Listen to learn the first steps to take to implement identity management and other critical aspects of identity security.
Identity management is a critical aspect of any cybersecurity program. Creating the right roles and implementing a mature identity management lifecycle requires thoughtful collaboration between information technology and business operations.
Garret Grajek (CEH, CISSP, certified security engineer, product builder and CEO of YouAttest) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, everybody. Welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics.
Very excited about this topic today because it's one that everybody needs to do and a lot of people really struggle with. It's identity management. I'm gonna introduce the, our our guest first. His name is Garrett Grajek.
He's a CEH, CISSP-certified security engineer and product builder. Garrett has twenty five plus years of IT security product creation. He has thirteen US patents for information security products with a focus on application SSO, 2FA, identity assurance, continuous authentication, AI, and blockchain.
Garrett specializes in creating secure IT products for markets in the financial, health care, federal, state, education, and other regulated areas. Products Garrett has created resulted in multiple awards, Gartner ranking, and have been sold to more than five hundred customers resulting in two hundred million plus in revenue. Garrett, thank you for joining me.
Thank you. Thank you for your, scheduling this.
I appreciate your time, and I really appreciate your interest and and expertise in identity management. And this is, it seems like everybody that I talk to, whether they're undergoing a, some kind of a compliance issue or a security audit or or general consulting, identity security is something that people struggle with. So, maybe maybe kinda give us a high level understanding what is identity management.
Where do people start with it?
Wow. This is an effortful question because I I it recently, as you said, you know, founder and CEO. Great. I started another IGA, an identity governance product, to manage and help people govern their IAM products. And I was talking to this MSP. He was all real excited, and he's like, Garrett, I like what you say.
I like your enthusiasm, and Bob is always a bob in a room.
Yeah.
Bob said, you know what you're talking about. Right? But you're gonna have to step it back. Okay?
And and he go, can you write me a white paper and literally that I would give to a customer and say, this is identity management, and this is why you need it? Yeah. He goes, because I can't I can't articulate that. And then it was kinda it was kinda apropos.
And I literally sat down and wrote the outline yesterday and then wrote the whole paper in, you know, twenty minutes. Mhmm. Because I was I was just like, okay. This is what people need to know.
Identity management is and I went I wrote up yesterday was, okay. Great. You have, you know, acmetile.com. Right?
And this is really I wanna start at the low level because very often, you sort of have you you you start a company. Right?
Mhmm.
And rock and roll, you you you you have some applications. You have a payroll app. You have an email app. You have you have everything app. You have your scheduling app. Right?
Right.
You have your, you know, your compliance app to the states. You have your tax apps. Okay. Guess what?
Each one of those each one of those usually has an identity Mhmm. And its own identity store. Yeah. Very often.
You know, you get on HubSpot, and it's got its manager, and and it manages those users. Great. You you know, you get on Salesforce, you create that, and now you got those users. And you get on, you know, G Suite, and you create those.
Identity management is the concept of let's step back.
I don't care if you're Acme tile or if you're Boeing.
You've got all these identities you have to manage. Right?
Right.
And how do you manage them, and how do you this is a real key question in 2023. How do you govern them? Mhmm. And what that means is everywhere everywhere you see right now, I don't care if it's a DOD pushing the CMMC.
Yeah. Some acronyms. That's there you go. There's their new regulation that says all suppliers have to have it.
Yeah.
But if you're new to retail, for the last twenty five years, ever since the TJ Maxx hack, you've you are under what's called PCI DSS, and you have to quantify all your users.
Yes.
And if you're in health care, you're under HIPAA. Mhmm. You have to quantify. I can go down the line.
So here it is. Not only is identity management important because that's literally how your your employees and contractors do their work, let alone your your customers get any data from you. Right? But it's also governed.
It's governed to do business in the west now. You're gonna be under some governance, and you're gonna have to show not only this is the key to identity management. No longer is it enough just to provide access.
You have to provide why you gave that access.
Exactly. Exactly. So why they need the access because you have to go on, you know, minimum necessary, access.
And so, ideally, the principle of least privilege.
Yeah.
