
TechDemocracy

BSides Calgary, 45:00, published 2022-12


[Music] A few things about identity management. The topic of the day is the IAM landscape. Before going to speak to that, I'll give a new introduction about the company I'm working for. TechDemocracy is a cybersecurity firm; it was founded in the year 2000, and for the past 22 years TechDemocracy has been delivering identity and access management solutions as well as identity programs, in the US, and we are also in community cyber advisory, risk assessment and security services as well. That means we have offices, our Canadian offices, that means Mississ

and

other really big customers. Exactly. So again, a brief history: in 2022 we have opened our Canadian operations, and we have colleagues working from others in every province of Canada, so we are trying to expand more toward western Canada. And some of the services that we provide here, as you can see: identity and access management, IAM, as well as credit management and so on. So we are vendor agnostic; we work with a wide range of vendors. You can recognize all these names. Yeah, I am, and we are happy to collaborate with such important partners. We have trust; these are the three values that we try

to bring, you know, to all of our implementations and products. Okay, I wanted to start with a Halloween joke, but they say great minds think alike, and Ed, working on his presentation independently, wanted to use the same joke, so I'm going to skip that and keep the suspense until the end. Okay, all right, let me... so Ed, I didn't steal your joke, it's yours. Okay, so identity and access management, that's the topic I'm going to talk about. TechDemocracy, and I have been working in the identity and access management field for more than 15 years from now. So I started in the early 2000s, where I used to work in the US. Again, I was

personal... it's not so the normal time, and it was just called, at the most, an access manager. I did pretty much very reliability, innocent things up there. So I'll just talk about the what, how and why of IAM. Yes, to introduction: so what is IAM? IAM is a combination of two areas: one is identity management, as the name goes, and the other one is access management. I'll talk a little bit more about each of these in the next few slides. So why do we need identity and access management? As we know, the top reason for any security breach is unauthorized access of some sort, right? People, hackers, gain unauthorized

access, and then they escalate privileges, and that's the main reason for security breaches for years. So how to control unauthorized access, and how to make sure that all the access that's there, that's assigned, is accountable? Identity management can help us with that. How? Identity management ensures that the right people can have the right access at the right times to the right resources for the right reasons. So that means people who should be allowed to access a resource should be given the access, and those who should not be given access should be blocked or denied that access, and identity management can take care of this automatically. And who needs identity management?

Anybody, anyone who wants to control access to their assets or other information that they want to protect. So if you have something that you want to protect and control access to, you need identity management. So today we are going to talk about identity management purely from a user perspective. There are different kinds of identities, but I am going to focus only on the user identity; that's what I did tonight. So since it's a very vast area, we have chosen three focus areas: one is identity management, the second one is access management, and the third one is access management. I'll be talking about the first two, and Ed will be talking about the third.

So identity management, what is it? Managing identities. Then what is an identity? An identity is a collection of characteristics or attributes, we say, that can uniquely identify an entity in an organization. So you have so many users, you have so many entities in an organization; how can you uniquely identify them? The characteristics. Let's say, what's your name? JoJo. JoJo, yes. So you are JoJo. How do you describe yourself? Who is JoJo? When I say JoJo, what should I think? I should think of the beautiful hair that JoJo has, I should think of her earrings, some characteristics, right? Or if I know you very well, the way you talk, the languages you speak, or your

likes and dislikes. So the characteristics are unique for you, and they make sure that you are JoJo. Can anybody else be JoJo? They can imitate you, but they cannot be. So that's identity: it's unique, it's single within the whole organization. Okay, and identity management deals with the life cycle of these identities. What is a life cycle? A life cycle means you start somewhere, you go somewhere else, and ultimately it finishes up. So similarly for identity, I call it... I took three stages; you can give any names you want, but I'm on this: onboarding. That means bringing an identity into the organization. Let's say we create... there is a need for an identity to be created in an

organization. Then what should happen as the next step? The identity is created. There are many systems, and we have to make sure that this identity is propagated to all the systems where the identity is supposed to have an account or an entity, right? So that's the onboarding; identity management can do that. So once you bring in an identity, depending on the characteristics of the identity, it can be created on multiple systems and endpoints without manual intervention. So then, okay, we have the identity there, then something needs to be changed: that person got promoted, transferred to another department, or left the company, depending, right? So then a few things should be changed,

