
Host (00:01):

Welcome to The She Said Privacy, He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Host (00:21):

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a Certified Information Privacy Professional, and I help provide practical privacy support to overwhelmed companies.

Host (00:38):

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through identifying the problem and coming up with practical, implementable solutions. I am a cybersecurity subject matter expert and business attorney.

Host (01:00):

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers. To learn more, visit redcloveradvisors.com.

Host (01:35):

All right, and now let’s introduce our guest. We’re excited to talk identity access management today and we have with us today Hanno Ekdahl, who is the founder and CEO of Iden Haus Consulting, which specializes in, you guessed it, identity access management and cybersecurity services, based here in the good old ATL. Hello Hanno.

Hanno Ekdahl (1:47):

Hi Justin. Hi Jodi. Thanks for having me. I appreciate it. Looking forward to having a good conversation about identity and access management and its impact on businesses, how it can help.

Host (2:00):

Well, I have a question right off. Are you Hanno? How did we verify that you are who you say you are? Are you a deep fake on that screen?

Hanno Ekdahl (2:07):

I had to fingerprint authenticate to my phone in order to get on the camera. So you got some biometrics going for us today.

Host (02:29):

Good to hear. Well, we’re so glad that you’re here. Thanks for spending some time. You know, it would be great if you could kind of help explain how you got started in this world of identity access management.

Hanno Ekdahl (02:43):

Sure. So I started off, I’ve always had a fascination with technology and computers, did a lot of computer programming when I was a teenager. And also sort of had an interest in business. You know, I was selling my comic books. I came up with all these ways to make money. You know, you had the lemonade stand type of thing when you’re growing up. So my background is in applied math, computer science, and I got an MBA, married the two together and really found that I enjoyed solving business problems with technology. So I think a lot of folks look at technology as this independent thing, but the most interesting part about it is it actually can help solve problems if you link it to the business correctly. One of the biggest pain points is that IT systems aren’t implemented in a way that’s truly aligned with what the business needs, whether it’s from a security perspective or functionality perspective. And so we help bridge that gap. And that’s what got me into identity and access management and cybersecurity.

Host (03:44):

Well, wonderful. So tell us a little bit about what identity access management is. We’re floating these words and acronyms around, and maybe not everyone is as familiar with it.

Hanno Ekdahl (03:55):

Yeah. I don’t want to wind up with some alphabet soup here where everyone is wondering what we’re talking about. So identity and access management. I mean, actually Justin did a really nice job of teeing that up with how do we know you are who you say you are. And that really is what identity is, right? How do I know that you’re an employee of whatever company, right? So the first part is establishing your identity. Usually that’s done when you’re onboarded, right there, validating your driver’s license, your passport, other information about you to make sure you are who you say you are. And then they create a record for you in their HR system. And we can use that record then to create accounts for you inside the network, because we know you should be inside the network. We validated your identity. We have a trusted system that can establish that identity.

Hanno Ekdahl (04:39):

Now the access management side of that is what systems should you have access to and what are you authorized to do in those systems? So if I’m a financial analyst, let’s say, I may have access to some basic financial functionalities, but I can only do certain things in the system. So I have what’s called a role, and that role determines what I can and cannot do in the system. So identity and access management is about taking good data on users to determine whether they should have access to our systems, and taking additional attributes on that user to make decisions about how much access they should have within our environment based on their job function or role.

Host (05:23):

So in other words, that’s like in our household: if my role and responsibilities don’t include going and getting the specific things at Whole Foods, I wouldn’t have access to that program and the ability to go to Whole Foods and select those items.

Host (05:41):

Yeah. I didn’t know we were going to connect Whole Foods to access, but all right, whatever works.

Host (05:46):

You know, I don’t know if you can create some IT or the technology around making sure that I’m permanently excluded from that program. I think we’ll have to talk after this podcast.

Hanno Ekdahl (05:59):

We’ll see if we can help you out with that one.

Host (06:02):

But a little more seriously. When it comes to IAM, which is a significant defense in a defense-in-depth cyber strategy, why do companies have such a difficult time effectively implementing IAM?