Yes. NIST 800-53, PR.AC. That's six.
Exactly. It's cracking me up that you mentioned CMMC because my last episode literally was with Katie Arrington of the, who used to be the CISA or the CISA of, the DOD who was the mother of CMMC. So a a lot of people are talking about these things out there. These are all very timely topics, and identity management. Well, how do you secure what you don't know?
So how do you secure what you don't know?
Right. And how do you know what you don't know? Is it in there having a good time doing dwell time and and going through your network?
That's a really critical question that that's, often I will ask people just a couple of questions beyond the actual compliance thing that I tend to talk to them about because I actually care about security. And the one question that I ask that's a little bit beyond sometimes is, how do you know if someone has set up a privileged account in your systems? How do you know? And and a lot of them don't even know what their current accounts are because, like you said, there's so many of them, and they they can't get their arms around them. So, really, what's the first step that an organization should take when they're considering identity security?
And and first, I'll go on a slight tension that I answered your question.
I got one customer. It's not a large customer. It's two thousand employees. Right?
Mhmm.
They uploaded to to my system of identity attestation, the concept of knowing where sixty five megabytes of roles.
Okay? That's true.
So that that's work today.
Sixty five megabytes of roles had to be attested to. Okay?
And another customer, right, he's got, nineteen hundred managers in twenty nine countries, eight hundred thousand roles.
That sounds like to that.
A lot. So what we're talking about is roles that go a single individual maybe has many, many roles depending on what they have to access and how they have to access it. Right?
A few of these had twenty three hundred roles.
That's a that's a lot of roles for someone to get their arms around.
But this is it actually is not a bad tangent because your question was where do we start?
Yeah. Where do we start?
Yeah. And I and I did make it when I was just wild mining yesterday having fun in writing. I was like, okay. So let me get acmetile.com. You got all these applications.
Uh-huh.
What do you do first? And I'm a governance product, and I did not say the first thing you gotta do is slap on governance. No. I said, the first thing you have to do is choose an IDaaS, please.
I mean, really, they're really good products, guys, because I built one. I built one from scratch called SecureAuth. Okay? And then I looked at what's going on.
I was like, wow. Okta, you know, Azure AD, Ping, JumpCloud. You guys got more funding. You you have a good time.
So I'm not kidding.
But but like you said, there's a lot of options out there. So so lot of good options. People should have one of those should have rung some bells for the people listening.
Right. But look at what they provide and then understand it. First of all, it it it secure identities in the cloud are gonna be needed. Right?
Okay? They should have built in two factor. They they should all all have that. Right?
They should have decent, you know, logging in there. Okay? Rock and roll. Okay? They should have a great library of SSO.
That's really that's really what it's about. It should be easy. And, you know, if you're a SAML guy, fine, or or OIDC, it should have that that thing. And then, really, what matters, All of us we just talked about. Mhmm. All these rules, all these privileges.
Right?
I don't care if you're just gonna use SaaS applications or if you're no. You're a you're a ZTNA guy. You're a zero trust. You're SASE.
You're secure access service edge. You are cutting edge. Okay. I've done podcasts with all these technologies.
And the first thing they said, I go, what about identities? They go and I was like, I'm a distraction. They're like, oh, yeah. Well, you know, the companies all have this grouped into roles.
I'm like, okay. Okay. You're you're an L2 to L4 guy. I get it.
You have no idea what a disaster identities are, but that's your answer. The answer is to start with an IDaaS, start with your identity as a service, put your identities there, and start early by focusing on roles. And if I'm complicating too much out there to call it groups, guys, that's all they are.
So so just to back it up a little for people who are who are following along, IDaaS, identity as a service.
We're talking about IAM, which is identity access management. Right?
So so when we're talking about these solutions, I think the reason is you can't every once in a while, I will still run into a group that's largely running maybe like a a a Windows farm. And and instead of, having a a role based approach or a group approach to adding privileges, they'll add granularized privileges to an individual.
And and that pretty soon gets out of hand.
So it gets out of it gets out of hand with twenty five users.
Yeah. Yeah.
It it really does.
