Securing multi-cloud identity with orchestration.
Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And in today's episode, we are talking about securing multicloud identity with orchestration. A program note, each "CyberWire-X" special features two segments. In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view.
Rick Howard: I'm joined by Rick Doten, the CISO for Healthcare Enterprises and regular contributor here at the CyberWire. Rick, thanks for coming on the show.
Rick Doten: Hey, Rick. Happy to be here.
Rick Howard: So today we're specifically talking about securing multicloud identity with some sort of orchestration strategy, but it's even more complicated than that. If we're going to build an identity orchestration system, we can't forget about our other data islands either, like the data centers, our SaaS apps and even our mobile workforce, either working from home these days or starting to move out to Starbucks and even back to the office. And if we're going to build something, let's build it for everything. That's kind of my model. So let's just go back to some basics about identity and access management, or IAM. Before we even start talking about managing multicloud identities, what are some of the functions we need to understand when we start to orchestrate this stuff? If I'm going to manage identity, what are the essential fundamentals to get right? What should we be thinking about here?
Rick Doten: Well, I think it's certainly about levels because not everyone is the same. And you have privileged identities for administrators of platforms or applications that have a lot more control and, frankly, whose accounts are more valuable to an adversary because then you can create other accounts and escalate privileges to certain things and be very persistent. Then you have normal user accounts that are doing different things and guest accounts and all these things. So I guess it's like understanding the governance of and the hierarchy of all your applications and of all your accounts and for what platforms and applications they need. And that's usually the first place to start.
Rick Howard: So you mentioned a couple of things there, right? One of them is called identity governance and administration, IGA. And what I think that means, and you tell me if I get this wrong - it's generally a committee within the organization that discusses and kind of writes down the policies that's going to manage all the identities and devices and things we have in the organization. And they're the ones that kind of write it down to see if it makes sense.
Rick Doten: Yeah, that sounds like a good way (laughter) of doing it.
Rick Howard: (Laughter).
Rick Doten: I would agree - you know, just like data governance. And it supports data governance because, obviously, your...
Rick Howard: Sure.
Rick Doten: ...Data classification guidelines dictate what you would need to access what. And, you know, what's the concept of least privilege and all the standard stuff we normally have. But a identity governance board - that'd be great. I have (laughter) not seen one.
Rick Doten: But I...
Rick Howard: Well...
Rick Doten: ...Think that's a good idea (laughter).
Rick Howard: Well, let's talk about that. You get to talk to a lot of CISOs out there. Do you say that most organizations don't have this kind of thing? It's - then who decides what the policy is inside these organizations?
Rick Doten: So often it's a compliance or just a GRC, governance risk and compliance group, that would do it - and with everything, is it really depends on your maturity and your size and how - where you're heavily regulated or not regulated. I mean, your mileage may vary so much. And so, yes, not many organizations have really good, solid data governance. They have data classification guidelines, and they kind of know what they need to protect, and they do things - the same thing with identity because identity has to access that data, and so it flows downhill from there. So often it's a subset of the data governance, if you even have that.
Rick Howard: So from your experience, then, most of this identity governance and administration is coming from compliance rules and things they have to follow.
Rick Doten: Right - because auditor will come in and say, how do you differentiate between roles that people don't have access to data they don't need access, particularly from a privacy perspective, if - you know, if that's what you're doing - PHI or PII - and I think the - you know, and to be able to audit that. I mean, it's certainly a great idea...
Rick Doten: ...To do that. But a lot of it is, we're kind of checking the - you know, as an industry, we're kind of checking the box and make sure that we can assure that only the right people have access to the right platforms to get to the - access the right data.
Rick Howard: You mentioned the other thing, privileged access management, or PAM - the rules that allow your administrators and other important people to have permissions to change things or to fix things.
Rick Doten: Yeah. They're the ones who can add and delete accounts. They also can change configurations. We used to call them admin accounts or, in the Unix world, the root account. But when we talk about applications, we talk about platforms. Then we just got privilege access, which means that you have more authority than your average bear and therefore, you can do - you know, add and delete accounts and do things that most people can't do.