like the account status, for example, active or inactive; or if it's a transfer from one department to another, the job code changes and so do the responsibilities. So modification of an identity in one system should be done on other relevant systems as well. So there should not be what we call a fragmented identity. Like, you have certain characteristics for this identity, like JoJo is somebody here in Bow Valley College, and suddenly JoJo changes into somebody else at her home. Is that possible? No, JoJo should be JoJo anywhere. So similarly, identity changes should be transported to all channel systems. So those modifications are also handled by identity and access management. The underlying technology is like, there

are some few things called connectors that connect one system to other systems. Changes trigger events, and then those changes are propagated. So finally, the deactivation, very important. So what happens when somebody leaves the company and the accounts are only cancelled on some of the systems? Incomplete deactivation of accounts is a big problem for security. So deactivated accounts should be taken care of, so that if an account is no longer needed, that should reflect in all systems, right? So that's taken care of by identity management. Another important feature is user self-service: password resets. So somebody forgets the password; instead of calling the help desk, click on the password reset link, get

an OTP or answer a few questions and get your password reset. It saves operational cost as well as increases process efficiency. So this is also done by identity management. So profile changes, like we talked about modifications: modifications can be of two kinds, one is admin-made and the other one is user-made. So certain attributes users can change, say like telephone number; if you wanted to change your number then you can do it by yourself, but only whatever is permitted by your organization for you to modify by yourself. So these are the two things: one is life cycle management, the other one is self-service changes. So let's say you have IAM in place, then how to make sure

that your IAM is right? This is not a complete list of checks, but a few important pointers to know. So if you have an identity and access management system in your organization, you can check whether that identity system is delivering a single and unique identity. So this is the old rule of identity management: no fragmented identity, no duplicated identity, a single, unique, uniform identity across all the systems. So if that's what is being delivered by your identity management, then you're not getting it right. And there is a centralized repository, so a centralized data store; it could be a simple .csv file or a database, whatever it is, you have a centralized area where all your

identities are stored, and any change made on one of the systems is first brought to this centralized repository. Okay, so it pulls the changes and then it pushes the changes to other systems, to the reloading systems again. So if you don't have a centralized one, how will you move, how do you manage? Like, each system should be connected to... let's say you have n number of systems; one system should be connected to n minus one, so many connectors, right, for each, and that's very difficult to maintain. So one centralized repository retains the changes, pushes the changes to other systems. And auditing and logging, everybody every time knows how important it is, right? So analyze

what's going on with your system, or to act as evidence if something goes wrong. The second part, access management: who can access what, that's what access management does. So we can dictate who can access what resources, and you can also track those accesses. Okay, so that's access management: letting people in, blocking people, or maximum system... Access management has a few functionalities, and today I will talk about authentication and authorization. So access management, as I'm saying, it can manage who can access what. How is it doing it? It does it with the help of policies, access policies. Certain rules are put in place; those rules combined together

become a policy, and the policy determines if a certain user can access a system or cannot access a system. So there are two kinds of policies: one is the authentication policy, another one is the authorization policy. The difference between the two: authentication will let the system know who you are, who you claim to be, and authorization will tell you what you can access. So if you take a real-life example: as a Canadian citizen, you want to travel to a foreign country, let's say. What are the two official documents that you need to carry? One is your passport. Excellent. And the other one is the visa, right? The visa that you need to enter the other country. So

authentication is your passport, the authentication document. So it verifies who you are, whether you are a Canadian citizen, you are JoJo, then you look like this, or you're of age so and so, everything. So it establishes your identity, who you are. And then what is a visa? It is permission to stay in that foreign country for a given time period, right? So that's the difference between authentication and authorization. Another beneficial feature of access management is single sign-on: log in once and access multiple times. It reduces password fatigue and again improves the user experience. So single sign-on; there is another form of single sign-on, federation. I want to talk about the difference between these two. So if you

have an organization, let's say you have multiple applications. You log into application one, then you want to access application number two without having to resubmit your credentials. So the process behind that is single sign-on going on. So there's a token generated, but that's... you log in once, you access multiple times. So that's... Federation. Federation facilitates the same thing, single sign-on, but between different organizations. So let's say you are working for your company and your company provides some healthcare benefits; let's say they have health insurance from other companies, for example. Then you log into your company's portal and you want to verify your benefits, okay, health benefits or

insurance benefits, then you just click on the link, or you go to Blue Cross, and you won't have to type in your