Because how okay. How are you enforcing? Yeah. How do you do, you know, you know, join move leave.
Right? What what's going on? Yeah. Right? You know what I mean? How do you just remove the whole idea is, oh my gosh.
Did you see what he posted? We gotta cancel him. Okay. Rock and roll. It should be one button.
I just removed them out of this group. I just removed them out of this SaaS application. I've removed them through access through the CASB, all that. It should be one button, and it is one button if you identified your users, put them in logical groups, and then are enforcing policy through the groups.
Yeah. Absolutely. It also helps, I think, with some of the the group the people who they like to promote from within, and they give these opportunities for people to grow. But then that that means that the person who had these privileges in one role in the company, now they move to a different role in the company. And so instead of modifying the roles they belong to, they just start adding privileges. And pretty soon, people who have been at a company for a long time have all the privileges in the world, and there's no way to really get that under control unless you use some type of, access management tool like you're talking about.
Yeah. And and and what the I the other thing I think I think people do wrong, right, is they expect too much of the IAM tool. Well, the IAM tool should enforce all of these groups and role privileges. Really?
How? Are you seriously? I mean, how is it supposed to do that? Is it supposed to have deep hooks into every application?
This is something, like, I built my in my identity. Not like it's something I built in my identity governance program because it was from the auditors. The, the, external auditors said, okay. They pushed back in a company that was ready in, and I I have a governance tool. And they said straight out, okay. You're doing a decent job. You've started this.
Okay? Your IAM, you have the users in in groups, and then you even had Garrett's product. You attest. Go in and attest those roles. Okay?
Alright. Now you also threw at me because they were financial and the health care did the same thing. You threw at me these these other four applications that have access to in this effort, you know, financials, PII, for the health care is PHI, and for the DOD CUI. They have access to secure data. Okay?
Alright.
Where's your logical mappings?
Right.
Right? You know? I mean, okay. You're just telling me this that they should have access. Really?
Why? Mhmm. Why should they have access? And what I literally built into my product was a compass of a siloed app, where not only does it identify ghost accounts.
Right? You know you know, Bob left two years ago, and he's still in this financial avenue. He was still in this this, this, health care app. Okay?
No. What it does is quantify the users that are in that silo app and then quantifies the group role here in your identity store record.
Mhmm.
Now those should this should be a subset.
This should be a subset of this, and it helps you identify your your anomalies and all that. And then then your audits go a lot cleaner and more relevantly, your security is a lot cleaner. Right?
Sure.
Because as much as I love IAM, it's it's not everything. Most enterprises haven't always taken the time to integrate everything, and the governance still needs to be there. But I I do and I will proponent, not from my idea, but from my readings and from the auditors I like, say, start with your users, group them into logical roles, and then enforce those roles. That will scale.
Right. And and I like what you said there because as you touched on just briefly earlier, just because somebody should have access, who says they should have access? Right? So that authorize the authorization step and so a lot of times what I see is there are there are business processes that are logical and sure.
Hopefully. And and there are business, accesses that are required because of these business processes. But where those are detached from privileges, then then you start getting into trouble. And so where you talked about, well, how let's map these things.
What are they supposed to have access to and why, and who was involved in that question? So a lot of times when only the IT group is is, left with these requirements, then they don't they don't know why someone should have access or to what degree they should have access. So this really becomes, I think and and maybe maybe you see it differently, but I think this really is much more a business logic question than it is an IT challenge.
Yeah. But but, I mean, we off often yeah. I am in a security product called SecureAuth, and I and I let's play it this way to the when I told my team. You guys have to remember, authentication doesn't exist.
You don't exist. And they were like, what do you mean? That's how we make our living. All that.
I go, no. The user wants the application. Yep. We're just something in between. Mhmm. That the and we're a current state of this for regulation blah blah blah blah.
And that's why I also look at at IT.
We don't really exist. The business problem is this.
We're a translation of the business problem into the enforcement.
I like how you do that.
Yep. Yeah. Yeah. We're just we're just listening, and this was a good deal. But I swear to god, when I wrote this got this product done, what I how I built it is I all I did is I listened to my buddy, Raj, who's a great auditor.
