Navigating the Identity & Access Management Journey with Bright Horizons

0:01:27.4 Bil Harmer: Thank you, Michelle, and thank you everyone for bearing with us through that. What we’re gonna talk about today is sort of the state of where we are. I wanna set the stage for the challenges that Javed had when the pandemic hit. Over the last four or five years, we’ve seen what I call the rise of the digital employee or better yet, we simply get to blame millennials for everything. This is 35% of your workforce and growing rapidly. This is a section of your workforce that thinks differently, acts differently, works differently and has different expectations when it comes to things like tools that we use; Evernote, Skype, what we’re using today, Zoom, all very commonplace in the commercial world. But if you had told me five years ago that Facebook would have been a business app or Twitter would have been a critical infrastructure tool for communications, I probably would have laughed, but they are rapidly becoming inseparable from what we do on the day-to-day basis.

0:02:32.0 BH: COVID absolutely changed everything. There is simply no other way to put it. Those numbers that I put up on the right are today’s numbers. I have to change these daily because they are literally changing hourly in what’s happening. Anyone who had a plan, a future plan, some sort of architectural design roadmap that was going to involve remote work to a larger degree, we were seeing this work-from-anywhere concept, this idea that maybe an employee didn’t have to be in the office five days a week, they could do some hoteling or that type of thing, or maybe we would open up some access and move the security closer to them because if you had security 24 hours a day, it far exceeded having a great security stack eight hours a day when they sat in the office. We saw those roadmaps being built somewhere or well down the path, others were still working their way through some challenges, and yet more were actually still… The car were still sitting in the driveway and they were trying to figure out what radio station to put on before they headed out on that journey.

0:03:35.7 BH: That all changed last March when majority of companies simply said it happens now, everybody works from home, and we’ve seen businesses struggle, we’ve seen other ones have no problem with it. This will make a massive difference because the change in the work behaviours that are happening are incredible. That whole concept of how to change, the challenge that people are being thrown at, the business demands that are coming at them from the executive teams are all colliding now.

0:04:10.5 BH: One thing to think about, and this is one that will not go away, the average workday since COVID hit has extended by 48 minutes. There is not a leadership team out there that will give back 48 minutes of productivity that officially is not costing them anything more when you think about that. When you look at commercial real estate, if our employees don’t have to be in expensive buildings, drinking the coffee that we supply, using the air conditioning that we run, with the electricity that we’re supplying, across the internet bandwidth that we’re paying for, if they can do it from home, in their own homes, drinking their own coffee, using their own air conditioning and I can give them a stipend for internet access, why wouldn’t I?

0:04:56.7 BH: Those are all discussions that are happening right now at the executive level in every vertical. There is not a vertical around that is not discussing this, including health. There’s different challenges and Javed will be able to talk about those, but it is happening everywhere. And the threat landscape is dramatically opening up because of that, because we now have all of these disparate systems now connecting in. My network is considered hostile, your network is considered hostile. They’re all being utilised for business. The landscape is just massively, massively larger. So with that, I’d like to pass it over to Javed Ikbal who is the CISO for Bright Horizons and have him tell you about some of the challenges he ran into very specifically with them. Javed.

0:05:41.0 Javed Ikbal: Thank you, Bil. So Bright Horizons is a people service business. Bulk of our revenue comes from childcare, so that’s what I highlighted here. And although we provide retail child care, our primary clients are corporations, so pretty much any large corporation you can think of is very likely one of our clients. So in March 2020, we had 30,000 employees and by mid-April, we laid off 66% of them. We dropped from 30,000 to just over 10,000 employees.

0:06:27.2 JI: And the problem with that is… Or the reason we did that is because all the child care centres were closed. We are a regulatory service in the sense that child care is licenced by all the states, sometimes localities. New York City itself, the boroughs have their own regulations. So in New York City we might be dealing with five separate regulations for each child care centre. So Massachusetts simply pulled our licence. They did not even bother telling us that, “Hey, let’s talk about it.” They simply said, “You’re not licenced to operate anymore.” So that resulted in the workforce furlough. And once the employees are furloughed, they continued to be Bright Horizons’ employees, but we do not pay them anymore. If they do even one minute of work on a given day, we have to pay them for the whole week. That’s the law, at least in Massachusetts.

