
CEO and Co-Founder of Entitle, Ron Nissim recently had the opportunity to be a guest speaker on the renowned podcast, "Identity at the Center." Hosted by industry experts Jim McDonald and Jeff Steadman, this informative podcast focuses on identity security within the context of identity and access management (IAM). With their extensive experience in the field, Jim and Jeff bring listeners insightful conversations, industry news, and interviews with key figures from the identity management industry.

Ron was featured in an episode titled "Is PAM dead? Part 2," which explored the topic of Privileged Access Management (PAM). The episode raised questions about the state of PAM—is it on the decline, already obsolete, or taking on a new form akin to a zombie? Ron's expertise and knowledge in the field allowed for a meaningful discussion on the current status of PAM and its potential future developments in the dynamic landscape of identity management.

Additionally, we are excited to mention that both Entitle and the "Identity at the Center" podcast team will be participating in the upcoming 2023 Identiverse Conference. This conference serves as an important platform for industry professionals to connect, share ideas, and explore the latest advancements in identity management.

Check out the episode below, followed by its full transcription.


Jeff Steadman

Welcome to the podcast. I'm Jeff and that's Jim. Hey, Jim.

Jim McDonald

Hey, Jeff, how are you?

Jeff Steadman

Oh, not so bad yourself.

Jim McDonald

Doing great. No, it feels like all the forces in the universe were driving us to have this podcast session with this guest today. You know, last session we had Howard and Jackie from 1414 Ventures. You know, one of the points that I made at the time was that I thought PAM was ripe for disruption. Last night I was listening to a podcast, which is the KuppingerCole podcast, very good, recommended for anybody.

Jim McDonald

They had a friend of the show on the podcast, Paul Fisher, talking about PAM, really talking about some of these underlying changes that are happening in the PAM space. And, you know, it's you know, it's changing due to a lot of the changes that I believe are happening within I.T., within I.T., you know, automation of deployment, of infrastructures, of infrastructure, of code, movement of I.T., infrastructure out of the cloud, out to applications in the cloud, things like that.

Jim McDonald

And so, you know, we had we had done an episode called Is PAM Dead maybe a year ago. Right. And it just kind of feels like the situation of like what PAM has to do has changed so much. I wanted to get your thoughts on that.

Jeff Steadman

Yeah, I mean, it's definitely an evolving space. We are such identity nerds. You and I were actually texting last night around the idea of, you know, how do we go about sort of assessing and strategizing privileged access management, these days? Feels like, you know, the old days of, oh, I got a password vault, so I've got PAM. Well, okay, guess what?

Jeff Steadman

I don't think that's good enough anymore. And I think the world has changed and now I'm starting to think more about like AI and PAM and, you know, how is that going to affect privileged access or entitlements or whatever it may be? So I think it's like anything else, it will evolve. There will be disruptions to the status quo.

Jeff Steadman

I think right now, the disruption is something AI related because I feel like DevOps and sort of like containers. It was kind of like, okay, yeah, we knew about those five years ago, six years ago. And tools and technologies and processes kind of sort of been identified. Now, whether or not you're actually doing it is a totally different story.

Jeff Steadman

But I feel like at least those use cases, we're aware of them.

Jim McDonald

What's next? Well, I think what I think what CISOs and what information security or I.T. departments want to get their arms around is. They want to centralize the management of the services. And so you talk about DevOps and you talked about cloud and the engineers who are making those things happen were going out and procuring solutions to solve those particular situations.

Jim McDonald

And the other thing is that the old, you know, privileged access management platforms are at some level, you know, they're they're trying to keep up with all this change that's happening. And there's a lot of new entrants into the market. You know, I mean, you know, you and I have been going back and forth on, you know, this privileged access management strategy and, you know, what are the capabilities?

Jim McDonald

How do we assess a program and whether or not it's keeping up? And I think, you know, kind of the summary level, I think there are a set of kind of proven tenets that, you know, they were true five years ago, that were true ten years ago. PAM has to be run as a program. You know, you've got to get by.

Jim McDonald

People have to know what the roles and responsibilities are. You have to have a good paper trail. You have to strive toward least privilege. But then there's all these new trends. Cloud infrastructure. I have been saying cheam forever. I, you know, in one of our recent episodes called Akeem, I got a nice little funny text from one of our listeners, Paul Mesereau, saying, Jim, it's CIEM, calling CIEM.

Jim McDonald

You know, I know he is one of the that he might have been the person at Gartner who came up with that term. Anyway, he corrected me, so I'll call it CIEM. And, you know, so we got the CIEM, the DevOps CI CD pipeline. I mean, all of these new technologies that you need to have a good you need to get your arms around and how do you do that?

Jim McDonald

And, you know, what is your maturity around that today and where does it need to be?

Jeff Steadman

Yeah, I like the the concept of dynamic privileging. Right. It's just in time. I know we're going to get into that with our guest here in a minute, but I like that idea. I think it's difficult to execute in the real world sometimes because you may not have the technology investment or the process or people investment to actually make it real.