Okay? Now he works at CDW. He was at.
And then my IT director, Frank Kelly, who was my director of IT at SecureAuth. And I said, how do you guys do an identity audit? And I just took notes.
Okay? And that's and I go, the product's gonna be the workflow between Raj and Kelly. And that that's what it did. So the same thing is true when we say we ask, okay.
The business guy is saying this. Right? Is that really an IT problem? Yes. It is an IT problem.
It's an IT problem to most accurately map the business product to their technology. Right. That's why we got all those degrees and certification guys is that we're supposed to be smart enough to listen to a real world problem Mhmm. And then map it into the entity that is known as our IT solutions that we have.
This episode is brought to you by the SecurityMetrics Academy. If you're interested in learning more about cybersecurity, privacy, compliance, related topics, we have a ton of free courses. Just go to https://academy.securitymetrics.com/ and search for the academy. It'll come right up.
So so, kind of along those lines when you say, it's IT's problem to facilitate that access, one of the things that that often comes up with in businesses is two factor or multifactor, and this just gets in my way.
I wanna get to act I wanna act I, as a user, wanna access this app, and why are you making me do a second thing? So what what are your thoughts on that? Is it is it necessary? Is it is it a are we using it in the best way that we could?
Well, of course not. But that's fine.
But but are is it necessary? Oh, I don't know. I can't name the name because I just I mean, did a lot of backpacking. And there's there's things that I like about backpacking around the world.
No one can sue you. Okay? Yeah. Come back to America, and everyone can sue you for saying hello.
Yeah. That's true. I built a product. It's called SecureAuth, and it and it, it would literally, figured out better ways to do X.509 authentication and more importantly, X.509 revocation because it's it's it's kind of backwards the way it's written.
Well, it's not backwards. They did the best they could with what they had. There was no LDAP, nothing back there. So I redesigned that.
Anyways, I went to the customer and they got it deployed. It was great. And they said, Garrett, we're a federated entity.
These entities find that a little too difficult. I'm like, I I go I got I'm like, not putting anyone down there. I got I got real estate companies using this, and I used to do the IT for real. Those are not technical people. Your people could do this authentication.
No. Dumb it down. You're gonna have to rip the, the X.509 out of it, which was being stored in my job. It was harmless.
And they're like, you gotta give me the intent. Alright. They made the news, guys. They made the news.
They dumbed down my, authentication.
The, that literally put no authentication in some points, and they made the news. Multi, multibillion dollar hack on them. Yeah.
I think we've seen that.
It's pretty critical.
You've gotta have that multifactor in there, the two factor, as you as you did.
Right now. It's just it's just why would you why would you not? And the fact that how I started off this call is the IDaaS players built it in. They built it in for you.
There's no reason not to have it. I mean, come on. You can do SMS. You can push authentication.
It's I mean, it's it's built into Google. I I I always say that what's gonna work long after the bombs fall and all that is gonna be the Google Authenticator product. That thing just works. Okay?
It's no brainer. It just works. Okay? So you should do two factor authentication, and then you should quantify users' roles and then use their secure SSO.
Yeah. There there you go. I mean, I that's my I I don't and I I don't really buy the the two factor's too hard. There's been so much good work so much good work and the ubiquity of mobile today and the integration of use of mobile.
I mean, you know, do we wanna get the password? It was fine. Rock and roll. I I I don't think it's it I I've worked with people who said that's gonna be the holy grail.
I go, really? Okay. If you think so.
We we get a lot of holy grails that come along that turn out to be not the holy grail.
But Yeah.
But I think you're right. You know, if we don't have that that turned on, there then all you've got is basically, in most cases, you've got a username password. And a username password is so easy to get someone to tell you. That's what phishing is all about. Right? And so over and over again, we we hear these these cases where it was just there was no multifactor in place and somebody was was able to get in just by, asking someone for their username, password, and then using it or or somehow gaining it from a a a previous hack. And and so, I agree.
In some ways, it can add a little bit of friction, but there's a lot of ways that it's the friction is minimal and and should be not, trivialized in in its ability to help.
