So, least privileged access. I hope most of you understand what that is. It's obviously a very important element of the whole Zero Trust framework, and it's actually mandated, to some extent at least, by many regulatory frameworks as well, although often with a very limited scope. I would say, to really understand that, let me start with just some very basic things quickly.
With data, we have a lot of data and there's privileged data, sensitive data. There's nonsensitive data, data and files, data and applications with loads of it. And this is my access to the data. Now obviously I don't have access to all data, but I have access to a significant amount of data. And if my identity or my accounts get compromised, then basically the bad actors get access to the exact same data that I have access to.
And in the case of ransomware, it also means that they typically will encrypt that data, making it unavailable to not just me, but also the people, the other people that rely on access to that data.
But the breach, at least initially, will stop with me because they cannot compromise more data than I can access at that point in time. And that's why least privilege access is such an important element, such an important concept. And as the name suggests, it just means that you're only going to get the access you need to do your specific function, nothing more.
So least privilege is important, and I think it's most important for the very simple reason that ransomware cannot encrypt what it cannot access. This is my go-to tagline if I need to explain this to senior management. In any organization, they don't understand the intricacies of what we do. They don't understand a lot about least privilege per se. They do understand this.
And ultimately this is about protecting our companies, our assets, our identities, right? To a large extent.
Now, unfortunately, in the real world, people have way too much access. In fact, it's not uncommon that 30 to 50% of all the access that people have is simply not needed. And if you look at your cloud platforms, it's typically 90, 95% plus. So it's far worse. The most common reason for having so much access is that as you move position, very often people take most of their access with them to that new position.
Now, I've been with SailPoint for almost 13 years now. So if that would've happened to me, then I would've grown a little bit. Now I have grown a little bit, but not from an access point of view.
And some of it may even come from old projects that you've been involved with. And the reality is you very often don't need an access anymore, but it's still there.
Now, much of it comes from probably just granting too much access in the first place. Maybe when you join the company, they used a donor user to give you the access that you need. And that person has been in the company for 20 years, is highly overprivileged. And as a result, you are now a highly overprivileged user as well. But no matter where it comes from, I think we can almost be all certain that we have way, way, way too much access. And that ultimately means that the impact of a breach is far larger than it ultimately needs to be. And that obviously causes all kinds of headaches.
We also should realize that we have more highly privileged users, overprivileged users in our enterprises than many of us can actually expect.
We like to focus very often on the administrative side of things, which is good because that privileged access is definitely what attackers want. But if you look across your entire enterprise, there's a significant amount of overprivileged users in there. We, by the way, detect those using artificial intelligence, and we call that process identifying outliers.
In that sense, you can see them as people whose access is significantly different from what you could expect. So for example, we can detect if a person is highly connected to multiple groups within the organization suggesting that they've taken those excess rights with them as they move position. So being able to surface that, being able to have that presented on a platter obviously gives you great insight straight off the bat.
Now, when we all have too much access, it also means that the potential to commit fraud and remain undetected very often is just way too high.
So we need to get SOD policies in place to prevent that. And in general, we just have a very hard time living up to all the compliance regulations again, because people have so much access and we need to review that and we don't really know what to revoke in the first place. And there's another element here. A lot of companies carry cyber insurance.
Now, I previously mentioned that regulation to some extent requires you to implement least privilege, and it does so for a narrow scope, the specific data that it cares about, right? GDPR says you shall only have access to PII data if you need that for your specific function. That's least privilege. But your cyber insurance policy is probably casting a much wider net than just a few specific systems. And unfortunately, some companies only find that out after they've been breached and they're not fully covered.
Now ultimately because we have too much data, when we are ultimately compromised, it gets much more costly than it needed to have been.
So that's why least privilege access is so important.
Now, the big question is, how do I implement this? And some may even ask, is it even possible to get to true least privilege? Let me start with some major improvements before we ultimately answer that question.
Now, the first step is to please stop copying users. I've been in this industry for, I don't know, 25 years or so. 20 years ago I was surprised that we still did that. Today I'm still surprised that we still do that. It happens way too often. So instead, try and model access in a different way: clean up your access, start modeling. You can always get more granular than that one person. And there's different ways to look at modeling access, right?
There's RBAC, ABAC, PBAC; they all have their pros, they all have their cons. But ultimately getting a role model in place is a good thing.
So I'll be taking an example using RBAC because I think it's the easiest to explain. It's the easiest for managers and organizations, typically, to understand as well. It doesn't just get us a great return on investment using roles, but it definitely helps us to get a lot closer to least privilege than not doing it. But let me unpack it, because it isn't as simple as some things may seem to be. Roles come with inherent benefits, right?
And there's many that we will recognize. For example, a single business role can contain, I don't know, 50 or so entitlements. And that significantly simplifies having to explain 50 entitlements versus one role to business people. So it's a good thing from that perspective. That leads to fewer access requests, which leads to fewer approvals, which typically managers kind of blindly approve anyway, which ultimately leads to fewer mistakes as well.
So roles allow for automatic assignment where obviously you get a great return on investment.
