Enabling Your Users in an Era of Zero Trust
0:00:04.2 Bil Harmer: Good afternoon, everyone, and welcome to SecureAuth’s Customer Spotlight series. My name is Bil Harmer and I will be hosting you today. I wanna thank you all for joining. We’re going to have the ability to ask questions if you wish. Please put them in the presenter, in the chat box on the right of the screen, if you’d like to have a question posed to either myself or Lee Hutcheson at the end of this. So with that, we will get going. With us today we have Lee Hutcheson. He’s currently the CISO of Bass Pro and Cabela’s. He had already spent 10 years in the DOD space before transitioning into the security provider space, where he’s actually been hands-on providing security strategy for hundreds of companies, and as I mentioned, in the past five years he has led the security organisations at both Bass Pro and Cabela’s. Myself, my name is Bil Harmer, I am the Chief Evangelist and CISO for SecureAuth. I have a 30-year career in IT, 20 in security, 10 in privacy, and I have been with such companies as SuccessFactors, SAP and, most recently, Zscaler. So what I wanna talk to you about, and bring Lee into this conversation about, is the current landscape that we’re seeing today.
0:01:22.9 BH: Companies are being forced to adapt quickly. COVID-19 caused a base jump off any road map anybody had. Everything was accelerated. People went from a couple of dozen, a couple of hundred remote users to 30,000, 40,000, 100,000 remote users in a matter of weeks, and during this time, threat actors are not taking any time off. This is the perfect time for them to jump into the chaos and confusion and see where they can start injecting themselves. A lot of organisations, a lot of CISOs, a lot of CIOs realise that there is a new normal coming, and it’s going to dramatically change the role of IT and security, and we’re gonna talk about that a little bit. The challenges that are driving this from the business side, as mentioned, it’s this unprecedented workforce demographic. Not only were we looking at changes in the upcoming millennials that are joining the organisation, which total about 30% of the workforce today and have a dramatically different view on how to work and the tools they expect, but now with the work from home and the additional requirements being put on that, it has dramatically increased the attack surface that is being put out there for threat actors to go after.
0:02:40.4 BH: There’s also a pressure to digitise the business model. We are becoming a digital society, a homo-binary, if you will, where we now have everything online. We do our taxes online, we connect and contact people, and socialise now online to a degree that was never seen before, and that digital identity is spreading farther and farther. And these evolving user expectations are being driven out of the consumer side. Consumer-grade applications that people have become very comfortable with using on their mobile devices and on their tablets are being brought, and expected to be brought, into the work environment as well. Being able to use facial recognition or a fingerprint reader to log into Facebook or a banking app, people come to work and say, “Why can’t I do that there?” And then piling on top of all of this is the increased regulation that we’re seeing. The thing that we call cloud, and for those of you that have ever heard me speak and know me, I hate the term cloud. It doesn’t really mean much. It’s very blanket, if you will, but for the sake of things like software as a service, infrastructure as a service, security as a service, we’re gonna group them all in and call them cloud.
0:03:58.5 BH: This year alone, this shift in utilising cloud services is gonna affect a trillion dollars in IT spend. So if you don’t think that this move to cloud affects you, you’re wrong. It’s either adding to your budget, taking away from your budget, or having you shift resources from where you think you need them to where management maybe wants them. Over 80% of companies with 1000 employees or more are currently using, testing, or investigating AWS, and that’s just AWS. That doesn’t include Google Compute, Azure, Rackspace or any of the other ones. AWS also has over a quarter billion active users. That is a monstrous amount of active users on a platform, but the real juggernaut is O365. For those that have ever managed an Exchange environment, you’ll feel the pain, and you’ll understand that when somebody walks in and says, “Hey, for the simple price of per user per month, I’ll take all your Exchange out and run it in our hosted environment,” everybody said “Yes.” Unless there were maybe some data residency issues, there was no reason to keep it inside, because Exchange is expensive, difficult and hard to run, and usually whoever is managing it has a clause in their job description that says something to the effect of, “If it’s down for two days, don’t come back to work, ’cause we still do business on email daily.”
