Techstrong TV: Why Insufficient Identity Management is the Biggest Security Threat of the 21st Century

The interview will focus on the results of the research that One Identity released on 11/2 that revealed that the shift to remote work and surge in cloud adoption have created an identity sprawl challenge for companies. The video and a transcript of the conversation are below.

 

Alan Shimel:            Hello everyone. Welcome to another Techstrong TV interview. My guest for this segment is Larry Chinski. Larry’s with a company called One Identity. Hey Larry, welcome to Techstrong TV.

 

Larry Chinski:            Well, great to be here Alan. I’ve heard a lot about you so it’s good to finally meet you and then have a nice conversation with you.

 

Shimel:            Well, I don’t believe the hype. I hopefully will live up to it. You know, One Identity is one of those companies where the name kind of does say it all a lot in terms of what guys do. But for those who maybe are not familiar with One Identity and where they play, why don’t you give us a quick kind of core background and maybe a little bit about your own position and what you do at One Identity.

 

Chinski:            Sure. Yeah, well, One Identity is the cyber security division of Quest Software. And like you said, Alan, the name kind of says it all. When you talk about cyber security it’s very broad and there’s a lot of different aspects and areas that covers. So what we focus on at One Identity is everything related to building an identity based ecosystem. So that can mean anything from identity governance administration, privilege account management, you know, web access management, Active Directory management, those sorts of tools. So it’s really putting a security framework around the huge amount of identity sprawl that we see in the market now and then building out an infrastructure that’s really centered on the identity instead of on the perimeter devices like we’ve seen in the past.

 

                                 And what I do at One Identity, I’m vice president of global strategy. And so what my job is to do, and I’ve got field strategists and reports need that are spread out all over the globe. And so what we do is we evaluate what we see in the current cyber market trends. What types of shifts are we seeing? What types of changes are we seeing? And then we come back, can we work with our engineering development and product management teams to figure out who do we need to buy or build, who do we need to partner with to ensure that we’re providing the best measure of IT security for our customers. And so that can mean a whole bunch of different things, you know we like to joke at One Identity that no one can just have one job. So you have several different ones that kind of fall under that same umbrella. So anything from you know, I run the field execution of our global SaaS delivery program. You know, we manage the Alliance partnerships with companies that, you know, in the hyper automation space, for example, and, you know, robotics has become very popular over the last couple years. And so we do that. And so a lot of different things with regards to building that better identity based ecosystem.

 

Shimel:            Absolutely, and, you know, look identity, especially over the last, you know, with COVID and everything we moved to the cloud, the whole identity and access management space has become, you know, front and center. Because, you know, we don’t have, or you logging into your corporate LAN on Active Directory based upon that, where you’re going to go and what have you. You’ve got direct to cloud, you’ve got work from anywhere. You know, all of these, not necessarily new because they’ve been around, but these are becoming dominant forms of how people access content information.

 

Chinski:            Yeah. Yeah. You’re, you’re exactly right, Alan. As a matter of fact, you know, that’s something that we’ve been talking about for, well, you know, I would say for the last two years, but maybe even a little bit longer. And one of the trends we’ve seen in cyber is we’re moving from an infrastructure centric protection model to an identity centric verify value model. And you said it exactly right. I mean, when you have infrastructure devices that are protecting your individuals, you’ve got dual layer firewalls, network segmentation, router, you know, port block, content filters. It’s easy to get to a hundred percent protection model because you got so much control over them. But you know, especially when COVID, when we saw an extreme, rapid move to remote learning around remote working, you now have to put the protection on top of the identity, not around the infrastructure.

 

So now you’ve got to try and figure out how are and to manage these not only the identity themselves with the huge amount of identities that we’re seeing now. We call that identity sprawl at One Identity, which is, you know, it’s not just humans anymore. It’s bots, digital identities, devices, and just the identities are growing at an extremely rapid rate. And now companies trying to figure out how do we manage these things? And so that, yeah.

 

Shimel:            Good stuff, great stuff. And then Larry, I just feel like we’re remiss if we don’t mention, as part of Quest Software, One Identity is one brand, one solution in a portfolio of, you know, some really great solutions. You know, I’m trying to, I’m drawing a blank on some of the other ones, but we’ve interviewed the CEO and, you know, we know a bunch of them. So it really is, it’s a great story.

 

Chinski:            Yeah, it is. And, you know, there’s a lot of other tools like people have heard of Toad and they’ve heard of, you know some of the other tools that are really built around managing Active Directory and monitoring and reporting and logging and things like that. So there’s a lot of different tools that are, some of them are tactical in nature. Some of them are more strategic in nature for larger customers, but, you know, at Quest Software you know, we work with organizations with very small amount of employees up to, you know, hundreds of thousands. So there’s a very wide ecosystem of customers. And I think, you know, the last I saw, I think we had around 8,000 customers and the amount of verticals it’s like 30 some odd different industry verticals. So it really is agnostic. Like we don’t focus with a specific, specifically on healthcare or finance. We really spread across a really wide band of different types and categories of customers.

