Event Recording

Adam Drabik: Importance of Identity & Access Management and other Aspects of Cybersecurity in Post-Covid-19 World


Log in and watch the full video!

The session will be about threat landscape tips from the practitioners.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
I've been in this industry for about 25 years out of that, about 20 in, in cybersecurity management roles, all sorts of all sorts of risk and compliance, sort of connected to it. I've been working for many industries and I'm sure you can recognize some of those brand names. The companies that I either consulted or worked for directly as a chief information security officer, I do specialize in all those things on the right, especially in judo coaching to, to the children. I'm also a founding member of a club CSO, and it's a effectively, a, a group of peers, heads of security and CSOs. And we basically gather together to exchange views and sort of help each other. It is us against them, right, as the good guys against them, the bad guys. So I, I think, I think we can only solve it together, but anyway, what are we going to be talking today about?
Well, first, how to prioritize and prepare for those sort of near future. I guess we gonna be talking also what happens when, when you get it wrong, right? What, what, what are the consequences we're gonna be talking about why those bad consequences happen and then into a bit more sort of sharing of good practice, we're gonna be talking about fundamentals of good security, also tips on how to become resilient. And I'm gonna share some really interesting articles for you to read so well, how do we focus on the right things? So the most important things is to focus on the important things on the left. We can see the, the typical heat map. It's nothing to do with security is just a graphical representation, but it, it basically shows a risk heat map, and some of those risks are moving. And that's exactly what happened to our environment over the last couple of months, some risks became much more prominent and then some have probably fallen into, into sort of other categories.
So I think the tips from from myself is that we really need to analyze how our businesses have changed in the last three, four months. It's also important to, to understand the context of where we are heading into the future. So I think the discussion with the business executive leadership is also also a good idea to check what they think the business would look like in the next six months. So we can prepare better. I think a a really great place to, to start is that risk registered and that, that he, you know, risk heat map, we need to effectively readjust our priorities based on what is really important. So all the things generally in red with high impact and relatively high probability is really something that we need to pay attention. And we also need to understand if a risk has moved into that space, because we may want to actually address the risk differently or do more in terms of mitigation.
And this is really what effectively allows you to create your tactical task list. Let's say, I think, I think it's also important to, to act fast, right? In order to be prepared, there is no point to delay this after summer, or, you know, later on the year that kind of readjustments and, and prioritization has to really happen, you know, as a regular, you know, frequently repeated process, generally speaking, I would say 80 20 rule helps. So if something is 80% done, just declare it as good enough and move on to the next big thing. You know, we quite often fall into the trap of trying to do things or, or complete things and arrive at perfection that is usually not required. Right. And, and, and you may, you may want to consider doing more things rather than just one thing perfectly. All right. So what happens if you get it wrong?
So I I've pulled that, that information from, from wired magazine, and this is effectively the financial impact or estimated cost and damages from a cyber incident. And this is this specific sort of not Pia incident that happened in 2017 and affected all those well known brands out there. I mean, massive, massive numbers. I have been actually the CISO of one of those organizations, ragged bank, well, prior to the, that, that incident. So I can absolutely see how devastating that kind of incident maybe to, to, to the company operations, that specific incident, you know, brought nearly all those companies to, to near extinction. And we, we're gonna talk about it a bit later. So moving on to, to what happens if you get it wrong apart from the sort of the, the, the, the, the, the impact caused by the cost of recovery and the, the, the, the sort of the cost of managing the incident itself.
You know, we also may expect some eye watering fines, especially now that general data protection regulation is present in Europe. These are just a list of, you know, a fairly sort of recent fines issued to, to companies. And especially if you look at the amount of fines issued to Google and, and British airways and Marriott Marriott hotels, you can see that those amounts are absolutely stunning, especially now in the, in the COVID 19 world. We, you know, a lot of those organizations are basically already suffering business wise and imagine big fines coming along and having to be sort of accommodated as well. That would be absolutely devastating. So there is, you know, apart from the, the sort of the GDPR fines, what we can sort of expect as an impact to our organization is also reputational impact, which then leads to things like loss of customers, loss of, and that leads to loss of future revenue or even current revenue.
And that could basically significantly impact ability to, you know, of, of the company to recover from, from that, you know, quite a tough business environment operating during COVID 19 pandemic. There may be also some other, I guess, financial and, and reputational consequences like class action. So effectively the end consumers suing N mass, the organization that impact could be much more than those fines and, and other, other financial consequences. And, and, and that would affect, again, the, the future profitability of the business. I think one more sort of unwanted effect is where, you know, especially when the, the, the, the regulator comes in and, and checks how well we were sort of prepared and, and managing our security and privacy of data and the data protection, they may actually decide to do more direct management. If they're not confidence that we can manage our environment well, and, and manage that, that data under that specific protection.
So anyway, all in all it is money down the drain. And I just want to mention the, the, the two recent sort of data breaches, where we don't know what the impact is gonna be from a regulatory perspective. And that is Travelex, which if you remember, was quite severely impacted back in, in December and January this year, and also easy jet quite recently, easy jet has been really struggling business wise, obviously because of the lockdown and flights being grounded, what happens if they're gonna get a massive fine, you know, will that bring the company to extinction and is the regulator gonna take appropriate measures here? And, and, and what is gonna be the, you know, the, the, the, the, the sort of the, the, the amount that, that EasyJet is likely to be fined, you know, looking at British airways, quite similar sort of breach, you know, that amount could be absolutely staggering.
