We talked with three Chief Information Security Officers (CISOs) at high-growth tech companies to learn from their identity and access management (IAM) experience.
These leaders shared their stories about the complexities of IAM, including funny stories that could have had not-so-happy endings. We hope you find them valuable lessons that you can apply in your own organization.
Thank you to our guests:
Manuel Garat, Head of IAM at Booking.com
Amir Tito, CISO at a healthcare company
Yaniv Toledano, VP Global CISO & IT at Pagaya
Moderated by:
Dean Pe'er, Head of Product Marketing at Entitle
Dean Pe’er
Hi, everyone. Thanks for joining us today. I'm Dean from Entitle; we're the "New Kids on the Cloud". We make it easier for security teams to limit access by automating how access is rented. And that's all the self-promotion you'll hear from me today.
We have a special treat for security and identity and access management professionals. With me are three brave security leaders who will share some hard-hitting stories dealing with the complexities of IAM, which I'm sure most of you will relate to.
And most importantly, I hope you can use some of the lessons they learned the hard way in your organization. So let's start with a short round of introductions of our speakers. Gentlemen, it would be great if you could introduce yourselves, and then I'll take it away.
Manuel Garat
Thank you, Dean. So, Manuel here. I am the Identity and Access Management leader for booking.com within the cybersecurity team. I have been in identity and access management for about 18 years now. My background is security engineering, and from there I evolved a little bit into program management, governance and auditing, and finally I ended up in this place, and I am really excited to be here.
Amir Tito
Hi, my name is Amir Tito. I'm the chief information security officer of a healthcare company. I've been working in the industry, the high-tech industry, for 23 years now. That's a lot. And glad to be here.
Yaniv Toledano
Hi everyone. My name is Yaniv Toledano. I'm the global chief information security officer for a company called Pagaya, focusing on the fintech market. I've been around in this industry for the past 18 years, with experience on-prem, hybrid to the cloud, and on the cloud in different scenarios, and I'm happy to be here and take part with the respected gentlemen with me.
Dean Pe’er
So without further ado, having started the day, tell us: what was the biggest IAM mess-up that you've ever experienced? Great, fantastic.
Yaniv Toledano
So IAM is definitely a big, big issue for multiple companies. And, you know, looking at the different scenarios that we are facing: how to manage multiple applications, how to actually actively have a fair resolution, and what really happens when you go to the cloud. Each one has got its own story in front of me, probably a lot of mess-ups on its own.
But I want to take one of the scenarios that, you know, I faced in one of my companies, which was when we actually transitioned to a different architecture within the cloud. So we had kind of like the basic legacy approach. Pretty much a lot of employees had their access to different resources to do their different assets. And obviously that is a big issue, a big scenario that is very much intimidating, especially from a cybersecurity perspective.
So you can do a lot: you can actually manage permissions, you can try to navigate and map that information. But once you really learn how to achieve a proper policy, the main objective for you is actually to make sure that you are, on the one hand, cutting the long tail, but on the other hand, really orchestrating the permissions in a way that actually fits the policy that you have described.
So when we wanted to make that change, obviously we had to do a proper discovery; we wanted to understand who has access to what and when. We needed to do that, and then we created the policy. And one of the biggest concerns that we didn't actually pay attention to, this is where, on the one hand, I don't call it a mess-up, but definitely a challenge, is how do we make sure that properly now we're counting on, like, opening a new Slack, a new sheet to some degree, and trying to start assigning permissions in a way that makes sense.
And then we realized that it doesn't really hold for a long, significant amount of time, because everything is dynamic on the cloud. We wanted to be in a scenario where the access to the resources is done in a way that continuously adjusts or adapts to the actual policy that we have defined, and that was extremely difficult because you don't just manage it with tickets.
You cannot just say or think to yourself that the permission that you allocate to someone for a specific resource will actually be aligned throughout a long, significant amount of time. The cloud is continuously changing. How do you maintain a proper flow that, on the one hand, actually adheres to the policy that you have described, the level of approvers, who is actually approving it, and on the other hand?
How do I actually take into perspective things that we used to call privileged identity management, and now we call just-in-time? How do we really adjust and have the relevant functionality that we need within the cloud? Long story short, the challenge that we are facing when transitioning into the cloud is not just doing the proper discovery and proper policy adjustment.