 

Shimel:            Excellent man, good stuff. All right. Enough of the background, let’s jump in Larry and talk a little bit about you guys recently did a survey with some great results. I’m going to let you kind of, if it’s okay, if you could take the lead and tell us what it’s about.

 

Chinski:            Yes. Well, as you can imagine, Alan, it was at One Identity we were really curious to see how companies were managing their identities. And I think the results of the survey were some things were surprising. I think some things were expected. But the thing that was probably most surprising is we had 1,009 customers respond to the survey. And so as you can imagine, and I think we had around 18 or 19 different industry verticals companies from around 300 employees to customers well over 5,000 which is, you know, right in there with, you know, where One Identity fits in the space. But some of the things, some of the data that we got back to data points, I think were very interesting.

 

Number one, 84% of the customers that responded said their identities have doubled in the last year. We had 25% that said they increased by tenfold and other like 95% said they thought that managing those identities was probably one of the most difficult things they’re doing. So they meaning they have challenges managing those identities because they’ve grown at such an exponential rate. And what they’re trying to do to manage that is just drop in tools all over the place. As a matter of fact I think 51% of the respondents said that they had more than 20 tools to manage the identities. And it was like 20% said that more than a hundred tools. So you can imagine if you’ve got that amount of identities and you’re dropping in these tools all over the place, what you’ve now created is sort of a fragmented or siloed management state of those identities. And then you’ve got another set of challenges on top of that.

 

So, the results were, like I said, there were somewhat shocking just in the huge numbers that we have of people that responded said they had a very large challenge there. And then, but it wasn’t surprising knowing just what we know about the market today and, you know, remote workforce and that sort of thing. Probably the most concerning thing we got out of that Alan is we had 85% of the companies that responded said that their identities had more privileges than they needed to do their job on a day to day basis.

 

And the problem with that is when you look at some of these ransomware attacks and things like that, most of them are occurring from credential mismanagement, meaning that the identities had more access than they needed. They may have still been a part of the organization when the individual had left, and all it takes is a little bit of access to get in there and inject that ransomware virus or worm or whatever, encrypt your data, exfiltrate it. And now you’re in a big problem. And you look at some of the breaches that have occurred. They thought they were safe by having a VPN tunnel. And you got to have a credential to use that VPN tunnel. So if you can get access there that becomes a real concern. So, lot of really good data we pulled out of that.

 

Shimel:            That is, well, first of all, it’s a nice sample size. Right. And a thousand results, a thousand responses you really could take out of there. I always like when I’m talking to people about the surveys, Larry, I always like to do this. What were the two or three biggest surprises for you in this survey?

 

Chinski:            Well, I think for us you know, like I jokingly say besides the amount of customers that actually responded to the survey, ’cause you know how those can go. But I think for me personally, you know, running a strategy and you know, how do we better the IT security for our customers to hear that 85% of them, their individual identities had more privileges than they need. That is a shock to me. I never would’ve thought that would’ve been that high. And quite frankly, that’s a concern. I mean, if an organization knows that they should take steps immediately to resolve that. And there’s another interesting thing we got out of that. I guess part two of what was surprising is that a lot of the organizations thought that managing those identities or building like a zero trust foundation was something they were concerned of. I don’t want to say afraid of, but that something they had not deployed because they felt it was going to be too complicated. It was going to be too time consuming. And I thought it would be too expensive. And so to hear that, you know, they did not want to invest in that because of those reasons was also somewhat surprising. Like it was more almost advantageous to continue with the risk than to actually do something about that. That another thing that’s somewhat surprising.

 

Shimel:            So, you know, Larry, I’ve got about 20, 25 years in cyber, what info sec, or whatever you want to call it. And I’m not surprised by that, because I’ll tell you something. I remember 20 years ago talking to security folks about why not automatically block garden-variety attacks. You know, back then it was Code Red or stuff like that.

 

Chinski:            Way back now. Yeah.

 

Shimel:            Yeah, yeah. Well it’s 20 years. And they were like, you know, yeah, that makes perfect sense, but we can’t be blocking traffic. What happens if we block something from the CEO and he gets upset because he didn’t get a message out or some information? I think when you talk about something as personal in every sense of the word as identity and what comes with that identity in terms of access privileges, I think the fear is yeah, the security person or maybe the person answering your survey says, look, I know we’re giving these people over broad, you know, rights. And we should really prune it back or even start from a zero trust to build from there. But they also know the reality of, you know, some VP of finance or director of HR or not an IT related person who maybe doesn’t understand that full risk comes in and says, “Hey, you know, even though I only use this particular thing once a year, I need it.” Right. And the last thing you, as the, you know, guy on lower on the totem pole wants is for some exec to be, you know, pissed about you cut his or you pruned his access privileges.