0:07:34.2 JI: So that gave rise to a very, very interesting challenge. We needed to block them from certain systems, but we did not want to block them from everything. For example, we wanted them to have access to our training portal. We wanted them to have access to our ARCIS systems so they could change address, or make other changes to their other benefits that they were qualifying for. But we also needed to take access away from their work environments. And we are heavily dependant on Active Directory. We could do this technically through Active Directory, but that would have meant going in and making changes to 100 different Active Directory groups.

0:08:36.2 JI: Instead of adding them to these 100 separate groups or making changes to these 100 separate groups, we basically created a nested group where we added all these employees who needed access to certain things and needed to be blocked from something else, and because SecureAuth was fronting Active directory for access to all those applications, we added that single Active Directory group to the SecureAuth realms and the work was done. We could say with 100% assurance that these employees were blocked from certain applications and allowed access to certain applications.

0:09:21.6 JI: So these three circles make it appear very simple. You think that one AD group is doing that, but the thing is that it’s actually not one AD group, SecureAuth made that possible to actually distribute that blocking/allowing to 100 separate AD groups. But as far as our implementation, our auditing of this, and as people were coming back to service, as we were bringing people back from the furloughs, we also needed to work on only one single group, which was a tremendous, tremendous benefit to us.

0:10:10.3 JI: The last thing that I’ll talk about is that SecureAuth is more than single sign-on. It gives us multi-factor authentication. And the bullets here may be all very familiar to the F&Ds to this webinar, but we found out that there were some novel applications of SecureAuth. So for example, we do have occasions where we see fraudulent claims for our benefits, and so we are using SecureAuth for fraud prevention. We look at the geolocation and if someone is coming from California where they have never been, we ask that question why is this person now logging in from California? And that allows us to do certain things that we were not able to do before SecureAuth.

0:11:07.3 Michelle: And the last one is that SecureAuth reduces friction in the way we do business. Every single day I log in to 25 different things. Every weekend, every Friday, I log in to our timekeeping system to approve the time cards for various employees. And when that happens, I would rather not type the user ID and password every single time, even though it’s the same user ID and password. So SecureAuth allows us to just transparently click on a link or click on a time and log into that system. It’s nothing extra and I’m not storing my user ID and password on my browser, which many of us tend to do, and risk getting that user ID password compromised because it is possible to make those saved user ID passwords visible through Chrome or Firefox or other browser extensions, which people don’t know or people forget.

0:12:17.5 JI: So taking that completely away and letting SecureAuth be that glue that connects the system and making it completely invisible to me is a great security benefit.

0:12:31.7 BH: Yeah, I have to agree with you. The concept of frictionless is so important especially with now that we sit in front of our computers every day and we’re constantly doing the same tasks over and over again and adding in those usernames. There was a study done that showed the average user spends 12.5 minutes a week typing in or retyping in a password, and that doesn’t sound like a lot. 12.5 minutes doesn’t sound like a ton when you’re talking about five business days or seven days in the week. But the reality is, for an organisation that has 15,000 employees, that’s a $5 million productivity loss of people just typing and retyping passwords.

0:13:12.1 BH: And then of course, as you mentioned, the password reuse attacks are the most common attacks out there. Phishing is designed very specifically to gain credentials. So the sooner that we’re able to remove credentials from the entire equation, I think the better off we are. Would you agree?

0:13:29.4 JI: Yeah, absolutely. And I’ll just add something else to this, Bil. You mentioned the 48 minutes additional work. There are already research coming out about the mental health goal of work-from-home/COVID everything online. And I think that every single minute we can help people to subtract from doing mindless work, even if it’s typing something like user ID-password. Even if it’s like a one hair’s worth of time-saving, I think it’s worth it because people get frustrated, their Caps Lock key is down, they lock themselves out. It’s a snowball effect which now produces extra calls to the help desk and work doesn’t get done.

