Very much everyone glad to be here. So as mentioned, my name is Man, I'm head of IAM at Booking.com, Identity and Access Management, and I've been a software developer for 15 years, and I've been an access management product owner for five years before taking on the role of capability lead for IAM. And as mentioned, I wanted to talk about cyber hygiene and why I consider that to be the backbone of a proper identity and access management strategy.
But let's start with defining a little bit what we mean by cyber hygiene, although we've probably already discussed this several times today, but in essence it's the contrast between the Hollywood view of what cyber security is and the other half of the story. So in the Hollywood view, we're talking about a dark room, a lot of people typing really fast.
Well, an attack is ongoing and we're trying to prevent it in real time. But the other side of the coin is the, again, less sexy stuff, less spectacular, which is the day-to-day practices that we have to perform in order to stay secure even when there's not an ongoing attack at the moment.
And yeah, it might be a little less spectacular, but it's actually probably far more important. I think the right analogy is basically with personal hygiene. So personal hygiene is something that should be regular, every day, cyclic, routine, repetition. They are practices that, if you follow them, keep the doctor away, or in other words, you minimize the chances or the impact of an incident. In this case, a health incident, right? So someone who has proper hygiene probably will have less issues healthwise, and when they come, they will be minimized.
Bottom line is cyber hygiene is something that is proactive, while incident response, which is the other side of cybersecurity, is reactive. But this is what we're talking about; we want to focus on that proactive side of it. And what we need to also think is, the approach of "we implement a security solution, some kind of technology that will take care of everything", that's not realistic. Security solutions can definitely help us a lot, but we need those practices that take care of our environment to tackle the other half of the road.
So why is cyber hygiene important? Well, bottom line, in a nutshell, it's a requirement for cyber resiliency, making sure that we can achieve business continuity after an incident. It basically raises the opportunity cost of an attack by making our environment, our exposure, reduced.
We make it basically more difficult to take advantage of those things that we are leaving to chance. And basically attackers will prefer to move to another victim because we are not giving them much to work with, right? And cyber hygiene basically focuses around two topics.
On one side it facilitates maintenance of our environment, our security controls, and on the other side, by doing this, by facilitating maintenance, it increases overall security.
So before we talk about how cyber hygiene is related to IAM, what is IAM, right? What is identity and access management? So it's, in a nutshell, about who is able to access our resources, controlling and limiting that. And it has basically three main areas. Identity management is basically knowing who the identities in our environment are.
Access management is about defining and enforcing what they can access. Typically authentication and authorization are the main practices in this area.
And finally, IGA, Identity Governance and Administration, is about the controls that we put in place to make sure that these practices, identity management, access management, are working correctly, so that we are indeed giving access to who would need access, and we are adding identities when the user account life cycle demands and removing them when they should be leaving our organization and so on.
And one thing to keep in mind about IAM is you will find very, very few, if any, security incidents where IAM is not at the center of it. Basically, virtually any cybersecurity incident has an IAM component, simply because it is about people having access to resources. So attackers getting access to data, machines, whatever that is. So there is always an IAM component, which means there's always value to be obtained by improving your IAM practices and improving cyber hygiene in your IAM environment.
So when we talk about creating a strategy around those cyber hygiene practices, the first thing to keep in mind is IAM is definitely, just like everything else in cybersecurity, not only about tools and technology, but also about those practices. Making sure that your controls are operating correctly, making sure that your access is least privilege, not at one point in time, but all the time.
And that's something that technology is never going to be able to address without us doing the part. All of these controls that I'm talking about, I will mention in a minute, but proper user account life cycle and access policy re-certification, these types of things, they degrade without vigilance over time. So you can put together a team, a project team, to improve your posture in these areas, and you basically clean your act drastically.
If you then walk away to different things and forget about it, I can guarantee in a year you're in a very, very bad situation again. So if you don't put the proper practices there, things are going to degrade.
So what this means for IAM: access controls, which is basically the main tool of IGA, those access controls need to be in place. They also need to prove that they're effective.
And that, over time, is impossible without monitoring of those controls, but also awareness by the owners of those controls and the people who operate those controls to, again, make sure they stay effective over time. Change management of those access policies is a constant hygiene practice. So things are going to change often; your access policies are going to change several times per day, even.
