Digital systems have become very complex, 95% of admins have too many permissions, and 76% of IT decision-makers are facing a skills gap. This is a recipe for disaster, so how do you fix it? Patrick Parker from EmpowerID will elaborate on this challenge in his keynote "Model, Measure, Manage - The Journey to Autonomous Security in a Hybrid Multi-Cloud World" on Tuesday, May 10, at the European Identity and Cloud Conference 2022.

To give you a sneak preview of what to expect, we asked Patrick some questions about his presentation.

Why is there a need for Autonomous Security in a Hybrid Multi-Cloud World?

That's a good question. So there are four major cloud platforms in use right now today by most enterprise organizations and these cloud platforms have a depth of functionality that also is increasing the complexity of their security models, producing about 40,000 unique permissions across the four platforms. So what you end up with are very complex systems for which 95% of admins in these systems are over permissioned because most people do not understand how you would get to a least privilege model and how to manage those complex systems with that many permissions. So from the technology side, from the business side currently 76% of IT decision-makers are facing a skills gap. We've had a great turnover right now where most people have left their jobs in IT, they're looking for something new. We also have a major skills gap. The skills gap in cybersecurity alone has increased by 39%. So you have more complex systems, you have the struggle to find properly skilled or trained people. And then that all is going to produce by next year, which is predicted to be 99% of cloud security failures will be the customer's fault due to misconfiguration. So it's all coming together that really we can't keep up with it just from a human manual effort perspective.

How can organizations define their ‘desired state’ for identity and access management?

So you really need a desired state because you need to know where you're headed to align your resources and your people and your technology toward a mission. A clear goal. There are different metrics you can use. One overarching principle is zero standing privilege, the idea that on weekends and at night you shouldn't have identities that are privileged, lying around waiting to be compromised by hackers, that you should convert your organization or optimize it into more of a just in time infrastructure. So privileged access is granted just in time just enough and just for the purpose that it's needed. And then it's also monitored. That's one key principle, is measuring your organization's progress from standing privilege. Where people have it permanently all the time to where it's just in time so that when people go home at night, there aren't these privileged identities. There are also many other measures. One other goal would be to move toward zero trust, which means that you're always proxying, never giving direct unmonitored access which you could measure that using tools like privileged access management. And then other statistics like the number and percentage of your user accounts that are orphans that do not belong to a specific person, so they're kind of unmanaged and they represent a risk. The average age for your passwords, for users and privileged users, the percentage option for multi-factor authentication, the average age of risky access from the time it was last recertified and then all of this you can produce an overall risk maturity score to track your organization's progress to how they're getting better and more secure. And what's really needed is some industry benchmarks maybe to be produced by an organization like IDPro that we could all share this knowledge and agree on a set metric to help gauge or compare one organization's progress towards another.

How can modeling and abstraction lead to a more secure automated identity infrastructure?

So abstraction and computer science especially has always been our savior, managing things at the machine code level was early days and it was not very productive. Really, the abstraction has allowed us with very little effort to have levers that are more powerful, that can move more things. So really the same applies to security and permissions across all these complex systems. Right now every system has its own security model and you really need to be an expert in each system and there's no way for the different domains of expertise like business intelligence, IGA, SIEM, and AI to talk to each other and know that we're speaking the same language or that we're actually talking about the same thing because we're managing at the technical level. The real abstraction and the use of a semantic language or modeling language where we're bubbling up these fine-grained permissions and activities across systems into one common language that's understandable by business people and can be gauged and assessed for risk will allow those different domains to tie together processes, IGA to understanding access you're allowed to have based on what you should be able to do from a business perspective, SIEM to let you know what you are doing, and is it appropriate in the same language and then AI to use that same language to automate toward a mission or a goal, to reduce standing privileges, to monitor for risky activities. And again, if we all get on the same page, then it'll increase our awareness. We'll get the benefit of a multi-disciplinary approach and we'll have a better overall security perspective across the enterprise. And one more thing, just with that standard language or that modeling or a defined end state, then people work best with a mission and so does AI. 
If you're going to throw AI to beat against the problem, if it has clearly defined mission parameters or a goal that it's working towards, then you can apply AI principles and AI technologies to help you continuously get to that goal. That's the autonomous part. We are enforcing least privilege optimizing permissions from permanent standing permissions to just in time permissions and just hacking away or banging away at our attack surface to reduce it and make the organization better overall, which again, that's the part that the humans can't really do because we don't have enough skilled people and just too many systems, too many permissions these days.

What can attendees expect from your talk at EIC?

I hope a little bit of fun. I hope it's not dry. I hope we have a good time. I hope that after the talk we will come up and we can really chat about it and continue the conversation in the social media world as well as maybe at the next upcoming conferences. And really, I guess the goal would be to help them plot a course and leverage the best technologies available to accelerate their journey toward a more secure and mature organization to deal with this multi-cloud complexity.