Case study - How leading organizations solved security challenges leveraging NHIM

Published on October 2, 2024

The increasing complexity of managing non-human identities in today’s cloud-centric environments is a critical challenge for security leaders. In this final session of our series on non-human identity management, Roey Rozi, Director of Solution Architecture at Oasis Security, discusses how leading organizations are overcoming these hurdles. Roey shares real-world case studies, showcasing how companies have implemented non-human identity management platforms to address security challenges and improve operational efficiency through automation. He also covers the essential steps organizations can take to establish lifecycle management and reduce the risk of breaches.

Join us to explore how lifecycle automation, policy enforcement, and proper prioritization can help you secure non-human identities across growing cloud environments, and hear practical insights on how to adopt and scale these solutions effectively in your organization.

Transcript:

Dorene Rettas:
Hi, welcome back for those of you who are with us at the prior sessions. So once again, I'm Dorene Rettas, I'm the co-founder of CyberSecurity Tribe. And again, I'm gonna thank our sponsor because I can't leave them out, Oasis.

So this is the final session on non-human identity: the risks, the reality and how to manage. In this last session, how leading organizations solve security challenges leveraging solved security challenges. Sorry, Roey Rozi, the director of Solution Architecture with Oasis Security, is gonna discuss specific hurdles that organizations have faced with non-human identity security across a rapidly growing cloud environment prior to adopting a non-human identity management platform.

This session's also going to provide insights into how companies have implemented lifecycle automation capabilities to drastically reduce the risk of breaches while improving operational efficiency. So, for those who weren't on previously, I just wanna point out a couple of things.

We have a chat functionality in the bottom right in there. You can respond to one another, we can respond to as well. There's also a questions widget. That question widget allows you to ask just the moderator questions. And then finally there's an apps little icon there and within there there are handouts. So I believe there are four handouts that you can access and download during the event. So good to see you again Rozi, and I'm happy to have you with us to share a little bit about a case study. So with that I'm gonna let you take it over.


Roey Rozi:
Thank you so much Dorene. So what I've been doing for the last two years, in a way, is implementing projects to manage and secure non-human identities, so different styles of organization, different priorities and different types of teams. And what I want to share with you guys today is a bit about the different types of organizations we saw, how each organization approached this problem differently, and what a plan to tackle non-human identities looks like, and you can take this to yourself, use it either with a do-it-yourself approach or with a tool.

Because the plan is very similar or just a step that will slightly vary. So I wanted to start with talking about the different types of organizations and how I like to look at them in terms of how their plan will look like. So I'll share a a bit of my screen here.

And what we've noticed is that organizations are somewhere on the scale between risk oriented and governance oriented. So a very risk oriented organization is all about, okay, we're gonna have a breach one day. How do we respond? How do we rotate everything? How do we do it correctly? Think they think like they thought CloudFlare breach, what CloudFlare had to do, we are gonna have that one day. How do we approach that? It's all about anomaly detection, finding it and then response.

On the other far side, it's organizations that are all about policies and governance. So they will define clear policies and they're looking to efficiently manage them. Basically saying, all NHI should be rotated every 90 days. Great. How do we efficiently do that? It's all about automation or maybe every unused account should be disabled, I do not know, 30 days, 90 days, one year, but should be disabled completely. And they have processes and they make, they really want to adhere to those processes and make sure they're happening, get audit reporting, etcetera.

Dorene Rettas:
Roey, can I jump in and ask you a question on this? Do you often see that it's dictated by the industry?

Roey Rozi:
Yeah, so industry affects us a lot. For example, financial institutions and healthcare, which are more regulated, are often more governance oriented. Whereas smaller organizations, organizations that maybe don't have specific identity personnel, might go more risk oriented. So size of team, size of organization and how regulated it is are the main factors in whether it goes right or left.

Dorene Rettas:
Glad to know my assumption was correct. Thank you <laugh>.

Roey Rozi:
Yeah, and we've also seen I think during the, like I'm gonna show a use case like of how we did a project and we sometimes see organizations that start a bit risk oriented, they then move over to governance oriented as they mature. Very common kind of movement that we see. But some start here and some start there. So we've seen everything.

So I mentioned that different team structures affect a lot what the plan looks like. So I wanted to share a bit with you, Dorene, what the different stakeholders are in such a non-human identity project.

