Closing the Security Void left by PAM and IGA in the Cloud

Dive into the cloud identity security with experts Simon Gooch, Johan Lund, and Sandy Bird. In the session, "Closing the Security Void left by PAM and IGA in the Cloud," these thought leaders from Accenture and Sonrai Security unravel the challenges and opportunities in transitioning to cloud-based identity processes. Key Insights:

• Evolving Identity Management: Traditional PAM and IGA concepts are evolving to fit the cloud's unique demands, with machine identities taking center stage.
• Data and Identity in the Cloud: Safeguarding data in the cloud era requires a deep understanding of data flow and the pivotal role of identity amidst new data products and services.
• Starting the Cloud Security Journey: Gain insight and visibility into your cloud infrastructure before delving into governance and compliance efforts.

Simon Gooch sheds light on aligning security strategies with global tech initiatives, emphasizing a balanced perspective on cloud transition and its business implications, while Johan Lund underscores the significance of comprehending machine identities in the cloud, moving beyond traditional service accounts. A prosperous cloud security strategy demands a profound understanding of the cloud environment and alignment of tech and security efforts. Discover the distinctions between on-premises and cloud security mechanisms, with a focus on data protection.

Karen Levy (00:00): Welcome back everyone. Our next session is, Closing the security void left by PAM and IGA in the cloud. Presenting this session, we have Simon, the director of global cybersecurity and global digital identity lead for the CIO at Accenture. Johan, a security consulting senior manager at Accenture. And from Sonrai Security we have Sandy Bird, who's our CTO and co-founder. Over to you presenters. Sandy Bird (00:28): Karen, thanks for the intro. Just to remind everyone listening in today, if you have questions, just drop them in the chat, and we will get to those at the end of the session. Welcome to this great session. I'm joined by two great people today. Johan Lund is here. Johan spends a huge amount of time with Accenture's customers on identity on that side. And Simon, great to have you. Simon Gooch, the director of cyber, and you have global identity, I believe, as well for the CIO's office. Again, welcome guys. Thanks for joining us. You can do a little intro in a minute. I probably screwed your titles up, but we'll let you correct them. (01:09): This session's all about the void and how things change with PAM and IGA and Just in Time Provisioning and all these things as you move from an enterprise that probably has pretty mature identity processes into using public cloud, maybe for the first time, maybe you've been doing it for five years. Maybe you're doing great, maybe you're doing terrible. We'll figure that out as we go. But then also, once you have this stuff up and running, if you have great governance and cloud, where do you go next and things of that nature. (01:38): Johan, Simon, I'm going to turn it over to you for just a minute. Introduce yourselves, a little bit about your roles. And then, we'll take a look at maybe a little bit about architectures and things like that after. Simon, why don't you go first? Simon Gooch (01:51): Thanks Sandy. Great to be here. I think the easiest way to describe my role is, I'm responsible for securing all the core technology that runs the Accenture business. I could leave it there, that might not really tell you what that's all about but. Whether it's how we think about securing that critical network, whether it's how we think about securing SaaS platforms from a configuration management perspective, securing all our workstations, those are all part of my responsibility. I have to make sure we're doing the right thing and it's aligned to our security strategy but also our global tech strategy. And then, as you mentioned Sandy, I also have direct accountability for all of the identity services, whether that's CIEM, MFA, the whole IGA scope of services and activities. That's all mine as well. (02:48): I have an interesting view, I think, of this space generally. Because a lot of the things we're going to talk about, I've had to experience, and it's had quite a big impact on me over the last couple of years. But honestly as well, it is probably worth mentioning, and then I will let Johan chime in, I don't actually come from a security background either. I've only been doing security for five or six years. I come from an IT transformation background. So, I actually find a lot of the things that are happening in this space super interesting in the context of that bigger move to the cloud and how you think about what you want to do, not just from a tech perspective, but honestly, why are we doing this? What's the business value? Sandy Bird (03:27): I love it. I think this whole, again, mixed history and different roles in your past actually work really well for this. I also think just having don't learn from our mistakes of the past is a good thing to have in the back of your head too. Johan, give us a little bit about yourself. Johan Lund (03:43): Yeah, sure. Thanks for having us join. I appreciate being here. I'm similar to Simon. I'm working in the IAM space right now. But particularly, I do it with Accenture Security, it's in the identity and access management space. Right now, I'm helping clients with that type of work, whether it be implementations or supporting some kind of operation. My background though is, I have worked in industry for quite a long time. I've worked in information security for quite a long time in a variety of different roles. And right now in particular, I have this opportunity where I got to partner with Simon to integrate