0:05:21.8 BH: So what have we built? Well, it’s what I like to call the sprawl. Anybody who has a reasonably sized organisation has some variant of what you’re seeing on the screen. You’ve got offices, premises, somewhere, somehow being used in some method. Currently today, probably very quiet, but in general, there’s some people that go there to do work, but their applications aren’t typically there, their infrastructure isn’t typically there anymore. We’ve seen a massive push through the security side from the Palo Altos and the Zscalers out there into this security as a service. SD-WAN is taking over in the connectivity side of things, the internet is the new network. Whether you like it or not, it’s there to stay. And it’s now about connecting users to resources. How do you connect a person to a resource at an appropriate time? And really, it’s just we’re back into a sprawl, just a different version of it.
0:06:15.0 BH: So it brings us to the importance of access management. Breaches, we know, are rising year over year; 81% of the breaches in 2019 were credential-based breaches. Most recently, I’m sure most of you heard, GoDaddy announced that they were compromised last October to the tune of 19 million sets of user credentials. They seemed very proud of the fact that no user credentials were used to access GoDaddy, but that’s not the point. That’s not what they attacked it for. They attacked it to get those credentials, to sit and work on them in private to deconstruct them and then stick them into sniper or something else, and start launching credential stuffing attacks against other victims that had no idea that those credentials were stolen. And that’s gonna keep happening, at least in the near future, until dramatic shifts happen.
0:06:58.2 BH: Extended perimeter for remote work. I think we all agree that the perimeters are gone. People are working from wherever they can, and we know that there are companies out there that, when COVID hit and the work-from-home rule was put in place for certain regions, simply said, “Do it and open holes if you have to. Punch holes in the firewall. Get people in so they can continue to work.” And of course, we know that government regulations are trying to catch up, even if it’s just to the near past, ’cause they usually never get to the future, but that is the direction they’re going. And then you pile on top of that all of the user concerns around… Not only being secure, but the ease and the simplicity of access. That is what users want, because we know that when end users have trouble doing something from a security perspective, they find a way around it. So that brings us to the evolving security user experience. We went through this life of a single factor, where we used user names and passwords, made the password as complicated and as long as possible, and then along came two-factor and we were suddenly throwing text over SMS, or maybe we had an app that was doing it, or an RSA key, something to that effect.
0:08:10.6 BH: And there was some good in that, and we started seeing the consumer-grade biometrics coming in. But the reality is we need to move into a world where there’s passwordless; we can’t keep making it harder. Security people like to find a problem, throw a solution at it, find a problem, fix it. But they always make it harder, more difficult, harder, more difficult to foil the bad actors. And the reality is we have to look at the resources, judge the risk, and then be able to pull back on some of those and get it into a passwordless world, to do some pre-text, pre-authentication before the user is ever asked for a password. And that’s where you see the access maturity curve develop, the contextual stuff. That’s SSO, right? People put in SSO for simplicity’s sake. It was not a security thing. It didn’t make anything more secure, it made them less risky, which is, okay, we accept that. But then they moved into two-factor, and now you had some adaptive, where you’re saying, “Okay, if it’s this, we’ll throw two-factor MFA on it in some form or fashion,” but the reality is people are trying to move into this continuous side, and that’s in the world of Zero Trust.
0:09:10.6 BH: How do you get to a world of Zero Trust? You must get to a continuous evaluation of context and identity. So that brings us to the approach. And this is where I’d like to introduce Lee and bring him into the conversation. Lee, welcome.
0:09:28.0 Lee Hutcheson: Thanks for having me, Bil. Good to be here.
0:09:31.1 BH: Great to have you with us, and I know everybody’s doing the work from home and nobody’s doing conferences. And so I think it’s great to be able to do these live webinars where we can actually interact with some people.
0:09:42.5 LH: Absolutely, yeah, so I’ve not done a lot of webinars. I’ve done a lot of in-person stuff, so the webinar is new for me in the last couple of weeks, but I’m getting used to it, not too bad.
0:09:52.2 BH: Excellent, excellent. Well, let’s jump right in. When we were talking about this, one of the things that you were telling me was that this is more than just the tech. This isn’t just the fancy bits. The first thing you talked to me about was executive buy-in and understanding that the business owns the data. Can you dig into that for me a little bit, and how that works with you at Bass Pro?
