staying at the level that you want and that you’re limiting people’s access to just when they need it, but all of these things have to work for people of all different abilities.
And thinking about that not only improves the environment that everybody’s working in but strengthens your security program as well.
[David Spark] Thank you very much for that. And yeah, I’m glad Justin put that in because that was very important to address this issue. I want to wrap this show up. Geoff, I want to thank you as always. Geoff works at this wonderful company called LinkedIn. If you’re looking for a job, there’s a great way you can find a job by going to their site.
If you’ve never heard of this site, may I suggest you check it out, it’s called linkedin.com. Paul, I want to close with you and the work you’ve been doing with Opal and just about your identity journey in general. And by the way, I should also say a huge thanks to Opal, but I’ll get more to that later.
Tell me about what has been the thing that’s been the greatest impact for you in this sort of journey of dealing with identity.
[Paul Guthrie] Well, I think really this automated provisioning and access control has been incredibly valuable for us. The ability for us to discover new resources, automatically build access control flows, and tie together network access, logical access, software installation, license provisioning, and even things like – this is what we’re adding in shortly – like checks to see if people have taken their appropriate security training.
So, before they can get access to a production environment, they have to take their production security training, things like that. So, it’s allowing us to automate and that reduces cost and reduces friction for the users and that’s why we really love it.
[David Spark] And you kind of answered a lot of my follow-up question here but I want to think like what does the security team and the company feel like before and after this? Before we were dealing with Opal and not having a decent identity access management program and now we have one, the organization and the security team feels like what?
What are you doing now that’s different?
[Paul Guthrie] We’re handling a lot less access requests and we’re handling a lot less exceptions, and these are things that take time and are prone to user mistakes, to be honest.
[David Spark] And exceptions create a lot of openings too for you as well.
[Paul Guthrie] Yeah. So, the natural state of our accounts is as deprovisioned as we can get them but we make it easy for people to add on privileges when they need them.
[David Spark] Good point. I want to say a huge thanks to Opal, opal.dev, they are our sponsor – secure the identity perimeter, that is their focus – and Paul has spoken very highly of them. So, thank you very much to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.