We need to have the technological solution to actually support us. Otherwise we think that we are actually reaching or approaching a point, but rather than that, we are actually doing something completely different. If we do not have a 360-degree view around discovery, policy and enforcement of permissions, we're going to do a lot of different damage; a lot of different changes will take place.
And what we think we have actually achieved is going to be the opposite of that. And this is kind of like one of the biggest gaps that we saw. And definitely the idea of cloud orchestration is becoming a major aspect, a major challenge: to assign it to an IdP and then assign the roles. Who is approving new permissions?
How do you have just-in-time? Everything needs to actually fall into the piece that you want to have, that is actually driven by the overall discovery and policy that you have achieved. This is a bit my story about the journey that we have actually gone through when adjusting the IAM space to the new era of cloud.
Manuel Garat
It's a really interesting one because, the way I see it, I didn't do an exercise. It is very difficult to say when an incident or situation is IAM related, because IAM is typically very, very often at the center of any particular security incident, regardless of what it is. In the end, it can always be mitigated by having more segregated permissions and so on.
So in the end, it's a little bit with everything, right? But for me, the screw-ups that we are talking about in the case of IAM are a little bit different than with other cybersecurity domains, because they don't typically happen at a point in time; they tend to happen over time because of bad cyber hygiene or bad practices.
And I think that's basically what Yaniv was explaining really well: it's not that we can do something wrong today, it's that if we don't think about doing things properly, starting now and basically in a sustainable way, we are going to find ourselves in trouble, because we are basically opening doors for exploitation and malware.
Dean Pe’er
If you already have the floor, maybe you can entertain us with your big IAM mess-up story.
Manuel Garat
Sure, sure. Thank you very much. I mean, it's kind of similar in concept. In my case, we've always heard about this concept of birthrights, right? So birthrights are basically the permissions that everyone obtains just because they are, I don't want to say an employee, it's basically they are a member of the identity domain pool.
Right. So because they are an identity in that domain, they already get some entitlements simply for that reason. And I don't know why it's taking such a long time to get into the brains of everyone: it's not a good practice. You should never discard things as in, well, these are birthrights. Everyone has email, everyone has Slack, everyone has one.
Right. So we were in that situation, in this particular instance, where we always had these certain systems that were not even protected by a specific entitlement. They were birthright. Not only that, with time there were some which were protected by a specific entitlement, but the criteria was everyone gets this entitlement, right, and therefore everyone gets access to this particular platform, this particular internal intranet site or whatever.
And what happened at some point in time is we actually started onboarding additional identity domains, such as M&A, so mergers and acquisitions, and collaborating with other brands in the space and so on. And what happened is overnight, but the failure, the mistake, was not overnight. It had been a prolonged-in-time thing.
But overnight these people entered the identity pool, and they obtained access to a lot of stuff that could be considered a birthright when the domain was only us. But the moment it was opened a little bit, it was clearly not a birthright. So it proved, well, that's not how we should ever be thinking about permissions.
Nothing is a birthright because you own an identity. You should have absolutely nothing, not even the most basic thing that you always think, well, you should have an email account or whatever, because that might not be the case. And eventually we realized that actually extends even to entitlements that you have protected with or you have assigned to a specific type of role.
If an additional identity provider is onboarded to our domain, will those apply to them? So, for example, let's say these permissions are for developers. Now we onboard, we acquire another brand, and it comes with developers, and they immediately get all of these permissions. But should they? Because in some cases, when you acquire another company, there are competitive clauses and there are basically restrictions.
Right. So, yeah, it clearly highlighted, well, there's another way we have to think about birthrights. There is no such thing as birthrights. You should always be protecting things by their own entitlements. And even if they are given to everyone in your current pool, it doesn't mean they will be given to any additional identity provider you onboard.
Amir Tito
I want to echo what Manuel talked about with birthright. I want to even increase it. He talked about birthright access, and the way that I see it, it is role-based access. It's almost like, whenever I hear it, I'm like, immediately, no, no, we're not doing this access, because we found out that this is a broken process.
And to define the specific rules, this was always giving either too much permission or, in other cases, less permission. We decided to move from role-based access to: whenever someone needs access, you should ask for it and then you will get it, depending on whether he needs it or not. And then the approval process will guarantee and make sure that he gets the right access.