a CIEM solution within Accenture CIO. That's where Simon and I have partnered and work together. Sandy Bird (04:30): Great. It's probably good to talk a bit about the scale, the types of cloud properties you're in, those types of things. You obviously can't give any secrets away, Simon, about the complete internal inner workings of this all. But give the audience just a little bit of scale and size concept and which clouds are important to you maybe. Simon Gooch (04:52): Yeah. The top line numbers, Accenture's fast approaching being an 800,000 person organization. We are truly multi-cloud, so we're across all the big cloud providers. And I think we have a pretty good strategy in terms of... From a tech enablement perspective, we decided 10 years ago, we knew the cloud was the only place that our size of business, 800,000 people with, I don't know what the number is now, but probably 3000 plus clients. We knew we really needed a lot of the flexibility that the cloud provided. So, we started that journey, not necessarily ahead of everyone, but I think ahead of the bow wave that you've been seeing over the last two or three years. But we didn't just stop at that initial cloud journey. We very much have an architectural intent to be cloud native. And honestly, I think we're at 30-35% of all of our critical services are now SaaS service and truly cloud native. (05:57): It definitely impacts our thinking. It makes us really reflect on how much we'd want to avoid legacy approaches to stuff, how much we really want to understand how we can extract absolutely every piece of value from that flexibility that we get when we think about cloud services. (06:19): But over the last 10 years, because we've been doing this for a long time, and we'll talk about it in a bit, I think Sandy as well, I've experienced a lot. I've been through a lot in terms of the things that were good that you can do more broadly in terms of that tech journey. But honestly, the things that I really wish, that I know today. And I think that's one of the strengths that Johan has when he talks to some of our clients. We just have learned so much stuff that you don't need to relearn. I really wish that I could have leapfrogged some of the things that I've had to experience in the last couple of years. Because Accenture as an organization of its size and scale with its complexity, it's been an interesting journey to get to here. Sandy Bird (07:06): Very neat. A couple of weeks ago, I was at the Cloud Security Alliance Conference, and they spent a huge amount of time talking about learning from your mistakes and complexity in these systems, but yet, could be a better world actually, if done properly. And I think it resonates here as well. Johan, clearly you spend time with customers. Pain points from them that you think are worth bringing up, humans versus non-human identities and things like that, machine identities in cloud. What are you seeing in the field? Johan Lund (07:37): I think this is an interesting topic or a good question here. It kind of varies. It really depends on who you're talking with as far as clients are concerned. One of the things that I've noticed is when I talk to a typical identity access management group, oftentimes we are focused on users' identities and service accounts in particular. That's the typical, traditional thing to look at. And some of my conversations with some of our clients, especially with the IAM groups, we start talking a little bit about machine identities. And some of them think machine identities, they immediately jump to service account. I remember when I first got on this thing, I thought the same thing too. But it's more than that. And you realize really quickly in the cloud, "Wait a second. These compute resources, these resources in the cloud can become identities." It's not just a service account in the sense that traditionally the way you thought about it. So, just having those conversations with clients, it's been really good. And hopefully it's been very enlightening too as we've had those conversations with them. Sandy Bird (08:46): Again, expanding a bit on that service accounts, and again, we have this multi-cloud problem. So, we have roles in AWS, instance profiles use. And then, in Azure, we've got under the cover something called a service principle that then has enterprise apps and managed identities, there's all these things. And then in GCP, you have something that's actually truly called a service account. Do you think, in the field, do people understand the benefits some of these brings? Short-lived tokens and stuff obviously is a huge benefit of this. We're not carrying keys around and putting them in config files anymore, which is good. But then, some of the complexities that come in the way the entitlements work. Do people understand it when you talk to them? Is there a lot of education you're still doing? Johan Lund (09:32): Again, it depends on the group. If you talk to a cloud group, yeah, they get it, they get it really quickly. Especially, cloud security groups in particular. But when you do have conversations with IAM groups, typical traditional IAM groups that don't have that visibility in the cloud, where the organization for whatever reason has that separation where there's a bunch of IT guys working in the cloud and then you have your InfoSec guys in the IAM space, some of the guys in the IAM space, yeah, they don't have that understanding. You're having to spend a little bit of time doing some education on that. That's what I've seen in some of the conversations that I've had. They're not all like that, but it just depends on how mature they are in the cloud and where they're at. But often, there is a lot though a lot of folks that I've had conversations with that have spent a lot of time in IAM that