CSO Perspectives (Pro) 5.17.21
Ep 47 | 5.17.21

New CISO responsibilities: identity.


Rick Howard: When I was a kid, I loved the Saturday morning cartoons. And for those of you that aren't in the "old as dirt" category like me, I need to set the stage here. This is the early 1970s. No cell phones, no internet, no cable TV. We only had three TV channels, but a kid like me could wake up early on a Saturday morning and be fed a steady stream of animated joy and daring do from the likes of Johnny Quest, Scooby Doo, the original Underdog, and one of my favorites, Josie and the Pussycats. The story of a first of its kind, all women, mixed race guitar band who traveled around the world, singing at rock concerts and fighting evil. How great is that? By the time noon rolled around and after I had consumed entire boxes of Count Chocula cereal, that included seven teaspoons of sugar per serving, I would raise myself from the couch in a sugar-induced coma, ready to start the day. Ah, those were the good times

Rick Howard: And, Josie and the Pussycats produced an album with the song, "You've come a long way, baby" in 1970, which is my way to say that the cybersecurity community has come a long way, baby, too. See what I did there? Okay, moving on. Fast forward to the 1990s. That's when I got my first job in the security community, I managed a Unix server farm in the electrical engineering and computer science department at the U.S. Military Academy. The worldwide web was so new that the paint was still drying on it. My favorite book, "Cuckoo's Egg" had come out a few years earlier, and we all had experienced the first ever denial-of-service attack from the jaw dropping Morris Worm. 

Rick Howard: Security was on our minds, but we had no idea how to do it. So typical of what a bunch of techies do when confronted with a new problem, we focused on the technical widgets of our digital environments, you know, patching firewalls and antivirus, which in hindsight is adorable, but not very useful.

Rick Howard: Fast forward again to today, 2021, our thinking has matured. In terms of grand strategies, we have moved away from the idea that we can solve this problem from a purely technical standpoint. We've realized that an aggressive intrusion kill chain prevention program can stop 95% of the attack campaigns on the internet on any given day. We've realized that a more passive zero trust posture can greatly reduce the attack surface in our digital environments. But we've also realized that you can't do a zero trust program unless you have complete visibility into the people, the devices, and the applications that interact with your digital environments. In other words, you have to absolutely know the identity for everything for all transactions.

Rick Howard: If that's true, and I think it is, doesn't that mean that identity is the key and essential piece to the organization's security program. The linchpin, so to speak, without it, everything else, crumbles in failure. Doesn't that mean that the CISO should own that responsibility? Let's find out. 

Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: This is our second episode in a three-part series on new CISO responsibilities. Last week, we tackled whether or not the CISO should explicitly own the security posture of our IoT networks. Spoiler alert: yes, they should. 

Rick Howard: For this week's episode, we are examining identity with two questions in mind, should the CISO own this responsibility and do they? In my last CSO job, I traveled around the world many times over talking to security leaders about how they do security. It's my experience that the CISO has not been formerly given this responsibility in most cases. Mostly, it's run out of the CIO's office. I've invited two CISOs to the Hash Table to discuss. Amazingly, they both have been given this responsibility formerly, or in one case, they just took it in a kind of Pirates of the Caribbean kind of way. But since they both have it, you may be shocked to learn that they also think that's the right model, too. I asked Jerry Archer, the Sallie Mae CSO to explain.

Jerry Archer: Look how it flows together. You can't begin to separate identity from security. It's the fundamental foundation that we build everything in our security stack off of. How could you possibly segment out identity and access management and stick it in some other organization where the security team don't know what you're doing from an access perspective? It wouldn't make any sense at all. 

Jerry Archer: Just think of the collisions that you would run into every day. How would the cyber team begin to start to filter traffic flows, to look at any kind of goings on in the environment to make sense out of transaction details? If you don't know who's who then, what the hell? You don't know anything? The world I come from, it's always been an important characteristic of security. 

Rick Howard: Greg Notch is the National Hockey League CISO. He and I have known each other for years and would sit around dinner tables at Black Hat and DEF CON solving the world's problems in the sort of proto version of the Hash Table.  He's also the guy that kind of took identity over waving the Jolly Roger flag that I mentioned at the top of the show. I asked him if he thought it was common place for CISOs to own identity. 

