CyberWire Daily - Securing multi-cloud identity with orchestration. [CyberWire-X]
Episode Date: September 1, 2022
While multi-cloud brings significant benefits, it also poses serious security risks. And identity is the reason. Each cloud platform, such as Azure, Google, and AWS, uses proprietary identity systems, and the lack of interoperability makes it unruly to manage. These disparate systems can't talk to each other, resulting in a fragmented environment full of identity silos, the perfect way for an attacker to get in and cause destruction. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten, the CISO for Healthcare Enterprises and Centene. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Strata Identity's CEO and Co-founder Eric Olden. Both sets of discussions center around the challenges to identity management caused by the rapid shift to multi-cloud.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everyone.
Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide.
I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire.
And in today's episode, we are talking about securing multi-cloud identity with orchestration.
A program note, each CyberWireX special features two segments.
In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show sponsor
for their point of view. And since I brought it up, here's a word from today's sponsor, Strata
Identity. With multi-cloud, your apps and identities are distributed across clouds and IDPs,
making them hard to manage and secure.
With Strata, all your existing identity systems work together
without ever refactoring an app or feeling locked in to your IDP with one-to-one connectors.
Identity orchestration helps you solve your biggest IAM problems,
even the messy ones you thought were unsolvable. Thank you. Share your time on a discovery call and we'll send
you custom AirPods Pro. The multi-cloud identity wave is here and you can ride it with Strata.
Ready to learn more? Visit strata.io slash cyberwire. That's strata.io slash cyberwire.
And we'd like to thank Strata Identity for sponsoring our show. I'm joined by Rick Doten, the CISO for
Healthcare Enterprises and regular contributor here at the Cyber Wire. Rick, thanks for coming
on the show. Hey, Rick. Happy to be here. So today we're specifically talking about securing
multi-cloud identity with some sort of
orchestration strategy, but it's even more complicated than that. If we're going to build
an identity orchestration system, we can't forget about our other data islands either,
like the data centers, our SaaS apps, and even our mobile workforce, either working from home
these days or starting to move out to Starbucks and even back to the office. And if
we're going to build something, let's build it for everything. That's kind of my model. So,
let's just go back through some basics about identity and access management or IAM. Before
we even start talking about managing multi-cloud identities, what are some of the functions we need
to understand when we start to orchestrate this stuff? If I'm going to manage identity, what are the essential fundamentals to get right? What should we be
thinking about here? Well, I think it's certainly about levels because not everyone is the same.
And you have privileged identities for administrators of platforms or applications
that have a lot more control. And frankly, whose accounts are more valuable to
an adversary because then you can create other accounts and escalate privileges to certain
things and be very persistent. Then you have normal user accounts that are doing different
things and guest accounts and all these things. So I guess it's like understanding the governance
of and the hierarchy of all your applications and of all your accounts
and for what platforms and applications they need.
And that's usually the first place to start.
So you mentioned a couple of things there, right?
One of them is called Identity Governance and Administration, IGA.
And what I think that means, and you tell me if I get this wrong, it's generally a committee
within the organization that discusses and kind of writes down the policies that's going to manage all the identities and devices and things we have in the organization.
And they're the ones that kind of write it down to see if it makes sense.
Yeah, that sounds like a good way of doing it.
I would agree.
It's like data governance, and it supports data governance because obviously your data classification guidelines dictate what you would need to access what.
And, you know, it's the concept of least privilege and all the standard stuff we normally have.
But a identity governance board, that'd be great.
I have not seen one, but I think that's a good idea.
Well, let's talk about that.
You get to talk to a lot of CISOs out there.
Do you say that most organizations don't have this kind of thing? Then who decides what the policy is inside these organizations?
your size and how we're heavily regulated or not regulated. I mean, your mileage may vary so much.
And so, yes, not many organizations have really good and solid data governance. They have a data classification guidelines and they kind of know what they need to protect and they do things.
The same thing with identity because identity is to access that data. And so, it flows downhill
from there. So, often it's a subset of the data governance if you even have that.
So, from your experience and most of this identity governance and administration is coming
from compliance rules and things they have to follow.
Right. Because auditors will come in and say, how do you differentiate between roles that people
don't have access to data they don't need access, particularly from a privacy perspective,
if that's what you're doing, PHI or PII.