Rick Howard: Yeah. That one example that we've seen recently is the SolarWinds attacks. They came in through the back door through a supply chain attack. Once they establish a beachhead, they move laterally - the bad guys - and then - looking to escalate their privilege. And once they got to the right system administrator's account, they were able to manufacture identity tokens to log in for anybody. So that's kind of scary. So you want to be able to identify those accounts, those devices, those people who have permission to do those, you know, kind of global things and watch them like a hawk and make sure that you just don't hand that privilege to anybody.
Rick Doten: Yeah, absolutely. I mean, getting persistent when an attacker comes on is their No. 1 thing, and how they do that is they create accounts. And they create accounts at highest levels, and they call them ambiguous names that aren't really fake. But you're right, this - part of this whole identity governance is the auditing of it and knowing which ones you have and then, of course, controlling those credentials. And PAM is generated - is - you know, as a category because there are PAM tools that you kind of check in and check out passwords for it. I mean, I remember literally 25 years ago having, like, little laminated cards in our wallet with the root accounts for our...
Rick Howard: I remember, yeah.
Rick Doten: ...Your work passwords for our systems. And I remember somebody lost their wallet, and we had to go change them all. Having a password vault or having a privileged access management kind of does that where you don't share passwords like we were doing 25 years ago with these cards. We checked out a unique password for that certain session at the time we need it.
Rick Howard: The thing that's left unsaid here is something called privileged identity management or PIM. It's basically the idea that we are identifying all the identities for employees, contractors, devices and, these days, applications and then deciding which ones need elevated privilege so that the governance, the IGA folks, can decide, you know, who's going to have that. And then the PAM system can implement that in some sort of automated system. And boy, that's in a perfect world, too, Rick. But in your experience - I don't know anybody that's getting all that done in one organization.
Rick Doten: There might be, like, smaller organizations that are mostly all technical organization that could do that. But particularly as you get into a large distributor organization, it's very, very hard. It's certainly something to aspire to, and it's certainly, like, the right thing to do. And probably people do it in an ad hoc way, but...
Rick Howard: And we'd all love to have it, you know, completely finished...
Rick Doten: Yep.
Rick Howard: ...You know. Yeah. But we're - most of us are not quite there yet, right? So managing identities across all of our data islands has become so complex just because of all the things we just talked about that it feels like that corner of the cybersecurity tool space, the identity space, is kind of moving in the same direction as the overall security tool space, you know, the security stack tool space where we don't want to manage different stacks for each of our data islands, like in all of our clouds and all of our SAS applications and in the data center. Instead, we want to manage a platform that handles each data island for us where, like I said, we would set the policy once, and the platform manages each data island for us. And that's been coming down the pipe for the last couple of years. According to Gartner in their 2021 IAM hype chart - that's hard to say out loud - they have IAM managed services on the slope of enlightenment about two years away from being best practice. But as you talk to CISOs, Rick, do you find they're inclined to use these IAM managed service providers?
Rick Doten: If you're apt to do a service provider for other things and you - this would not be a bad one. If you're a smaller or less mature organization and you don't have the people to staff it, fine. I mean, it's no different than, you know, what we all do now with having Office 365 for our mail. They're just literally hosting our exchange server, where we used to do it five or six years ago, so - or 10 years ago.
Rick Howard: By the way, we didn't think that would ever happen either, did we, right? I remember...
Rick Doten: No.
Rick Howard: ...You know, when - the first time I heard this was kind of going on when - I think it was the LA police department. This is back in the early 2000s, all right? They decided that they were going to use Gmail as their official email provider, right? And we all went, that's horrible. How would you do that? You know, now many people do that. It's like it's not even a thing, all right.
Rick Doten: Yeah. It's almost - I mean, it's a best practice to do because I mean, I just did a keynote just last week where I talked about, like, going to exchange is one of the first things that people did as a cloud service...
Rick Howard: Yeah.
Rick Doten: ...As a platform or as a service. And I'm like, you know, exchange servers are finicky. They're troublesome. They go down a lot. I mean, have somebody else take care of it. And it's the fastest way to upgrade it is to just put it to the cloud and let Microsoft manage it.