Greg Notch: I haven't met too many who do. If they are, they're really much smaller companies. I've been lucky in that way that I got to make security a priority and to build the team to do that, but also retain enough operational control to execute the vision. It makes the actual execution of it a lot easier. I don't have to go ask like, "Hey, how do you guys feel about doing this?" or like, "Okay, well now, we're doing that."

Greg Notch: It depends on the org and the governance structure of the organization, for sure. Certainly sometimes the personalities and the technical skillsets involved. Determining the identity of a person,  that belongs in HR. That should come from HR IS. In terms of provisioning the digital portion of their identity, I think security owns the tooling for it, and certainly owns the solution of it, because in an environment where you have checks and balances and separation of duties, I don't think you can really have the security team own like validating identity. It gets hairy when you start talking about a business owner authorizing various members of their groups to access various things. You own the system that makes those choices and logs that and audits it, but you can't be involved in every conversation about who gets access to what and or who a person is. I don't think that's makes sense going forward. It's just too much work.

Greg Notch: I  report to the CIO, but I manage a good swath of our operations team and I manage a swath of our dev ops group. Because we managed a bunch of server infrastructure, we help out the other folks on the other side and because we took security control of the network like that, then all of a sudden you start seeing where the problems lie.

Rick Howard: Jerry has been with Sallie Mae for over 11 years, and because of an incident right before he took over the job, the Sallie Mae leadership team was only too willing to make some changes to prevent that from happening again. From the very beginning of his tenure, he owned identity. Since that responsibility is key and essential, it logically follows that you need to feed it in terms of resources like budget and people. I asked Jerry how many people made up his identity team. 

Jerry Archer: When you look at the expansion of identity and access management, we've nearly doubled our staff in identity and access management. By far and away, that's the biggest increase in FTEs that we've had since we transitioned to the cloud, I think it's in the twenties. It's a full-time job for those people. It is a lot of work but it pays off. 

Rick Howard: When Greg took over the identity management of the National Hockey League, he opened up a whole can of complexity. It took a while to sort through.

Greg Notch: Managing identity for devices and managing identity for users is,  what I'm saying is, we do it and it's very painful. Once we flipped on the network controls that rely on it. It became several people's jobs to make sure that the right people are getting access to the right things and their endpoints worked and we knew who they were and the traditional like, "Oh, well they got an active directory account created when they were onboarded," that took on many dimensions. Because the onboarding process became like, well, give them access to these cloud services and make sure their device can connect to them and make sure their device has the right 2FA profile on it so that they can log in.

Rick Howard: One point to make here, even though Greg and Jerry both own their responsibility of running the identity operation, Greg is adamant that he is not the decision maker on who gets access to what resource. Once the organization decides the minimum amount of access for employees to get their jobs done, like when they hire new employees or when existing employees laterally move into different jobs or get promoted, and even when employees leave the company, somebody else should make the decisions about access requirements, probably HR. Once done, his team can enforce it.

Greg Notch: It starts with actually, validating who the people are, and to me, some of that is an HR function. Particularly when you're talking about employees, but also, sometimes that's federated even to, contractors and others and, I don't think many business units are equipped to understand. Is that person who you say they are? Should they have access to these systems?

Greg Notch: Even something as simple as should we be inviting them to our box or Slack channel? Should this person be getting this? Who decides whether I should create you an active directory account or not?  Or, did someone just call my service desk and ask to have an account created, and then they did it.  As ITIL became more prevalent, you saw like, oh, there's actually a process for getting things out of HR IS into your system. To me, that's the crux of it.

Greg Notch: Frankly, the way identities implement and certificates are implemented, PKI is like voodoo to 90% of IT folks. You really need to get it right. You can explain it over and over again. That's where it falls into the, to answer your initial question where it falls back to the CISO. Okay, we're going to manage PKI for the org. And now you've done it. Now you are responsible for issuing certificates based on identity certificates for machines and you, how do  you validate it?  I think is where it gets tucked in. It's hard to push that back on to some unsuspecting operations people.