0:10:15.2 LH: Yeah, absolutely. So you think of the business owner and the executives of the organisation, like you said, they own the data, not the security individuals like you and I. But there’s this weird dichotomy there where the business owner wants everything. They want it to be secure without doing anything, and the security guys like you and I wanna make everything infinitely secure and perfectly secure, which we both know is impossible. We both have to agree to kinda meet in the middle and know our own roles, right? So you try to educate the business leadership on what their responsibilities are, owning the data, owning the organisation and everything else, and what our responsibilities are on securing it, so hopefully we can partner together. I’ve always been an analogy-driven guy, so you think of your home and a home security company; nobody lets the salesman come in and tell you how to secure your house. You always have a conversation about what’s the risk, what’s the crime in my neighbourhood? What do I have in my house I need to protect? And together you come up with a solution on how you’re gonna protect your house within the budget that makes sense for you. And the business world really needs to be the same way: both sides have to understand the other, you have to have a partnership to achieve a common goal.
0:11:22.9 LH: We’ve always been viewed as a cost center. We really need to be a business enabler, and we can’t do that if we don’t understand the business side. But we also can’t secure it if the business side doesn’t understand, at least at a high level, what we do. The other piece of that is working with whoever in your organisation manages data governance, data privacy, things like that. It’s kind of a three-legged stool. You have the business owners, you have the data governance folks, and then you have the security folks, and with those three powers combined, you can come up with a really good strategy on how to protect your data, your organisation.
0:11:56.4 BH: I couldn’t agree with you more. That’s fantastic. I like the idea of a three-legged stool, ’cause if you ever get into the disagreement, at least it could be two against one, you don’t end up in a stalemate.
0:12:03.6 LH: That’s exactly right.
0:12:07.4 BH: Yeah, that’s fantastic. And I think you touched on something there which I think we should really highlight for the audience, which is that the security people need to learn the business. If security people don’t understand why they’re in business, why they make the tables they make or sell the products they sell, they can’t defend it, because there’s no understanding of risk. What can Mike’s company survive if something goes wrong? So that’s fantastic. I guess that leads into the user education, teaching the non-tech user safe behaviours. How important is that to you?
0:12:42.1 LH: It’s the most important. I think anybody in security knows that the user base that you’re ever trying to protect is your weakest link. You can put the strongest password, the strongest tools, the strongest locks in place, but the users are the ones who have the keys, they’re the ones who authenticate every day, and they’re the ones who behave the way they behave, so without educating them and teaching them how to conduct their business safely, all of the millions of dollars you can spend on securing your cyber assets is really worthless, because they’re just gaping holes into the organisation. For us, we try to do multiple approaches. We host a cyber security week every year, we go on site at the large corporate facilities, we invite people to attend virtually, and we try to balance the content between the tech and non-tech savvy users. We don’t want anybody to be bored; we hope everybody gets some value out of those weeks. And then we also do our own phishing campaigns, things like that, to understand the maturity of the business, so we know where to target, talk to them about web browsing habits, what’s good, what’s bad.
0:13:45.0 LH: But we really focus a lot on their personal privacy at home. How do you protect yourself? How do you protect your own data at your house for your family? And things like that, with the hope of educating and teaching them how to do that, so that some of those better behaviours they will hopefully adopt at home will transfer back to the workplace as well, and year over year increase the security of our organisation also.
0:14:10.0 BH: Yeah, that home, that home/work is a very interesting topic there as well, because I think some studies have been done on the phishing side, and if you try to phish an employee at home, you’re less likely to get them. More likely to get them at work because there’s a belief that the security department is protecting them, whereas at home, they feel, “Oh gosh, I’m at home, I don’t have that anymore.” And I think being able to help them understand and educate them that the home behaviours, the work behaviours, take them and sort of blend the two together and use them consistently across everything, because “your home is now part of work” is a really good way to approach it.
0:14:44.1 LH: Yeah, absolutely right. And really this side, along with executive buy-in, I really view it as almost the same thing. Sometimes it’s just you’re taking the top-down approach for the executive buy-in, or the bottom-up approach with the business user buy-in, and hopefully meeting and overlapping in the middle, so absolutely.
0:15:00.9 BH: Yeah, I couldn’t have said it better. Leads us to identity management. You’ve said identity is the new perimeter. Tell me what you mean by that?
0:15:10.5 LH: Yeah, and you know, you had a slide earlier, which I think is “welcome to the sprawl”, which I thought was a great slide, and it kind of graphically depicted what I’m talking about. It showed the traditional infrastructure of an organisation and what used to be called the perimeter; all the sensitive stuff was inside of this, and then you have all of these holes poked through for all of these web services and things like that. So the perimeter, while it still exists and still needs to be protected for your infrastructure, it’s not the end all, be all. You have data, you have process, and you have everything in the clouds. And again, I like your phrasing of “don’t like to call it a cloud”; I always have to ask, “What do you mean when you say cloud?” Because everybody has a different definition. But you have processing there, you have data there, you have all kinds of… You have business partnerships there, even partners that… Other organisations that you work with are there. So there’s lots of activity taking place outside of your perimeter that you also need to protect. You don’t have control over the AWS edge like you do your own edge for your own company.