credentials. So you log in with your company credentials, but you're able to access the other company's portal. So that's federation; it's the mechanism behind that. So within one organization, whether one domain or underneath the same base, it's single sign-on; between various organizations, it's federation. Okay, similarly, like we did with identity management, you know that your... so your access policies should not be static; they should be based on zero trust: never trust, always verify, right? So your access policies are risk-based; depending on the risk that the application has, your authentication policy can step up or step down. So these are called adaptive access

policies. So if your application... say that again: you access application one, you click on application number two, and that's a high-risk application, and your authentication will step up. Step up means it needs more proof that you are who you are, so you will either be prompted for another factor, on your phone you get another token, or you might be asked to re-login, or if you are not eligible to access, you will be denied access. So depending on the high risk, or the risk level, your authentication policies will change or adapt. So this is like, if your IAM, if your access management is doing that, then it's going in the right

direction. The other one is continuous access certification: verification of who has access to what. So you granted access to certain users, let's say... you gave admin privileges to some accounts, right, some users, some employees in your company. In the older days you just used to give them escalated privileges: make everybody DBA, but yay, then what happens? At 2 AM in the night you get a phone call: hey, this website is down. We are a healthcare company, 99% of the time it's needed; it's all IAM's fault, it's all identity management's fault, it's not something, it's not working. So everybody... so that's not recommended anymore. What you do is you give access, and periodically you verify

the access that you have given. So a document is made, a report is made, that will be sent to whoever is responsible for verifying the access, a supervisor or an administrator, and they will verify the access, and if it's not needed it will be revoked. So continuous access certification should be done; you should not provide access once and permanently trust. And of course the user journey should be good. So if your access management has these qualities, then it's going in the right direction. So that's all I have for today, thank you.

And thanks for not stealing my cartoons; we've got one coming up here in a few slides. I'm Ed McKenzie, I'm from BeyondTrust. I'm a sales guy, don't be afraid of me. I've been asked graciously by TechDemocracy to talk about privileged access management. So we heard what identity is, how do I identify who a person is, and then talked about what access should that identity have. The last step is privileged access, and that's why we're here today to talk about. What does that conversation sound like right now in the industry? Of course the one I want to talk to is this episode... there's a lot of moving parts in the

industry. I had a conversation with somebody earlier in the booth today... that's fine, don't worry about it. What's driving a lot of conversations with my customers is cyber insurance. There are some requirements in the cyber insurance industry now: they're requiring people to have PAM in place. They're saying, in order for us to renew, you have to sign an attestation letter to say you have done this. So we are seeing a big uptick in this, and the reason is, a bunch of companies went into the cyber insurance business 10 or 15 years ago; they've had to begin writing checks as hackers... we're all in this together, it's not a matter of when, or sorry, if, it's a matter of when

they're going to be hit. It is going to happen; everybody's going to be hit. So these guys are now beginning to write their checks too, so what they're demanding of their customers now is you... The other one is compliance. Joe Biden last year, in the May timeframe, through the Transportation Safety Administration, issued a directive to all fuel-based pipelines in North America: if you have a pipeline that goes through the United States of America, you will be protected with a privileged management solution that blacklists and whitelists software. Why? Because Colonial Pipeline last year was hacked; it was taken down, and the price of gasoline at the pump in Washington DC was five times. The pipeline, the fuel-based pipeline in

North America has been identified as mission-critical infrastructure, just like the electrical grid is, just like the water is; the fuel-based pipeline has been identified, so they have to put it in place. The other one that's driving a lot of discussions is around IT efficiency and automation, and assessments that are done in the environments. I'd say half of the conversations I'm having with people, I start off with: why are we here, why are you reporting, what's the compelling event that made you reach out? And a lot of it is, hey, my cyber insurance company said I must; Joe Biden said I must; or a healthcare industry hit by a regulation in

place that says I must. The other half of the conversations I'm having is: I've realized I'm at risk, my company's at risk. I had this assessment done; we're at 2.0 on a scale of five; that's not good enough for the 1855. So assessments, and getting my IT out there efficient at protecting us... I've got one customer, I won't even name them; having this assessment, they put a program in place to... they had 14 projects underneath it to address the fact that their assessment rating is 2.2, which is unacceptable. They wanted to be at three, and gave themselves three years to do so. They're going to re-measure themselves in Q2 '23 and see if the 14 projects that

they kick-started in 2020 have moved the needle up to three points. Those are the conversations that are driving why PAM exists. So again, it's a subset underneath the IAM industry. So IAM is the big overall, access is in it, and then focus down on privileged access. What do I mean by privilege? That could be Windows administrators, Active Directory administrators, SQL administrators, Cisco administration, Unix/Linux administration; all of those have an inherent privilege that comes along with those accounts, and we help manage those. Again, I love asking the question; I asked it this morning of another gentleman in the booth. I said, how do you manage privileges? Because you

don't want to know. I said, yes I do. He said, well, it's in a spreadsheet. He said, that's good, okay, so I can get to it. It's encrypted? Well that's great, and that's on a share...