Jeff Steadman

But I think that's where things are going, especially if you think about it from a machine perspective and we're talking about workloads that are instantaneous. They might with only a few milliseconds, but that might be enough to do real damage if you don't have good control over it. And if those processes, you know, those permissions get hijacked for any reason be very difficult to recover from.

Jeff Steadman

So I think that's where I most interested in is sort of like this dynamic, you know, just in time, zero standing privilege, you know, whatever the right terminology is for it. I think that's I think that's next, realistically speaking, for organizations, because I think it does take time for organizations to catch up to say, okay, here's our industry's going.

Jeff Steadman

And two years later, based on budget, political, organizational cycles, whatever you want to call it, it usually takes some time to move some of these move these things along. Smaller organization, maybe they move quicker. Maybe they don't because they don't have as much funding. A bigger organization maybe has more funding, but they're like a freight train. It takes a little bit to slow down or change directions.

Jeff Steadman

So I think this is kind of where things are going next because I think and Jim, feel free to disagree with me, but I think like, yeah, everyone gets password vaulting. I think most people understand the, you know, the need of the concept for some sort of session management or session recording or session monitoring. I think that's probably where most organizations are now.

Jeff Steadman

That's like either their current or next step that they're on. The next step past that I feel like is, okay, how do we get a better handle on the actual entitlements and selves and making sure that those are adequately managed and maybe even linked up with other systems? Not necessarily privileged access, but this is maybe where ideally governance comes into play, linking the two systems together and having, you know, getting more value from kind of both sides of things.

Jim McDonald

Mike I agree with him. No, no, you're not crazy. It's amazing how far we've come, though. I mean, I remember, you know, building a strategy for an organization. Someone mentioning that the admin passwords are in a spreadsheet and they're on a shared drive, but only the admins can get to the share. Yeah, of course. Okay, that's safe and we're good.

Jim McDonald

So it's called a constantly editing portable.

Jeff Steadman

I'm happy to copy that. Onto a thumb drive and see you later.

Jim McDonald

Do you need me to email that to you? Yeah, so. But you know where they will be talking a lot about this, Jeff. Which is where? Identiverse. Oh, where would that be? The Identiverse conference in Las Vegas next week.

Jeff Steadman

Yeah. So time is running out. I think this is the last week. I think it's probably realistic for people to expect to show up at Identiverse, but hopefully we'll see people there. Jim and I are going to be there. We're doing a sort of a live, I don't live recording in front of a studio audience. I guess so.

Jeff Steadman

But it's not a live broadcast. But we'll have a spot there Tuesday night, 7 p.m. just outside the Expo Hall that the Identiverse team has been kind enough to set us up with, some spots that we could do some recordings there, but hopefully we'll see you there so you can join the digital identity community at the ARIA Resort and Casino in Las Vegas May 30th to June 2nd.

Jeff Steadman

It's the must attend annual event that brings together over 2500 security professionals for four days of world class learning, engagement and entertainment. As an Identity at the Center listener, you get 20% off your Identiverse 2023 tickets using the code idv23-ice and two zero. You can use that. I've done Overstock.com. We'll have a link in our show notes, so makes it easy.

Jeff Steadman

You don't have to remember it. Just click on the link it'll pre populate for you. Make it super easy. We hope to see people there, but time is definitely running out and that's probably the last time that I will read that I would never want to take. I don't ever sort of partnering up with us to hook our listeners up with a little bit of a discount on their on their attendance.

Jim McDonald

Absolutely. I can't wait. I was going back with one of our our favorite people. I'm not even going to say who.

Jeff Steadman

We have so many.

Jim McDonald

Well, she works for an analyst firm. They haven't been on the show in the past and said, well, I just happened to be walking by during the 7:00 hour and you happened to grab me and stick me on the live stage with you guys. Probably not a whole lot I can do to stop you wink, wink.

Jeff Steadman

And I kind of mentioned the same thing. I think you know who we're talking about that, you know, hey, if an ambient mike happens to pick up a voice, what are you going to do? You're at a conference right? We'll see what happens. But I'm definitely looking forward to seeing new and old friends there. And I think we've I think we got a pretty good, pretty good lineup coming up for that.

Jeff Steadman

At least four at 7:00 show. You've done a good job of putting together people for that.

Jim McDonald

No, thanks. I mean, I feel like I remember feeling like I had to convince people to come on the show in the early days of the show, and rightfully so. I mean, we were just not very good in the survey. So what do you do? And then I remember Eve Maler agreed to come on the show, and then it was like, okay, well, everybody would email, by the way, even closed on the show.

Jim McDonald

That was Jackson Shaw, and then Ian Glazer. And I was like, my emails became high. We've had guests such as Ian Glazer and Eve and Jackson and, you know, felt it. Now we're at the point, I think, with as many listeners as we have and such an awesome fan base that people know of the show. And I don't really even need to convince them whether or not they should be on the show.

Jim McDonald

They've already made up their mind.

Jeff Steadman

Yeah, it only took four years to get here. It's a slow climb, but hey, we're to man up. What are you going to do? Yeah. Speaking of esteemed guests, why don't we get to our guest for today? We talked about privileged access management upfront. We're going to get into that in a little more detail here. We referenced, you know, Is PAM Dead around this time last year, that was episode 142, but why don't we welcome to the show Ron Nissim.