I think we there was a great I I I I was presented at a conference, the Institute of Internal Auditors, over in Dallas, IIA.
And I'd liked what the, keynote speaker, who was the president of IIA, said he goes, if I can do my career over again, I would have more empathy to the users.
You know? And he he was going because, you know, he gets it. Auditors, you know, sometimes confrontational. Give me this data.
Give me this data. You know? Blah blah blah. You know what I mean? He's like, no.
We we gotta make it easier. And I acknowledge that mechanisms such as two factor, may, slow down people, etcetera. But I it's I mean, the the consequences are far too bad to not to learn it.
Agreed. Agreed. Oh, okay. So then sometimes I'll get asked this or told this. We're in the cloud, so we don't need to worry about identity in because cloud takes care of it. It's a you know, the cloud magic hand wavy thing that solves all the problems?
So do you think, cloud technologies are are solving some of these identity problems? Do you think it's making it worse? What are your thoughts on that?
I I would love to talk to a person who would actually say that. The cloud is fantastic.
It is it is where we need to be. It is how enterprises, I would give if it's Acme Tile or anyone become more efficient and spend less money on IT. So it's great. The cloud makes us probably the factor of one hundred to a thousand times more insecure. It just does. I mean, people don't realize it. And as I wrote a blog, the the the the truth of this, all that matters in the cloud is your identity.
Right?
Yeah.
It used to be L2, L4 blocks and port blocks and all this kind of stuff and, you know, special VPNs and, you know, whatever.
No. And there's this thing. It's just your identity being SSO'd Mhmm. Or being authenticated, reauthenticated at at the cloud. I it's one of the things that I rant about is goes, I don't know how people equate zero trust through simply the network.
I go, that's just, to me, just downright silly.
Yep.
That's I go, it's it's not the network.
It is the concept that every point in the digital transaction, the digital life of this session should be reinforced with a level of authorization, if not authentication.
Yes. And right now, the cloud is very insecure. I mean, the cloud the cloud could be extremely insecure. Our friends at, Palo Alto Unit 42 did a research that said they were looking at cloud permissions.
Mhmm.
Cloud permissions. They did eighteen hundred surveys. They found that ninety nine percent of the users in the cloud were overly permissive.
Yes.
Remember we talked about fifteen minutes ago, NIST 800-53 PR.AC-6, principle of least privilege?
Yeah.
That is the most important control for the cloud. It's the principle of least privilege.
Agreed.
We have to go through our cloud accounts, and we have to determine, does this user really need this?
Although people are getting much more comfortable with the cloud and and more experienced with the various flavors of of cloud offerings, but I think some of it is the ease with which you can, set up a new, environment and then just start adding people, and people may or may not have the expertise to do that. So so a little bit of that. But, also, maybe the people setting it up are also not the ones tasked with security, and so they don't think about, well, who's supposed to get access to what and why. For example, speaking with someone who had an, an AWS environment, and they showed me all of their accounts in, IAM.
But, you know, we went through things and then I said, Okay. Do you also SSH into here? Which is, you know, just for people who are a little unfamiliar, IAM is when you're kind of logging in the front door of AWS and SSH is kind of the backdoor. Right?
And and they hadn't listed any of that because it hadn't occurred to them. Oh, these are also accounts that have access that that we need to talk about. And so maybe sometimes just being aware of what needs to be looked at and reviewed by the business and by the auditor can can be a little broader than people are aware of.
I the and you need a really nice example of combining technology with identity. Right?
Mhmm.
Let's add an extra, you know, an extra, you know, barrier. Let's say, hey. The only way you can get this, not only you have the valid idea, but, we're also gonna have a a VPN into these resources.
Right.
Completely valid. Right? Now we all know that there's a lot of valid, valid resources out there that have no chance of putting the SSH. When a company's entire entire forecast, its entire livelihood is in a technology called salesforce.com. It's authenticated with users. And if you got your financials in there and you don't have two factor, what what the f?
You had a problem.
You know what I mean? Yeah. I had seriously, or HubSpot or whatever. I'm not picking on Salesforce. Fantastic tool.
