On an episode of Cloud Security Podcast, Ron Nissim and Ashish Rajan discussed identity and access management and privileged access management in the context of cloud security.
They explore the challenges of managing identity and access in cloud environments, the different types of identities in the cloud, and the complexities of implementing identity programs in the cloud. They also touch upon the importance of addressing misconfigured permissions and the evolving nature of privilege management, especially in the cloud. The conversation highlights the need for permission management programs to start with sensitive resources and then expand to cover other aspects within an organization. Ron emphasizes that these topics are evolving, and companies can benefit from continuous dialogue and collaboration in the security space.
Full transcript:
Ashish Rajan
Access management. One way or another, identity access management has been sought for years. But today I am having a conversation with Ron from Entitle, because we haven't spoken about entitlement in the world of cloud. So why not talk today about things like why it is hard to manage a normal identity and access in a cloud context, and the different kinds of identities that can exist in a cloud context.
And what you could be doing if starting an identity program in cloud. Learn a lot more in this episode. I hope you enjoy it. If you want more episodes on Cloud Security Podcast, or if you would like us to cover more interviews and training on topics like identity access management in cloud, definitely give us a comment or email us, or in for a chance to meet.
And as always, if you know someone who is really working on access management, please share the video with them. And if you are here for the second and third time, different job as a like or comment on YouTube. But if you're listening to us on audio, thank you so much for keeping us close to you. And if you have a moment, I would really appreciate it if you can drop us your rating, and I will talk to you soon in this next episode.
Welcome to another episode of Cloud Security Podcast. Today we're talking about one of my favorite topics, identity access management. So I'm really excited about this. Today I have Ron. Thank you for coming to the show.
Ron Nissim
Thanks for having me.
Ashish Rajan
No problem. And for people who don't know, Ron, what's your background, and I mean, how did you get to agency?
Ron Nissim
The long answer, or a short version of it. So I grew up in Dallas; the last years have been spent in Tel Aviv. I started my journey in cybersecurity in the army, in data security research and development and, you know, all the kind of low-level research stuff. And when Avi, my co-founder, and I finished our service, we realized that many of the core challenges were in the permission management space.
Right? So that's why we decided to focus on that space as kind of the next core charge of what we felt was yet to be solved. Yeah. And that's kind of what led us to starting Entitle, and kind of that snowballed into what we're doing today also.
Ashish Rajan
And I think I did access management because we find that a lot of the cloud security conversations are a lot about, hey, parties, wonderful things, we found that vulnerability in cloud. Identity and access management is usually looked at as a space that is, I think, maybe, if you guess, main where IAM is for you. That would be a great brief facing my question that's about to happen.
For people who do not know what IAM is, how would you describe it?
Ron Nissim
So IAM, first of all, is identity and access management, right? That's the whole concept of governing who has access to what, and who is the identity inside the different applications. So centralization of identity, or using identity providers, SSO, is kind of that first step that usually people think about and talk about in IAM, but there are obviously other parts of that. Privileged access management takes the more ephemeral approach.
Identity governance and administration, yeah, more visibility and actual operational day-to-day. So it's definitely multifaceted. It has a lot of different aspects to it, which is why often it takes huge teams to actually manage all that process. I think people often think about IAM as a subcategory of cybersecurity. It can almost be thought of as like its own world, right?
I feel like it's consuming enough and large enough to be in parallel.
Ashish Rajan
I agree. It's funny, because I started my career as I was category in IAM, and I used to think that, oh, this is not going to be like a thing, but do what you said, because my thinking was, oh, it's a subset, I want to learn all these other things. But there are companies with dedicated teams just for IAM.
But I'll do that. And I'd be curious to know from your side, because it's a problem that's been there for a long time. A lot of people here in the for go it's not already, so why is IAM the topic now when we're talking about the cloud world?
Ron Nissim
Well, this goes back to where you started your first question of, like, you know, vulnerabilities and IAM, what's the relationship. I think that companies are realizing over time that, you know, misconfigured permissions or mismanaged permissions are a vulnerability. And when you look at all the major compromises that happened to the largest companies over the last few years, Uber and Okta, I think, are two large examples that happened fairly recently.