0:14:20.6 BH: Yep, yeah. Absolutely. And it’s the break in the flow, right? If you get into that flow, I’m doing my work, I’m solving the problem, I’m addressing the challenge, Ah, let me stop all of that and go do this, this menial task that I have to repeat every time where I wanna log into something.”

0:14:36.3 JI: Yeah. And I’ll just add a personal story to this. So my password expired. I changed my password in every single place. I did not change it on OneNote running on my phone. So OneNote kept trashing and I woke up next morning and I’m locked out. So the usual process is I’d call the help desk or have someone open a ticket for me, and you have to wait for someone to unlock it, give access back to me. And being the security guy, I know that the help desk people are hesitant to unlock my account the most. They will unlock somebody else’s but they will give me the third degree before they unlock. So with SecureAuth, we have our password reset portal and I went in and reset my password.

0:15:28.1 BH: So do it yourself.

0:15:29.4 JI: Do it yourself. So I saved myself some aggravation. I saved some other people some work that they could do for something more useful than just unlocking somebody’s account.

0:15:39.8 BH: Absolutely. So the concept of remote access then, you’ve probably, like everyone, had to give remote access to almost everybody. And this was typically historically a specialised skill. We give this to administrators, we gave it to the CIO or the CEO, somebody… It wasn’t everybody but now we have. So do you think in what you’re seeing that this will forever be a part of the daily worker’s toolkit?

0:16:07.4 JI: It will be. For example, in late February, early March we were talking about upgrading the VPN bandwidth like we are still talking, “Okay, this is a virus, this is spreading like wildfire and not yet in the USA. What do we need to do?” One of the things that worked in our favour was we are a 100% laptop-based company. We have not bought a desktop in the last seven years. So that was good. It sort of fell into our laps then that when we decided we’ll work from home, it was really useful. Another, I guess, technology maturation that sort of worked in our favour is virtual desktops being offered by Azure and AWS. We have our own Citrix VDI environment. So, for example, someone took a laptop home and their laptop died. We can make a virtual desktop available to them on their hardware sort of and not worry about like is it compliant? Does it have antivirus and patches, etcetera?”

0:17:25.6 BH: I wanna shed light into that BYOD world where COVID hit and people were sent home and not everybody had laptops, right? So home machines were being brought on board real quick.

0:17:38.9 JI: Yeah. So I’m sort of veering away from your main question and like explaining the challenges that we had to deal with, but one of the big challenge was bandwidth. Even when people had WiFi and they were working from home before it was not a problem. But now with three kids and someone else watching Netflix, that’s a crowd, kids video gaming. My boss suffered from that problem and he had to wait for a month to get his bandwidth upgraded.

0:18:13.8 BH: Yup. Yeah, I know. I’ve got a 19-year-old upstairs playing something today, I’m sure. So the secondary line is gonna be going in.

0:18:21.9 JI: Yeah. So we have dealt with all of those problems, teething pain if you will, for the first two, three months. And now we have come to a point where everybody is happy at home. I am not driving 80 miles each way. So that’s real wear-and-tear on my car that I’m avoiding. And companies, not necessarily just Bright Horizons, but others that I talk with have seen that work isn’t being hard. People are not cheating, they are not goofing off, they are actually working more. And I think people are trying to prove more that they are not goofing off.

0:19:09.5 BH: Yes.