So without a proper change management process, a week from now, a month from now, definitely a year from now, you have no idea what you have in there.
So again, it's one of the main hygiene practices. So all of these requirements put cyber hygiene at the backbone of an IAM strategy. It's basically going to be what makes sure that that IAM strategy is effective and it's relevant. And we are going to be looking at several; I collected 12 different practices that need to be observed regarding cyber hygiene for IAM. So let's look at them.
The first one is you need to have a plan, right? And having a plan means you need to develop a proper IAM policy, standard, procedures, guidelines.
Basically a way to tell everyone in your environment what the responsibilities are, what the practices are, a way to tell the people operating those controls how to operate them properly and what needs to happen, what you're expecting for them to do over time to keep things clean.
So it's basically about providing clear expectations of how we will maintain cyber. You need to review these policies regularly.
Again, same thing: if you create a way to tell people how to do things, but you don't review that way, the practices themselves, even if they're followed to the letter, may be irrelevant over time. And then you need to socialize them properly. So again, if you have the policies, if you review the policies, if you don't socialize them properly to everyone involved, and everyone involved to some extent is actually everyone in the organization, you cannot be sure that it will be properly followed.
Second one is having a proper password policy.
And this is at least while we have passwords, which hopefully won't be for too much longer, but passwords need to meet some complexity and rotation criteria depending on the organization. That much is clear, and you can put some tooling there to help you with it.
You can basically make sure that your IAM solution or your ment solution enforces these policies. But cyber hygiene basically means that users must be aware of good and bad practices.
If I'm enforcing 12 characters with special characters, random words, if I'm doing all that and rotating every month, which is a very rigid, a very demanding password policy, but people are writing their passwords on Post-its or something like that, well yeah, you really haven't achieved much. So again, cyber hygiene practice is about, hey, be aware of this, and what do you have to do to keep those passwords secure?
Yes, you have to be scanning for common passwords, dictionary-based passwords, reused passwords; that is critical for cyber hygiene.
Your third practice is having an asset inventory. You need to know the assets that you have in order to be able to protect them. But cyber hygiene is not only about having an asset inventory, but making sure the inventory is up to date and there are no shadow assets.
And again, this is not something that you're going to be able to achieve simply with technology, because in your environment, if people are creating assets simply bypassing your procurement process or your development process, then again you haven't achieved much. People need to be aware of why it's important to maintain everything in the asset inventory, and the practices, the processes for setting up new assets and including them there.
Fourth practice: manage your identities properly. So knowing which identities your organization has is paramount.
That's definitely critical in order to, well, basically know that every joiner gets an identity, but also making sure that every leaver gets their identity revoked. That's the most important stuff. Cyber hygiene is properly reacting to the joiner, mover, leaver flows and having a reliable identity life cycle. So that's the same concept as the asset management life cycle.
But it's one thing to have your identity store, one thing to have even your user account life cycle processes, but cyber hygiene is about making sure that there are no instances, there cannot be any instances, and people are aware that there cannot be any instances in which identities are not following this flow. If you have this, but then it's manual and sometimes people forget to add them or remove them, well, that's not cyber hygiene.
Identity proofing. So identity proofing is about properly validating newcomer identities.
So yes, I'm hiring people, but have I validated that they are who they say they are? So the know-your-customer approach, even from a corporate perspective. Cyber hygiene again is about preventing fake identities from properly going through the identity life cycle.
But again, it's about making sure that that process of preventing fake identities is consistent, that those controls are working effectively and reliably.
Number six, ensure least privilege. So this is the bottom line of access management, access control. You need to make sure that the users only have access to what they need in order to do their jobs, but they don't have access to anything they don't need. Users are going to accumulate access over time in your organization.
Cyber hygiene in this case is about identifying and revoking that access the moment they don't need it anymore. Now, outstanding access needs to be reviewed regularly by the proper owners. So basically this is what we mean by access re-certification.