Hanno Ekdahl (06:19):

I think the reality is that while identity and access management is a fairly straightforward concept, right? We laid it out pretty quickly there. This is what establishing identity means. This is what access management means. In practice, it’s a lot more complicated than that. It intersects policy, process, systems. And there are all these edge cases that need to be considered. A lot of times organizations shortcut the analysis and make some overly simplistic decisions about how they manage things. So they might say, well, all people in the accounting department should have this access, period. Which is oversimplified. And so they wind up creating security issues by making very simple decisions for more complex problems. They don’t understand the nuances. The other thing is that scope on these projects actually tends to explode really quickly, because everyone sees that they need what identity management offers and you wind up trying to take on too many things and you can’t do it all.

Hanno Ekdahl (07:23):

And so the program ultimately fails because you’re not able to meet the project deadlines, et cetera. But getting back to the root question, underlying data quality issues are a big problem. Understanding the processes: how do we manage the identity life cycle? What do we do for people who join the organization, move within the organization, when they leave the organization? How does that intersect with technology and our policies, right? What you should and shouldn’t have access to based on different states that you may have as a user. All that has to come together and work in lockstep in order to create the desired result. And there’s a lot more complexity than you might think.

Host (08:07):

So help us understand where you all come in. You know, if I’m a company and I recognize, gosh, I really need some assistance, how can I better understand what you all can do to assist? Where would you start?

Hanno Ekdahl (08:29):

Sure. So I think there are a lot of people in the identity management space that are technical implementers. So they’ll go build what you tell them to build. We come in and offer more of a strategic approach. So we have architects who will evaluate and lay out designs. We have strategists who will come in and think about the processes and how the whole system comes together. So one of the things we like to do that’s a little different is start off with an assessment and a planning session. It may only last a week, usually they’re one to three weeks, to understand where the gaps are in processes, the gaps in technology, any data issues that are underlying, any policies that need to be developed. And once we understand where the problems are, we can actually lay out a comprehensive plan in order to get our customers to the right side of the solution, which is it’s working and it’s doing what they want. So a lot of organizations have a build-and-pray strategy. And some get paralyzed in analysis. We like to come out somewhere in the middle, where we’re making smart, deliberate decisions with our customers to help them move forward, mitigate risk, maximize value.

Host (09:38):

So kind of building on that concept, Hanno, let’s talk about 2020, which was an interesting year for a lot of reasons. How does IAM evolve when we talk about it in terms of using it with a workforce that so quickly pivoted to being mostly remote?

Hanno Ekdahl (09:57):

It’s interesting. We have a customer that we just finished standing up their identity management solution for, probably actually a month or two before COVID really hit, and then suddenly everyone’s working remote. And so the first question I had is, well, how do we get everyone VPN access? It’s like, easy. You put them in the group that says they get VPN access. And we can automate that through the identity management solution. So the identity management solution can help us grant and revoke access as our needs change. So suddenly you go from, let’s say, a thousand people in your company needing VPN access to 10,000 people needing it. Okay. We can grant that in literally a couple of minutes, and we can revoke it as well based on our business rules. So now we’re able to quickly provision and deprovision access as our business needs change. I could actually implement policies that say, you need a VPN to access these three systems, but otherwise you don’t need it. So we can then consume and manage our VPN licenses based on the sensitivity of the systems that people need to access.

Host (11:04):

So let’s talk a little bit about the technologies that are in place. So you mentioned, you know, a technology solution. Can you speak to some of the technologies that are here now and where you think those types of technologies are going?

Hanno Ekdahl (11:19):

Well, it’s a crowded market space, so there is a laundry list of solution providers out there: SailPoint, Sapient, Plain ID, Hitachi, Micro Focus, Omada, Empower ID. Some of them are smaller niche players, others have specialty type solutions. In terms of where the market’s going, we talked a bit about the flexibility, right? You have a remote workforce, right? And the environment’s changing, where organizations are moving more and more to cloud. So we see in the more sophisticated platforms, and some of the vendors who’ve been on the scene for a few years, that they’re starting to implement more and more risk-based controls that are based on user attributes. So I can enforce my policy and reevaluate my policy even within a session, right? So we have policy decision points. So I keep evaluating the policy based on your session data; maybe there’s an update to how you’re accessing.