don't understand that right now. Simon Gooch (10:28): And I think Sandy, it's such a great question because it presents part of a challenge and part of opportunity for me. The challenge, Johan, I think outlined in terms of, do you have the right mindset? Do you have the right skills? Do you understand technically what you're trying to enable? (10:46): And the way that we pivoted to think about that in Accenture when we were looking at CIEM and what we needed to do and some of the complexity of those cloud environments was actually say, "Well, we probably don't have all the right skills." And in fact, are we thinking about this from a classic securing maybe non-cloud legacy perspective and really use it? So, actually use the problem that was in front of us and the challenge, to try and reeducate ourselves and actually challenge our thinking around, honestly, even more broadly than just this base off security services. (11:26): And do a couple of fundamental things. One was ask ourselves, I think you raised it Sandy, it's not an organizational question, but are we thinking about this in terms of not really pure infrastructure or security, but do we really understand the problem we're trying to solve for here, and honestly, what it means to the business? And that's not a mindless time to value statement or whatever else. It's just saying, "Hey, this isn't really just infrastructure anymore. This is much more complicated than that. Do we have the right architectural understanding and intent?" We use that to drive a bit of a challenge ourselves and our thinking. (12:11): And then, we also used it to say, I think we will definitely touch on this, "How do we think about the effectiveness of what we're trying to do? Genuinely, what is the outcome?" And you can't think about the outcome if you're going to think about it from a legacy mindset perspective. So, we have to make that change first. But once we've done that and thought about the space and what we were truly trying to enable, then we started to think about those things. (12:35): I think it's driven us to really actually challenge the way that we've thought about identity and to some degree the broader security space. And that's been super interesting for me. Because we no longer think about security as something we want to do to the rest of the firm. And again, I think trying to secure the CIEM space has driven us to say, "How are we leading the firm's charge to do some of this stuff?" (13:03): Security now, for me, is a great space and a great opportunity to work in a space that is pivotal to a lot of organizations, bigger tech strategy and enablement strategy, that cloud consumption space. But put this right at the top of that and say, "I'm going to do this thing first, and I'm going to think about it in the context of it as a cloud service in its own, so I can actually feel and tell the story for all those other tech groups and what they're trying to do. As well as the stuff I need to do for them and to them." Maybe that's a little bit philosophical, but we've brought all of that stuff to bear in our thinking in this space. Sandy Bird (13:47): I now have 40 directions we can go. Actually, you drove this really interesting concept there. Again, you and Johan can figure out how to divide this up as I ask it. You talked a lot about, we're going to put this at the top, it's going to be this interesting priority. But then, you talked about teams and things. How does this organizationally happen in the cloud? (14:10): I sometimes love to think about it this way. When we did classic identity stuff, you had a group and there was a manager of a group and they approved things or attested to them or whatever. But who in the heck approves the serverless function role? How does that work? And then I've heard, and again, it's an interesting perspective because you get it from different areas. Some customers are like, "That's just development. They own them. That's their responsibility, they have to do it." And then, you have some really strong identity teams that are like, "No, they need to be at least privileged. Because when we get attacked, it won't be a human identity. They'll get in somehow, vulnerability to something, and then they'll use that identity to laterally move and get positioned in the cloud." How do you guys see this organizationally? Who has the power and who turns the switches for this stuff? Simon Gooch (14:57): That's a tough enough question. I'm going to let Johan answer it. Johan Lund (15:03): That is a tough question, Sandy. I think it's interesting to hear you talk about that. I think every organization's going to operate differently in that sense. I've seen this where the InfoSec organization, especially the IAM organization, may be different than the cloud organization. And you're right, cloud is off doing their own thing at some point. Simon Gooch (15:33): Hey Johan, let me jump in there. Honestly, my perspective is one of the things I think personally, you do need to move. It's one of the things we did. Identity moved out of the classic security InfoSec space and we moved it into technology. Because Sandy, a lot of your questions are like how do you want to effectively deliver some of the outcomes of being secure, but also, how you're going to run all of that infrastructure that you are looking to interface with. For me, honestly, part of it was getting much closer to those areas of technology. Not necessarily devolving all responsibility and accountability. I get that point you made about needing to make sure you can enforce patterns for lease privilege, et cetera. But I think you can be more effective in that if you're much closer to the tech. So actually for me, part of what we did was, I now sit in the technology enablement piece of our organization. Sorry Johan, to jump