It's regularly reviewing that the access that you have is still relevant, and it's very, very important to make this control effective or relevant, right? And that basically means providing that information to them in a manner that they can react to. Making them aware of how important it is that they identify, well, who doesn't need access anymore? But if I'm presenting people with thousands of users to review every month, I can guarantee that's not going to be effective.
Therefore you're not going to have cyber hygiene because people are going to have more access than they need.
Number seven, having multifactor authentication. So critical systems or functions need to have MFA required to access. These MFA practices, and this is where the cyber hygiene aspect comes into play, need to be resilient to MFA fatigue. If you have implemented MFA, but it's prone to MFA fatigue, and people can basically start reacting to MFA challenges and allow an attacker in, well, that's not cyber hygiene; it's not hygienic how you are presenting those challenges to your users.
Cyber hygiene in this system is about avoiding situations where MFA is inconvenient and therefore disabled or designed to be meaningless. So if I'm saying, hey, every critical system needs to be MFA, there has to be a reliable process that prevents someone from not implementing MFA when we have said, hey, it's required. That is cyber hygiene. Do not find out one day that there are several systems that should have MFA but don't.
Number eight, single sign-on.
So implementing SSO is not only about convenience for the end user, it's also about reducing the attack surface. There's less times you input your credentials, less risk of having them stolen, right? In this case cyber hygiene, same thing, is about implementing SSO consistently where appropriate. So if you are saying, hey, these are our SSO practices, you don't want to find out, hey, we actually have some applications, we don't really know which, and we don't even know why or when, that don't have SSO implemented, and therefore, well, this attack surface exists.
Again, it's not about having the ability to have SSO everywhere, but about having a process that you follow. And if there are exceptions, those exceptions need to be the outcome of a proper procedure, and they need to be identified as exceptions and so on.
Nine would be behavioral pattern recognition, or in other words continuous authentication. This is using behavioral patterns to identify whether the user is actually who they say they are.
So it's not only validating the identity of the user at one point in time when they access a system, but continuously. It is a very robust cyber hygiene practice because it allows identifying when credentials have been hijacked.
Again, same aspect as with SSO and MFA. I'm not saying behavioral pattern recognition is a practice in itself, but doing it in a consistent manner, that is what the cyber hygiene practice would be.
It's about not finding out that you have tools where your process says you should have continuous authentication but you actually don't.
Number 10 would be one of the more important practices in all of cyber hygiene: monitoring activity and monitoring exceptions. So it's one of the most critical, also one of the probably more boring and effective practices in IAM. It basically means you need to have controls to review all these practices above, review all these controls, review that they work, and that monitoring needs to be also relevant and effective.
So if I'm monitoring every day tens of thousands of events, it's not going to work, it's not going to be effective, it's not going to be cyber hygiene in itself. You need to make it relevant so that it actually catches what we're going to catch. So whether it's someone using or obtaining access to a system, those relevant events must be reviewed, signed off by the proper owner.
And again, it's easy to misunderstand or misidentify what a relevant event is or to make this control simply a checkoff exercise.
If I simply say, hey, I have this awesome tool, it's a SIEM tool, collects thousands of events, I present that to administrators every day and they simply say, yeah, everything's fine. Cyber hygiene is about making that a little more relevant so that they can, instead of tens of thousands of events, check a couple dozen events which are relevant and act on them appropriately.
Yeah, you need to make sure that the reviewers are finding the exercise meaningful, otherwise that control doesn't work and you need to change it.
Third party assessment is something that, supply chain risk can get us into a lot of trouble, and we need to make sure we have a proper consistent process to assess their IAM cyber hygiene practices.
And finally, awareness and trainings.
So again, making sure that you are communicating to everyone how these practices will work and what they have to do, and that they are aware of why they're important.
So yeah, that's what I was saying is very strong organization today. If you do nothing, you will be weak again in a year. So last thing, what are the challenges of maintaining cyber hygiene?
Well, complexity equals vulnerability. So our environment is going to grow more vulnerable over time. So you need to keep an eye on that, but of course monotony is going to be a problem because these are repetitive actions. You need to make sure they stay relevant, and for that you need user buy-in. Everyone involved needs to be understanding why it's important and what they have to do about it.
And yeah, sorry I went a little bit over time, but that was it for me. Thank you very much. If there are any questions.