How to Create an Identity Strategy - Part Two
Roles & Controls: Defining Human and Nonhuman Identities
In Part 2 of a three-part video series, CyberEdBoard member Andrew Abel, a cybersecurity and zero trust consultant, and Chase Cunningham, CSO at Ericom Software, explain why organizations need to think about identities in the context of humans and nonhumans. Each has a role in the organization and each brings varying levels of risk to the business.
Names and faces change on corporate organizational charts all the time, and so do the many access privileges of devices, internal apps, bots and business systems that employees interact with every day. Many IT organizations have no problem onboarding employees, but they struggle to keep up when employees leave or move on to new roles.
Abel says identity strategy needs to start with a granular org-chart view of all identities - human and nonhuman - in a journey to zero trust, an approach that emphasizes least privileged access and continuous verification of identities. Trying to manage that process manually is cumbersome, and "the horse is down the road and around the corner" before anyone can respond to incidents, he says. Automating those processes is key.
"It's that governance and real-time alerting and telemetry around privilege, execution and identity usage that, to me, will be the future of where zero trust will hit in the identity space," Abel says.
Humans and nonhumans can have nearly a dozen different levels of privileges based on their roles, which adds complexity, but Cunningham advises giving priority to the highest-privileged administrators, application administrators and local administrators. "What you don't want - and what we typically see at large enterprises - are hundreds if not thousands of those privileged administrator accounts with excessive controls on different systems," he says.
In this video interview with Information Security Media Group, Abel and Cunningham discuss:
- Why identity is often misunderstood when implementing a zero trust strategy;
- Examples of human and nonhuman identities and risks;
- Incorporating human and nonhuman identities into your zero trust road map.
Abel has over 25 years of experience in IT across a range of industries including finance, services, retail, resources and consulting. He has worked as a vendor and a customer in both Europe and Australia. Over the course of his career, he served in a variety of roles from support to administration, consulting and enterprise architecture, and IT and security strategy. He has deep expertise in zero trust planning and adoption with an emphasis on identity, devices and network controls.
Cunningham, aka the "Doctor of Zero Trust," shapes the strategic vision, road map and key partnerships at Ericom. He previously served as vice president and principal analyst at Forrester Research, providing strategic guidance on zero trust, artificial intelligence, machine learning and security architecture design for security leaders worldwide. Prior to Forrester, he was chief of cryptologic technologies at the U.S. National Security Agency, where he directed research and development of cyber entities to assess threat vectors, network forensics and methodologies of nefarious cyber actors across the intelligence enterprise.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.