Rick Howard: So but as you talk to CISOs out there, Rick, do you - are you seeing people grabbing onto these managing services? Are you still seeing people trying to do this themselves? For each of their data islands, they're managing identity for, let's say Amazon, and then they're managing it back in the data center. Or are they - are people dipping their toe into this let a service do that? Because we all think it's a good idea, but how many people are actually doing it?
Rick Doten: Right. So there's two pieces to it, multicloud and everything else - because we have single sign on and federated identity. We've had those for a couple decades, and that's what most people do. I mean, that's why you only have to log into your domain once and then you go to salesforce or workday or whatever, and you don't have to, like, log in 15 times in an enterprise. Where, you know, your question comes, the complication, is when as an infrastructure, as a service, as one of those privileged accounts, two multiclouds, they don't play well together. And that's where there really is the killer app for it, which is to be able to federate or standardize that so that I don't have to go to Azure and AWS and Google that - as a privileged user and a different account for each. But going back to the paradigm of there are small organizations that are less mature, and there's very, very large organizations that are very mature. And when we talk about multicloud, almost everybody is in one cloud. Like we said, it could be, like, exchange or something - right? - you know, because you're doing Office 365, or you have some things hosted in AWS or something like that. Many are two clouds. Very few are three clouds. And depending on your size, you may have specific teams for each of those clouds, in which case it's kind of irrelevant because only the Azure people are focusing on that. And they don't even touch AWS, and who cares? And likewise the other ways. When you're a small organization that doesn't have the resources to split them up and you are multi-cloud for whatever reason, then this would come in to be very handy for those users do - are, you know, managing and spinning up stuff and doing administration and infrastructure across multiple clouds.
Rick Howard: Yeah, it's almost like the smaller-to-medium-sized organizations have the advantage here because they can eliminate a lot of problems by following this example, whereas the big organizations, who spent a lot of resources building their own systems, will find it harder to untangle themselves and do something like this.
Rick Doten: Right and probably to solve it by just isolating people.
Rick Howard: Yeah, yeah.
Rick Doten: And having, like, only AWS people doing AWS. And frankly, I mean, most people are good at one cloud and maybe OK at another.
Rick Howard: Yeah, yeah.
Rick Doten: Very few people are good at all of them if you have all the cloud certifications because the cloud people are so rare - I was, like, literally on a call 15 minutes ago with the Cloud Security Alliance. There are so few cloud people, you just get the one for the one that you do the most, you know? I don't have to diversify as a cloud person because I'm getting work just as an AWS person or as a Azure person.
Rick Howard: Well, this also might be a way - if you go to a - some sort of cloud orchestration platform, there may be a way to change your architecture to something that's better, more efficient.
Rick Doten: But we're also talking at the user level, and that is already kind of solved by these single sign-on tools or federated entity tools to be able to define you and your access. Where we get into the complication, as I said before, is for the people who are doing administration on the cloud because it's not an application account. It is a - you know, a specific admin account or super admins or whatever that allow you to create infrastructure and create users and things like that.
Rick Howard: So let's do a bottom line here, Rick. In terms of multi-cloud orchestration platforms, what's your view here? Is it's a great idea and they're probably a couple years down the road for everybody to use as a best practice or they're never going to happen or something in between? What's your best guess there?
Rick Doten: I think it's a great idea for a certain group of organizations, depending on your need. And I think that anything to simplify and consolidate accounts is always great because we all, even personally, have dozens and dozens of accounts we're taking care of that we have in our password vault. I think it's a good idea, but I don't think it's for everybody. Depending on what your infrastructure is, what your organization and what your staffing is, it might be kind of irrelevant. But I think it's a good thing.
Rick Howard: And to take your last point, if it helps you reduce your complexity, then, by all means, pursue it with all vigor.
Rick Doten: Yeah, and you know, something is better than nothing and simplifying that something is great.
Rick Howard: That's the best way to say it. We should be in marketing.
Rick Howard: Well, that's all good stuff, Rick, but we're going to leave it there. That's Rick Doten. He's the CISO for Healthcare Enterprises. Thanks for coming on the show again, Rick.
Rick Howard: Next is Dave Bittner's conversation with Eric Olden, the CEO and founder of Strata Identity.
Dave Bittner: So today we are talking about securing multi-cloud identity with orchestration. I would love to start off with some high-level stuff here. Can you give us a little bit of the lay of the land in terms of the types of challenges that folks are facing when it comes to multi-cloud?