 

So, it is a case where yeah, we know it’s the right thing we know going to zero trust is going to reduce our attack surface and make us, you know, more resilient or harder to be a victim. But getting, you know, getting the buy off on that, getting the you know, executive team to say, Hey, yeah, go ahead. Do it. It’s worth it. That’s always been the fight. It’s always been the fight.

 

Chinski:            Well, and you know, what we were talking about before Alan with you know, the infrastructure centric model where the goal was to lock everything down, it’s just not reality anymore for reasons you said. So what we like to say at One Identity is flexible yet controlled access. And way you get to that you know, when I was talking about all these tools that we’re dropping in and how it creates the siloed approach. So our approach at One Identity, you know, we’re very fortunate we’ve got the four primary pillars at our disposal in our company. We’ve got IAM, we’ve got IGA, we’ve got PAM, we’ve got AD management. So we’ve created a foundation here at One Identity. We called our unified security platform.

 

So what that does is it takes elements from IGA, PAM, IAM and AD management. And we merge those together. So we’ve created it out of that, what we call a correlation engine and what that correlation engine can do is basically propagate information in and out of those type of systems. And over into third party companies like you know, for robotic process automation and things like that to create, you know, zero trust foundations and privilege access governance and things like that, you know, stuff that you really can’t do with just one set of tools. And that’s one of the things that One Identity, when we go out and look, we go to we talk to the analysts, you know, I talk to analysts probably once a week, sometimes twice a week when we go to some of the different shows like RFA and Gartner and things like that. We’re starting to see competitors in maybe one or two of our areas sharing booths together because they’re talking about the threat surfaces change. And one of these just isn’t going to work anymore. You’ve got to be able to be flexible. You got to be controlled. So you have to figure out a way to actually blend these things.

 

I think all the analysts agree that they’re not going to have these you know, views of just independent, siloed identity tools anymore. They’re all kind of converging together. And so what we’ve created is this unified platform that’s really can be viewed as the resolution for, you know, everything we’re talking about. So, we can provide the level of control, we can give the flexibility, you know, no matter where they are, because we assume that most people are working remotely and it’s probably never going to end. And so that becomes a very interesting dynamic. And it’s a little bit of a paradigm shift from, I think, what a lot of customers looking at right now, whereas, you know, we’re going to be very reactionary and drop in something that’s going to actually take care of you know, whatever that risk is at the time. But we’ve built this unified platform that could be built off. It’s very modular. It’s what I call a tightly integrated yet loosely coupled approach to, you know, building your identity framework. And I think that that’s really going to be the key moving forward for any organization. It’s you know, to build a secure platform, but, you know, provide that level flex that we’re going to need so that CEO doesn’t experience something he can’t get access to.

 

Shimel:            Yep. Well, I think here’s the goodness too, with all this change, more remote, permanent remote, maybe less people on VPNs going direct to cloud and stuff like that. It also gives- it’s a good time to, if you want to implement zero trust or, you know, implement a new paradigm or a new kind of model, so good time to do it, you change stuff anyway.

 

Chinski:            Yeah. It really is. And, know it’s a lot of budgets have been opened up, you know, when –

 

Shimel:            Exactly.

 

Chinski:            And I’m not going to say money’s raining out of the sky and all that, but you know, I tell you there’s been a lot of projects that I would’ve thought would’ve been halted that we were working on when COVID really took off they did not. And we actually have been at One Identity business as usual, and although we are working remotely here as well, there’s a lot of new projects that have been you know, kicked off because of, you know, they understand the risk of ransomware and it’s something that’s, you know, I think a lot of organizations think that might be something new. But as you know, Al we’ve been around a long time that ransomware been many years. And that’s just one element of risk that we’ve seen, you know, over the last several years.

 

Shimel:            Oh, you know it’s the fan favorite today. Anyway, Hey, Larry, where we’re over time. For people who want to get more information about One Identity, where do they go?

 

Chinski:            Yeah. Easiest place to go. It’s our website, One Identity.com. You know, that’s all the information you can see there. And if you go to our leadership page on one of the smiling faces on there, get ahold of me anytime and we’ll get you taken care of.

 

Shimel:            Cool. Hey, we’re going to be at RSA on broadcast alley, doing videos all week. Maybe we’ll get a chance to meet you in person there.

 

Chinski:            I’m sure I will. I’ll be there. We’re doing a session as a matter of fact, it’s an interesting one where we’re doing a session on how to build your unified platform, starting with privileged account management. So if you’ve got a PAM tool, we’re going to show you how to expand that out to the entire global enterprise.

 

Shimel:            Very cool. All right. Larry Chinski from One Identity here on Techstrong TV, we’re going to take a break. We’ll be right back.

 

[End of Audio]

 

Alan Shimel

As Editor-in-chief of DevOps.com and Container Journal, Alan Shimel is attuned to the world of technology. Alan has founded and helped several technology ventures, including StillSecure, where he guided the company in bringing innovative and effective networking and security solutions to the marketplace. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events. In addition to his writing on DevOps.com and Network World, his commentary about the state of technology is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