Jeff Steadman

He's the co-founder and CEO at Entitle. Welcome to the show, Ron.

Ron Nissim

Thank you very much and super happy. Honored to be here.

Jeff Steadman

Yeah. So thanks for taking the time for us. And one of the things we like to do and we have a new person on the show is to really kind of understand their origin story when it comes to identity and access management. So why don't you tell us, how did you get into IAM? Is it something that you chose or did it choose you?

Ron Nissim

It's it's it's funny because I started my journey in cybersecurity in the Army and we saw this like next gen stuff, right? And we finished our service and we saw what companies we were, we were entrepreneurs. You know, I knew we wanted to start a company and we saw what people were starting. Companies are is all this like next gen A.I. stuff, right?

Ron Nissim

But we knew what companies were getting compromised for was like same old boring crap. Sorry for the French, but you know, people and companies, their biggest risk continued to be just boring old permissions, and most recently the Uber and Okta hacks just emphasize it that way, you know, end up getting compromised for some boring, privileged access. And we knew there was something that needed to be done.

Ron Nissim

There. And we were really drawn towards the challenge of creating something new in an old industry. And I think kind of felt like we kept trying to go off and different offshoots and different areas, but we kept getting drawn back to access management, mainly by security professionals that we were talking to.

Jeff Steadman

So now you're with an organization called Entitle. For people who aren't familiar with Entitle, what do you guys do? What's the problem you're solving? Give us sort of like the 30 seconds, 60 seconds elevator pitch.

Ron Nissim

Cool. So what Entitle does is automate cloud access management across the organization. So whether that's in self-service requests, enabling employees to request access to what they need, through creating policies that enforce automatically across your cloud infrastructure and SaaS applications, be that everything from databases all the way through Salesforce. And the idea is to create a simple to deploy, simple to maintain cloud access management solution that, you know, where conservative companies took forever to implement and see value from, we're very quick to deploy and roll out throughout the organization.

Jim McDonald

Hey Ron one thing we like to do on the show is is not move too fast and lose people. So I wanted to start with a question of how do you define PAM before for answer, the follow up is going to be, hey, we recorded a show last year. I referenced it earlier called Is PAM Dead? So after you tell us what PAM is, I'd like you to go into is it dead?

Ron Nissim

Good question. What you know, to answer if it's dead, you have to define what PAM is. And, you know, you look at what historically privileged access management solutions provided. I think it was three tiers of value. First was just the authentication to conservative on prem old systems. There you had an old system how to use any password you wanted to enable logging in with your assets.

Ron Nissim

So you wrap that in a vault and you created some sort of jump service. So that was kind of generally what that actually solved for was just the authentication of an old username password system to a new asset. So you know, at the time it was Kerberos on Active Directory and now it's SAML and knocked over. The second part was creating a more intricate authorization layer where you could, you know, someone writes the sudo command and you can create a policy of who can write what commands inside the application.

Ron Nissim

These more again conservative systems didn't often have intricate authorization policies and so by being the middleman, you could create these policies and by doing so. And then the third was session recording. And session recording was kind of a byproduct of just again, being the middleman. I knew exactly what people were doing. And I think the reason that PAM is definitely changing.

Ron Nissim

I don't know if it's that, but the definition of PAM is very much changing, is that when you look at that first part, the authentication methods, those are changing because the solutions themselves, the applications, are adopting a more up to date method of authentication. So whether it's natively by companies integrating logging in because they're so, or with other companies wrapping it like, you know, Teleport does for SSH keys as an example, and then the session recording.

Ron Nissim

The third part is being solved natively in the applications, right? If you take the audit logs from the applications themselves, I can see exactly who's doing what. I don't need a middleman telling me what's going on and who's doing what inside the application. And so the only part that's left there is authorization, right?

Ron Nissim

Who can do what inside the application. And I think historically authorization is more of an IGA problem. It's the actual administration of who gets access to what, then the actual provisioning. And so just in time access has kind of become, I think, or, you know, ephemeral access to sensitive resources, what historically being called PAM has become kind of a sub use case of general permission management.

Jim McDonald

Yeah. Talk to us if you would, about the just in time access or jit access. Talk about what it means like some of the details. So are we talking about there's an account there that, you know, I as an administrator can kind of access that account when I need it just in time and then not have the access or are we talking about the account actually being provisioned on the fly?

Ron Nissim

It's a good question. I think that very much depends on on the application. Generally, the underlying idea behind just in time access is it's making sure that people don't have access to things that they need when they don't need it. And especially when it comes to privileged accounts, to sensitive resources, those are the things that you want to be really, really, really meticulous on who is doing what inside those applications.

Ron Nissim

Generally you want to control, who has access to what across your whole organization, but you want to start off with the sensitive aspects naturally. And when looking at those sensitive aspects, it's really hard to govern and control and create policies that are back. You know, historically it's really hard to know exactly who needs access to what at any given time.