0:16:11.9 LH: So how are you protecting that? And it comes down to making sure that you have known, trusted, validated identities; know that Bobby does this, this is his role, his responsibility, here’s what he should be accessing, so that when you see an anomaly or you see something out of the ordinary happen, you’re able to quickly respond to that. Like we talked about earlier, there’s no such thing as perfect security. There’s the right level of security, where you’re not overspending, where you’re preventing the obvious, but there’s still always room for bad things to happen. And that’s the reaction side: without truly knowing the identities of your workforce and your contractors and your business associates, you can’t really respond to the rest of the things efficiently, and that’s why a lot of the time you see data breaches are detected months after they happened, if not longer, and then months still before they’re actually reported, because a lot of the work, at least in my experience in other companies I’ve been involved in, is spent trying to figure out who did what and, “Was it really Bobby that did this, or was it somebody who stole Bobby’s identity and did this?”
0:17:12.9 BH: Yeah, you’re spot on there, and I’ve seen this, being in the SaaS industry for the last 20 years. We always had customers that would come to us and say, “Well, I want you to put some IDS in there or… Sorry, DLP in there. I want you to stop my data from leaking.” But you have to understand, I’m a hosted environment, I need to send your data out. And they say, “You only need to send it out to the right people.” And that’s always stuck in my head as to how you start to manage this, where you’ve got data elsewhere, you’ve got data in places you need to allow it to go out, but how do you know who truly keyed that password at the end?
0:17:50.6 LH: Yeah, absolutely right. Yeah, and a lot of times, if you don’t have a well-thought-out strategy and programme and the right tool set, you can’t know that. And it goes back to the people as well. People are really at the root of everything here. You can buy the best identity management solution in the world, but if you’re not investing the time of your people to tune it and mature it, it’s kind of worthless.
0:18:13.6 BH: Absolutely. And so deviating on that a little bit, because you talked about response from an automated… And I know some of our audience is interested in this, an automated response. So orchestration, automation and response to security events. How do you feel about… Probably back when you started, you remember the security guys didn’t really put in automated responses because of the false positives. Have you seen a change in the acceptance of false positives and the allowance or the need for automation?
0:18:43.0 LH: Yeah, absolutely. I think automation has come a long way. I feel like every year you get orders of magnitude more maturity out of automation, orchestration and things like that, and I think it is being more widely accepted, and it’s a good thing. As you grow your security tool set throughout the organisation, you generate large volumes of data, of alerts or what have you, audit logs, things like that, that you’d have to hire an army of people to pore through to find the anomalies. So you have to have some automation to figure out what is worth a human’s time looking at and what isn’t. Hopefully, in that automation, you also have a team that’s looking at tuning that right. Let’s start looking for false positives and false negatives, to make sure we figure out why it was, and tune it so it gets better day over day. Security is still not a perfect science. You’re never perfectly secure. Like I said earlier, it’s more making sure you’re as secure as you can be, and that every single day at work you’re getting better, because if you’re not putting that effort into getting better and making the automation and orchestration better, just by nature, it’s getting worse. People are gonna find a way around it, it’s gonna miss things, so you have to make sure you’re putting that effort in to improve it every single day.
0:19:54.6 BH: For sure, for sure. Absolutely. I think that’s an incredibly experienced response to that question, and I appreciate it. And that leads us into user activity monitoring, not only knowing the behaviors, but let’s talk about what you see on role-based user behaviors, and after that, something to put in the back of your mind, maybe the privacy aspect as well, we can discuss.