in. Johan Lund (16:36): No, that's a good response. What I was going to say is, it reminds me of the early 2000s when we did vulnerability management. Back then, I remember IT standing up servers quickly and trying to do some patching, but they weren't really the best at it, until InfoSec, they got Qualys scanning or something like that. And then, they started to do the scans themselves and hold IT accountable. It reminds me a little bit of that. Where it's like, cloud's going to be doing their own thing, the developers are going to do whatever. But until you've got some tool to hold them accountable, get the power back in information security to say, "Hey, we know that these machine identities are being stood up left and right, and they're not lease privileged, and here's the reasons why, and here's all the things that we can see." Until you get that kind of visibility, you can't really get that control. So, I think for an InfoSec departmental organization, it could be really difficult in working with these different areas. (17:36): The key really, what it boils down to is the leadership. As long as the leadership can get into alignment, that's really what's going to be key as far as resolving those conflicts. Sandy Bird (17:50): I always like to talk about you've got to have the zones that the developers can stretch their mental capacity and you need to be able to give them a lot of rope to create things and build things with probably some pretty sensitive identities and permissions and things to do that. But then, there's certainly areas I'm sure in your cloud where the critical things are sitting, the crown jewels if you want to call it that. And that needs to be locked down in a way more secure state and you need to have a lot more control about what people are doing there and lots more checking before it goes to production in those cases. We had on our list of things we were going to chat about today, what's the difference between PAM and IGA, secret stores vaulting, all of these types of things, in cloud versus on-prem? How is it different? Are there things that people should consider? Does CIEM fill this gap? Using the secrets managers in the cloud versus external ones, how does all that stuff play into your mind? Simon Gooch (18:54): That sounds like a tough question, I'm going to let Johan answer it first. Johan Lund (18:57): I'll start it and then Simon will help me finish it. That's what will happen here. When think about IGA, I typically think of roles and access management to some degree. But specifically, I think about periodic reviews where there's some governance capability where you're looking at that access, whatever that is. And when I think about PAM, oftentimes I think about proof of access management and how you have an account that's in a vault of some kind and there's some kind of session monitoring on that account when somebody accesses it. (19:33): Cloud is unique in this space in the sense that a machine identity doesn't really fit in the same sense of the traditional IGA or traditional PAM view. You can't vault a machine identity and you can't definitely put some session monitoring in place when it's being deployed to do whatever automation. And so, I think it's definitely unique, it's different. And that that's where the challenge comes in, and Simon's kind of talked about this a little bit, but you got to look at it differently than you've looked at the other legacy solutions that you've looked at before. It just does not work the same way. Simon Gooch (20:15): I agree with Johan. But I think the thing that has a potential to trip you up is, it is different, but it is also an evolution and an extension of those things and you can't ignore them. In fact, there's a whole load of principles in them that you're looking to apply. But it's how you apply them, the mechanism for getting some of the outcomes that you still would like to achieve with some of that classic PAM and IGA stuff is just different. The context is different. And I think that's where organizations struggle sometimes. That was the point I was trying to make earlier on actually, that the context is the difficult bit. The learning that new ecosystem and what you are trying to achieve in terms of some of those similar principles, the way you do it. Some of the considerations which you are talking about Johan, they're fundamentally different. And you do need to change your mindset in terms of how you go about achieving some of those outcomes. (21:17): But also, honestly, I think this is one of the biggest struggles, how you don't let this space become something that's isolated and orphaned from all the other things we've just spoken about. Because fundamentally, a load of, let's call it, classic IGA and classic PAM, they're still overlays, they are still relevant, they are actually sitting within that stack and within the considerations we've got. We need to think about, what does that mean when we think about them top to bottom? (21:45): One of the challenges I have, and I think it's a difficult thing to answer, someone will say, "Yeah, but Simon, whether it's machine or non-human or cloud or non-cloud, it's all just identity. Can't you just explain it to me is very simplistically?" And honestly, one of the reasons I think we struggle in this space is because we perhaps talk about it in isolation. I do think being able to talk about it, which is why your question's interesting Sandy, in the context of all those things, even if it has different principles and different intents is interesting, Sandy Bird (22:19): It probably is the principle intent, we need to cover. As Johan said, we actually don't need to vault the machine identity anymore because it's already using these short-lived access tokens. But the whole point of that PAM system before was