Ron Nissim

And so by creating a self-service model, you're enabling people to elevate their privileges when they need it, but not have the privileges when they don't. And by doing so, you get a lot of other byproducts for that as well. You get auditability in retrospect, you know exactly who elevated what. And back to your original question of is it creating the user and elevating privileges?

Ron Nissim

That very much depends technologically. You know, there are a lot of applications. If I want to elevate someone to an admin, an actor, you know, I'm probably not provisioning the user. I'm just changing his role inside of the application. If I want to create privilege inside of a database, I might actually have to create the connection string in order to enable that.

Ron Nissim

So very much depends on the application.

Jim McDonald

So I want to turn this and turn this discussion around about, you know, if I have invested in PAM over the years and I've got a, you know, one of the well known privileged access management platforms, you know, can I should I take that platform and take on some of these new use cases in the cloud? Are are those tools getting there or are they there in terms of being able to do those things?

Jim McDonald

You know, it's interesting, as I mentioned, that podcast with Paul Fisher, you talked about the leadership compass that he wrote for for privileged access management. And they break down their compass. You know, they break down the the vendors by leaders, leaders, challengers and followers. And you said that a lot of a lot of, you know, buyers, they go right to the leaders.

Jim McDonald

Right. They don't even want to consider somebody who wasn't good enough to make it into the leader field. But he said what's more interesting are the challengers and even the followers, which is, you know, the newest entrants who are, you know, taking on very specific use cases. I want to get your thoughts on that. But I also want to know, like, you know, is is there a reason if you if you're invested in a platform, is it really, you know, sensible to think that the platform can take care of all my needs or does it need to be supplemented?

Jim McDonald

Or how do you how do you want people to look at that?

Ron Nissim

Yeah, it's a it's a good question. And I might want to tie this back into general entrepreneurship. Right? The challenges of starting a company in a well-defined space means that you just have to be still much better. I mean, you can be a little better. You can't be. You just have to blow things out of the water. And I think that a lot of companies, when they look at their cloud infrastructure and their cloud approach, you kind of you always have two options, right?

Ron Nissim

You either migrate your existing infrastructure, an existing team into working on that cloud environment, or you start from scratch. And I think that what we've learned in a lot of different cycles of innovation is that it's really hard to adapt an existing product and infrastructure, both as a vendor, but also as a buyer. Right? When you are building up a new part of the company that is going to be relying on new infrastructure, you can't be adapting those current tools into kind of that new world.

Ron Nissim

Now, you know, will people be trying? Absolutely. And I even encourage them to do so, because if you're able to extract that value out of your current platform, you should definitely do it. I think what we're saying is that it's just it's very challenging. It's very challenging to be able to build in a new infrastructure world, use old tools and an old mindset.

Jim McDonald

I, I really like how you approach that question from the standpoint of an entrepreneur, because I think as an entrepreneur, you're starting up a business that's going to, you know, not hit the, the full breadth of the market on day one, right? You have a vision of where the market is heading, whatever, five years, ten years down the road, right?

Ron Nissim

Absolutely. And that's kind of the thesis that you start off with in a company, because I think our job as as entrepreneurs and as vectors is generally is the kind of foresee what the needs are. Guess that's not that we're oracles, but guess what the what the needs of the market will be five years down the line. It's always a dance, right?

Ron Nissim

Providing the needs for the needs of companies today and being able to generate revenue while thinking more forward at five years down the line. Ten years? What will the needs of these companies? And I think that in a lot of different industries I can give a few examples. What you see is companies on targeting you always start with targeting kind of the early adopters out of the understanding that the larger companies will end up migrating a lot of their old infrastructure to kind of a new approach and you see that with a lot of different cycles of innovation.

Jim McDonald

Yeah, and I think what I hear you talking about is not kind of this hybrid cloud that a lot of folks are talking about today is almost like, you know, I don't I don't hear you talking about like future loop in the future engineering your product to handle the on premise data center. So is your theory that the on premise data center is a is a dinosaur as a thing of the past ten years from now, they'll barely exist.

Ron Nissim

I'm going to be I'm going to say something here, you know, on premise dead. And then people are going to burn me at the stake. What's a good hook to start off your podcast with? I think that generally, especially a lot of your listeners, you know, it's always a dance between what does reality look like today and what does what do companies actually use?

Ron Nissim

And a lot of companies have a lot of on prem infrastructure. But again, we're thinking about how will the how will the future look like? What will companies do adopting? I think that there is a very, very wide range, a wide adoption of both SAS applications and kind of the inversion of developing things internally and also the adoption of cloud infrastructure, you know, GCP, Azure, whatever work or whatever on prem, whatever interest that cloud infrastructure provider you use.

Ron Nissim

And so generally what we're doing is we're building a cloud. Imagine a permission manager platform excuse me around the needs of cloud resources. And one of the things that that enables, by the way, is I think the challenges of access management is that every company is a special snowflake. It's it's so tied into the business values and use cases that it's hard to create a platform that serves a wide range of companies.

