Event Recording

Insights of a CISO: Interview with Thomas Malta

And yeah, as mentioned multiple times already today, Tom Malta is with me, who has been an absolute expert in the field of identity and access management for many, many years and, as I could read today, works as head of identity and access management at Navy Federal Credit Union. But Tom, you have many years of experience in a number of banks and other organizations, so before I say something wrong, I leave it to you to tell us a little bit more about your career so far.
Yeah. Thank you, Burk. I'm happy to be here today. So I grew up as a developer and landed in the risk space by accident 20-plus years ago, and I've been working in cybersecurity, in particular identity and access management, ever since then, all in the financial services sector. More of late, in addition to leading programs, I like to give back as much as possible, so I'm doing a lot of speaking engagements like this, doing some white papers, and I also participate in a couple of different board advisory positions. One in particular is the Identity Defined Security Alliance, which I do a lot of work with. So again, happy to be here today with you.
Yeah, I think that's interesting. So you are an active board member in the Identity Defined Security Alliance. What does this mean? What is your job as a board member there? What are you doing?
Great. So I'm one of the practitioners on the board. What they do is bring practitioners and vendors together to make the identity community stronger, if you will. An example of that is: if you have CyberArk as your privileged access solution and maybe you have Saviynt as your IGA, try to get those two vendors to talk to each other, and from a practitioner's perspective, give people real use cases on how to implement those tools. So we see it as a great way of educating the community, if you will. Whether you're starting out in IAM or even have a mature program, it helps people really understand what they need to do.
Yeah. I recently read the white paper of the Identity Defined Security Alliance, and what I found interesting was a quote which says the way to zero trust starts with identity. Can you comment on that? It resonated with me a lot.
Yeah. So we like to believe that identity is really central to security, right? And we coined the phrase identity-centric security. In all organizations, we're the frontline, right? We're that first line of defense. If the bad guys get into the network and they get the credentials, they can then move laterally across the organization. So depending upon where you are in your program, whether you're starting out and maybe just need some basic fundamentals or you have an advanced program, that whole concept of zero trust, making sure you understand who has access to what and that those credentials are being managed correctly throughout the organization, is really key. One thing we always tell people is that the basics are foundational: make sure you understand the identity events coming into your organization, right? Your new hires, your transfers, your leavers. A lot of times, particularly with consultants or contractors or non-permanent help, managers have an impetus to get that person on, right? You want to do that project, you've got to bring that contractor in, but when they leave, they forget to remove their credentials. And again, that creates risk and violates that whole zero trust concept.
Yeah. I heard from many experts that typically the recommendation is to start with identity and access management when it comes to zero trust, but identity and access management is certainly not the only core component of a zero trust approach. So what other components do you think are required to establish a zero trust project or program?
No, that's a great question. It starts with identity and it extends across the organization, right? So also in your network: making sure that you're protecting that correctly, you understand the people coming in and out, and you've segregated the network properly across different business units and so forth. I think all of that comes together in that zero trust framework. It's centered around identity, but it's also around the entitlements and the authorization of what that identity gives you. So it starts with identity, but then it extends to what I can do with the identity. What's my authorization across the network? Can I do privileged access, or can I just get end-user print access, and so forth? So it definitely begins with identity, but then it extends across the entire organization.
Yeah. So, another obviously very typical phenomenon in many organizations: everyone is now either already in or about to move into the cloud, or multiple clouds, to be fair. So is cloud a driver of the zero trust approach?
Great question. Yeah. So as you're thinking about your journey, particularly if you're in a multi-cloud environment today, and for those of you out in the audience, if you just have one SaaS provider, using Workday or using Salesforce, you're in a multi-cloud environment where those identities now also need to be managed in a centralized way. So when you start to think of the big three that are out there providing cloud services to many organizations, each of them has their own identity and access management framework. So it's a little bit of apples, oranges and bananas, right, when you try to bring it all together. Managing that can be quite a challenge, not to mention that as many organizations go from on-prem into the cloud, there's the explosion of identities, right? So no longer do we just need to worry about human accounts and maybe some of those service accounts that were running in our data center; now we've exploded that to machine identities and API and service accounts and other things and services that are running there.
So each of those has an identity that now has to be managed as well, right? And that brings on some really big challenges. One of the things we like to recommend for people is to try to bring it all back into a centralized framework and establish what we call an identity DNA. So if Tom Malta is at Navy Federal, it's a five-character ID, and everything that Tom does at Navy Federal, whether he has privileged access, whether he maintains service accounts in the cloud, whether he has other application entitlements that are outside of his normal single sign-on, you want to tie all those credentials back to that DNA. So now, with your lifecycle events, as Tom moves across the organization or he leaves the organization, you can actually generate workflow to make sure you're properly disposing of the credentials that he has. In some cases, some of them might go to his successor; in others it might be, hey, we need to get rid of these accounts, he's no longer here, right?
So we already talked about identity and access management being sort of the foundation of a zero trust approach. What other important steps does one have to take in order to implement zero trust? What did you do at your organization to get started and to get it implemented? Can you share that?
Sure. Great question. So I think if you're just starting out, start with the basics again: make sure you've got your identity lifecycle events managed well. Typically organizations mature to some sort of a role framework, where you might start to introduce roles in your provisioning and in your lifecycle events. One of the things that I've found over the years though, having done this for the last 20 years, is that we need to get away from the amount of provisioning and certification of access that we're doing in organizations throughout the world today. What was traditional was: hey, Tom comes into the organization, I'm going to model him after somebody else and give him everything they have. Well, that might not be appropriate, right? But then people will argue, well, Tom, we have the certification event where we're going to review all of this access and we'll be able to see everything. So that generates a lot of maintenance.
It generates a lot of stress for your end users and your management population. You have to look at all that access, you have to certify it on a regular basis, and it becomes daunting. And what happens in the industry, what I've seen, is that we get into this rubber-stamp approach, where people are looking at access on the screen and their eyes are just glazing over, so they're just going down and saying accept, accept, approve. So what I'd like to introduce to the audience is: as you mature that process, think about getting yourself into coarse-grained versus fine-grained. And what do I mean by that? So roles are great, and you could use IT roles, otherwise known as application roles, or you can gravitate to the top of the pyramid and do business roles.
But what you want to be really careful about is: don't put all your entitlements into the role. Make sure you're concentrating on what the people share and what is in common. That's coarse-grained. Take the coarse-grained access, those entitlements, and build your role framework. It will be extremely successful that way. And then you can tie it to your birthright provisioning, so that when people come into the organization and there's a new business analyst, that business analyst is going to get all the basic things that he or she needs. Now you might be asking yourself, well, what about fine-grained entitlements? Well, that's where we get to the next level of maturity. So what I'm seeing organizations do now more and more, and I've done it at my last place and am looking to do it at Navy Federal as well, is the concept of dynamic authorization, or just-in-time provisioning.
So no longer am I giving Tom or anybody else everything that they need or that they want, so they're not walking around with that access. Therefore I'm not provisioning it, and even better, the manager doesn't have to certify all of it. Because if I use dynamic authorization, otherwise known as just-in-time provisioning, I only grant that access for the split second in time that the person within the transaction needs to be authorized to do it. I might even have a step-up authentication as part of it if it's something really sensitive. So that's really embracing the zero trust model, folks, because you're not provisioning that access except for the very moment in time that that person needs it, if it's something sensitive, something very fine-grained. The coarse-grained general stuff, put that in your roles; the fine-grained moves to your dynamic authorization framework. Start to adhere to it that way and you'll be very, very successful.
Interesting. Many people think of zero trust primarily as a technical project, so implementing zero trust on devices, on networks, on applications and storage, et cetera. But I think we all know that the individuals, the humans, are often the first place an attacker goes when coming into an organization. So they are the number one attack surface, if you want.
Yes.
So what are you doing in order to work with the people, to make them aware and to make them risk-conscious, et cetera?
No, that's a great question. So communication is key in your IAM program, making sure people understand that risk management is part of everybody's responsibility in every organization. So if there are credentials that you no longer need, or if there are accounts that you have that you no longer require, do yourself a favor and get them out of your possession. Don't wait until that certification event or a transfer of access occurs, because a lot of times people will accumulate privileges over time, and what ends up happening is we end up with a toxic combination of access. The other thing, to your point, is around inactive accounts. As an IAM organization, make sure you're looking at accounts that aren't being used anymore in the organization. So even though I grant you something on day one, you might never need it.
And that account may just sit out there in an active state. So try to develop a program: after 90 days, if you see an inactive account, disable it, and maybe after 180 days, delete it. If somebody really needs it, they're going to call the help desk within six months, and after six months, if they don't need it, take it out of your organization. You're removing that risk from the organization. The other thing to think about is physical access. A lot of times we focus on logical access only, but physical access is becoming more and more important. The bad guys are getting more sophisticated. They might be shoulder surfing, or what we call piggybacking somebody into a building, going to an open office and looking for an open terminal and trying to break in that way. So make sure that your physical access controls are also tied to your identity management system, such that when people leave, you're removing their badges, you're removing their controls as well. I've seen over the last 20 years a number of incidents where we had situations where service providers have come in and out of the campus, someone who might leave their job, like a guy delivering the Coca-Cola to your vending machines. He's got a badge, and he might not be a good person, and he might leave the company but still be able to get into the building with that badge. So make sure that you're managing that physical access as well.
I have a bit of an unfair question for you.
Given that you have been on this journey for quite some time and have done a lot already, how well protected do you think you are at this point in time?
Great question. We're never protected enough, right? To be honest, I think all of those out there in the cybersecurity space, I hope you're nodding your head with me. We seem to always be a step behind the bad guys and we need to advance the controls even more. I think some of the things that excite me as I look at the future are things like blockchain, bring your own identity and self-sovereign identity; those are some of the buzzwords and some of the new initiatives out there. So I certainly encourage the participants to look into that, particularly if your program is at that higher level of maturity and you want to take it to the next step. How do we get that frictionless experience that the customers of a retail organization, or even of a bank, have?
You know, we go to our phone and we have this frictionless experience where we can log in in a secure way as a customer, or in our case, at Navy Federal, as a member, because we support the military and we like to think of them as members. We want that same frictionless experience for the workforce, though. We really want to be able to get people in. Passwords are a thing of the past; they need to go away. I strongly believe in two-factor authentication for everything, but we need to make it frictionless. We don't want it to be painful for our workforce, but we want to elevate that level of security. Passwords and user IDs are just a thing of the past, guys. We really need to get away from them. And unfortunately, almost 70% of the organizations out there, if not more, are still highly reliant on user IDs and passwords for the majority of their access, and that's scary, particularly because the criminals can crack them pretty easily right now.
Yeah. Thank you for your comments, because I think that's a great point: with the implementation of zero trust, we create a lot of data points, and in order to make access and the usage of it frictionless, we have to integrate all these data points in real time, very, very fast.
Exactly.
And of course there we need modern technology, AI and other things. Would you agree with that statement?
Absolutely, yes. And there are some really good tools and products coming out on the market now that embrace AI and machine learning. We're looking at one now that's doing role mining for us. So there are lots of cool things out there, and the market is really starting to move in that direction of the advanced protocols. You're starting to see things like blockchain and AI and machine learning and this whole concept of self-sovereign identity really start to get a lot of hype in the marketplace; that buzz is starting to happen. So it's exciting. But still, I've got to be honest, I'll go back to the beginning of this interview for everyone out there: make sure you're getting the basic stuff right, guys, before you go into these advanced concepts that we talked about today. I mean, are you provisioning and deprovisioning people in the right way? Are your lifecycle events working cleanly? Because if they're not, you've got to start there. Build that house and then continue to build on it on your journey.
Yeah. I have a ton more questions for you, but unfortunately our time has already come to an end. So thank you very much for being with us. It was really a pleasure talking to you and getting all these insights. Thanks also to the audience for listening to us. And with that said, I hand over to Christopher.
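The inactive-account sweep described in the interview (disable after 90 days of inactivity, delete after 180) can be expressed as a small review routine. The following is an added example written for this page, not code from the interview or from Navy Federal; the account fields, the reference date and the sample accounts are constructed for illustration. It also handles the case Tom mentions of an account that was provisioned but never used, by ageing such accounts from their creation date rather than skipping them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the interview: disable at 90 days, delete at 180.
DISABLE_AFTER_DAYS = 90
DELETE_AFTER_DAYS = 180


@dataclass
class Account:
    """Hypothetical account record; field names are assumptions for this example."""
    user_id: str
    created: date
    last_login: Optional[date]  # None means never used since provisioning
    enabled: bool = True


def days_inactive(acct: Account, today: date) -> int:
    # A never-used account ages from the day it was provisioned, so an
    # entitlement granted on day one and never exercised still gets cleaned up.
    last_activity = acct.last_login if acct.last_login is not None else acct.created
    return (today - last_activity).days


def decide(acct: Account, today: date) -> str:
    """Return the lifecycle action for one account: no_action, disable or delete."""
    idle = days_inactive(acct, today)
    if idle >= DELETE_AFTER_DAYS:
        return "delete"
    if idle >= DISABLE_AFTER_DAYS:
        # Already-disabled accounts wait out the remaining window before deletion.
        return "disable" if acct.enabled else "no_action"
    return "no_action"


def review(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map every user_id to the action the sweep should take on the given date."""
    return {acct.user_id: decide(acct, today) for acct in accounts}


# Constructed sample data for a sweep run on 2021-12-01.
SAMPLE_TODAY = date(2021, 12, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2020, 3, 1), date(2021, 11, 20)),          # active, 11 days idle
    Account("bob", date(2019, 6, 1), date(2021, 8, 1)),              # 122 days idle
    Account("carol", date(2021, 1, 15), None),                       # provisioned, never used
    Account("dave", date(2020, 1, 1), date(2021, 8, 15), False),     # disabled, 108 days idle
    Account("erin", date(2018, 9, 1), date(2021, 5, 1), False),      # disabled, 214 days idle
]


if __name__ == "__main__":
    for user, action in review(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{user:6s} -> {action}")
```

In a real IAM program the `review` result would feed the deprovisioning workflow tied to the identity DNA Tom describes, so that a single sweep disables or deletes every account linked to the same person rather than one directory entry at a time.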