that session monitoring maybe. You have all the right audit turned on in the cloud so that you have proper session monitoring of the machine identity, you're free to turn on the audit. Again, it is this kind of context of making sure we achieve the same goals. The tools might be different, but the goals get achieved. And that's important I think in that side of it. So very interesting stuff on that side. (22:58): Time moves on here and someone will give us the hook as we go through this thing. I did want to talk a little bit about access to sensitive data. And I'll open this because I love this scenario of defense in depth. In enterprises, we always had defense in depth, and we would've said that, 'We have all these different things." But in reality, we have a tendency to build a lot of firewall rings deeper and deeper and deeper. And when we actually do this in cloud, I find defense in depth is actually, we have an identity control, we have a network control, we probably have an encryption control with a separate set of who can access the encryption keys for the data, and that gives us that defense in depth. How do you guys see identity and data access coming together, going apart, in this stuff as well? What's your take there? Simon Gooch (23:46): It's interesting. The data bit of it I think is very early in people's thinking, architectural intent, and implementation of the frameworks of control. Because classically, people have thought about data in fairly basic terms, in terms of data loss prevention. When I talk to people about how do you categorize your data, they might flip to their four organizational classifications of data, whatever they might be. And when you really start to look at how you consume cloud native services and how you need to really think about, what the cloud brings to the management of data, all of that stuff is, at best, table stakes. It doesn't really help you, it is sitting on the edge. (24:36): And you really need to start to say, "From a data perspective, before I even talk about what role identity plays, do I understand what data I've got?" And I mean data attributes. And, "Do I understand how that data flows between different systems within different cloud providers. Do I truly have line of sight to all my data." And not in a classic sense either, not necessarily through the application that I built or the service that I'm consuming. Because those are just one method of understanding a view on data. Do I understand data as it flows through all of my APIs? Leads you into an interesting question about how well you're securing your APIs then, in the construct of data. (25:20): And then, all of our unstructured data use, which isn't a classic application interface, right? Before you start to look at modern data products and services, the concept of which is about to be accelerated exponentially, when you talk about it in terms of GenAI. Because all that is, is really data and data context surfaced for new business uses at a speed and depth of data analysis that we've not had before. (25:54): So, all of those things drive us to need to really redefine how we think about data. I don't know that there's a great answer for that yet, apart from, you have to start those building blocks and start to build that picture up. And that's a challenge. Because there's a lot to do in that space for any organization. (26:13): And then for me, I tie that complexity and all those things we need to think about to, what role does identity play? And you started this conversation out Sandy, with talking about defense in depth. To some degree, from a principle perspective, I think we're flattening defense in depth a little bit. Because I'm moving to think about it in terms of only data, although I probably have just given you 10 different ways to think about and catalog and categorize data. So, I'm adding the depth bit actually within that one layer. And then, I think about identity and all of the constructs that come along with it in terms of what we need identity to drive, whether it's understanding things like conditional access and manage devices, whether it's understanding threats and risks around different identity types and identity use. So, I actually think to one degree, we are pivoting to a world where it is only data and identity basically, but we're building many, many different layers into those two constructs. And I think that's quite a challenge for us at the moment and it's quite a transformation in our thinking. Sandy Bird (27:30): Again, we're not going to get to all of the Q&A today, which is fine. Thanks everyone for putting your questions in on that side. We probably have time for maybe one of these questions. John asks, "Which one do I start with, governance versus PAM versus whichever?" Do you have an opinion of where you should start? Do you have a starting point? Visibility, always start with visibility. Simon Gooch (28:04): Honestly, insight. That's what I've just been pushing probably for the last five minutes, right? It's insight. You have to understand what you've got. And if you jump too quickly to governance and compliance, then... The world is moving too fast, the cloud environment are changing too fast. You run the risk of really not having an appropriate handle on your tech footprint and what you're using it for and what's in there and where it is and all those things, which means that you are going to struggle to achieve some of your outcomes. Sandy Bird (28:44): Guys, thanks so much for this session. We'll wrap it up here. Everyone who had questions, maybe we'll get a chance to answer those offline somehow with everybody. Again, thank you very much. Enjoy the rest of the Access sessions. Have a great day. Simon Gooch (29:03): Thanks Sandy. Thanks Johan. Johan Lund (29:03): Yeah, thanks everyone.