Ron Nissim

And the beauty of the adoption of SAS and infrastructure is that all of a sudden companies are more similar in their in their technology stack and that enables companies, vendors, to build a product that's fit for a wider audience and less reliant on professional services and long implementation times and so forth. Definitely a lot of benefits of adopting a cloud infrastructure world.

Jim McDonald

Yeah. And there might be people sitting out there listening and thinking, Ron's crazy. These datacentres aren't going away. Whether or not that's true, right? We're all looking into our own crystal ball based on our experience and trying to figure out, you know, where things are going to be. And, you know, the only way we'll know who's right is.

Jim McDonald

So we wait until that that actually happens. Right. But, you know, to turn this into a question, I was listening to Paul talk about it and he said, well, there's a a growing population of companies that intentionally have multiple products that fit into this umbrella. PAM, they have a chart, you know, and some of this is probably projecting because they did a survey.

Jim McDonald

And, you know, he's analyzing information coming from the survey. You know, the way I took it was a lot of people have these traditional patterns. But to solve these use cases like what you're talking about, they'll intentionally have multiple products while in the future might be that the most important products are the ones that solve these particular use cases and the on premise the niche.

Jim McDonald

But I think there's also a scenario, what we've seen in access management, right, was, you know, there was this heterogeneous support, was the way of Computer Associates with the integrity and, you know, Oracle or iBooks. They had the, you know, the support for, hey, all these different ways that you might want to do web access management. Then Okta came along and said, Well, all we do is SAML support.

Jim McDonald

And you thought, Well, how can you win if all you do is SAML? Well, obviously it's pretty clear who won now. But now if you look at Okta, a lot of the things that they've done over the last five years or so is like put some of that backward compatibility into their product, right? Because they don't want that old application that you have enough created to be the reason why you don't go with Okta, whether you have to choose one of the old legacy players.

Ron Nissim

Absolutely. And that's always a balancing act, by the way, as a buyer, too, like when you are sitting in front of your infrastructure thinking, where do I want to focus my efforts? If 90% of your infrastructure is on prem and your services are internally developed, then that's going to be your top priority. But if 90% or 80% of your infrastructure is cloud, then that's going to be your top layer and that's where you're going to want to focus.

Ron Nissim

So it comes down to every company having to assess where their priorities are and then going with the partner that can help them that is focused and aligned on focus.

Jeff Steadman

So let's get into just a little bit of venue here a little bit because I talked a bit about just in time from an entitlement perspective, imagine those things in zero standing privilege and ephemeral, right, and all the fancy words that basically say, how do we make sure that the right thing or person has the right access at the right time?

Jeff Steadman

And I think the separate part of that question is at only the right time, which I think is the harder part to achieve, I guess, you know, what is your viewpoint on? Is that realistic as a goal to achieve today? How can people start to think about privileged access management in terms of not just having the access but only having it when it's needed and then taking it away from everything, everyone as part of their organization.

Ron Nissim

I'll answer that by taking a step back if that's okay and starting about like how did access management start initially? And kind of the biggest buzzword at the beginning was RBAC, right, role-based access control, and the idea that you create these clusters of permissions that you assign based off of what the job is to be done.

Ron Nissim

And I think the challenge of RBAC over time is that you realize that the organization is flexible and evolving. It's a living creature of sorts. And then it's really hard to define and set concrete roles of people over time. And then a lot of things have cascaded from there and different options of how to solve for RBAC.

Ron Nissim

And I think that one of the things that has been borne out of that necessity is the idea of of automating the request process is creating a process where employees can self-serve, elevate access and change privileges based off of what they need. And the beauty of that is, all of a sudden, you don't have to be as rigid in what you define.

Ron Nissim

Employees get as birthright privileges. And I think the reason that companies were focused so much on creating these amazing roles is that they knew that the business implications of an employee not having access to things that they need is really high. If I need access to something, I don't have it. I know I'm going to be going through a two week ticket process on ServiceNow, and that sucks, frankly.

Ron Nissim

And so what companies and security teams felt is they needed to over privilege to make sure that the business was effective. And so I think the whole idea behind self-service is how do I reduce that barrier? How do I make sure that employees can get access when they need it so that I, as a security team, can feel comfortable removing that access?

Ron Nissim

And that's not to say that our back. Is that right? There are set permissions of things that you feel comfortable giving away. But the more sensitive the role is and the more granular it is in terms of how many people need that access, the more the request process comes in and kicks in. And that's why I think just in time, access around sensitive resources has become a very strong use case because it's really hard to define who needs that access.

Ron Nissim

It's really hard to define when they need that access. And so instead of going through the process of researching all these roles and defining and creating this policy that frankly won't be relevant after six months, you create a policy around the change management. You make sure no one has that access to begin with. But the change management needs to be flexible and automated so that when people need that access, they can gain it.

Ron Nissim

And now you have a lot of structure and rigidity and auditability as to who's getting that access and where and being able to adapt the policy over time. So and of the governance part, which, which I feel like people have been focused on as kind of the end goal governance is a byproduct of a good process. If you make the process good, then obviously you're going to be good from a governance perspective.