0:19:10.0 JI: Like there’s always this thing like okay. And I feel that pressure in the beginning, the camera on my laptop was permanently sealed off, because I did not want spyware, these things. But then I felt okay, everyone else is turning on their camera and I need to turn my camera on…

[overlapping conversation]

0:19:31.3 BH: Yeah, 15 years ago when I started working from home, it was, it was 12-14-hour days because I needed to prove that I wasn’t goofing off. And it’s easy. You can roll out of bed, there’s no traffic, coffee, pop the computer open, warm it up, check email, and you’re already on. And it takes a little while, but you start to learn the rhythm of how to do this where… I have zero qualms about getting up and heading out. Back when my son was in grade school, I’m going and picking him up for lunch or going with my wife to help her with the groceries during the day, because I know I will still be working between 6:00 and 7:00 at night. And you find as long as the work gets done, the flexibility fits into people’s lives and I think they live happier productive lives.

0:20:24.4 JI: Yeah. And I think like forward thinking organisations have arrived at their decision years ago. There’s a very large financial services company in the Boston area that calculated that they save $10,000 per employee per year if the employee is working from home. Facebook is taking that to another extreme. They’re saying “Yeah, you can work from home, but you take a pay cut for that.”

0:20:53.1 BH: Yeah, they’re gonna do localisation adjustments too. And in some ways, I do kind of agree with it, because to get somebody to go live in the Bay area, having lived in the Bay area myself, is very, very expensive to pay somebody to live there. And then if that person picks up and moves to Wichita or Montana or something, where the cost of… Or even here where I am now in Austin, Texas, where the cost of living is that much lower, do they really need to be paying them that? I do understand both sides of the argument. I don’t think they should touch it… [0:21:27.5] ____ I think, a minor touch.

0:21:28.9 JI: I think it’s a logical thing and it just needs to be presented the right way. And I think if it’s given as an option, I know people who are already talking about moving to some low-cost part of Massachusetts, like you go west and things start getting cheaper so…

0:21:48.2 BH: For sure. In your industry, phishing is massive. We heard the stories that early on when COVID hit that the threat actors were going to back off the attacks on the healthcare industry because of what was happening. In recent months, it’s pretty much seems that’s out of the window. We’ve seen some pretty heavy duty attacks on the healthcare industry, very specifically phishing and ransomware. Your opinion, this is just an opinion piece really, do you feel that we have to accept that phishing will always forever be a part of our lives, or do you think there is a way to eliminate it?

0:22:24.9 JI: So I don’t know if it can be eliminated. So my answer to your first question is it will always be a part of our life as long as there are humans making decisions. Some of them can be tricked into doing something strange. FireEye, I’m going to mention the name, got breached, and they said nation-state actor, all that. And I always tell my board that if we are ever hit by someone backed by nation-state actor or something like that, it’s game over. We cannot stand up to that level of attack. I am not picking on FireEye. I’m just saying that if a company like FireEye can fall, I know them well, I know some people who are there. If they can fall, everyone can fall.

0:23:22.6 JI: And the Pentagon fell to attacks like that. So we talked about APT, and my explanation of APT is where the attacker is more advanced than you, or more persistent than you. I’m not talking about the attack itself. I’m talking about the people behind that attack. So there will be people like that. As long as they can monetise that for companies like SecureAuth or Bright Horizons, we will be attacked. FireEye will be attacked for stealing government credentials.

0:24:07.1 BH: Yeah. It’s definitely the cost analysis, right? I have the solution to ransomware. I can make ransomware go away tomorrow. Don’t pay. If everybody in the world says I will not pay ransomware, it will disappear. But the reality is the amount of effort we put into defending against it versus the cost of paying, those decisions are always being made. And it’s very, very cheap to launch ransomware attacks with very, very high risk or rewards on the other side for it. Phishing is almost… I don’t wanna say costsless, but incredibly, incredibly cheap to do massive, massive spray attacks, hoping for that one, that’s all you need.

0:24:47.7 JI: Excellent ROI.

0:24:48.8 BH: Yes, yeah. What was the most recent I heard? $2 million… No, it was a…

0:24:57.7 JI: $34 million, yeah.

0:25:02.0 BH: I mean it’s mental, but I don’t know what data is in there. I don’t know whether it’s worth $32 million. Interesting to see what happens. I’m being cognisant of time. I think we’re at the end of the half hour. Michelle, how are we on time?