Do you understand the encryption level on a Microsoft Excel spreadsheet is not that hard for probably a 14-year-old kid? So your privileges are in a spreadsheet; your user needs a password to open the spreadsheet, but just about anybody can, and more importantly, take it away, not just... I can take a copy of it. Remember me? So I love asking the question: how are you protecting your privileges? One customer, again, I will never name the customer publicly; the conversation started off with, Ed, we need some help. Why? We had a pen test done; we held them off for two hours. They were out there trying to get in; we held them off at the network. But then as part of the pen test, if

they're not getting in, you let them in, because within five minutes of letting them in they had complete control of the environment. I said, why is that? Those are going to make the internet... Give me one username, admin, and I got into all of the boxes, all of the Windows ones, within five minutes. So understanding what your privileges are, because they're everywhere now; that's probably the most important thing in understanding: your privileges are everywhere. Don't just think of this as the typical IT administrator; they're everywhere, on your local laptops. Some people have stripped them, we'll see here in a second; some people strip those admin rights away, others have

but privileges now exist everywhere. And I had another conversation with a gentleman where it's IoT; this is scary. There's some nasty stuff happening and I won't go down to one path... a pretty disturbing video that's up there where somebody took remote control of a camera in a nursery, and the baby, that toddler, was waking up in the middle of the night screaming because somebody had hopped into an IoT device that did not have a lot of access control on the camera. Not only that, the camera has a speaker, and this guy was speaking through the camera. So there's some nasty stuff out here with IoT as we enable everything with the internet. So your bad actors, as I mentioned,

are after this. These are the things we need to, or we help you, protect, from BeyondTrust: privileges, whether it's a password, a credential, a secret, etc. Secrets are nothing more than a simple way of saying... oops, whoa

Sorry, that one there, we go. So PAM: people ask, help me understand what it is. Here's what it is in a nutshell. It's really made up of a few pieces, and this is taken from Gartner; I created this slide. So it has privileged account and session management. So what is a privilege again? A Linux root, a sysadmin; many of those are privileged accounts. How I help you control and report on them, how I should help you control them, is: discover on the network where these privileges are, and we have some tools that can help you discover, which is helpful. Once I've got them, I put them up in a

safe. I might not need to onboard all of them; I may say, you know what, my Linux boxes I don't care about, my Windows, yeah, I'm going to bring them up first. Now that I've got them up in a safe, I'm going to control who has access to it. So I'm going to manage

you know, my role: I get to open up certain groups; imagine those are systems. So now the log is into the safe, and we say yes, you're allowed to gain access to a certain subset of systems; that's great. So what I do is I ask the safe, create a session, and that session... pretty decision... and begin recording absolutely all the video, keystrokes. So this is what we need in the sense of PASM, privileged account and session management, because I'm going to allow you access to a privilege, not just access but a privilege, and I'm going to record everything that you do. The other half of the house is privilege elevation and delegation management, and I tell everybody this

story, and I apologize if you've already heard it. I was hired at BeyondTrust; they sent me the laptop, right, turned it on, and there's two pieces of software I need to load to do my job. I was hired during the pandemic, done. So the very first one was, I said, headset software; you double click on the Polycom install, and what do you think happens? That's a BeyondTrust laptop; we drink our own champagne. So the BeyondTrust product stepped in: but wait a minute, you're a sales guy, you're the lowest level of trust, so we're not going to allow you to load this software, but there's a box that says, however, if you think you really need this software,

push this button. And I did. Is it Microsoft Teams needs to talk to my headset, or control my headset? Yes; I can still connect Bluetooth, but you don't get the automation. So hit the button; it takes all the information about that piece of software from Polycom and sends it into ServiceNow. It automatically creates a ticket in ServiceNow and sends it off to the security analyst. The security analyst, in about 10 to 15 minutes, looks at it and pings me back on Teams saying, hey, I see you're trying to load this; we're okay with that, give me the code. I'll give you a code that's displayed on the screen; it gives me an eight-digit code, I

type it in and my process is elevated; you can install the software. And then... no more, nonetheless, I give it an admin username and password and elevate it for the amount of time I need it, and then the elevation ends. Guess what happens 30 days later? Hey, there's an update. The white one, squirrel chaser... I double click on it; I have to have nothing; there's something there, right? I double click it, what happens?