Jeff Steadman

So it sounds to me like, in order for this to be effective in the real world, you really do have to have self-service sort of locked down, right? Meaning you've got good processes, you've got good governance over what that looks like, because you don't want to get in the way. And that's typically, right, the main complaint around something like this would be, well, it takes too long, it takes two weeks to get access.

And I think that's sometimes where the knee-jerk reaction comes in to say, okay, well, let's just create that access inside of a role that already exists, because Jim might need it as part of his role. And now we start to get into the world of, well, are you least privilege or are you RBAC? Because they are, you know, opposing forces sometimes, especially in the world of privileged access management.

So, you know, how do you typically see it when you're talking with your customers or other folks in the space? How do you make that determination with the client and say, hey, you know what, I understand what you're trying to do, but maybe you should think about it in different terms. Maybe it's not RBAC. Maybe it is policy-based or attribute-based as a basis for things, but it doesn't need to be, you know, the one-role-to-rule-them-all sort of approach.

Ron Nissim

Definitely. I think, at the end of the day, a lot of companies are already getting a lot of access requests, because RBAC always fails at the end, right? You always have... And like every law, right, we have our lawmakers creating laws, and then, you know, you have people and thieves bypassing these laws, and then you fix the laws.

And it's kind of a vicious cycle. And the same goes with any access management policy: create a policy around who needs access, and then you still get a ton of tickets in ServiceNow saying, hey, I need access to this or that, because it wasn't included in that policy. And so I think that the understanding of the need is there, because companies are already feeling the entropy; they're already feeling that need for change management.

I think the beauty of creating an automated change management policy is that you'll notice all of a sudden that the amount of requests goes up, not down, because all of a sudden people feel like they can gain access, and so you feel more comfortable removing access, and that cycle works well in both directions. The employees feel like they can work and they have access to what they need, and security teams have taken a strong step towards least privilege, because then you can take that access away.

Jeff Steadman

Okay, so my last question is: how do I take this and do something in the real world with it? Do I start working on my self-service options to be able to request sort of these, you know, dynamic privileges, the privileges that I want to be dynamic? I would assume there needs to be some definition, maybe around, well, what do you consider privileged? That's probably maybe a first step.

Do I start with attribute-based access control or policy-based? Give me, like, the first two or three steps that you'd say, okay, we're going to put in, you know, a just-in-time method for privileged access. What can people listening around the world, so no pressure, take back to their daily lives and say, hey, here's how we can get started?

Ron Nissim

Oh, I'm humbled to be asked that by you, because you two are kind of the keys on how to implement access management solutions. But I can give my $0.02. Generally, when I'm a security team and I'm looking to prioritize my projects and access, obviously I start with my most sensitive aspects.

Those are, you know, the crown jewels; that's where my security is most important to me. And then I propagate from there. Maybe that's my SOX-regulated resources, maybe that's my cloud infrastructure, maybe that's my databases, maybe that's my Salesforce. For every company, it's a different answer, and that's not something that we, from our side, can define. And so I think the first step is identifying what your priorities are, because, again, access management projects are notorious for failure because they drag out forever and never see success.

And so by defining a set priority of resources, you're able to see success around that and then expand your project from there. So, first of all, you start with identifying your priorities in terms of resources and applications, and then create least privilege and self-service around that. You want to call it PAM, you want to call it IGA, whatever, doesn't really matter, but you start with those sensitive resources.

Create a self-service model or a least privilege model around that, and then start adding and expanding across the business units and applications from there. I think self-service and just-in-time access is a way to see success quickly and simply in an access management world where things drag out. And then it also creates a feedback loop that enables you to create better policies.

If you have structured data around who's requesting what, you now can create better policies, because you know what people are needing, and now you can create maybe onboarding processes that are better for that same reason.

Jeff Steadman

It's almost like you're conducting a symphony. You need a bunch of different parts kind of working in concert together. And when it works, it's great. When it doesn't, oh boy, does that sound good.

Jim McDonald

I think what I'm hearing from Ron is something that confirms a belief that I've had, which is, you know, getting to least privilege, while it's hard, right, it's probably beyond what we can calculate and come up with with our human brain. So we need, this is where artificial intelligence can really plug in. You're giving the people this access through these roles, and they're only using a microscopic amount. Now we're in the world where we can handle, you know, micro roles, and we can assign micro roles based on the need, because the artificial intelligence can think of it and you just give it the rules. And, you know, I'm not saying we're there yet, but that's where I could see artificial intelligence plugging into this, because the human brain just can't calculate at that level.

Because I think what Ron is saying is like, oh, we can use just-in-time, we can use roles and we can use CIEM, for example, as basically almost like mitigating controls or compensating controls. But that doesn't really answer your question of how we get down to least privilege. To get down to least privilege, you have to get down to defining here's what access is actually needed to perform the function. And I'm not aware of a technology that can really do that right now.

Ron Nissim

Well, I think that's, again, one of the benefits of a self-service approach, right. In a self-service world, employees can be requesting what they need. And sometimes they don't know what they need, and that's kind of on us as the request engine to be able to recommend to them: what are their peers requesting, you know, what jobs to be done do they have to do, and how does that tie into their permissions?