And I think to be able to audit that,
I mean, it's certainly a great idea to do that,
but a lot of it is we're kind of checking the box.
As an industry, we're kind of checking the box
to make sure that we can assure
that only the right people have access
to the right platforms to get to the access,
the right data.
You mentioned another thing, privileged access management, or PAM, the rules that allow your administrators and other
important people to have permissions to change things or to fix things. Yeah, they're the ones
who can add and delete accounts. They also can change configurations. We used to call them admin
accounts or in the
Unix world, the root account. But when we talk about applications, we talk about platforms,
then we just like privilege access, which means that you have more authority than your average
bear. And therefore you can do, you know, add and delete accounts and do things that most people can't
do. Yeah. The one example that we've seen recently is the SolarWinds attacks. They came in through the back door through a supply chain attack.
Once they established a beachhead, they moved laterally, the bad guys, and then looking to escalate their privilege.
And once they got to the right system administrator's account, they were able to manufacture identity tokens to log in for anybody.
So that's kind of scary. So you want to be able to identify
those accounts, those devices, those people who have permission to do those, you know,
kind of global things and watch them like a hawk and make sure that you just don't hand that
privilege to anybody. Yeah, absolutely. I mean, getting persistent when an attacker comes on
is their number one thing. And how they do that is they create accounts.
And they create accounts at highest levels and they call them ambiguous names that aren't
really thick.
But you're right.
As part of this whole identity governance is the auditing of it and knowing which ones
you have.
And then, of course, controlling those credentials.
And PAM is generated as a category because they're PAM tools that you kind of check in and check out passwords for.
I mean, I remember literally 25 years ago having little laminated cards in our wallet with the root accounts for our root passwords for our systems.
And I remember somebody lost their wallet and we had to go change them all.
But having a password vault or having a privileged access management kind of does that where you don't even, you don't share passwords like we were doing 25 years ago with these cards.
We checked out a unique password for that certain session at the time we need it.
The thing that's left unsaid here is something called privileged identity management or PIM.
It's basically the idea that we are identifying all the identities for employees, contractors, devices, and these days applications, and then deciding which ones need elevated privilege so that the governance, the IGA folks can decide, you know, who's going to have that.
And then the PAM system can implement that in some sort of automated system.
And boy, that's in a perfect world too, Rick.
But in your experience,
I don't know anybody that's getting all that done
in one organization.
There might be like smaller organizations
that are mostly all technical organization
that could do that.
But particularly as you get into
a large distributed organization,
it's very, very hard.
It's certainly something to aspire to.
And it's certainly like the right thing to do.
And probably people do it in an ad hoc way, but. And we'd all love to have it,
you know, completely finished, you know, yeah. But most of us are not quite there yet, right? So,
so managing identities across all of our data islands has become so complex just because all the things we just talked about, that it feels like that corner of the cybersecurity tool space, the identity space,
it's kind of moving in the same direction as the overall security tool space, you know, the security stack tool space,
where we don't want to manage different stacks for each of our data islands, like all of our clouds and all of our SaaS applications and in the data center.
Instead, we want to manage a platform that handles
each data island for us, where, like I said, we would set the policy once and the platform manages
each data island for us. And that's been coming down the pipe for the last couple of years.
According to Gartner and their 2021 IAM hype chart, it's hard to say out loud, they have IAM
managed services on the slope of
enlightenment about two years away from being best practice. But as you talk to CISOs, Rick,
do you find they're inclined to use these IAM managed service providers? If you're apt to do
a service provider for other things, then this would not be a bad one. If you're a smaller,
less mature organization and you don't have the people to staff it, fine. I mean, it's no different than, you know, what we all do now with having Office
365 for our mail. They're just literally hosting our Exchange server where we used to do it five
or six years ago, or 10 years ago. By the way, we didn't think that would ever happen either,
did we, right? I remember, you know, when the first time I heard this was kind of going on,
I think it was the LA Police Department. This is back in the early 2000s.
They decided that they were going to use Gmail as their official email provider.
And we all went, that's horrible.
How would you do that?
Now many people do that.
It's like it's not even a thing.
Yeah.
It's almost, I mean, it's a best practice too.