0:25:17.2 Michelle: I think we could fit in maybe one more question and then we’ll wrap it up. If anybody has a question from the audience, feel free to go ahead and put it in the Q&A, and we’ll try to get to that as well.

0:25:26.7 BH: Alright. Great. So to me Javed, the years I spent with Zscaler looking at digital transformation, moving away from the castle moat idea, getting into the security everywhere, the one piece that was always in there was the hand me a sample token and from that point on, we’ll apply policy, we’ll do this, we’ll have action, we’ll know, we’ll track, we’ll monitor, we will zero trust, once you give me that sample token. To me, identity has become the key to unlocking zero trust, because until you know who keep the password, until you know who clicked the button, all the policies you’re applying may or may not be correct. They are correct based on the assumption that they are the person who they say they are. So, your recent experience with having to move everybody out and make all these adjustments, how do you think that’s gonna affect your future development of identity requirements inside Bright Horizons?

0:26:26.3 JI: So I actually think that if you think about security maturity or… Networks got locked down first. People understood force and allowed and denied, etcetera. Application security is still a problem but we are getting there. And I don’t know if anyone has seen this cartoon, there’s stacks of hardware in one corner and it says IDS/IPS firewall. It’s a boxing ring, all of this security defence technologies in one corner, and there’s another guy in one corner who says here’s Dave. And you’ve reached Dave, that’s it. All millions of dollars of security technology is bypassed.

0:27:16.7 JI: So I think it is, to paraphrase Star Trek, it’s the last final frontier until the next one comes along. And the challenges that I face, we do access certification every three months, and I wonder why can’t we do this continuously. What you were saying that, I call the help desk and say hey, this is Javed, reset my password. That really isn’t a good method to identify myself. Now I can do video calls maybe, but with deepfakes, is that going to work?

0:27:54.9 BH: Yep.

0:27:58.4 JI: So that’s one challenge. When we offboard users, we cut them off from active directory and VPN immediately, but there might be remnants in other systems where we are not using SSO. And those might stay alive, and we have seen that problem. Someone has left and their colleague knew their user ID, password and logged in. No malicious intent, but they really shouldn’t be doing that. And shame on us, we did not clean up that account. And all of these problems, not necessarily security risks, but there is compliance risks, audit risks for us and obviously, we cannot ignore the malicious insider or someone who got fished. If I walk up the stack of your questions, what if someone gets fished, what if with remote access now someone can login from somebody’s home? What if someone goes away, computer is on, and there’s a break-in or kid decides, “Oh, Dad’s computer is on, I’m going download this game and play it.” And that dad is on VPN and immediately we have given access to a malware that has come.

0:29:13.7 BH: Oh yeah, split-tunnel VPNs were just such a disaster.

0:29:18.5 JI: Yes. So it is this foundational securities, building up stacks, and I think identity and access management sits at the top and it’s that sharp peak that can hurt us the most.

0:29:33.2 BH: I couldn’t agree more. I think that is an excellent place to end this discussion as well. I don’t see any questions from the chat, so I think as we roll past we’re six minutes over anyways. Javed, I wanna thank you so much for taking the time to share your experiences with us today and with our attendees. Michelle, Gabby, I wanna thank you guys for setting this up and making sure that we got up going and running, and as mentioned if anybody out there is interested, we will have the recording available publicly. Michelle, when will that be?

0:30:11.3 Michelle: Within the next day or so.

0:30:12.9 BH: Excellent. So by the end of the week, we should have this up and ready. If you’ve got colleagues that weren’t able to make it or you wanna share some of the ideas, if you’re interested in anything that we talked about, please feel free to reach out to myself, Javed, we’re both on LinkedIn, my contact info is on our website, www.secureauth.com, and I’m happy to get into deeper discussions around these topics and ideas. Alright, with that, I’ll say thank you. Wish you all a great day.

0:30:40.4 JI: Thank you all.