The one about protecting machine and human identities | Dynamically Speaking
With a ‘work from anywhere’ workforce culture firmly established, we know how important it is to verify the right people have the right access to the right information and processes at the right time.
But…what about devices and other non-human identities?
According to a recent report, more than 75 percent of employees surveyed used at least two devices for work.
So, for an enterprise with 1,000 employees, they could expect at least 2,000 additional requests for access from non-human identities.
In our latest Dynamically Speaking interview, Mitchell Greenfield, Director, Core Security Architecture for Humana, talks about how enterprise security teams can address the need to secure and authorize human and machine identities and access requests in 2022 and beyond.
Kelly: Hi, everyone and welcome again to Dynamically Speaking. I’m very pleased to have with us as our guest today, Mitch Greenfield, who is the Director of Core Security Architecture for Humana. Welcome, Mitch!
Mitch: Hey! Thanks for having me!
Kelly: So, Mitch, tell us a little bit about what it is you do you and your team do at Humana.
Mitch: Yeah, so, my team, I’m fortunate in the fact that my team is an architectural team, so we focus on endpoint email network and identity architectures.
So, we do not have responsibility for operations we are helping look at new technologies document how the technology should work and really helping from that selection to implementation, but then we have operational teams that kind of take over post-implementation.
Kelly: Excellent. So, today we wanted to talk about something that has certainly increased in interest in 2021 and looks to be probably at the forefront of concerns for enterprise security experts in 2022, and that’s securing human and machine identities.
So, with that in mind, would love to get your thoughts on a few questions here and maybe we’ll start with at a high level. What to your mind are some of the key considerations around securing machine identities versus securing human identities?
Mitch: I think the key difference to me is the Zero Trust principles that come into play.
Like most organizations, we have ambitions to really have a great understanding of our devices and of the people using them. So, machine identity, we really wanna know that, hey, this is a corporate-owned device and then that this is a valid user and that combination of user and machine together is what gives us trust that the right data can be accessed at the right time from the right asset.
So, for example, if you’re using, let’s say, a personal machine and you try to access a resource even though you might have the right user identity, you might be able to successfully MFA (multi-factor authenticate) because your machine identity doesn’t match, you don’t gain access to those resources.
As we think about the distributed workforce and how that’s changed in 2020 and 2021, and likely to really never be the same again, that machine identity is more important than ever.
Kelly: That that makes good sense. So, as you’ve seen this kind of evolve, what are some of the common missteps that you’ve seen or heard about enterprises making, or perhaps it’s more about issues that they they don’t consider when when looking at all of this, to your point, in particular as the landscape has changed considerably in the last couple of years?
Mitch: So, when we think about the the key things that people need to focus on or got it wrong, it’s really understanding that definition of what is a corporate asset and then how you keep them in compliance.
A corporate asset that is not in compliance can be just as bad as a personal asset, so it’s not just the machine identity anymore, it’s is the machine you know in a state of all that that should be authorized to access the data.
So, when we think about it, we think about what policies does that machine need and then what policies does that user need, what is the location, and how do all three come together to gain access to a resource?
You know we’ve seen challenges where rolling out machine compliance policies doesn’t always go very well.
For example, there were some issues with Samsung phones and compliance policies recently that led to some challenges and that that’s just one example of really having to have that that tight level of control.
Kelly: That does seem like it’s it’s a bit fraught certainly. Thinking ahead then to 2022, what would you say are some of the the challenges that lay ahead for us as we go into the new year?
Mitch: I think the the landscape is evolving, and you know our users expectations are evolving.
Also, everyone wants that ‘new phone experience’.
So, what do I mean by that ‘new phone experience’?
It means you get your new iPhone or your new Android and it knows everything about you already. You plug in that new device and you say “Here I am!” and it says “Okay, I’m downloading all your apps, I’m downloading all your data!”, and maybe ten, fifteen minutes later, you’re ready to go.
I think that’s the next evolution of endpoint. So, it’s how do you build trust in a brand new endpoint and how do you kind of go from supply chain all the way to provisioning and still have integrity in that device, and know that it wasn’t altered or that it was the authorized device.
For example, do you want a user going to Staples or Best Buy and just buying a device and turning it into a corporate device, or do you want it to come from your supply chain? That way, you get that tight level of control on the hardware specifications and you know it’s a supportable device.