So taking that information, just like you said, you need both an intricate understanding of the organization, HR roles and on-call systems and training systems and all these sensors around who you are and what you're doing, and then taking all these sensors around the data itself, like what are you accessing? Is this privileged access? Is this PII? You know, what type of information is this?

And then being able to tie both sides of those together, and someone needs to be that glue. That's my cue to say we're that glue. But obviously there are a lot of other companies in this space and approaches to this.

Jim McDonald

Yeah, but I think what you're saying there, Ron, what I think you're talking about, is like what level of AI, quote unquote, air quotes, AI is available in existing systems, which is, oh, Jim and Jeff do the same job. Jeff has these roles. Jim, you might enjoy having these roles. Well, that is not least privilege.

Now, you know, I'm trying to gather, and I kind of feel like the whole AI, the whole reason we came up with RBAC is because of the limitations of the human brain. We can understand roles; we can group it and we can get it down to the simple form. Then we can actually manage access where we're actually making good decisions.

However, we're making good decisions with bad data. The bad data being groups are just compilations of entitlements, and nobody needs all those entitlements.

Jeff Steadman

So I just...

Jim McDonald

Every one of them.

Jeff Steadman

I disagree with Jim, because I think roles are born out of a desire for efficiency, a.k.a. laziness, because I think it's easier to request a role and tell the business to do that rather than make them jump through hoops of submitting... What do you mean I had to submit eight different tickets to get the eight different things that my employee needs?

That's stupid. Yeah, it's stupid. Totally agree with you. But that might have been the process 15, 20 years ago. And so we came up with the concept: well, how do we make it easier for the business? Let's bundle those things up into a specific request and then push that; you know, don't make the business jump through that hoop, kind of figure it out beforehand and go through there.

Yes, I think there are some other things probably that go behind it, but I take a slightly different view, just having come from the operations side. I was like, yeah, let's get roles in there. Because my customers on the enterprise side would look at me like I was nuts when I'd say, yeah, there's 14 different things that you need to fill out to get your new employee who's starting. I'm really sorry, but I need that for audit purposes.

Ron Nissim

As the techie, maybe I'll try to add another explanation for why RBAC was born. I think it has a lot to do with just the protocols that were put into place, SAML and all these authentication methods. What they enabled was pushing groups into the applications. And so all of a sudden you could create groups in your identity provider that propagated into permissions inside the applications, and it was really hard to do the other way around.

It was really hard, through these protocols, to create groups of resources. That had to be done, you know, maybe through manual tickets in ServiceNow, in your ITSM, maybe it was done through your IGA, but there wasn't a natural, easy way to create groups of resources. And so what you had to do is you had your HR system pushing into your identity provider. The identity provider already had built-in groups, or almost had built-in groups, based off of your HR attributes, and then had that pushing into the applications. You didn't have anything pushing from the applications back into some sort of policy engine, and I think that may have blended its way towards a very role-centric approach that was focused on HR attributes.

It's also, if you don't mind me adding one more thing, that I think companies are slightly changing their approach as well. It used to be that companies were very structured and everyone had a goal and jobs to be done. And as companies have evolved and become more flexible and agile took place, it became much more challenging to define who exactly does what inside the org.

Jeff Steadman

I think that's a pretty good final word on that. So why don't we button it up there. Before we go, we like to end on a lighter note, and I'm thinking about, you know, Ron, you're a co-founder of a couple of organizations in the technology space. The question I've got for us today is: what is a non-technology company that you would like to start? It can be anything in the world, but it has to be as far away from technology as you can get it. What do you think today, Ron?

Ron Nissim

I have a funny one and a semi-real one, which I'm with you on.

Jeff Steadman

Let's hear both of them. Let's start with the semi-real one, and then your second one can be the funny one.

Ron Nissim

Okay. So my semi-real one is that, especially with kind of the whole bank system failing recently, I've started realizing that it feels really weird that the custodians of your money are also the ones that give customer service. So, you know, banks on the one hand have these really smart investors, but they also have branches that help my mom get mortgages.

And those are two very different jobs. And it's weird that it's the same person that does both. And I feel like there's some sort of abstraction that needs to be done between the two. That's my semi-real one, kind of boring. It's like, I'm in finance, like, come on. It's not that I've done some, you know... not a good conversation starter at parties.

The other one, which I got really excited about and I've been trying to find a founder for, is a shared economy, so kind of like the Uber or Airbnb for laundry. So look at it like this: you don't want to do laundry today, you don't want to iron your shirts, but your neighbor is doing laundry. It's laundry day for him. What does he care that they take a few of your underwear, a few of your shirts and throw them into the laundry machine? And so kind of just...

Jeff Steadman

Depends what they in prison.

Ron Nissim

You get it in a bag. It's, you know, even like Airbnb insures their apartments, you do insurance for people's underwear, and you get a guarantee that in a few days it gets back to you clean. It becomes an easy revenue stream, I think, like, you know, New York kind of bachelor apartment buildings. There has to be that guy that, you know, is still willing to do everyone's laundry for a few bucks at the end of the day.