Eric Olden: Yeah, absolutely. I think a couple of the big trends that we're seeing today are around this move to the cloud. And when you go to the cloud today, you're not going to just one cloud. It's typically three or more. And, yeah, we've seen as many as 14 different cloud systems that - or cloud platforms that people are using. And once you start to use more of these clouds, you have to secure them. And securing 14 different things with 14 different security systems becomes overwhelming, and it's all fragmented. And the challenge is, how do you make the applications and data that you're using - running on these clouds secure but in a very consistent way? Because right now, if you've got, say, five systems that you're using to secure your clouds, you've got to manage access in five different places by hand.
Eric Olden: And people make mistakes, things get overlooked, and next thing you know, you've got a breach. And it probably happened because something fell between the cracks in all of that complexity. So companies now are trying to get their arms around this sooner than later because what they're finding is that once a breach happens, it's very difficult to kind of put the horse back in the stable, if you will. So, you know, people are really trying to figure out how to do this quickly.
Dave Bittner: Well, help me understand sort of the reality of this on the ground. I mean, if I'm an organization and I'm using several different cloud providers - you know, let's just say some of the big names here - when it comes to identity, are we talking about login information? Are we talking about APIs? How broad a spectrum of things does this cover?
Eric Olden: I would say the broadest way to think about it is identity management. And the challenge is that, in the past, before people were using the cloud, you had everything nice and protected behind a big perimeter firewall. And when we're talking about that, it's like you had your firewalls or you used VPNs to make sure that only the right people could get into the fortress. Well, now, with the cloud, there is no perimeter that is in your - you know, that's no longer enough because all of your apps and your data are on the other side of that perimeter. And there's an expression that identity has become the new perimeter. So the only way that you can manage security when your users and your applications and your data are out on the internet is to focus on the identity. And in that world, what we're looking at is how do we manage access control? What can that user access? Can they access an application and certain types of data? We care about how we authenticate that user. Are we using a password which is not very secure, but everyone's used to it? Or are we using something like multifactor authentication to replace passwords? So authentication plays a big part of it. Auditing is another big component, and that means that we need to have a record, a trail of what happened and what rules and permissions were set up, who set them up and how were they configured and what users came in and accessed applications and data. So you have your triple A, kind of your access, authentication and audit, but in this new world, it's really done all around identity management.
Dave Bittner: And so what part does orchestration play in all of this?
Eric Olden: Well, orchestration plays the role of coordinating how all of those different policies are affected. So, for instance, if you are a customer, or enterprise rather, then what you're trying to do is create a policy. For instance, if I'm trying to secure a customer portal that we use - say it's a bank, and this bank wants to secure who can access applications on the bank's website and make sure that only the right people are accessing the right applications and seeing their data. And, you know, the other aspect is how do we create that account in the first place, where we're trying to sign this user up and give them permissions and access?
Eric Olden: So you have a lot of different moving parts. And in the past, what this meant would be that you'd hire a consultant, and they would come in and maybe a couple quarters or a year later, you would have all of these different systems wired together. And there's a lot of custom code that goes into that and a lot of expertise and experience that's required, and it takes a long time. Now with orchestration, what you can do is replace all of that manual coding and use a no-code model to, for instance, link together the social sign-up and sign-in process so people can use their Google account or their Twitter account or their Facebook account to create an account at the bank. And orchestration would connect that OpenID Connect process and link that into the bank's systems of record - so their identity provider. Maybe that's an Azure Active Directory from Microsoft, or maybe it's a Okta, a lot of different identity providers that you want to have your users sign up and create an account for them.
Eric Olden: Well, then the second step is that we want to make sure that this customer is really who they say they are so that we don't have any bots, or we don't have any money laundering issues. So in this case, what we can do is use identity orchestration to call the identity validation system - maybe that's a 1Kosmos or a SecZetta or a Trulioo. And these are systems that - you may have seen them - where you upload your driver's license and take a animated video to make sure that you really are who you say you are. Well, in the past, you would have to custom code that with orchestration, and no-code, you would just add that as a step in the user journey. And then the third step would be, well, we take the security of the account very seriously. It's banking, and money's involved, so we want to improve the security posture and use something like password lists. And maybe it's a vendor like a HYPR or a Duo or a Microsoft Authenticator.