So, we always have the CISO or executive, VP of identity or something like that who has high level initiative. He wants to see the problem solved, he wants metrics, he wants reporting, he wants to see reviews and he wants to make sure it's properly addressed. That's the first stakeholder we always look at.

The second stakeholder, which is very, very interesting, is security architecture. Now, Dorene, you maybe have a guess why security architecture is so important for non-human identities. Putting you on the spot.


Dorene Rettas:
Yeah, I was gonna say nothing like throwing me on the spot. No, I don't but I guarantee that you're gonna have a really good answer for me.


Roey Rozi:
Yeah. Often, because non-human is such a new thing, we have teams that are responsible for classic human identities, but this is a new problem. So a lot of the time there isn't someone who's particularly responsible for it yet, and security architecture, as we see, are often like, this is a big problem, we need to approach it, we need the tool, we need the strategy. They will build a basic plan and then they will find someone in the organization who will adopt and implement that plan. So that person could be either cloud security or a cloud administrator or an identity administrator. Think the person who used to manage Active Directory and is now getting more responsibility. And in smaller organizations it might be the SOC, just because they're already very used to getting more responsibility as an organization. So we've seen both, depending usually on the size of the organization.


Dorene Rettas:
I don't wanna jump ahead too much and you may be getting into this, but do you think that's going to change over time? Do you think that there will be a stakeholder that's specifically focused on that?


Roey Rozi:
I'm pretty sure it's going to happen. I think my guess is that a few processes will be happening. First of all regulations and auditors are gonna be much more interested in non-human identities as well. We see PCI leading this initiative with a lot of new things they put in their 4.0 standards about non-human entities. They call them system accounts and I'm assuming the frameworks and other auditors will follow through and then we'll find experts and full-time employees who will be responsible for this just like we have today full teams for human identities.


Dorene Rettas:
Yeah, okay. Makes sense. And it's going to be necessary. We know that.


Roey Rozi:
Yeah, For sure.

But we might be surprised, maybe it'll be part of the cloud team who will take on this responsibility because cloud will become such a major player and they're very techie people usually and we'll be able to to do that. So might go a different way but I'm sure it'll be a big part on many plates.


Dorene Rettas:
Yeah


Roey Rozi:
And at the end of the day though, the most important part for a successful non-human identity initiative is to have an administrator whose responsibility this is. Exactly like you said, having an administrator who has the right permissions, who knows what metrics to track and is doing the work and getting the progress and operationalizing and enforcing those policies.

Dorene Rettas:
Terrific.

Roey Rozi:
So, just a bit of what a project like this can look like. And this is a bit of a framework that we developed with our different customers on how to do a project. And it's the same whether you're using a tool or not using a tool. And the first part is the kickoff: we need to plan milestones, success criteria, understand the environments, map the stakeholders, understand how we're gonna approach it and what we're trying to achieve. Very simple, like any project.

Then during the onboarding we start with centralizing, which is basically creating an inventory, making sure all of the data, all of the identities are managed in one place. Small organization, Excel is fine, larger organization you might need a dedicated tool like Oasis. Then we do an overview, understand the patterns, what are the problems, what are the main issues. And then what I like to do is the first step is to solve like the top five issues, find the top five things we need to solve. Think of like a third party contractor administrator that's been there for 10 years unused with admin permissions for everything. Let's just disable this account. We can then solve like five main big issues and during the process we see how it works, who defines policy, who does the work, who does it need to notify, how do we do reporting, how do we do auditing? And after we do that a couple of times manually we can re-identify the stakeholders and define a process, understand how it works and this is often where all the pieces fit in and we understand how we can approach a problem and scale for the entire organization.


Dorene Rettas:
What do you mean when you're talking about re-identifying stakeholders, and why? Right?


Roey Rozi:
I'll share with you a story. So we were working with this identity team and we mapped all of the identities with them, created a full inventory, and we found 300 accounts that were unused for over two years. Great. Now they wanted to disable them, but then they saw, wait, we don't have the permissions to disable, we just have reader permissions into the identities. It's the cloud team that manages those identities for us. So we then re-identified that we need a stakeholder in the cloud team with the right permissions who will let them open a ticket for him or give them the permission. And we had to define a process with them and how it's done, and we didn't know at the beginning of the project that we were gonna need their support. Now we know to ask the questions in advance, but it's often the case that because it's a new process, you need to identify the stakeholders after you try to do the manual process a couple of times.