Rick Howard: Jerry is one of the first CSOs that I've run into that has fully embraced the idea of a software defined perimeter, or SDP. In other words, he has it fully deployed and has for a few years now. Unfortunately, the industry named software defined perimeter doesn't really establish a perimeter in the traditional sense at all. It's more akin to the Star Trek notion of a transporter bay. Enterprise crew members arrive at the portal. Chief O'Brien, the transporter operator, checks their credentials and verifies that their mission is authorized. If so, he sends them to their destination. 

Rick Howard: It's the same for SDP, users surf over to the SDP portal and request access to a resource. The SDP portal, authenticates who they are, that's the identity piece, and then checks if the users are allowed access to the requested resource, that's the authorization piece. If they are, the portal establishes a connection to the resource, not to the entire network. We shouldn't call this a perimeter at all.

Rick Howard: The SDP portal is nowhere near the resources in question. It's outside of the traditional perimeter so to speak. Instead, we should call it something else like, I don't know how about the internet transporter bay or ITP for short? Hey. I love that name. And as Anthony Mackie, the actor who played the Falcon in the Avengers movies, like to say, when he finished the scene: <Avengers sound bite>

Rick Howard: Cut the check. I'm ready for my 10% commission for providing a better name. In Jerry's environment, the SDP portal relies on his identity program, which gives him the building blocks to deploy part of his zero trust strategy. Here's Jerry. 

Jerry Archer: Our environment is completely dark. It doesn't exist to the world unless you're pre-authenticated. From the very beginning, you need to be pre-authenticated to get access. Once you get access, you need to be authenticated and you needed to be granted access to the resources you want, and those resources have to recognize you as someone who's been granted access.

Rick Howard: I have to admit, I haven't seen too many vendors offer this service. Google rolled out BeyondCorp back in 2014 or so, but that's mostly to support the Google Cloud platform. Jerry uses a few cloud agnostic vendors. He uses SailPoint as an automatic provisioning tool and a portal service called Vidder now owned by Verizon. 

Jerry Archer: The original vendor was Vidder and then Vidder was purchased by Verizon. And now, Verizon offers it both as a software package, but they also offer it up as a service. So you can actually buy SDP as a service from Verizon. The way we stood it up is, we bought SDP as a package. It is maintained by the outside crew. They do the maintenance on it, but we set the policy, we run it day to day. 

Rick Howard: The combination of SailPoint and Vidder Verizon has allowed Jerry to implement a full-scale role-based access program, which is essential for any zero trust strategy.

Jerry Archer: We do role-based access across the board for all of our employees. Being a financial institution, we have to go through a quarterly certification process for everybody in the company that ensure that they have access appropriate for role, and that we have a segregation of duties.

Jerry Archer: The roles are established in SailPoint. When access is granted to you, you could be a member of 20 different active directory groups. You're mapping out an individual acquirer of resources against a bunch of AD groups that are essentially the resource itself. Database A is an active directory group. It's a many to one relationship. Jerry's going to map against  the role itself contained in SailPoint. For example, as a CISO, I get all of these things. SailPoint will set up those AD groups that I'm a member of, or make me a member of those AD groups, or we do it manually one or the other. Once you've adjudicated a role, then the role stands consistently as an appropriate role for segregation of duties and access appropriate. The only time you now have to go back and re-look at segregation of duties and access appropriate to role is if you change something in one of the AD groups. The roles stand independently. Roles will have access to, I don't know, a hundred different AD groups and other proprietary applications. You may have a role that has a 100, 125 accesses. If I come into the company as a service rep, I get a standard service rep role that may be close to 140 different accesses.

Rick Howard: Greg's identity team does this with mostly homegrown tools and manual sweat on the brow toil. His description of the task is similar to the painters who maintain the San Francisco Golden Gate Bridge. The task is never done. Once you paint it end-to-end you go back to the beginning and start all over again.