Hanno Ekdahl (12:18):

Maybe you were accessing the session sitting at your desktop, which was a company-issued machine. You switched to your phone. And we say, look, you’re not allowed to see that application on the phone. We can terminate that session. So we’re constantly and continuously re-evaluating security based on changes to your session. If we see anything anomalous, we can shut down your session. So the tools we have are getting much more sophisticated and allowing us to apply real-time security decisions to sessions as they’re ongoing. So instead of being a static set of rules that we evaluate once at the beginning of the session, we continuously reevaluate our policies based on your session, what we know about you as the user, so we can make adjustments.

Host (13:05):

So one thing we’ve been hearing a lot about from a variety of our guests, and just in the marketplace, is zero trust. Do you have some thoughts you’d like to share about what you think about zero trust and its potential from an IAM standpoint?

Hanno Ekdahl (13:18):

Sure. So zero trust, another way of saying that is identity is the new perimeter, right? So who you are and what you should access is really our perimeter, right? We used to have basically these IT castles, right? We have a wall, which was our firewalls. We have a moat. You know, we’re doing all these things to keep people out. We have our internal network and our external network. And with cloud, that’s all blown apart, right? People who are accessing cloud-based applications are outside of our network. So how do we manage their access? How do we determine what they can and can’t see, and still have a notion of security? Well, we have to change our security model to focus on what you, as an individual, can access. So identity and access management then is about continuously establishing and re-evaluating your identity to make decisions about what access you should have. So it ties back in very nicely to the previous question, where we were seeing that trend. Now we’re looking at risk: what device are you coming from? What are you trying to access? Even when you’re trying to access it, right? We’re starting to look at pattern recognition. It’s like, well, Hanno doesn’t normally access our financials at three in the morning from a device in China. Maybe we shouldn’t allow that. And so the security now is inherent in the re-evaluation of policy, on the fly, through these identity management technologies and platforms.

Host (14:52):

Small businesses. So, you know, someone listening might think, well, I’m kind of a smaller business. These tools sound really big and fancy for large enterprise-like customers. We all know in the privacy and security space that bad actors love small businesses. So how do small businesses leverage IAM? Is it, you know, only a big business kind of problem? Or what are the ways, or maybe some of the differences, or maybe there are no differences, for what a smaller business needs to be doing?

Hanno Ekdahl (15:25):

Yeah. For a small to medium-sized business, the investment in a mature, big-scale identity management platform probably isn’t worth it. However, more and more of the cloud-based providers are providing identity-as-a-service functionality that small businesses can adopt. So for example, at Iden Haus, we use an online provider and we’re using their multi-factor authentication, where they have these policy controls that they didn’t have two or three years ago. Right. So we continue to enhance our security. So I would encourage small, medium-sized businesses, if they’re using a cloud-based platform for their email and collaboration tools, to look at the security features within those tools and apply them. There are all sorts of validations and security measures you can put in place to protect yourself. The one thing I would say is that hackers know that the end user is easier to compromise than your IT systems. So really the biggest risk is training and awareness. And that’s a great place to focus on your team, helping them understand that they shouldn’t click on links and they shouldn’t download things that are attachments in emails. That’s really where most of the compromise happens. Not as much in hacking systems. I mean, that does happen certainly, but it’s really hacking users to get inside the network.

Host (16:49):

I did a presentation, a client training, yesterday. We covered phishing, and the IT folks were cheering me on when I covered all these specific points. They had all their yeses in the comment boxes. Great.

Hanno Ekdahl (17:03):

Yeah. I find that, having worked for a number of very large organizations, you know, they do take the awareness training seriously, and they do it periodically, and they have these phishing campaigns internally to see what people click on. And we’re all human. We might occasionally click on something, but there are some people who click on everything, no matter what you do. So then you’re going to have to make a decision what you want to do with that person, because they’re a pretty big security risk.

Host (17:28):

Yes. You had also mentioned something around pushing policies down. Perhaps for those who aren’t familiar with what that means, can you explain a little bit more about what type of policy we’re talking about here, and when you push different policies, what that is like in this context?