Kelly: That makes sense and that really reminded me as I’m sure many of our viewers remember the the heyday of ‘bring your own device’ when that was a core consideration when you join an enterprise, right, that you could go to Staples and and buy a device and just have it get into the enterprise and and into your corporate network without having to worry too much. It’s a it’s amazing how quickly that is that has changed, certainly.
Mitch: Yeah, I never bought into BYOD (bring your own device), personally, and the reason I never bought into it was I thought about my mom – hi, mom if you’re listening – but she’s not an IT (information technology) person, but I think she’s representative of most of the workforce in the fact that she is functionally literate and she can use Office, she can use Outlook, she can send an email. She can do her job, but if you say hey “Here’s a brand new computer, go set this up!”, like, forget about it. So, I always kind of use her as the litmus test of, like, “Could she be successful with this”?, and that’s why I was never on the BYOD bandwagon.
Kelly: That makes a lot of good sense and, honestly, I hadn’t kind of thought about it that way but, I like that – and hi, Mitch’s mom! So, when thinking about all these things, and certainly Zero Trust as well, is something that people I think are actively preparing for 2022.
With all of this together, does this change any of the key considerations that you outlined at the start? Is there anything in particular that folks need to be doing now to ready themselves for what’s to come?
Mitch: I think the biggest thing when rolling out Zero Trust, and I think about it as data network, identity, and endpoint, and you really have to have all four elements to get to a true Zero Trust.
By the way, I hate the term ‘Zero Trust’. I like the term ‘Minimal Trust’, because that’s really what it is, right? You’re creating a minimal level of trust necessary to do what you need to do. Zero Trust doesn’t really exist. So anyway, I’ll stick to the bandwagon of marketing terms with Zero Trust…
I think what most people aren’t ready for is what does your workforce access to be successful and do you understand your workforce at a segmented level enough?
Okay, so everyone needs access to Office 365, or everyone needs access to G Suite.
Okay, I’m with you, but when you go that next layer down to business applications to things that are running in your data center, do you understand what business units need access to what applications on what ports to be successful?
I think that application mapping to roles to business units is really the the hardest part of Zero Trust. I think the the identity portion and I think the end point portion are actually easy in comparison to really understanding and getting to a place where you can lock down the network to just truly what is necessary
Kelly: Okay, that that also makes a lot of good sense and I think this naturally leads us into the next question, which is… We kind of know what the next little bit is going to look like how all of the things that have happened in the last year or two have influenced what we need to prepare for 2022. When it comes to securing human and machine identities, how do you feel that this is what are things are going to look like in five years or you know if you have this much of a crystal ball 10 years?
Mitch: I think it’s exciting, you know. I think we’re finally at a a day when people are getting the experiences they want and enterprises are getting the security they want. And I think a lot of this is being orchestrated by cloud SaaS (software as a. service) solutions that are finally there.
So, if I was kind of reading the crystal ball, you know, down the five to ten year pipeline, custom apps in your data center don’t exist anymore.
You know you will have custom apps only in a cloud environment but even the custom side of things are probably going to be a lot less than they are today. SaaS is going to continue to explode and that actually creates its own sort of challenges, its own risk of surface area governed by central identities.
So, I think central identity is still going to be more important than ever, but I think we’re actually going to be at a decentralized central identity, if that makes any sense.
Verifiable credentials, I think, are going to continue to kind of come into play over next year over the next two to three years. You know you’re gonna have employees show up with attestations of who they are in a way that you’ve never had before that is really awesome and and I think that will really start to shape how you provision access and how you think about access and then how you think about password resets.
First of all, I hope password resets are gone. I hope we’re just talking about granting new multi-factor claims or new multi-factor devices.
But I think that whole life cycle is just ripe for disruption over the next few years and giving back productivity, giving back value to the workforce, and removing friction.
Kelly: I love it. I think that’s great and certainly we’re seeing a lot of folks trying to move away from kind of those legacy, custom applications because it’s just untenable to to try to do more with them. It doesn’t scale, it doesn’t update.
So, that’s all really great information! Is there anything else that you think folks should know about this that maybe i haven’t asked?
Mitch: I think the biggest thing everyone should think about is where they want to be and then build backwards.
You don’t want the technology, you don’t want the buzzwords kind of lead you too much. Passwordless is a great buzzword, Zero Trust, it’s great buzzword.
But don’t let the buzzwords drive your strategy.
Really think about the experiences you wanna build and then adopt the technologies that give those experiences.
Subscribe to our YouTube channel for more episodes, insights, solution demos, webinars, and more!