Eric Olden: Well, at that point, they - the user needs to be provisioned in that passwordless authentication system. And with identity orchestration, you would just add that as a third step in the orchestration flow of the user journey, and that would be something you can configure in just a very short amount of time, in one day. So what you end up with is a completely automated, seamlessly integrated user experience that makes it very easy for the bank to onboard new customers. And from the customer-user standpoint, it's really easy because you don't have to have another password. You just click a couple steps, upload your license, and next thing you know your phone has a multipass - multifactor authenticator installed on it, and you're good to go. And you can do all of that in just a matter of minutes. So it's really about improving the experience for the user and improving the security for both the bank and the customer.
Dave Bittner: For organizations who are interested in going down this path, how do you recommend that they begin? What's a good way to get started?
Eric Olden: Well, I think a typical initial project we see - a lot of companies start with orchestration - is as they modernize their applications and move them to the cloud. And oftentimes, what they're working with is an application that has been around for a while, maybe is integrated with a more on-premises kind of identity provider - could be, like, an Oracle or a Ping, you know, the really old stuff. And they want to move that application into, let's say, Azure for a cloud platform. Well, what they need to do is to unplug the legacy identity, like Ping, and swap that out with the new identity in the cloud, like Azure Active Directory. And so you can modernize your application using orchestration to do that without writing any code or refactoring your application. So now that you've got your application now running in the cloud, using cloud identity, then we like to encourage people to take the next step, which is let's get rid of these passwords because passwords are the source of over 80% of breaches. And so if you can replace passwords with something like HYPR passwordless, then you're able to reduce all of the risk of losing a credential or a password, and that'll improve the security of your application significantly.
Eric Olden: And those are usually the first two steps. And then what we find is linking all these things together to do more innovative customer experiences is where user journeys come in. And to build a user journey, you really want to map out what it is that the user is going to do, what steps you want them to go through. And then you use software, like Strata's Maverics software, to create that in real life so that you have this ability to deploy that user journey that orchestrates the social sign up, password list, registration, things like identity validation and so forth - so moving into the user journey at that point. And then the fourth step would be, OK, now we're going to scale and use even more cloud services. So as you have more and more applications running on more and more of these clouds, now we need to step back and say, OK, we have a lot of different places where apps and data reside. How are we going to create policies that will span all of the different clouds that we have? So the fourth step is to implement multicloud access control and policy enforcement. And that typically happens in a - kind of like the fourth step in implementation.
Dave Bittner: What about the user experience itself? You know, we (laughter) can sort of joke about how much everyone loves change, right? How do you convince your users that, you know, getting through this transitional period is going to pay off for them, and ultimately, it's going to lead to a better experience?
Eric Olden: Yeah. That's a interesting challenge because on - you know, users don't like change. They may, you know, say that they do, but when you're talking about changing identity systems, you're generally talking about changing the login process. And for so long, we've been training our users that phishing attacks are designed to trick you into providing your credentials to a fake website that looks different than the one that you normally use. And so if you have to change that login experience, then we find it's very difficult for users to forget their training, not to feel like they can't trust this application, or this is a fake website. So a good part of that is communicating that if you're going to make a change, that you communicate that in multiple ways and be consistent about that and give people enough notice and heads-up so that when you end up changing something, they trust it, and they are able to, you know, use the new system.
Eric Olden: A nice way to use orchestration in this is to be able to change the identity systems on the back end without changing that login experience so that you don't have that user confusion or anything like that. But on the back end, you can use orchestration to, for instance, move people from a legacy Ping environment into a modern Azure Active Directory and do that where the user doesn't know that they're now in a different system. It's completely transparent to them. So if you're going to change something, give your users enough notice. And even better is to change it without having any impact or visibility of that change to your end users and avoid any confusion.
Rick Howard: We'd like to thank Rick Doten, the CISO of Healthcare Enterprises, and Eric Olden, the CEO and founder of Strata Identity. And we'd like to thank Strata for sponsoring the show. “CyberWire-X” is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of my colleague Dave Bittner, this is Rick Howard signing off.