Hanno Ekdahl (17:45):

So policies can be something that’s fairly straightforward, like your password policy, which is probably something everyone understands, right? When you go sign up for access to your bank is a good example, right? It’s like, well, you know, it has to be this many characters long. It has to have upper case, lower case. These special characters are allowed, these aren’t. That’s a policy, right? So it’s defining some minimum standard that the user has to conform to. Right? So the idea with identity management is to pull as much of that policy management to the center as possible, and then enforce it through the connections to the endpoints. Right? So if I have an email security policy that I’m applying to your mailbox, I can enforce that centrally in my identity management solution: how big your mailbox is, how long you’re able to retain emails, what happens if you’re placed on a legal hold. Those are all policy decisions. So if there’s some legal event going on and my account’s placed on legal hold, identity management can then go out and lock my mailbox. So I can’t delete any of my emails; all my emails are secure, everything’s stored, because there’s a legal hold on my mailbox. So these policies are defined centrally and then enforced through these connectors that implement the rules and evaluate them in the endpoints. Hopefully that helps.

Host (19:09):

I think it’s very helpful. Thank you for explaining, for our audience who might not be as familiar with it.

Host (19:17):

I thought we might ask you, as our last couple of questions, based on all of your experience in the IAM sector, what is your best personal cyber tip for end users, or just, you know, people in their everyday lives, to be more secure?

Hanno Ekdahl (19:34):

Don’t click on that. Whatever you do, don’t click on that.

Host (19:35):

Like, I think that should be a new t-shirt.

Hanno Ekdahl (19:36):

I’ve got my coffee mug. I need to put, like, “don’t click on that.” So that’s exactly it. I think the thing is, a lot of times people have that gut feeling like something’s wrong, right? So many people have, whether it’s Netflix or Hulu or whatever bank you do business with, that spammers know they’re out there, and you’re sending out thousands and thousands of emails. You know, the reality is, it’s funny, I was actually listening to a presentation recently on this and they said, you know, the average bank robbery yields $3,000. Right. And it occurred to me, you know, the odds of you getting caught or shot trying to rob a bank are probably pretty high.

Hanno Ekdahl (20:26):

The average cybersecurity hack nets more than $65,000. And they have very little chance of catching you. So, which do you think is the more attractive crime? And there’s almost no cost or risk to perpetrate it. So there are these broad scams, right, where they’re just sending out millions and millions of emails, hoping you click on something, download something. So if you have a suspicion, don’t do it. So what I do is, if I get a link saying, Oh, your Amazon account’s been hacked, or this has been hacked, just go on the device that you trust and log in directly, like you normally do, right. Type in the URL, or go to that safe favorite you have, go to your account. It will tell you if there’s a problem with your account. So every now and then, if I’m unsure, I will do it that way. But I never click on links in emails. And my wife knows this too, because I’m like, Oh, don’t click on that. What are you doing? Don’t click on it. So it’s like we have cybersecurity awareness training in my house, because I’m nervous that she’s gonna, you know, compromise her phone or whatever.

Host (21:26):

So when you’re not hosting home cybersecurity awareness training, what do you like to do for fun?

Hanno Ekdahl (21:37):

Well, one of the ways I blow off steam is running. So I enjoy running, but unfortunately didn’t get to run the Peachtree Road Race this year. We did the virtual race. So I’m missing the road racing part of that. And travel, travel is actually another big thing. So our last big thing was a trip to Vermont to do some skiing. And that was really the last big trip we took this year. And I miss that. So, you know, just getting out of the house, travel, and running.

Host (22:04):

Travel’s good. I think many of us also miss travel. Well, Hanno, thank you so much. Where can people stay connected and learn more about you?

Hanno Ekdahl (22:11):

Sure. Our URL is www.idenhaus.com, spelled I D E N H A U S. It’s the German spelling of house. Or you can send an email to info@idenhaus.com.

Host (22:28):

Well, wonderful. Well, thanks again for sharing all of your wealth of knowledge with us today. We really appreciate it.

Hanno Ekdahl (22:35):

Thanks, Jodi. And Justin, appreciate you having me. All right.

Host (22:38):

Take care. We look forward to next time we talk to you. Sounds good. Thank you. Thanks for listening to the She Said Privacy, He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes, and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.