SC Media spoke with Centrify CEO Tom Kemp about the future of identity and access management. Here's what he had to say.
SC Media: During your talk at a Cloud Security Alliance forum at RSA earlier this year, you spoke at length about the fact that users have too many passwords and too many privileges. What kinds of policies and procedures should companies put in place to reduce passwords and privileges without making it more difficult for employees to do their jobs?
Tom Kemp: Centrify has a methodology to move an organization from the danger zone of too many passwords and too much privilege through an identity and access risk-reduction maturity model. To reduce the risk of passwords a company should look at implementing best practices around single sign-on, multifactor authentication and privileged identity management.
Interestingly, recent advances in technology improve employee productivity rather than raising hurdles of complexity. For example, most users cringe at the idea of multifactor authentication because it conjures memories of transcribing an eight-digit code into a laptop login, then again to a VPN login, and finally each app they needed to use. But today's multifactor is much smarter. Using machine learning to understand a user's typical behavior allows smart decisions around whether or not another factor is required or even if a user can be silently logged on. And when a second factor is required (such as accessing an app for the first time or from an unfamiliar location for that user), that factor is a single button press in an app on the user's mobile device. No inventory of tokens to manage for IT and a better user experience for end-users.
SC: A recent Forrester report that you referenced noted that $75 billion is being spent on security products, but just $5 billion on identity management technology. If companies were to increase their identity security spending by just another 10%, what could that $500 million buy?
TK: Let me set the scene a bit: Last year alone over $75 billion was spent on cybersecurity with vendors. The result? A brand new study from Forrester found that two-thirds of enterprises have been breached an average of five or more times in the past two years. There is clearly a disconnect on the priority of security spending versus the effectiveness of that spend on stopping breaches. Favoring an old approach of protecting a network perimeter that is not as relevant in today's boundaryless hybrid enterprise is a recipe for disaster.
And let's be clear — the consequences have been massive. In just the past year, the largest breach in history impacted over one billion consumers. Further, it cost Yahoo 7% of the Verizon purchase price ($350 million), and cost the CEO $12 million in lost compensation. Plus, the company is currently the target of an SEC investigation. And then there were hackers, who had a massive impact on the U.S. presidential election. Global cybercrime-related costs are expected to exceed $2 trillion annually in the next few years. Simply put—today's security is not secure.
So back to your question. Extra money can be used to implement well-established best practices when it comes to securing enterprise identities. The new Forrester study found that companies which reached a more mature IAM posture cut the number of breaches experienced by half. But the same study found that only 17% of companies had reached this level of identity and access management (IAM) maturity. So, there is a lot of room for improvement for most enterprises.
Finally, the Forrester study highlighted that a great place to start is by implementing privileged identity management. There was a correlation between the most mature companies and their level of privileged access security.
SC: You've talked about greater enforcement of least privilege and just-in-time (JIT) privilege. Please explain the challenges a company would face that currently does not implement these privilege limitations and what are they looking at in terms of personnel, technology and training when they do enforce privilege limitations?
TK: Many organizations believe that controlling the time period in which a user has elevated privileges (for example, checking out a root password for 60 minutes) is sufficient to stop attackers. The problem is that anyone who has that password has anonymous access and full control of a system – exposing an organization to a host of potential compromises. The concept of least privilege and JIT privilege eliminates unnecessary privileges from the role of the user and controls access at a more granular level, such as individual commands. For example, a web admin should be able to configure and restart a web server but not create local accounts or transfer database files from a machine. They should also log in as themselves and not as an anonymous shared account, thus preserving accountability to an individual. JIT privilege adds a layer of request/approval that exposes the need to use privilege on a machine to a manager and removes the privilege from the user after the task is complete. This means that even if a user is compromised in the future, they don't have permanent privileges on any system. This reduces risk and frustrates would-be attackers.
SC: You've discussed leveraging the power of identity services. In practical terms, how would an enterprise do that and how would it benefit? Also, how could SMBs – the targets of some 40% of all cyberattacks – benefit from implementing stronger identity services?
TK: We have already discussed how enterprises can cut the number of breaches in half. Enterprises can also benefit by lowering the cost of identity technology by 40% or more. This cost savings is realized when compared to implementing point solutions from various security vendors versus pursuing a single vendor strategy like Centrify Identity Services — built from the ground up to secure every user's access to apps, endpoints and infrastructure. SMBs benefit because they don't have the resources or skill sets to implement and integrate various point solutions, but instead can subscribe to Centrify which provides a complete solution out of the box.
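The command-level least-privilege model that Tom Kemp describes in his answer on JIT privilege (a web admin who can restart the web server but cannot create accounts or copy database files, acting under their own identity rather than a shared root account) can be expressed on a Linux host with a sudoers policy. The following is an added example written for this page; it is not Centrify code and not part of the interview. The group name `webadmins`, the service name `nginx` and the log directory are assumptions. The first rule is the weak "hand out root" setting the answer warns against; the rules below it are the corrected, command-scoped form.

```sudoers
# /etc/sudoers.d/webadmin  (added example; group, service and paths are assumed)

# WEAK (do not use): equivalent to checking out the root password. Any member
# of the group can do anything, including useradd and copying database files.
# %webadmins ALL = (ALL) ALL

# Least privilege at command granularity: name only the actions the role needs.
Cmnd_Alias WEB_CTL  = /bin/systemctl restart nginx, \
                      /bin/systemctl reload nginx, \
                      /bin/systemctl status nginx
Cmnd_Alias WEB_TEST = /usr/sbin/nginx -t

# Members log in as themselves; sudo records the invoking user, so each
# privileged command stays attributable to an individual, not to "root".
%webadmins ALL = (root) WEB_CTL, WEB_TEST

# Prevent the allowed binaries from spawning an interactive shell or other
# programs, and record every command plus its terminal I/O for review.
Defaults!WEB_CTL, WEB_TEST  noexec
Defaults:%webadmins         log_output, iolog_dir=/var/log/sudo-io
```

Validate the file with `visudo -cf /etc/sudoers.d/webadmin` before deploying it, and confirm the effective grant for a specific account with `sudo -l -U <user>`; the output should list only the `systemctl` and `nginx -t` entries, and nothing that touches `/etc/passwd` or the database directory. The request/approval step of JIT privilege is not something sudoers provides on its own: it sits in front of this policy (a ticket or approval that adds the user to `webadmins` for the task and removes them afterwards), which is the "temporary membership" Kemp contrasts with standing root access.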