It was boring old stuff, you know? Okta, what it was, it was customer success teams having access to a very wide range of environments and one of them getting compromised. That is the basis of IAM, and it's the bread and butter. First of all, it's proof that we still have not solved that issue, the fact that the biggest compromises are these boring old things.
But second of all, I think that a lot of industry changes have opened the opportunity to solve this problem at a wider scale. I think that, you know, CSPM, cloud security, was kind of that first step in realizing that misconfiguration of something is a vulnerability. It doesn't have to be a zero day. It can be just a setting that's not configured correctly, and it's very similar in the IAM world.
If a permission is misconfigured, that in itself is a vulnerability. And so how do you go about orchestrating, managing that whole process, especially as you take on more SaaS applications, more infrastructure? People are opening themselves up to multi-cloud, managing that. You know, maybe a really great idea as you bring on GCP, that's a whole other world, India.
As you start to diversify your assets, it just becomes more and more challenging.
Ashish Rajan
Interesting you say that, because most people would think that. Yeah, as it's always like the reason, I mean, doesn't that mean we will solve the problem? The complexity of multi-cloud, having multiple SaaS providers and managing access across that as well. So it's not just I've been to the essence, managing is a lot more complex now than what it used to be.
Ron Nissim
Well, I think there are aspects of it that become more challenging. Just to give a concrete example, SSO also has become very widely adopted. And so the whole concept of local users and things like that, those are becoming, you know, things of the past. I'm not going to say they're totally behind us, but definitely things that, you know, all of a sudden.
So something has been taken more and more for granted. But now that we have that basis behind us, we can start thinking about the more granular, the more forward-thinking, the more specific aspects of permissions inside the different applications. That's kind of that next step, right? That governance, administration, permission provisioning inside the applications themselves.
Ashish Rajan
Interesting. And how would you describe entitlement management? Because I think we were talking about this offline as well, about entitlement management as a space. Yeah. And we spoke about IAM at the top level; you can kind of go granular even further as well. That's how complex it still is. How would you describe entitlement management?
Ron Nissim
It's interesting, because first of all, I think because the space is really in its early innings, it's evolving and changing. Often companies come to me and they'd say, we're looking for team, and they mean totally different things. So I mean, let's put the term aside real quick and let's talk about the problem statement and the different aspects of it.
I think that generally there are two sides to things. Governance: the more visibility, understanding of who has access to what, identifying over-privileged, identifying permissions that are not in use. Things like that are kind of generally considered more on the, like, visibility, maybe even cloud security side of things. And then there's the administration, the actual operational day-to-day of how employees get access, what is the process they go through, how do you define these policies?
And that's, you know, first of all, they go hand in hand. Yeah. Yes. I spoke with a French ce a while ago. He gave me, I'm going to try to imitate the French accent, but he said, you can't show me the shit without giving me a broom. You can't give me a broom without showing me the shit.
So the two very much go together. And so anyways, generally to say team can tackle both of them, can see just the visibility side, maybe just the provisioning side. Let's put the term aside. We'll let Gartner and Cooper Agricole define what that means. But generally, I'll say that those are the two sides of information management that still need to be covered.
Ashish Rajan
And is that for every level of a company? Like, would a startup have to consider that compared to, like, a big enterprise? Where do you see entitlement management becoming more of a challenge? At what scale?
Ron Nissim
I guess, yeah. So I think when you're really early in your process, there are ten employees, 30 employees, that's probably not a top priority for you. You're probably just managing users through Okta. That's probably good enough. Yeah. There comes a size where you start having hundreds or thousands of employees and tens or hundreds of SaaS applications and different resources.
Then that matrix becomes really large, right? If you have, like, a ten-by-ten matrix, it's fairly easy to manage; a thousand-by-thousand matrix, that starts to become really, really edgy. And so that's where automation starts really showing its strength, being able to define these policies across different infrastructures, across different business units. That's where it becomes more challenging.
I think that when you're talking about a cloud-native company, cloud-resource-intensive companies, they have one set of challenges, right? That matrix is kind of fairly vanilla. They're early in their process. When you're talking about a more enterprise company, you know, they already have a lot of legacy that they brought with them. They have a lot of homegrown solutions, things like that.