Dorene Rettas:
Would you say that you're only re-identifying those stakeholders one time or can it sometimes happen multiple times throughout the project?

Roey Rozi:
It can for sure happen multiple times, but I think after you do a few manual operations you get like 90% of the picture.

Dorene Rettas:
Okay, thank you.

Roey Rozi:
And then that's when you go scale, right? So you did it a couple of times. You re-identified the stakeholders. Now you can put in the ITSM integrations, the ServiceNow, the Jira, get it hooked up with your CMDB or organizational databases, and then you can start doing things at scale, operationalizing it across different scopes. And usually the process will go: make sure everything has an owner assigned to it, then decommission all the unused identities, and then start doing rotation and enforcing least privilege on what we have left, going scope by scope and doing this with a wide movement across the organization. This is the clean-up-the-mess step.

Dorene Rettas:
How long does, and I'm sure the audience is thinking this right when you look at this slide, so how long does a project typically take? And I'm sure there's lots of variables, right?

Roey Rozi:
So, it usually takes around a couple of months, what I've currently talked about. But it's all about the scope you define, and the best thing to do is to define a scope that can be cleaned up in about two to three months, and then you can see results straight away and then you're happy and you can expand the scope. It's all about getting the managers happy at the end of the day, and everyone too, we'll get to keep their jobs and get their bonuses.

Dorene Rettas:
I gotta be honest, I mean for a project two to three months does not sound, you know, too bad to say the least. Yeah.


Roey Rozi:
And at the end of the day, once we do the initial cleanup we will wanna have what we call the stop the bleeding part, which is where we can define automation and automatic policy enforcement to make sure everything is done automatically and then just having to touch up every once in a while and then we can have a good time and relax at the end.

Dorene Rettas:
Stop the bleeding.

Roey Rozi:
Yeah, very classic. You clean up the mess and then you stop the bleeding. Yeah.

Dorene Rettas:
Perfect.

Roey Rozi:
So Dorene, do you want to see like a sample project with timelines and everything?

Dorene Rettas:
Yeah, that would be very helpful.

Roey Rozi:
All right, so this is an example project with one of our design partners. And so it's very early on in Oasis, like one of the first projects we did, and this is a financial institution that moved over from more risk oriented to governance oriented during the process.

So, what did that look like? We started connecting to lower environments, right? Lower risk, easier to manage, like dev and staging, and things that are not operational, non-production.

We did discovery, we looked at issues, we saw what they're not doing and where they can be better, presented like a summary report and understood, okay, this is what we're not doing, this is roughly the size that we have, let's start.

And then we went operationalizing, doing it manually a few times, re-identifying the stakeholders, defining the process, and then got to the point where, okay, we know how to do it in our dev environment, let's connect to production, defining goals and then starting to go and achieve those.

And within two to three months you can get to the point where you cover all of the top issues you wanted to solve, decommission all of the stale identities, rotate all of the privileged ones, and get to the point where everything is secured.

Dorene Rettas:
So, and I know Ryan mentioned this in our very first session today, but for this example that you're giving, why was Azure chosen as the starting point for the project?

Roey Rozi:
Great question. It's usually easier when you're using a third-party tool to start with a cloud where it's easier to integrate and connect, so that's one reason. But the second reason is also that most of the cloud assets are internet facing by design. They're used for microservices that are connecting one to another, SaaS platforms. So there's a lot of risk there. All you need to access super sensitive information is just one key and that's it. No firewalls, no nothing. So both in terms of ease of use and also in terms of priority for the organization.

Dorene Rettas:
Okay, so this is really their starting point if you will.

Roey Rozi:
Yeah. And after we did this and defined policies and we got to the stop the bleeding part, we expanded the scope so then we tackled the hardest one, which is on-prem Active Directory and started tackling those legacy applications, which is more challenging. But once you've done it in one place, it's easier to expand.

Dorene Rettas:
I don't wanna keep interrupting you so I'll try to stop but questions come up as you're talking. Can you talk a little bit about the process for defining the policies and also why that's so important?