In the beginning, when we had that, there was a lot of rejection, like, hey, why should somebody who just joined the company, as Manuel said, why should you ask for access? But then after a while it was part of the thing: yeah, you were born, you should go to the system and ask for access. And then after like ten employees that just onboarded, the company understood that that's the process, and it didn't take that much time with the tools that we are using today.
Manuel Garat
Well, we too have realized that moving away from RBAC, and I wouldn't say in every situation, but when the organization is sizable and when it's dynamic in its access requirements, definitely role-based access control is a thing of the past. The number of roles and permissions explodes and it's impossible to manage.
However, we also found another possibility, which is going to an attribute-based access control situation, where there are not centralized, let's say, centralized corporate roles. But instead, what you have is the owners of each entitlement can define dynamic access and therefore reduce the number of requests that basically come with a justification of "because it's my role, because I need it".
So it basically reduces the situations of actually issuing an access request to something where the justification really explains a situation that I need to read, understand and decide whether to approve or reject. So I definitely think your approach is valid. It's simply going to depend on which type of organization; in our case, for example, that basically would mean people approving access requests as a job, like, that's their only job.
So in our case, attribute-based access control made more sense.
Dean Pe’er
Yeah, it makes a lot of sense to reduce that attack surface by not giving away automatic permissions just because you're a member of an organization. Amir, I'm interested to hear about your IAM story.
Amir Tito
So my IAM story is that I worked in this company and there was someone, he was a VP, and he was very privileged. Like, he needed to get access to very sensitive systems. And of course, we also hired an intern with almost the same name as he had, and when there was some request to allow access to this VIP, some people made a mistake and provided the access to the intern.
And he was like the one that you don't give any access to that. And he got access to very, very sensitive systems. And the way we figured it out was in an audit; we went into a PCI audit and we figured out that this intern had access to a very, very sensitive data system, and it was very embarrassing.
And we had to deal with the auditor, but not just the auditor. Of course, we just learned that we fucked up the entire access system, and that was one of the days that I learned that you should have something smarter, not just ask someone to provide access, because that is prone to errors. And that's easy.
And the guy who did it, you can put the blame on him. It was all the same name and you just started, you know, and nobody noticed that. I learned that once you had the mechanism where the manager of the employee would always have to approve it, automatically, not just you as the manager, because, you know, for this really nobody would ask the CEO of the company for a problem.
But you would see that the manager could have stopped it, or the system or whatever, you know. Like, if you have more than one person in the approval process, especially for sensitive systems. I mean, there are some systems that nobody cares about: just ask for it and get access immediately. But there are some systems where you have to have at least four eyes, at least two more people, to control it.
And that's what I learned from that event. And another thing was that even the VIP could have had just-in-time access and shouldn't have access to this system forever. And that's also frightening today for every system that is sensitive in the organization. But we're working on it today. I want that, by the end of the day, nobody will have access to it.
Maybe like, you know, DevOps or IT guys, just for emergency, just for break-glass scenarios. But the entire company doesn't have access to the system. They just have to ask for just-in-time access and then they get access to it. So it gives me a little bit better, you know, I'm still a CISO, so I don't need to sleep well at night.
But it's also more secure and better for audit and less prone to errors. Because think about it: even if this intern could get just-in-time access for a couple of hours, that's way, way lower risk than forever. So this was my story, how I learned from it and how I.
Dean Pe’er
I love to have a good story where the CISO is the hero of the day, a lot.
Amir Tito
Of these of you.
Yaniv Toledano
Don't like it. We definitely don't want this.
Amir Tito
Well, I didn't like it at all. You had to see my face. The color of my skin changed immediately. I'm like, oh my God, how do I get out of this thing now? You know, you can laugh about it now, but back then you wouldn't see my smile at all.
Yaniv Toledano
I think that, you know, I'm echoing what I'm really saying and definitely complementing what Manuel said. And I really like the idea of birthright. It's not today, transitioning into the cloud; birthright is definitely not a word that someone can actually even try to coin in any way he wants, because this is simply not possible.
And I think that the dynamic scenario that we are facing when transitioning into the cloud requires us not just to have policies in place, but not even to have just one element of technological controls, meaning like authorization, approval. We need to have multiple aspects, from discovery, some can call it CIEM, entitlements, for actually understanding who does what.