Because, I mean, I just did a keynote just last week where I talked about like going
to Exchange is one of the first things that people did as a cloud service, as a platform,
as a service. And I'm like, you know, Exchange servers are finicky. They're troublesome. They
go down a lot. I mean, have somebody else take care of it. And it's the fastest way to upgrade it
is to just put it to the cloud and let Microsoft manage it.
So, but as you talk to CISOs out there, Rick,
are you seeing people grabbing onto these managed services?
Are you still seeing people trying to do this themselves
for each of their data islands?
They're managing identity for, let's say, Amazon,
and then they're managing it back in the data center,
or are people dipping their toe into this,
let a service do that?
Because we all think it's a good idea,
but how many people are actually doing it? Right. So there's two pieces to it, multi-cloud and everything else.
Because we have single sign-on and federated identity. We've had those for a couple decades,
and that's what most people do. I mean, that's why you only have to log into your domain once,
and then you go to Salesforce or Workday or whatever, and you don't have to log in 15 times in an enterprise.
Where your question comes to complication
is when as an infrastructure, as a service,
as one of those privileged accounts,
two multi-clouds, they don't play well together.
And that's where there really is the killer app for it,
which is to be able to federate or standardize that
so that I don't have to go to Azure and AWS and Google
that as a privileged user and a different account for each.
But going back to the paradigm of
there are small organizations that are less mature
and there's very, very large organizations
that are very mature.
And when we talk about multi-cloud,
almost everybody is in one cloud.
Like we said, it could be like Exchange or something like, you know, because you're doing Office 365 or you have some things hosted in AWS or something like that.
Many are two clouds, very few are three clouds.
And depending on your size, you may have specific teams for each of those clouds, in which case it's kind of irrelevant because only the Azure people are focusing on that.
And they don't even touch AWS and who cares.
And likewise, the other ways.
When you're a smaller organization
that doesn't have the resources to split them up
and you are multi-cloud for whatever reason,
then this would come in to be very handy
for those users who are managing and spinning up stuff
and doing administration and infrastructure
across multiple clouds.
Yeah, it's almost like the smaller to medium-sized organizations
have the advantage here
because they can eliminate a lot of problems
by following this example,
whereas the big organizations
who spend a lot of resources building their own systems
will find it harder to untangle themselves
and do something like this.
Right, and probably solve it by just isolating people
and having only AWS people doing AWS.
And frankly, I mean, most people are good at one cloud
and maybe okay at another.
Very few people are good at all of them.
If you have all the cloud certifications,
because the cloud people are so rare.
I was literally on a call 15 minutes ago
with the Cloud Security Alliance.
There's so few cloud people, you just get the one for the one that you do the most. I don't have to
diversify as a cloud person because I'm getting work just as an AWS person or as an Azure person.
Well, this also might be a way if you go to some sort of cloud orchestration platform,
there may be a way to change your architecture to something that's better, more efficient.
But we're also talking at the user level.
And that is already kind of solved by these single sign-on tools or federated identity tools to be able to define you and your access.
Where we get into the complication, as I said before, is for the people who are doing administration on the cloud.
Because it's not an application account.
It is a, you know, a specific admin accounts or super admins or whatever that allow you to create infrastructure and create users
and things like that. So let's do a bottom line here, Rick, in terms of multi-cloud orchestration
platforms, what's your view here? Is it's a great idea and they're probably a couple of years down
the road for everybody to use as a best practice or
they're never going to happen or something in between? What's your best guess there?
I think it's a great idea for a certain group of organizations, depending on your need. And I think
that anything to simplify and consolidate accounts is always great because we all even personally
have dozens and dozens of accounts we're taking care of that we have in our password vault.
I think it's a good idea, but I don't think it's for everybody
depending on what your infrastructure is,
what your organization and what your staffing is.
It might be kind of irrelevant, but I think it's a good thing.
And to take your last point, if it helps you reduce your complexity,
then by all means pursue it with all vigor.
Yeah.
And you know, something is better than nothing and simplifying that something is great.
That's the best way to say it.
We should be in marketing.
Well, that's all good stuff, Rick, but we're going to have to leave it there.
That's Rick Doten.
He's the CISO for Healthcare Enterprises.
Thanks for coming on the show again, Rick.