And then that becomes its own issue, right? It's like, how do you juggle between this new era of cloud infrastructure, SaaS applications that I'm adopting and what I'm using there, versus all this old stuff that I still need to maintain, I still need to manage? And I think that what we're seeing in a lot of these companies is they end up having, through different business units, through different organizations, tackling them separately.
You have the IAM team that's tackling the more corporate workforce identity stuff, and then you have the cloud security side tackling the more side identity stuff. Exactly. You know, WAC and databases and SaaS applications.
Ashish Rajan
What are some of the use cases that people would kind of start with? Because I imagine people are going, yeah, I think what Ron's saying makes sense, but what are some of the use cases where people start seeing it? They should go, oh, that's my permission knowledge and entitlement. I just want use cases that you think, oh, I think we were talking about Justin about provisioning and all about that, their use cases.
I did think that would become a challenge at scale in cloud.
Ron Nissim
Yeah, totally. So first of all, when you look at a permission management program, like, I'm a company, I want to go about starting the whole concept of permission management for my organization. Where would you naturally start? You'll start with your more sensitive resources. Yeah. What is that usually called? That's called PAM, privileged access management. Right. So that's often the first step that companies take in their permission management program: starting with the more sensitive resources. And the approach around these more sensitive resources is usually what's often called the just-in-time approach, and then the concept of ephemerality of permission or access to these more sensitive resources.
So that's kind of usually where companies like starting, and that's a place where you can get value quickly. These products are easier to deploy. The time to value is quick. It's easier to see success there. And I think that what's happening in the cloud world is that, with the whole concept of privilege, of sensitive assets, companies are realizing it's not a binary.
The whole concept of privileged access is not a binary, yes or no. It's not privileged or not privileged. It's a spectrum. There are things that are more sensitive, and I think there are things that are less sensitive. And so how do you manage that over time, I think, is where permission management programs start to evolve, right? As you start with this just-in-time approach around sensitive resources, that's a low-hanging fruit.
That's the first thing you do. And then you start to expand into the rest of the organization, the rest of the applications that obviously need to be managed just as much as the more sensitive aspects.
Ashish Rajan
Would that be different between, say, the on-premise world versus the cloud world? Totally?
Ron Nissim
Totally. I think that, you know, privileged access management in the on-prem world takes on a slightly different meaning. People often, when you say privileged access management, they often think jump servers. Yeah, they think, great, how do I wrap the authentication of legacy systems for very sensitive aspects? And so that's, I think, one side of things. I think that's getting solved over time, right?
You're having fewer local accounts, you know, as you're PM as a simple example, right. But how do I assign roles in Active Directory in an ephemeral manner? That's a simple approach in a cloud manner that's actually no different than any other permission management, right? The whole concept of, you know, who's an admin in Active Directory is not that dissimilar to who has access to a SharePoint website.
They're both permissions that I'm provisioning and deprovisioning based off of attributes and other aspects that are slightly more dynamic.
Ashish Rajan
Yeah. And well put together as well. I mean, that's kind of most of the technical questions I had. Where can people find you on the Internet to connect and talk more about the documents space?
Ron Nissim
I mean, in Entitle, we see that hopefully as a fairly indicative name. It's straight to the point. We try to keep things simple and straightforward, not too much marketing fluff. And so obviously our website, happy to reach out. I'm happy to connect on LinkedIn, Ron Nissim. Yeah, looking forward to talking and having some more interesting conversations. You know, somewhat what's beautiful about Black Hat, we hear a black hat before about Black Hat, is just having a lot of security practitioners that are really happy to share their perspectives.
And I think that's where we thrive as startups. This keeps you on the cutting edge, understanding what we could be doing differently. And if I'm wrong, I'm happy to be called out on it.
Ashish Rajan
That's pretty awesome. And I'll leave the links in the show notes as well. But thank you so much for coming on the show.
Ron Nissim
Thanks for having me.
Ashish Rajan
Thank you for coming on. And thank you for watching.