One can define it as actually every access, like Amir said, needs to be actually approved by the manager for sensitive resources. Just-in-time is definitely a tool that is in place and continues to actually run through and understand where these access rights need to be. Continuous is done; I like to call it simply periodic user access review, and it is definitely a control.
So we always see, so, you know, taking different roles in the cybersecurity space and that landscape, you know, it's a cliché; one understands that the idea of castle and moat doesn't exist anymore, to prove that access is no longer in place, specifically in transitioning or in cloud IT; this is a no-brainer. But what we simply always lack, and some of us do understand that and are trying to understand, because it's definitely difficult, is that the controls that we need to put into perspective are significant.
Yes, have a policy, create a proper culture. But the technology needs to actually be driven by four main elements, at least. This is how I see it. This is my two cents: proper discovery and understanding, exactly like Manuel said. You think you have birthrights here? I'm showing you that you never actually access it; your birthright is not even justified, which is definitely not a discussion.
You don't need to have birthrights on your access. The second one is proper flow approval, whether it's a manager approval or a specific stakeholder. The third one is definitely using the elements of what we called PAM and PIM, or now just-in-time. And the fourth one is continuously doing periodic access review. Even if you access it one time, it doesn't mean it needs to continue in access.
Maybe someone will come and say it's not relevant for him. So put into perspective these types of controls; then you might have a proper culture and a proper ecosystem to actually avoid most of the risks. But again, awareness and other things are also very much justified. This makes sense, echoing with my friends here that raised their concerns and their approach.
Manuel Garat
I would actually add an additional element to that list. I agree 100% with that. What we found is, if we add on top of that the fact that there are no permanent entitlements, so any access that is granted via an access request will always expire at some point in time, at maximum one year, which means after a year people have to either re-request it or they lose the access.
But that, in combination with the periodic reviews: if the periodic reviews are inappropriately performed, at most they are allowing an inappropriate access for a year, because after a year those people are going to lose their access. So that combination of the two basically results in nobody accumulating historical permissions in the organization as they move around.
Yaniv Toledano
I agree. Well, I think it's also great. I'm sure, just to understand, this is a structured way of technological controls. One solution, two solutions, at the end it doesn't matter. You need to actually make sure that this happens in your ecosystem, and work continues supporting your business. It is also critical. So I've got like a good solution, a good, let's call it a glove, maybe tailor-made to support the organizational needs.
Dean Pe’er
And before we wrap this up, any parting thoughts from you?
Yaniv Toledano
I think you summarized it in a way that actually makes sense to most of the audience that will take part in this webinar. And here I think everyone has a lot of their own to contribute. I think that the principles, if we think about the traditional landscape around the on-prem environment and moving into the cloud, share the same ideas and the same principles.
But definitely the frequency and the way that you actually adjust and conduct them needs to be much more rapid, much more robust, and definitely not take any consideration that, you know, something that is static needs to be maintained static. This is what I, you know, have been learning around the cloud and how things are being de facto added into the cloud.
And I think this is kind of like my $0.02: principles remain the same. Technology might change and definitely does change. Native doesn't matter; how it is native, not native, it doesn't matter. But at the end, when you shift into the cloud, the idea of IAM takes a major pill of steroids, and you need to definitely be adjusted and ready for that, and actually to make sure that you're doing what you're supposed to do in order to maintain a proper authorization ecosystem.
Manuel Garat
I agree. I mean, the central concept of my story, and I actually recognize the same concept in the other two, I think is the same philosophy that we have now with zero trust, which is validate everything, don't accept any assumptions. In my case, it was, well, we make the assumption that we don't need to really validate if these people need access to email.
Now that's not valid anymore. Again, zero trust: validate everything, and that's what I think is the most important mindset nowadays if you're in the cybersecurity space, and particularly in the identity and access management space.
Dean Pe’er
Okay. And that wraps up our session today, and I hope you found it fun and very valuable. And if you didn't, let me know why, and if you did, let me know why, and just leave a note on our website. And a huge, huge thanks to our guests and their amazing stories. Manuel, Amir and Yaniv, thank you very much, and thank you all for watching, and we'll see you at the next one.
So be sure to follow us on LinkedIn for updates.
Amir Tito
Thank you. Thank you.
Manuel Garat
Thank you very much.