0:20:19.7 LH: Yeah, absolutely. So user activity monitoring is always scary, and I’ve talked to other organisations about it as well. You start talking about monitoring users’ behavior and HR instantly becomes alarmed, or maybe the legal department becomes alarmed on, “Well, what are you monitoring? What are you doing with it?” and things like that, but it really is an important aspect of everything, and I don’t know how many forensic after-the-fact investigations you’ve done, but it’s really important, because otherwise, you don’t know what you don’t know. You have to have some sort of trail of bread crumbs to figure out who’s doing what, and you’re in a better position if you’re doing that proactively. Baseline user activity… And again, we have over 40,000 employees, so that’s a lot of activity, a lot of data to baseline. So you try to break it down by business units. What are the roles, what are the responsibilities, what do they have access to versus what are they actually accessing? If you find a group that has access to a legal share, for instance, but no user has accessed it in the past year, that might be a problem. Why do they have access to something that they’re obviously not using for day-to-day responsibilities?
0:21:25.8 LH: Because when you talk to the users, “What do you need? Do you need access to this?” the answer is always, “Well, of course I do. You can’t take my access away. That’s critical.” And you have all of these big, strong words on why everybody needs access, but then the data shows you haven’t used it in a year, so you can then have a different conversation. Privacy is the most difficult thing. I’ve always been a firm believer, when you think of a secure operations center, for instance, that they need to be as separated from the business, from IT, and even from the rest of the security team as they can be. I don’t need my Secure Operations Center analysts knowing that Bobby in Accounting down the hall does this, and having a personal relationship. And you can’t prevent it, don’t get me wrong, but I need them to be a trusted group. I need them to know they’re going to see sensitive data, they’re going to see people logging into their personal banking websites, they’re gonna see business financials, they’re gonna see maybe termination documentation, just throughout the course of doing their job, and to make sure there’s not a conflict of interest as they’re doing what they’re doing.
0:22:23.1 LH: So privacy is always there. Holding those individuals accountable, and of everybody on my security teams, the Secure Operations Center folks need to be the most trustworthy people that I have on my team, because they’re the ones doing everything. I’ve got folks doing tool maintenance and tuning and things like that to make them better, and prevent false positives and things like we talked about earlier, but they’re looking at their specific tools. They’re not necessarily digging into the data quite as much. The Secure Operations folks have visibility into everything. They’re the ones doing the response, so privacy is always something we’re concerned about. I know personally, I’m cautious on what I share with that group sometimes. I’ll send them into an investigation and not necessarily tell them why, tell them what’s going on. Just kinda ask them, “Hey, go find this specific behavior for me,” just for that reason, trying to maintain employee safety, because at the end of the day, if employee X wasn’t doing some nefarious activity that we were investigating, I don’t need that team to be jaded. I don’t need them to think that this was a bad guy, even though we exonerated them. So it’s always a balance, and it’s probably one of the more difficult things in my group to keep in balance, if that makes sense.
0:23:31.5 BH: No, it does, it does. That “Go look for Bob” versus “Go look for the action” and “Confirm that it was Bob,” it seems so simple, but it is so critical in an investigation, because, like you said, not only jaded; how many of us ever see somebody on the news acquitted? Acquitted just simply meant they didn’t have enough evidence to find them guilty, because as soon as you figure out that an investigation needs to happen, “Oh, they must be guilty. You wouldn’t investigate an innocent person.” So you’re very, very smart on that one, and I’ve seen it myself on my side happen as well.
0:24:03.6 LH: Yeah, you’re exactly right. The investigation does admit guilt, kind of, to the investigators?
0:24:08.9 BH: Yeah.
0:24:09.7 LH: There’s no press release, no company-wide announcement that says, “Hey, we found that Bob is actually a good guy and did nothing wrong here.” That never happens, so yeah, no, good call out.
0:24:20.3 BH: So then the investment in technology, let’s talk about, I guess, what you guys have done. The SD-WAN side of things, talk to me about your world there.