Roey Rozi:
Yeah, so I'll use an example from this account, and what happened here is we wanted to disable or decommission stale identities. And at the beginning we contacted owners of an identity that was unused for about a year and told them, hey, do you still need this? And after they're like, I don't even know what this is, or this is an old project, I forgot about it, feel free. After we've done it a couple of times we understood it. If we just define a policy that says every identity that's not in use for a year is automatically disabled, or we'll give you a week's notice and if you don't answer we'll disable it.

Something like that, we can do it in scale and much faster. So the defining policies part lets the administrator move much faster and no one's gonna be mad at him 'cause he's following policy, right? And if the policy is correct and fits the organization, you can move a lot quicker and achieve the goals much better.

Dorene Rettas:
Thank you. Makes sense.

Roey Rozi:
Yeah and it's been great.

And then you define policies and then you can enforce them and then you can keep everything secure and you don't have to go with a case by case basis.

Dorene Rettas:
I like how, how simple you make that sound.

Roey Rozi:
At the end of the day it's all about simplicity, right? You have to understand the tech and then give clear guidelines on how to approach it in order to solve a problem. Otherwise it's impossible to do at scale. We're talking tens of thousands of identities. So you have to do it at scale by policy <laugh>.

Okay, so Dorene, is there any kind of thing that pops into your head, like something you've learned today from this?

Dorene Rettas:
Yeah, I'm intrigued and interested in that. Risk oriented versus governance oriented, right? <affirmative> And we talked a little bit about industries of course, but in this case you talked about an organization who sort of moved along in the journey, right? So do you mind just getting into that a little bit further?

Roey Rozi:
Yeah, for sure. So I think it, at the beginning it's very easy to be all about the risk, but when you learn more and you have more tooling and your maturity grows up, it's much more efficient and effective to move over to governance. I always like to say if you rotate an identity every week, you don't need to worry about it being exposed 'cause it's gonna be rotated tomorrow anyways. So once an organization gets to that level of maturity, they can go to a more governance approach and that's much easier to maintain for the long run and much safer.

But it just requires a higher level of maturity and investment to get there.

Dorene Rettas:
Thank you.

Roey Rozi:
And I think five years from now, or 10 years from now, maybe even less, this will be a standard across all industries and we'll have standard tooling and a framework to do this. And a note from me to any executive leader who is looking to empower his team and learn more and be innovative: I would suggest you start doing this now, it'll be great for your people. They'll learn a lot, they'll advance and secure the organization but also lead this process.

And it's really, really exciting, an exciting place to be in. So I highly recommend doing it.

Dorene Rettas:
And I will say, you know, one of the reasons we were excited, CyberSecurity Tribe, to partner with Oasis, not just for this but in all the things we've done, is because we see the true risks of not managing those non-human identities. And our goal obviously is to provide information that's beneficial to the cybersecurity industry, to ensure that they're doing everything they can to protect their organization. And so, I think, and I appreciate, Rozi, that you didn't go deep into, you know, Oasis, it is important for our viewers to know that your solution is helping organizations to really solve this challenge and reduce the risk, which is, you know, as we talked about, a necessity today. It's not a question of whether it should be or shouldn't be.

Did you have anything else that we didn't touch on that you wanted an opportunity to talk about with the audience?

Roey Rozi:
Yeah, I'll give one sentence on Oasis. Oasis is a platform that was built from the ground up to do this exact process: to inventory, prioritize, help you define policies, operationalize, and then enforce them in a wide, automatic way. That's what we're built to do. That's the only thing we do, and we're excited to go on a journey like this with anyone who's interested.

Dorene Rettas:
So my final statement is, I speak to CISOs all day, and any time that I've brought up Oasis, everyone seems to have heard of you guys by now, and the response is widely, yeah, I'm really interested in what they're doing, or I'm really excited by what they're doing, or, wow, that's a great company. So that speaks volumes about your team. Thank you. I wanna again thank you for joining me, not for just one but two sessions, and providing knowledge.

Remind those who are on right now, if you didn't get a chance and wanna download any of those handouts, including the report we have on non-human identity management, you can still access that here. If you need to reach out to any of us at any point, feel free to. But thank you for joining us.

Thank you Roey and thank you Oasis. With that, I'm gonna let everybody enjoy the rest of their day.

Roey Rozi:
Enjoy. Thank you.