Anyway, let's have a look why this, this incidents happen. I think we've been struggling for a number of years with, with a number of areas and, and, and we haven't really got yet to that very comfortable place where we can manage those risks really, really well. So what leads to those incidents? Well, I call it vulnerability mismanagement, right? So not only we, we sometimes don't scan very well as in, we, you know, there is effectively not everything in scope that sort of discovery of assets. Isn't great. So we don't know what's connected and what's out there. Our pen testing is either not done or, or is of poor quality. And it does not really discover all the, all the, all the weaknesses that we need to, we need to fix. So that's the first problem sort of knowing what's out there to be, to be taken care of.
Then there is a problem of management of all this information. So lack of prioritization and context enrichment, right? So we, we, we are bombarded as, as security leaders with this mass reports about tens of thousands of vulnerabilities that we have in our network. But if we are not gonna enrich it and prioritize, we don't know where to invest the effort, and it may feel like boiling the ocean. So it is really important to, to do that step before we start fixing also later, no patching, I mean, this, this, this is a grave mistake, right. You know, the organizations, especially the, it organizations have been really struggling to, I guess, deploy patches on time and to reduce that zero zero day vulnerability window, where, you know, either patches not available or patches not applied. And obviously the, the, the moment that, that it gets sort of discovered by the bad guys or by security researchers, and it's sort of published.
And the, the, the hacks start to, to sort of appear that is effectively the cause of, of all evil, I would say. So, yeah, the, the important thing is to make sure that we don't fall into that trap of late or no patching, sometimes only part of the stack is being patched. And that is also a problem. So we leaving vulnerabilities in quite knowingly, in fact, and obviously there is inappropriate configurations. So apart from patching itself, right, a lot of our equipment is still sort of potentially run with default passwords, default configurations, which are actually quite weak on security and therefore exposing us to all those malicious activity. Well, we also have a big point there about poor identity and access management. So what is the grave mistakes that organizations, you know, do or struggle, you know, solving, I call it entitlement hoarding. So especially for a long, so, you know, people that, that spend a long time in the organization, the, you know, they, they effectively maintain the, the rights and the access that they have been given for completely different tasks, you know, 20 years ago.
And they still have that once that account is compromised and that may happen anytime, you know, suddenly the bad guys effectively, or the malicious code has access to an awful lot of things. So it's almost like a, a privileged account, but actually it just comes from that entitlement hoarding. There is a lack of segregation of access in roles, you know, identity and access management, unfortunately was very often one of those things, which were sort of not really glamorous project to run, right. It's, it's one of the fundamentals, but not, you know, it's not a flashy project, but it's absolutely needed to maintain security, that role definitions, right? I mean, are we working together with our business departments to actually configure those roles and deploy them appropriately? Are we updating them when, when the roles changed, have we truly made role-based access? You know, one of the fundamentals of the way, how we, how we, how we, how we manage access to information and how we manage identity, privilege access for many right.
I mean, for, for the sake of being able to quickly resolve things, a lot of people are given more rights than they actually should. And for longer, you know, people are made administrators of their own machines, right? So they can manage it, you know, and they don't have to call help desks. So small savings on help desks results in a lot of risks being taken by the company. And there is also the, the problem of single factor authentication, a very outdated way of authentication and, and very easy to break as we can. We, we can see now there is inaccurate asset management. So again, we, we poorly discover and, and, and it gets outdated very quickly. It's another one of those sort of unloved child, you know, children, I guess, that we have, and no one really wants to get it solved, you know, or everyone wants to get it solved, but no one actually wants to insert the mass amount of effort in that.
I think part of the problem is that also all those topics are getting very low priority on the board or executive leadership level. So there is very little sort of business support for it until it's too late, right. Then everything changed. And obviously there is user errors, which are usually caused not by malicious intent, but in fact, lack of security awareness, or just tiredness, stress and all sorts of other factors. So what's good security like, well, we have to know our assets and risks. You know, we, we need to do all of this that you see on the screen process, mappings, current identification, good risk management, good ownership. We, we need to, as I, as I mentioned, manage our identity and access well, right? So we need to segregate user privilege and administrative accounts. We need to frequently audit and resolve all those problems that arise from those audits.
We have to run our, join us movers and levers process properly, and especially reset access for moves, right? To avoid that hoarding of entitlements. I think it's a good idea to, to use tools and as much automation as possible, all those tasks are very tedious and, and there is now tools and methods to, to manage it with, with little sort of human interaction, which is very welcome. I think implementation of multifactor authentication is real, really a necessity now. And, and, and we need to at least deploy it where our crown jewels are, and also the single sign on and Federation services. So we don't have to maintain huge amounts of different logins for different people, you know, and, and, and, and quickly lose control over it. We need to keep our software up to date. I mentioned patching also take into consideration your suppliers. We need to embed security in the culture and DNA of the company.
So everyone has a role in a company protection, everyone, not just a security team. We need to train and really engage people and help them in their understanding and, and in that protection role. And we need to implement security by design and previous a bit by design. And it's also one of the requirements of GDPR. So just very quickly, cuz we are running out of time and I want to take a few questions, how to build and maintain cyber resilience. There's some ideas about how to, how to do proper backup and identity backup and sort of being able to recover from disasters. There are single points of failure that we need to take care of. So we need to overlay controls. We need to effectively eliminate as much single point of failure people. And also in our service providers, we have to think about how to, you know, how to run things when someone is not available or some service is not available.
Plan planning and preparations is important. And there is also other key enablers like leadership funding, having the right people, having the right processes and tools. There is some fantastic reads that you can can sort of that you can take and, and, and, and sort of get yourself familiar with this are, these are a couple of articles written by people who have been experienced cybersecurity breach. They're not Pia and especially the MES one. And all those three articles really form a really great read, especially the Gavin Ashton, who was the MES identity access management owner. And he explains the, you know, what were the key challenges and, and trouble and that's, that's it for myself. So, yeah, I, I would like to take some questions if, if, if there is any.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00