0:24:33.2 LH: Certainly. So we’re Bass Pro Shops and Cabela’s. We have [0:24:36.5] ____, marine, we’re a large organisation with around 200 different locations across North America. We have corporate locations, distribution centers, manufacturing plants, restaurants, hotels, a little bit of everything. So a lot of those places don’t need a huge internet pipe for what they do, but at the same time, they need access, because, to our points earlier, everything is going out to cloud-based applications, software as a service, what have you. So really, you talked earlier, I think you said the internet is the new network and we need to get used to it, and I think this really enables that and causes us all to adopt it. What’s really important as we head down this path is that security and IT, the network folks that are making the changes, are really doing this together and not one doing it through the other, the whole ounce of prevention versus a pound of cure thing. If we do it together, and we make conscious, well-thought decisions on what data, what applications, what connections can go straight to the internet, for instance, from any of our 200 locations versus what has to be backhauled through our data center, through our security tools and things like that, and you get a clear…
0:25:45.5 LH: There are two different connections we have going on, and then you add a third in, we have vendors on site, you have guest WiFi, things like that, and really determining holistically what needs to go where, and then you iterate through that. You go through app by app. Some apps, we have some HR-type apps, where people can view timesheets or download their pay stub, things like that. They also view training material, videos, things like that, for normal annual workplace training. I don’t think the training videos should be as protected as I do the employees’ pay stubs. So that particular application [0:26:24.7] ____ or in this case, straight from the internet, so that we’re kind of getting the best of both worlds and we’re able to reduce our cost of getting those to our locations online. And again, it’s one of those things that we’re working through now. In five years, you and I can have the same conversation and I’ll tell you how we’re still working through it, because it’s never perfect, it’s never done. Every week, every month, we’re looking at trends, looking at what’s changing, and trying to make it better, right?
0:26:52.1 BH: Absolutely, absolutely. God, I think the self-improvement and that constant improvement is critical. The second you sit back and say, “Ah, I’ve made it,” you just get destroyed so quickly, it’s unbelievable.
0:27:09.3 LH: You do.
0:27:10.9 BH: So, your cloud migration?
0:27:13.1 LH: Yeah.
0:27:15.1 BH: You guys have, public versus private. Okay, so let’s talk about this horrific word we call cloud.
0:27:23.7 BH: Tell me about your journey through that.
0:27:26.3 LH: Yeah, so like most organisations, I think high 90% of companies out there, the business actually took you to the cloud before anybody in technology made the jump, whether it was a cloud-based app or they started using Dropbox or some other cloud-based service, and then technology and security had to catch up behind it. We’re no different, and that’s not totally a bad thing. We just wanna get in front of where we’re at, so trying to understand, again, application-based, workload-based, everything like that: what applications, what workloads, what data can we store in the public cloud that is going to be shared, maybe less secure, fewer controls around it, versus what needs to be in our private cloud that we have more granular control over. And we look at not just is it sensitive data, but is it revenue-generating workloads, things like that, and try to make the best decision.
0:28:20.4 LH: A lot of times, you don’t know what you don’t know. You create this model, you create this strategy, and it’s a journey. As anybody who’s been through a cloud migration knows, it’s a multi-year journey to get even halfway done a lot of times, but you learn along the way. You have a strategy, and then three months in you have to change your strategy, and a year in you’re changing your strategy again, but visibility is what matters. A tool like a CASB tool, and there are other types of tools out there, is important. What are your users using? If you decide, “We’re going to take Office 365,” that you brought up earlier, “we’re gonna use that and OneNote and things like that for data storage,” that’s great. You get that as your company standard for how we’re gonna share data, but then you bring in a CASB or some other visibility tool and you start seeing that you have users that are using Google Drive, you have users using Dropbox or box.com and everything else to do things as well, and that blows up your strategy. How do you incorporate that? Do you force the business unit to move over to what you, the technology folks, pushed out, or do you try to secure what they’re using, or do you do a hybrid approach?
0:29:24.3 LH: So again, that’s the thing: you try to have a holistic approach across the business, or at least that’s what we’re trying to do, but you have to be willing to adapt to the business. Again, the business owns the data, and a lot of times you’re actually working with another organisation, another business partner who has adopted a different tool than what you have, and we have to be able to interact with them, so you may have two solutions or three or seven. So being nimble and having more of a strategy on how you’re going to protect the data and workloads that go to the cloud, versus the very specifics about, “This is our cloud, and we’ll never have another,” that’s really short-sighted. The cloud is big, and like you said, it’s everything. Is it infrastructure as a service, software as a service? But really defining, holistically, take every definition you can have of the cloud and understand your corporate strategy and how you’re gonna not only protect it, but how you’re gonna respond to anything that does happen, and be able to have quick reaction capabilities when the business or a bad guy decides that they’re going to mess up your day and do something different for you.
0:30:23.9 BH: For sure, for sure. Absolutely, and that concept you mentioned, that you said you change, then you change again, and then you continue to change, I think is so critically important, especially for CISOs that are in charge of large or small organisations, because, sometimes I think I’ve fallen victim to it myself. A little bit of hubris comes in and you say, “I’ve done this before, I’m gonna do it again, I know how it gets done.” And being able to not only say to the business, “Okay, the business is changing, and I have to help enable that, but also I have to change my approach.” Maybe that worked in the last 17 companies that I worked at, but now the world is different or the company is different, or the risk appetite is different. Something is different, and I have to be able to be open to that change as well. So I think that’s a critical component.