Next is Dave Bittner's conversation with Eric Olden, the CEO and founder of Strata Identity.
So today we are talking about securing multi-cloud identity with orchestration.
I would love to start off with some high-level stuff here.
Can you give us a little bit of the lay of the land in terms of the types of challenges that folks are facing when it comes to multi-cloud?
Yeah, absolutely. I think a couple of the big trends that we're seeing today are around this move to the cloud.
And when you go to the cloud today, you're not going to just one cloud.
It's typically three or more.
And we've seen as many as 14 different cloud systems or cloud platforms that people are using.
And once you start to use more of these clouds,
you have to secure them.
And securing 14 different things with 14 different security systems becomes overwhelming,
and it's all fragmented.
And the challenge is,
how do you make the applications and data that you're using running on these clouds secure, but in a very consistent way?
Because right now, if you've got, say, five systems that you're using to secure your clouds, you've got to manage access in five different places by hand.
And people make mistakes, things get
overlooked, and next thing you know, you've got a breach. And it probably happened because something
fell between the cracks in all of that complexity. So companies now are trying to get their arms
around this sooner than later, because what they're finding is that once a breach happens, it's very difficult to
kind of put the horse back in the stable, if you will. So, you know, people are really trying to
figure out how to do this quickly. Well, help me understand sort of the reality of this on the
ground. I mean, if I'm an organization and I'm using several different cloud providers, you know,
let's just say some of the big names here. When it comes to identity,
are we talking about login information?
Are we talking about APIs?
How broad a spectrum of things does this cover?
I would say the broadest way to think about it
is identity management.
And the challenge is that in the past,
before people were using the cloud, you had everything nice and protected behind a big perimeter firewall.
And when we talk about that, it's like you had your firewalls or you used VPNs to make sure that only the right people could get into the fortress.
Well, now with the cloud, there is no perimeter that is in your, you know, that's no longer enough because all of your apps and your data are on the other side of that perimeter. And there's an expression that identity has become the new perimeter.
So the only way that you can manage security when your users and your applications and your data are out on the Internet is to focus on the identity.
And in that world, what we're looking at is how do we manage access control?
What can that user access?
Can they access an application and certain types of data?
We care about how we authenticate that user.
Are we using a password, which is not very secure, but everyone's used to it?
Or are we using something like multi-factor authentication to replace passwords?
So authentication plays a big part of it.
Auditing is another big component.
And that means that we need to have a record, a trail of what happened and what rules and permissions were set up, who set them up and how were they configured and what users came in and
accessed applications and data.
So you have your triple A, kind of your access, authentication, and audit. But in this new world, it's really done all around identity management.
And so what part does orchestration play in all of this?
Well, orchestration plays the role of coordinating how all of those different policies are affected.
So, for instance, if you are a customer or enterprise, rather, then what you're trying to do is create a policy.
For instance, if I'm trying to secure a customer portal that we use. Say it's a bank and this bank wants to secure who can
access applications on the bank's website and make sure that only the right people are accessing
the right applications and seeing their data. And, you know, the other aspect is, how do we create that account in the first place,
where we're trying to sign this user up and give them permissions and access?
So you have a lot of different moving parts. And in the past, what this meant would be that
you'd hire a consultant and they would come in. And maybe a couple quarters or a year later,
you would have all of these different systems
wired together. And there's a lot of custom code that goes into that and a lot of expertise and
experience that's required. And it takes a long time. Now with orchestration, what you can do is
replace all of that manual coding and use a no-code model to, for instance,
link together the social sign-up and sign-in process.
So people can use their Google account or their Twitter account or their Facebook account
to create an account at the bank.
And orchestration would connect that OpenID Connect process and link that into the bank's systems of record. So their identity provider, maybe that's an
Azure Active Directory from Microsoft, or maybe it's Okta, a lot of different identity providers
that you want to have your users sign up and create an account for them.
Well, then the second step is that we want to make sure that this customer is really who they say they are so that we don't have any bots or we don't have any money laundering issues. So in this case, what we can do is use identity orchestration to call
the identity validation system. Maybe that's a 1Kosmos or a SecZeta or a Trulioo. And these
are systems that you may have seen them where you upload your driver's license and take an animated video to
make sure that you really are who you say you are. Well, in the past, you would have to custom code
that with orchestration and no code. You would just add that as a step in the user journey.