Jeff Steadman

I like that. I think that's pretty interesting. It's kind of like, yeah, what is that, you're renting a timeshare in someone's washer and dryer, and it's like a package shows up, like, all right, well, here's the dirty package, and then you pick up a new, you know, the clean package or whatever that looks like. I can see that taking off.

Ron Nissim

Hey, you're welcome to take it. I want to.

Jeff Steadman

I don't know if I have the chops or the washer-dryer space to accommodate it.

Jim McDonald

I just want to point out the fact that Ron is the first person to talk about dirty underwear on the Identity at the Center podcast. So, hey, we've been going for 214 episodes. I mean, there's a first for everything.

Ron Nissim

I'm happy that that's what I'll be known for.

Jim McDonald

There you go. Like so many people, I went on vacation to Maui, and when I came back, I said, I'm moving back to Maui. I'm going to live in Maui. And one of the things with Maui, obviously, is that it's an island in the middle of the Pacific Ocean. It's surrounded by these beaches all the way around the island.

And there are actually some of the beaches where it's like a public beach and they allow people to camp. So people will go and set up tents and things like that. But can you imagine you're flying to Maui and trying to bring a week's worth of supplies in a backpack and all of that? You can't really glamp, you know, glamorous camping is called glamping.

So my idea was to move to Maui and set up a business, basically setting people up for camping in one of these public spaces. And it would be nice campsites, or if they had a little bit of extra money, it might be like a VW camper or, you know, I'd have to figure out what the regulations were in terms of the size of the camper that you could do.

But that was my idea, was basically to go and, you know, host people or help people get set up so that they can come to Maui, and rather than staying at a resort, stay in your camping setup on the beach, which I think would be uber cool. And by the way, since I brought this whole idea up, right, I said everybody goes to Maui, their idea when they come home is, I'm going to move back, and then they never do.

And so I worked with a guy, Mike Woodburn, good friend. He listens to the show, friend of the show, and he went to Maui. And I'm like, dude, here's what happens. Everybody goes to Maui, they come back, they say they're going to move there, and then they never do. So he goes to Maui, comes back, says he's going to move there. I'm like, yeah, like I told you, you're at step two. But he actually did it. So he lives in Maui. He's listening to the show in Maui. So good for him. Good for you, Mike.

Jeff Steadman

Mike's good people, really smart. So good for him, though. A bit jealous. It sounds a little bit like Airbnb, but like on the beach or something like that.

Jim McDonald

Yeah, I figured I'd probably never have to own sneakers there. Just wear flip-flops all the time.

Jeff Steadman

You mean like a Paul Rudd character, just kind of walking around the beach like, hey, man.

Jim McDonald

So what's your idea, Jeff?

Jeff Steadman

You know, I came with the question and I don't have a really good answer. It's probably something in, I don't really call it technology, but it would be something like a radio show or something that's just completely not IAM. Obviously it would be more like a talk show, funny, something like that, where, you know, me and a bunch of friends, probably yourself, get together, right? We just kind of talk about what's going on in the world, and that's pretty much it, and put the opinions out there and not be afraid to, you know, be corrected or to change opinions. Like, hey, I think this is what I'm thinking; have someone change my mind. All right? Yeah, that makes sense. Maybe it might change or maybe it doesn't.

But I think, you know, some of the best memories I have are just kind of sitting around in a room, talking with friends, goofing off and just having a good time and being able to be free with each other, right, and kind of just have a good time with it. So there might be no technology involved. Maybe it's just a microphone hanging from the ceiling or something like that, catching everybody.

Jim McDonald

But yeah, if you had me on the show, I think we'd wind up getting canceled within five episodes.

Jeff Steadman

Yeah, I would expect so. We're pretty opposite when it comes to certain things.

Ron Nissim

Jeff, some of the most popular podcasts these days are exactly like that. Yeah.

Jeff Steadman

I don't have the time for that. And I barely have the time for this one sometimes, but we make it. So, speaking of time, why don't we go ahead and wrap it up for this week so we can let Ron get on with his day. Ron, really appreciate you taking the time with us. For folks who are interested in learning more about Entitle, you can visit them on the web at entitle.io.

We'll have links in our show notes to their website as well as to Ron's LinkedIn profile, so that way you can connect with him. That's where all the hate mail goes when you hear him say "on premise." Dad, that's where we want to send that kind of stuff. Feel free to correct him. I'm sure he'd be happy to engage.

And with that, we'll go ahead. You can visit us on the web at idacpodcast.com or on Twitter at @idacpodcast. We're on Mastodon at @idacpodcast@infosec.exchange. You can always connect with Jim and I on LinkedIn. We're hopefully going to see a whole bunch of friendly faces and new faces at Identiverse next week, and don't forget to subscribe and rate the show. That's the best way you can help us here, is to get the word out. Share it with a friend; if you hated it, share it with an enemy. Either way, as long as you share it, I'm cool with it. So we'll go ahead and leave it there. Thanks, everyone, for listening, and we'll talk with you all in the next one.