0:31:11.7 LH: Oh, you’re absolutely right. I go back and go 20 years when I started working in security and at the time, folks like you and me, we’re in the back room. We were never to be seen or heard from. We should be securing the organisation silently and nobody in leadership knows who we are most of the time. That’s not the case anymore and it really shouldn’t be the case. So we talked earlier about security guys, understanding the business, understanding what’s going on, and that means being able to be quick reacting and all of that. So yeah, it really is a different world now from when you and I both started, and I’m really interested to see how different it’s gonna be five years from now or maybe even one year from now.
0:31:50.3 BH: For sure, for sure. Did you ever think that… I know I didn’t… When I got into the security side of things that I have to know what a PML was, how to read a balance sheet made no sense to me.
0:32:02.0 LH: Absolutely, right. I remember my first year going way back on just budgets in general, we needed to develop a budget. I’m like, “Well what does that mean? What is budget driven from?” And man, I went to school. I read books. I talked to people I trusted, and I learned the best I could really fast. And I still learn like every one year over here to do it better, but you’re right. It’s nothing I ever thought about when I first started out on this career path.
0:32:25.0 BH: Very cool. So now I guess we’ve got… Oh, my apologies. So the key takeaway, this is your quote, “User identity is a new perimeter for cyber security professionals.” If you could, for our audience, could you just reinforce what you mean by that?
0:32:43.4 LH: Yeah, absolutely. Now again, there is no perimeter. It’s a dotted line perimeter. Your perimeter is user behavior, it is your user base, whether it is your employees or your customers or whoever it is you’re trying to protect, that is your new perimeter. Their behaviors, their access, what data they have access to, what data they don’t have access to, all of that goes together to form this person’s identity. Right? Across multiple apps, multiple infrastructures, multiple domains, it becomes very big very quickly. So having a very strong identity management program, understanding that Bob Smith over here is the same as Bob Smith over here, and here’s what he should be doing. It’s really the most critical thing you could do because when you’re looking at user behaviors, identity behaviors and identity, by the way, could be a machine, it could be a service, it’s not necessarily a person, an identity is an item, whether it’s a human or not.
0:33:36.9 LH: But understanding what they typically do, what they should be doing, makes things a lot easier the second they do something they shouldn’t do. So that really is the new perimeter. That’s the equivalent of somebody hitting your firewall 10 years ago with a port protocol, things like that, but abnormal anymore, and that still happens, but anymore the real alarms that you should really take industry now is when user identities or identities in general do any activity they don’t normally do. That should be the things we’re responding to the quickest these days.
0:34:05.5 BH: Absolutely, when you think about it, somebody actually used my credentials to log in and do exactly what I’m supposed to do. Well, they’re just doing my job for me, so I’m okay at that point. It’s when they deviate and start doing something that isn’t my job, that I’m gonna get started to get worried.
0:34:19.8 LH: Absolutely right. And if they’re better than me at my job, I might welcome it. But if they’re gonna embarrass me in my job, we may have a different conversation I guess as well, right?
0:34:26.7 BH: Absolutely, absolutely. So now if you would, if you’re open to it, Lee, we’ll do some Q&A. I got actually a couple of questions here. One is, how critical do you think IM is in an overall program to support your zero trust initiative? I think you touched on that a little bit, but specific to zero trust, how important is it?
0:34:50.3 LH: Yeah, I think it’s one of the most important items actually. So when I think of zero trust, and there’s lots of organisations and white papers and many things like that that talk of zero trust, zero trust is really more of a philosophy than it is a solution, right? It’s basically the understanding that nothing on your network inside, outside, whatever is to be trusted, you have to worry about it all. Identity is probably the most important component of that for me, because everything else is just that. It’s just connectivity, it’s just everything else, to know the identity of a machine, of a server, of an application, of an employee of any customer. That’s really how you start down the zero trust path, in my mind, and without that, you’re just creating friction points for people with no real reason. You have to understand the identity, so that you can not just enable zero trust, but you can do it in a way that provides us less friction points and actually enables the user and hopefully it makes it as transparent to user base as possible.