Greg Notch: We had a lot of groups, so we actually did addition by subtraction in that way, and where it became really acute,  let's say you have a group that's assigned a role that is given access by a firewall or some rule in some other platform. And you realize that you have nine slight variants of the same thing. You're like, "Oh, allow access to, I dunno, Gmail." And, there's three different Gmail access groups and two of them are wrong and they have people that are old and  it wouldn't work if they were in any way. And the same person's in two of the three groups. So it kind of works for that person. That kind of entitlement review and mapping back to roles, that's when you got to clean out your garage. 

Greg Notch: There's going to be some pain along the way. Hire a couple of end point people cause this is going to get raw in the short term, but we're gonna do this.  We had authorization nightmare of firewall rules would be mapped to groups  three different flavors of exactly the same thing. Renormalizing that kind of thing is just there's no way to automate that. You just need somebody who understands how it all works. Some parts are home grown. Like a lot of the glue is home grown, and the controls are vendors. So we use, Prisma Access from Palo Alto for the edge control. And we like that because it's not quite a CASB, but our policies are simple enough that we can make them coherent whether you're in the office or on the road. And that worked out really well for us. As far as managing machine and device certs, we have a lot of Macs. So of course we have Jamf. We have SCCM for Windows, and Mobileiron for iOS. Normalizing certificate distribution across those three platforms in order to make Prisma work, that's where like the tire meets the road and we basically rolled our own internal PKI. There are some super interesting new companies that are actually solving this for you. One of my peers is, is doing something interesting in this space where they've figured out how to handle delegate certificate authorities and stuff for you so you don't have to be a PKI Ninja to figure it out. A lot of, hours have been burned, probably automating workflows from HR IS into ITSM provisioning systems into like things like BetterCloud or whatever that are provisioning cloud, like that whole workflow, like onboarding off-boarding and, entitlement review and access management, many cycles have been burned, automating that.

Rick Howard: As the conversation between me and Jerry at the Hash Table started to wind down, we began to wax philosophically about the role of the CSO in any organization for many CSOs and CISOs, they are not really in charge of the company's security. In other words, they don't own the parts and pieces to the security apparatus. Other groups in the organization do. So CSOs spend their time coordinating across the organization's business leaders in order to convince them to follow the cybersecurity strategy that they devised. They act more as an advisor, which is not all bad. It definitely means that you have to be an effective communicator and marketer. And if you are successful convincing the stakeholders about your plan, you can rest assured that everybody understands it. But the downside is that it slows everything down. Your identity project that might've taken a year to deploy, will expand to two years or more and not everybody will be on board and some will opt out. That's a lot of friction and a lot of resources spent to get a partial solution.

Rick Howard: Jerry and I are of like mind that the preferable arrangement is that there should be one executive in charge of security for any organization. 

Jerry Archer: Everything security ought to fall under one leader. That gives you the ability to fundamentally leverage scarce resources to solve problems. When you start spreading security around like peanut butter, there's no point of responsibility or accountability. The stove pipes that you create by doing that make it difficult to create synergy among various groups. 

Jerry Archer: In our world, everybody's one big family. We all sit and we have our staff meetings every week. We talk to each other continuously. Everybody understands what everybody else is doing and how it may impact the other person and we're collaborative with each other. If identity and access management can solve a problem, that cyber has, then  that works. If identity and access management needs an engineer, they can borrow one from someplace in my organization.

Jerry Archer: The idea of spreading security out does nothing more than create stovepipes and people don't talk across those boundaries or they get parochial. And that's just to me wrong. Security is the first line of defense in an organization. I don't like the idea of somebody calling me a risk partner. I'm not a risk partner. I'm the guy that stands there at the front door that stops bad things from happening. I'm a first line of defense. If security doesn't have a sole commander of that first line, then my answer is you're always going to have problems.

Rick Howard: Both Jerry's and Greg's situation is unique in the industry. They both own the identity problem for their respective organizations. In my experience, that's not the norm across the cybersecurity community. I think it should be, but that's not the current situation.

Rick Howard: And that's a wrap. As always, if you agree or disagree with anything I have said, or anything our guests have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. For next week's show with all the news about SolarWinds, we're going to find out who owns the task of securing those pesky digital supply chains. You don't want to miss that.

Rick Howard: The CyberWire's CSO Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I am Rick Howard. Thanks for listening.