Bishop Fox Livestream at RSAC 2024 on IAM in Cloud Environments
At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed special guests Komal Dhull, Founding Software Engineer at P0 Security, and Rita Gurevich, CEO and Founder of Sphere, on navigating the complexities of Identity Access Management (IAM) in cloud environments.
At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed special guests Komal Dhull, Founding Software Engineer at P0 Security, and Rita Gurevich, CEO and Founder of Sphere, on navigating the complexities of Identity Access Management (IAM) in cloud environments.
Abbreviated Transcript
Matt Twells: Hi, welcome back. I'm Matthew Twells, Senior Solutions Architect at Bishop Fox. We're going to discuss navigating the maze of IAM in cloud environments. Joining me are Komal Dhull, Founding Software Engineer at P Zero Security, and Rita Gurevich, CEO and Founder of Sphere. Rita has won many awards and Komal has a computer science degree from Carnegie Mellon.
I'd love to hear both of your thoughts on IAM. Identity management is crucial; if you don't know who the people are and what they can do, everything else is secondary. Komal, what do you see as the most pressing issue in IAM for cloud environments?
Komal Dhull: A big issue is managing machine identities, which now outnumber human identities. People know how to manage human identities through identity providers, but they struggle with service accounts. They might have hundreds or thousands of them and often don’t know what they all do or if they have more access than needed.
Matt Twells: Absolutely. Service accounts can log into other servers, and if unmanaged, they pose significant risks. Rita, can you define identity hygiene for us and how it relates to this?
Rita Gurevich: Identity hygiene involves automating the discovery of identities and fixing any problems found. As companies move to hybrid environments, understanding the relationships between identities and target systems is critical. It’s about continuous maintenance, much like personal hygiene.
Matt Twells: Inventory is crucial, but making it actionable is key. Rita, what do you suggest for a company with a large number of identities in their Active Directory?
Rita Gurevich: Inventory is the first step, but you need to make it intelligent. Categorize accounts by type and find where the problems are. It’s about continuous maintenance, not just a one-time project.
Komal Dhull: It’s also about surfacing risky identities, like unused machine identities or those with excessive permissions. We need to manage these continuously and address the tension between security and developers.
Matt Twells: Blast radius is important. Knowing what a compromised identity can access is crucial. How do you handle identity management in hybrid environments?
Komal Dhull: Managing transitive access is key. Group memberships and machine identities often have complex access paths. Cleaning up unused identities is crucial in both cloud and on-prem environments.
Matt Twells: How does AI fit into identity management?
Rita Gurevich: AI can automate manual processes, making ownership automation more accurate and flexible. It helps in risk scoring and control violations.
Komal Dhull: AI can prioritize risks and help uncover sensitive resources. Analyzing large data sets and predicting future activities can enhance permission recommendations.
Matt Twells: What are the main challenges with SaaS applications and identity management?
Rita Gurevich: Identity is the new perimeter. It’s about understanding relationships and communication paths, and ensuring continuous maintenance.
Komal Dhull: Managing third-party service accounts and credential rotation is critical. Understanding who has access and ensuring permissions are necessary is key.
Matt Twells: What’s the most overlooked aspect of IAM?
Rita Gurevich: Continuous maintenance is essential. Think of it as a lifestyle change, not a one-time project.
Komal Dhull: Continuous monitoring of permissions and authorization is crucial. Regular reviews are necessary, not just annual compliance checks.
Matt Twells: Thank you both for this insightful conversation. Where can people find you online?
Komal Dhull: I'm on LinkedIn. Feel free to connect and reach out about P Zero Security.
Rita Gurevich: Visit us at booth N4219, and I’ll be speaking tomorrow at RSA about intelligent discovery. Come say hello!
Komal Dhull: We’re also at booth 1960 in the South Hall.
Matt Twells: Thank you both for your time. Have a great rest of your week.