30 days later, the same thing happens. I double click it, go through the whole process again. We have an internal policy, it might be on trust in our services team; it says after three events you will contact the user. So they contact me: do you need to do this? Yes. [Music] The next 30 days later, it comes up, I double click on it, what happens? I don't even have to touch anything; it installs. The second piece of software that I loaded on my first day was Spotify, because I listen to music in my home office. What do you think happened when I double clicked on Spotify down here? Any guesses? Installed. Somebody at BeyondTrust said, you know what,

we're going to let all our people who load Spotify, if they want to; so they put it in the whitelist. Now, my son would do this... they have all their own technology, but my son takes my laptop and tries to load Minecraft. What do you think? Stop, the big round sign comes up: blacklisted. It's not about... our team looked at it and said, no, we're never allowing that. Always work... So PEDM is all about elevating somebody when they need it, just in time, and getting it done; do not stop them from doing good work. If I actually had that low-flex user for a developer, they would quit; a developer would not work in that

environment, right, because Visual Studio requires privileges. If you're going to give the admin username and password to a developer, you just opened a huge risk. Why? And I don't mean to offend anybody: users are stupid. They will click on things that they're not supposed to click on. I have been personally hit by ransomware; it encrypted my entire desktop of 35,000 folders. Luckily I'm smart enough and I had a backup, so I didn't have to pay anybody anything, ransom. But I was personally hit because I was looking for a border for a picture to transfer... Ransomware can only do damage if it has privilege. This is what helps solve it: take the privilege away, don't allow

users to have privilege, don't give elevated use, and don't make it easy; protect the company. The number one thing, if you look at Gartner's report for cybersecurity status, cybersecurity and community...

So we need to protect against that. So back to PASM: just discover where your privileges are, store them up in a safe place, manage who has access to them, and then monitor and record everything they do with that access. Pretty straightforward. If you do that, you've just lowered your risk in your company, because that is a major attack vector for bad actors to get in. Give me a privilege, I can do damage; make it the same credential on multiple machines, I mean, they can do more damage. The worst thing I can ever hear is, yeah, we use the same username and password. At least randomize it; make it a little bit difficult for the person.

Now this is back to the PEDM one for a second: taking away to least privilege, stripping away the admin rights from your local laptop. Why do you need admin rights if it's a corporate machine? I just want to bring your attention to this; the easiest thing to do is... circle away again, right, to just reduce the opportunity for ransomware. This lady is a speaker of ours that we use; she's an ethical hacker. And our CSO, go look up Marc Maiffret if you want to read it: Marc woke up one Sunday morning with the FBI at his door with guns drawn, and he'd hacked into a government website, and they didn't like that idea.

They came and paid him a visit on a Sunday morning. But both Marc and Paula are ethical hackers trying to expose where the weaknesses in the world exist. So why... and we're coming behind us... why is privilege at the user level a bad thing? Well, we have antivirus, and to do a good job; I came from McAfee,

who does a great job against everyday malware. Now, cyber... or CrowdStrike, everyone's bridging on helping you understand something's happening on your system, on your network, that isn't the way it used to be yesterday. So it really helps you understand what's happening there. And then of course you take some of this information from all these different systems you can have down here at an EDR, and of course you want maybe to send it all, right, let your SIEM look at all of the data and try to make heads or tails of it. Okay, that's great: I have antivirus, a cyber tool; I have an EDR, a cyber tool; I have a SIEM, a cyber tool,

and I just certainly had been right to begin with... I don't know how much noise can we come down the street... Ransomware requires privileges to do any amount of damage. The reason they encrypted my desktop is my username on my home machine was the administrator, so they've got complete control of my C drive, my D drive, everything. Everything that was a doc, a JPEG, everything; it encrypted every single one of them, and then put the splash screen on asking for a Bitcoin. And that's probably a decade ago now; I can tell you I'm a lot smarter on what I expect nowadays, but it was my own fault, admittedly, and that's why I mean the users are stupid.