They they change it.
It's a great tool. Mhmm. Yeah. But but it it but it's like all tools, it depends on how you set it up and if you're aware of the security, you know, around various things for sure.
Yeah. Yeah. So what I say is I acknowledge and not putting down L2 and L4 technologies such as as SSH and all the other VPNs and all that. Just that, unfortunately, in the in the world of where data is now, they're not always relevant, and they're not a control that can help.
K? And that's that's where I look at it. And and if we don't if we don't really take serious with all the technologies available today and encourage technologies to come out, I mean, I I think I think just personally, and then we wanna interview at this, that OIDC, SAML, and all the other mechanisms don't have an, an authorization trust score. Silly.
Right? Because you should authenticate the user and say, you know, I authenticate them at this level. I would put them at a seventy or a hundred. Okay.
Fine. Because maybe he's just looking at the web page. Right? Okay. But now now he's going to hear and hear, and we just have a single concept of one zero for authorization to for SSO, I think that's a little that that's a little dated.
Yeah. It's not enough.
Yeah. I think we have to get it up to zero trust where we say, I've quantified you here. This is this level. That means you get access to the these level of resources. But But if you need this, you know, we gotta take a little more blood from you.
I think that brings us right back to to your, you know, the the the drum you've been pounding, which is, who got access to what and why, that governance piece, and and how how do how do organizations start putting that front and center?
Right. In in we will go to this call, and your next one will be so we'll be talking about zero trust. I'm gonna talk about, say, secure access service edge. Alright? Okay. Fine. How do you enforce that if you haven't organized your users?
Mhmm.
Right? And you're doing a a CASB or whatever. There's no way you have a CASB. You don't have at least a thousand users going through that.
You have to quantify the users by role and then actively manage and govern not only the groups because the groups, that won't change that much. It really doesn't. And the guy that's that's kinda set and forget. Right?
Sure.
But the users the users are gonna change almost daily, and those should be reviewed. And and when I started this company that does access reviews, most of my customers were literally just doing it yearly. Mhmm. I more than half of them are doing it monthly now. That's great. Literally say yeah. I have I have to be reviewing these resources monthly.
Yeah. That brings up the I guess my final question is, this is a lot of work, and it's necessary. How do staffs seem to be shrinking rather than growing. How do we get this done, with less staff?
Yeah. Straight out automation.
All these processes go around and identify what employees are doing their time on. I the the silly tool that I created user activity is ninety percent. It literally reduces. We did a CPA, not doing talking to customers and prospects, eliminating ninety percent of the roles time.
And the other thing is is I do believe in the, the changing of the guard where every every, company builds its own furnace. I believe in the MSPs and the MSSPs Yeah. Where they can, yeah, where they can share knowledge. Right?
Mhmm. Someone who is an expert in IAM. Oh, he's doing it, but he does it for, you know, ten, fifteen companies. Right?
Right. He knows the best practices. Yeah. And he knows how to organize, and he knows the right tools.
I do believe that's the way we're gonna go. Because in the end of the day, that's why my brain comes on. We don't really exist. The business problem is this.
Right? We are a mechanism to that. And what is the most efficient way? What is automated tools and basically MSPs and MSSPs helping to manage this stuff.
And and most people know this, but just in case we have kind of a a newer listener, the MSP would be your managed service provider. MSSP would be your managed security service provider. And and like you said, they have the expertise in very specific things that can can take off your team's plate, some of these things. And they really do have that high level knowledge of how to do these these things for people. Well, this has been really, a really, insightful conversation. Appreciate your time. Is there anything, any last words of advice on identity management before we close?
It's all comfortable. It really is.
This is really the tools that exist today are the tools that can solve this problem, and I firmly believe that.
Terrific.
Because I believe they I believe in the people in the industry, and I know the people who've built these. And we're all very they're very sincere, and they address the real world problems of identities and securing the new world, which is the cloud.
Terrific. Well, thank you so much for your time.
Happiness. Thanks for the opportunity.
Alright. Bye bye. Thanks for watching.
To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms.
See you on the slopes.