And then the third step would be, well, we take the security of the account very seriously. It's banking and money's
involved. So we want to improve the security posture and use something like passwordless.
And maybe it's a vendor like a HYPR or a Duo or a Microsoft Authenticator. Well, at that point,
the user needs to be provisioned in that passwordless authentication system.
And with identity orchestration, you would just add that as a third step in the orchestration flow of the user journey.
And that would be something you can configure in just a very short amount of time, in one day.
So what you end up with is a completely automated, seamlessly integrated user experience that makes it very easy for the bank to onboard new customers.
And from a customer user standpoint, it's really easy because you don't have to have another password.
You just click a couple steps, upload your license, and next thing you know, your phone has a multi-factor authenticator installed on it, and you're good to go.
And you can do all of that in just a matter of minutes.
So it's really about improving the experience for the user and improving the security for both the bank and the customer.
For organizations who are interested in going down this path,
how do you recommend that they begin? What's a good way to get started?
Well, I think a typical initial project we see a lot of companies start with orchestration is as they modernize their applications and move them to the cloud. what they're working with is an application that has been around for a while, maybe is integrated
with a more on-premises kind of identity provider, could be like an Oracle or a Ping,
you know, the really old stuff. And they want to move that application into, let's say, Azure for a cloud platform. Well, what they need to do is to unplug the legacy identity, like Ping, and swap that
out with the new identity in the cloud, like Azure Active Directory.
And so you can modernize your application using orchestration to do that without writing any code or refactoring your application.
So now that you've got your application now running in the cloud using cloud identity,
then we'd like to encourage people to take the next step, which is let's get rid of these passwords because passwords are the source of over 80% of breaches.
And so if you can replace passwords with something like HYPR passwordless,
then you're able to reduce all of the risk of losing a credential or password.
And that'll improve the security of your application significantly. And those are usually
the first two steps. And then what we find is linking all these things together to do more
innovative customer experiences is where user journeys come in. And to build a user journey,
you really want to map out what it is that the user is going to do, what steps you want them to go through. ability to deploy that user journey that orchestrates the social sign-up, passwordless
registration, things like identity validation and so forth. So moving into the user journey
at that point. And then the fourth step would be, okay, now we're going to scale and use even more
cloud services. So as you have more and more applications running on
more and more of these clouds, now we need to step back and say, okay, we have a lot of different
places where apps and data reside. How are we going to create policies that will span all of
the different clouds that we have? So the fourth step is to implement multi-cloud
access control and policy enforcement. And that typically happens in a kind of like the fourth
step in implementation. What about the user experience itself? You know, we can sort of joke about how much everyone loves change, right? How do you
convince your users that, you know, getting through this transitional period is going to
pay off for them and ultimately it's going to lead to a better experience?
Yeah, that's an interesting challenge because users don't like change. They may say that they do, but when you're
talking about changing identity systems, you're generally talking about changing the login process.
And for so long, we've been training our users that phishing attacks are designed to trick you into providing
your credentials to a fake website that looks different than the one that you normally use.
And so if you have to change that login experience, then we find it's very difficult for
users to forget their training, not to feel like they can't trust this application
or this is a fake website.
So a good part of that is communicating
that if you're going to make a change,
that you communicate that in multiple ways
and be consistent about that
and give people enough notice and heads up so that when you end up
changing something, they trust it and they are able to use the new system. A nice way to use
orchestration in this is to be able to change the identity systems on the back end without changing that login experience
so that you don't have that user confusion or anything like that. But on the back end,
you can use orchestration to, for instance, move people from a legacy Ping environment into a modern Azure Active Directory
and do that where the user doesn't know that they're now in a different system.
It's completely transparent to them.
So if you're going to change something, give your users enough notice.
And even better is to change it without having any impact
or visibility of that change to your end users
and avoid any confusion.
We'd like to thank Rick Doten,
the CISO for Healthcare Enterprises,
and Eric Olden, the CEO and founder of Strata Identity.
And we'd like to thank Strata for sponsoring the show.
CyberWire X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe,
where they are co-building the next generation of cybersecurity startups and technologies.
Our senior producer is Jennifer Eiben.
Our executive editor is Peter Kilpe.
And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off.