We love clicking things. Oops, I was going over the best part. So how do you scare a CISO when you talk about admin rights? Just telling them everybody's got admin access; that would scare the living heck out of anyone. If you told me every laptop at BeyondTrust has admin, that's just a recipe for disaster, and it's such an easy fix. So when I talk to people about this, they've either gone one end of the spectrum or the other: everybody's got admin, which is a bad thing, or nobody has it, which is a pain in the butt for any development. Why? Because Visual Studio requires privilege to run; it requires privilege to run because it wants

to write into the C drive, and sometimes it wants to write into the registry. So why not elevate that Visual Studio process on demand, rather than giving that developer... So admin least privilege, whatever you want to call that, is all about taking away the admin rights and letting the CISO sleep. My last slide and my last statement: so everything I talk about is not BeyondTrust; I've got competitors, I'm not going to name them, I don't want to give them... but we all do the same thing, whether it's PASM or PEDM or a combination of the two, remote access into your environment, etc. It doesn't matter where on your journey of beginning to manage your privileges you

start. But once, as Highlands wrote, once we've identified who you are, and we've identified the access you're allowed, and identified what privileges... privilege is where damage occurs. Identity and access is where data is stolen from, but privilege is where damage occurs. I have to have privilege to exfiltrate the data at a global scale. I mean, I can steal stuff on my laptop; companies have fun, take my laptop, there's no information, right? Give me a privilege on the SQL database, on an Oracle database. So my point on this one: there's no right place... I've had conversations with customers, they don't have it, it's such a big task. Inside, now we understand when you think the

problems are that you're running into. If you don't know, I can help and say, here's the challenges other customers have; you have the same challenges, etc. But there's no right place or wrong place. If you decide to start with securing your privileged accounts, that PASM side of the house, that's a great place to start: let's put all my credentials up in one spot, control who's got access, record every time it's used. How many people have to sign off every 90 days? For publicly traded companies, CFOs have to sign off... once I start talking about what is one of the requirements of Sarbanes... obviously, not that that CFO is signing off

that I know who had access to the financial control systems of this company. I can actually help you understand who actually had access; I actually help customers pass their audit a lot, way faster than they ever could before. Or if you decide to jump on with least privilege, what I just talked about, okay, it doesn't matter; get on board. And the customers that are getting on board are beginning to go back inside; they're not scared. I'd be happy to stand up here a year from now and say, you've got my customer who had their assessment at 2.2, 2.3, is greater than three next... that are taking the proactive approach, understanding there is risk, there are

gaps in their security posture. You know, if you can, hire anybody, hire an outside consultant who can help you, who can help with turbine, and show you your accounts; and you may have these covered, I'm not saying you don't, but pay attention to those gaps and see where you can reduce your risk. And then I'll shut up. One CISO, C-I-S-O: if we had 15 minutes of pain every 90 days, since you've got to talk about it every 90 days, he walks in with one slide with one number on the left and one number on the right. The one on the left was last quarter's mark; the one on the right is this quarter's. What he did was he found a way to

measure risk within the company on a scale. So we need to be at 5.7, and today we're at 5.6 or 5.8 or whatever it is, and that's all you do is present it to the board and say that. Why? Because he actually understood where all his risk was, and the company was able to quantify. And they go, okay, why did we go up? Well, here's some programs you had in place that are improving. Why did it go down? Here are some areas. Understanding your risk is the most important thing we can do; privileges just help you lower that risk. I would argue it honestly is not a cybersecurity... I would argue we're connected

management; companies should be managing your privileges, whether you're concerned about the cyber economy or doing it properly.

Any questions? Because Lord knows I can talk for hours. And yes, I have to wear these shoes.

BeyondTrust marketing... at SecTor, the big security conference in Toronto two weeks ago, there's nine people with the same shoes on; it's our marketing, Galaxy makes us do it. We all thought the teachers' haircuts... Any questions? Sorry, that I can answer... I missed... I saw the CIS CMMI, where you find a better lever; when you're having five, six more people who are trying to measure, it indicates it's more operational. Is there something that you're finding is more granular and more understood, or is it just kind of flavor of the month? It truly is; my point is, hence, that's why: understand there's risk. I don't care how you measure it. I can't believe... customer, again, he's got the ISO 27000 certified

business in the US, got measured against them, so it really depends upon your organization. I have people with this... I've had people hire materials that can come in and go according to do an assessment that you market here for the gaps.

Do you have any questions I can help with? Otherwise...

Well, thank you for your time. [Applause]