Executive brief on how PCI DSS 4.0 affects offensive security practices, penetration testing, and segmentation testing. Watch Now

Navigating the IAM Maze: Expert Strategies for Cloud Identity Security

In this expert-led session, security leaders discuss the critical challenges and solutions for managing identities in complex cloud environments. Learn how to tackle machine identities, implement continuous hygiene practices, and leverage AI for enhanced security posture.


Session Summary

This insightful conversation features Komal Dhull (Founding Software Engineer at P0 Security) and Rita Gurevich (CEO and Founder of Sphere) sharing their expertise on Identity Access Management (IAM) with Bishop Fox's Matt Twells. They explore the often-overlooked challenges of managing machine identities that now outnumber human users, emphasizing the importance of continuous identity hygiene rather than one-time cleanup projects.

The experts emphasize that effective identity management requires shifting from periodic cleanup projects to continuous identity hygiene practices. They outline practical approaches to inventory management, making identity data actionable through categorization and risk assessment, and addressing the complexities of hybrid environments where transitive access paths create hidden risks. Both speakers highlight how AI can transform identity management by automating tedious manual processes, improving ownership attribution, and enhancing permission recommendations based on usage patterns. Throughout the discussion, they stress that identity management requires ongoing attention to access relationships, unused credentials, and permission boundaries—not just annual compliance reviews

Key Takeaways

  1. Machine identities represent a critical blind spot - While organizations have processes for managing human users, machine identities now outnumber people and often operate with excessive permissions and insufficient oversight.
  2. Identity hygiene requires continuous maintenance - Effective identity management isn't a one-time project but an ongoing process requiring regular attention, similar to personal hygiene practices.
  3. Understanding relationships is crucial - Organizations must map the complex relationships between identities and resources to properly assess risk, particularly in hybrid environments with transitive access paths.
  4. AI can transform identity management - Machine learning can automate tedious processes like ownership attribution, permission recommendations, and risk prioritization across large identity datasets.
  5. SaaS applications create unique challenges - Managing third-party service accounts and credential rotation requires specialized approaches beyond traditional IAM practices.
  6. Regular review processes must replace annual compliance checks - Continuously monitoring permissions and authorizations is essential as identity is now the primary security perimeter in cloud environments.

Abbreviated Transcript

Matt Twells: Hi, welcome back. I'm Matthew Twells, Senior Solutions Architect at Bishop Fox. We're going to discuss navigating the maze of IAM in cloud environments. Joining me are Komal Dhull, Founding Software Engineer at P Zero Security, and Rita Gurevich, CEO and Founder of Sphere. Rita has won many awards and Komal has a computer science degree from Carnegie Mellon.

I'd love to hear both of your thoughts on IAM. Identity management is crucial; if you don't know who the people are and what they can do, everything else is secondary. Komal, what do you see as the most pressing issue in IAM for cloud environments?

Komal Dhull: A big issue is managing machine identities, which now outnumber human identities. People know how to manage human identities through identity providers, but they struggle with service accounts. They might have hundreds or thousands of them and often don’t know what they all do or if they have more access than needed.

Matt Twells: Absolutely. Service accounts can log into other servers, and if unmanaged, they pose significant risks. Rita, can you define identity hygiene for us and how it relates to this?

Rita Gurevich: Identity hygiene involves automating the discovery of identities and fixing any problems found. As companies move to hybrid environments, understanding the relationships between identities and target systems is critical. It’s about continuous maintenance, much like personal hygiene.

Matt Twells: Inventory is crucial, but making it actionable is key. Rita, what do you suggest for a company with a large number of identities in their Active Directory?

Rita Gurevich: Inventory is the first step, but you need to make it intelligent. Categorize accounts by type and find where the problems are. It’s about continuous maintenance, not just a one-time project.

Komal Dhull: It’s also about surfacing risky identities, like unused machine identities or those with excessive permissions. We need to manage these continuously and address the tension between security and developers.

Matt Twells: Blast radius is important. Knowing what a compromised identity can access is crucial. How do you handle identity management in hybrid environments?

Komal Dhull: Managing transitive access is key. Group memberships and machine identities often have complex access paths. Cleaning up unused identities is crucial in both cloud and on-prem environments.

Matt Twells: How does AI fit into identity management?

Rita Gurevich: AI can automate manual processes, making ownership automation more accurate and flexible. It helps in risk scoring and control violations.

Komal Dhull: AI can prioritize risks and help uncover sensitive resources. Analyzing large data sets and predicting future activities can enhance permission recommendations.

Matt Twells: What are the main challenges with SaaS applications and identity management?

Rita Gurevich: Identity is the new perimeter. It’s about understanding relationships and communication paths, and ensuring continuous maintenance.

Komal Dhull: Managing third-party service accounts and credential rotation is critical. Understanding who has access and ensuring permissions are necessary is key.

Matt Twells: What’s the most overlooked aspect of IAM?

Rita Gurevich: Continuous maintenance is essential. Think of it as a lifestyle change, not a one-time project.

Komal Dhull: Continuous monitoring of permissions and authorization is crucial. Regular reviews are necessary, not just annual compliance checks.

Matt Twells: Thank you both for this insightful conversation. Where can people find you online?

Komal Dhull: I'm on LinkedIn. Feel free to connect and reach out about P Zero Security.

Rita Gurevich: Visit us at booth N4219, and I’ll be speaking tomorrow at RSA about intelligent discovery. Come say hello!

Komal Dhull: We’re also at booth 1960 in the South Hall.

Matt Twells: Thank you both for your time. Have a great rest of your week.

Matt Twells

About the speaker, Matt Twells

Former Senior Solutions Architect

Matthew Twells was a Senior Solutions Architect at Bishop Fox focused on technical scoping of client engagements, training and development, and sales enablement. He graduated from the University of Reading in Reading, England with a B.A. (Hons) in Economics, and has spent time working in the British Army as a Secure Communications Engineer, working with the National Health Service as part of the Cyber Defense Operations Center (CDOC) team during the COVID-19 pandemic and subsequently in a variety of cybersecurity consulting, technical project management, internal audit, and penetration testing roles over the last 7 years.

More by Matt

Extend Your Knowledge

Check out these related resources.

Bishop Fox Livestream RSAC 2024 Daniel Wallance Justin Greis
Virtual Session

Speaking Board Language: Translating Cybersecurity for Executive Leadership

McKinsey cybersecurity leaders share essential strategies for translating complex security challenges into business-focused board discussions. Learn how to effectively communicate risk, establish meaningful metrics, and build productive partnerships with your organization's leadership.

Learn More
Bishop Fox Livestream RSAC 2024 Nate Lee
Virtual Session

The Human Element: Building Trust and Influence in Security Leadership

Veteran security leader Nate Lee reveals how effective cybersecurity depends as much on relationship-building as technical expertise. Learn practical strategies for gaining organizational trust, communicating effectively, and driving security initiatives through persuasion rather than mandate.

Learn More
Bishop Fox Livestream RSAC 2024 Application Security
Virtual Session

Beyond Whack-a-Mole: Modern AppSec Strategies for High-Growth Companies

Security leaders from Reddit, Meta, and SeatGeek share battle-tested approaches for scaling application security in fast-moving environments. Learn how these organizations are shifting from vulnerability hunting to building secure-by-default ecosystems that empower rather than hinder development teams.
Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.