0:35:48.1 BH: Yeah, actually, that’s incredible that you mentioned friction point in there as well. I think you’re actually right, that zero trust is a philosophy and there’s different ways to interpret it, and that can go against your business, which is fantastic. And that identity truly is the key, because when you look at some of these security platforms that have been built out there that provide incredible range of services and secure services to a wealth of different locations and access methodologies and stuff. Every one of them I think, if you look at the second bullet point in the steps to a true zero trust, second one is a secure identity, right? And they’re usually reaching out to some service to get a secure identity, send a SAML token over and then we’re all on, we’re full in. But you mentioned friction, so that sort of leads into, I guess, a partial question that we have here around the IM capabilities to create security. How do you balance those against the user experience?
0:36:48.2 LH: Yeah, so for us, as we went down the path of selecting the technologies that we want to use to maintain identity or multi-factor authentication, what have you, the number one priority in our list was the user experience. On one hand, and I’m gonna over-simplify, so I’ll apologize for that, but multi-factor is multi-factor. The mechanics of how it works and what it does is pretty basic across most vendors. There is some secret sauce behind the scenes and things like that. But what really mattered at the end of the day, especially for my organisation, is that user experience. If the users are gonna revolt and not like whatever tool I select, then I wasted a lot of money to accomplish nothing. So when we went through, we did proof of concept, we did demos, we brought in business users, and we brought in folks outside of the technical space, folks that had never talked about this at all, and said, “Hey, what do you think about this?” But that was the driving factor for us. We needed to make sure that it’s good enough for us, that it’s secure enough, and that it is iterating us in the right direction that we wanna go for our strategy, but at the end of the day, without the user buy-in, or the user saying, “Hey, this is nice,” it means nothing.
0:37:53.0 LH: The other piece we’re trying to bring to the table with that is, I think you talked about it in one of your slides as well as multi-factor and single sign-on kind of coming together, if we can not only make our identity management, our multi-factor less friction points for the user but if we can take three, four, five, 20 apps and bring them into a single sign-on, so you have one authentication per business day or whatever frequency you want versus those 20 different ones. We’ve not only increased our security posture, but we’ve reduced the time that users are typing passwords, clicking log-ins, things like that, and actually gave users minutes to their day back, but minutes per day across 40,000 employees turns into a lot of time. We’ve actually bought for the business for people to be more productive, so we have actually enabled revenue-generating behavior, reduced user friction points and increased the security posture all at the same time.
0:38:45.9 BH: Couldn’t ask for more in a security solution, in my opinion, I think when you can do all three of those you’ve hit a home run. Lee, I wanna thank you very much for joining us today and giving us the wisdom both, of your experience as you’ve gone through this journey, and as you continue to go through this journey, I know there’s lots of people out there that would like to thank you personally for joining us as well. For those out there, I’d like to maybe with a last thought, if you will, around partnering with SecureAuth as an identity provider, we provide adaptable security, it’s for both the workforce and customer identities at scale, we are born on-prem and moved into a cloud, so that we can provide a hybrid solution, because we know that customers will never be all or nothing. Until you burn down every building in the world, there will always be a premise to go to, and to some of the points that Lee has brought up, it’s a frictionless user experience, you have to have that configurability that takes the business into account when you’re developing it and being able to protect very complex systems.
0:39:49.1 BH: Technology debt is there, we’ve all got it. In some form or fashion, mainframes are still out there, AS400s are still out there, Lotus Notes is still a raging system on the backend of a lot of companies. And we have to be able to address those, we can’t just keep thinking, this is a web-based SaaS world that everything operates in. With that I’d like to say thank you to everyone for joining us today, and if you’d like to get any more information, the webinar will be available for download if you’d like to go back over it and listen to it, and if you need any more information on SecureAuth, we’re at www.secureauth.com. Lee, again, thank you very much and all the best. Oh, actually, one last question, what’s the first thing you’re gonna do when the world opens up? Where are you gonna go?
0:40:34.5 LH: Oh man, I’m gonna go find a top in bourbon somewhere that someone will serve to me. That’s what I’m looking forward to the most. [chuckle]
0:40:43.1 BH: I will join you there, you let me know where that is and we will meet.
0:40:47.1 LH: Absolutely, I look forward to it, Bil. Thank you for having me today, I certainly enjoyed the conversation and I look forward to talking to you more soon.
0:40:53.4 BH: Alright, take care and be safe. Thank you everyone. And be safe out there.