They also allow for automatic revocation, which obviously is important as people change roles, that that access is no longer valid. So there's a great return on investment to be had roles, definitely make it easier for an average business manager or business user to understand the access, right? It's one description instead of the fine grain details on every single entitlement that's contained in there. It's also easier to review the access.
'cause as a manager, if I'm doing an access review, I can see two, three roles and I can see a dozen or so additional entitlements access that's been granted outside of the role model. And that means it's an exception and it could be a good exception and I can approve it, but it's definitely something that I should focus on a little bit more.
So being able to reduce that number of individual items I have to review as a manager, that actually significantly helps in increasing the quality of an access review. But there are inherent challenges with roles.
In fact, I would say roles have a pretty bad reputation. If I have a conversation about roles in a large organization, at least one person in the room when the topic comes up, goes like this, roles have been pretty difficult. And the reason for that is roles are never done, right? Every company can get a role model in place, but then things change. The organization changes. You onboard new applications into the organization, you create projects, you dissolve projects. There's a lot of dynamics in your access. And those dynamics need to be reflected in your role model as well.
You need to be able to kind of tag along with that.
So it is a little bit like painting the Golden Gate Bridge, as you can see here, where technically, you know, once you're done, you get to start all over again. And that is to me ultimately why roles over the years have gotten such a bad reputation. But I think I can say it used to be difficult to get a role model in place and maintain roles. We've significantly invested in AI technology, and through the help of AI, we're now helping you to define roles. We're even detecting roles that you haven't uncovered yourself yet.
But maybe more importantly, we're helping you to keep roles healthy. The AI will suggest to you, Hey, here's access that is not part of this role yet. Significant portion of people have it. Here's the impact. Here's the people that don't have the access. We suggest you update a role with this new data.
So as soon as you, you know, purchase new applications or onboard new applications, you know, the AI model will be able to help you to absorb that into that role model, which is important because it saves on requests.
But it's also important because when people then change position and that role is no longer valid, that access is also automatically revoked, which otherwise it isn't. So I think the future of roles in general is looking a little bit more promising, a little bit brighter than it was previously, especially because it eases the maintenance effort. But let's now revisit least privilege again, because the question was if least privilege is actually possible, and some may argue that roles may actually be a little bit at odds with least privilege access. Let me explain that.
Here's an example from our role mining tool. The AI in this case has a role candidate, as we call it, and it's got a number of entitlements, the purple bars that you can see, and that's the access represented for the group of people that we're building this role for.
Now, at the far end, we see what we call the cliff. And this is typically where, you know, some people in that potential role have some additional access that everyone else doesn't have.
Now, obviously, you do not want to include this in the role, because then least privilege is straight out the window. But where are you going to place that threshold? True least privilege means you're gonna set the threshold at 100%.
Now, you may wanna place it at 75%, and in this case, that means that you know, a few additional users get two additional entitlements, two entitlements that apparently they've never needed before. Now that's not very least privileged, is it? But you have to make a decision here. Do you include it in the role? Do you exclude it from the role and let all those people request it, which leads to additional requests and approvals and possibly mistakes? Or do you create a separate role for it, which might lead to role explosion?
And maybe at 75% you actually think, well, I don't find that a very difficult decision to make. So let me up it to 90, 95%: out of, say, 40 people, one person doesn't have these two entitlements, which you should then be inclined to include into the role.
So I think what I'm trying to point out here is that true least privilege, well, that's pretty hard to achieve. But the reality is that despite those challenges, and despite the fact that roles are ultimately a compromise, they are a very necessary compromise.
And they're necessary because we need to step away from an absolute tsunami of access requests and approvals that are costly, but also lead to a lot of mistakes. They introduce risk. We have to step away from an insane number of approvals that many managers have stopped paying attention to, to be quite honest. And we have to step away from an insane number of access review items. And because of those large lists that we present people in access review, quality goes straight out the window. We're achieving the opposite of what we're trying to achieve with access reviews.
And ultimately, you need to find a balance here.
You need to find a balance in your role model. I've seen many customers out there, large and small, that have ended up with more roles than employees. If that happens, something's wrong. And it's been primarily because it was so hard to maintain a role model that a few years in, they just create an additional role model for all the access that wasn't covered yet. That was easier for them than to redo everything. But what's the answer to this then?
Well, funny enough, the answer is roles. Because roles may be a compromise, but they are absolutely necessary because without roles, there's no way you're gonna get close to least privileged if you are managing hundreds of thousands of entitlements. Many companies have millions of entitlements actually under management. There is absolutely no way for any company to be able to have any control over access without doing roles.
No way to get anywhere close to least privilege without having roles.
And in our case, these are roles where we're helping you through the adoption of AI technology, helping you create those roles, but more importantly, helping you to keep that role model healthy by suggesting the changes, even suggesting additional new roles that could be of benefit, showing the impact, et cetera. So ultimately, let me get back to kind of the RBAC, ABAC, PBAC question. What type of role model do you want? I think the reality is that RBAC has been the simplest one, but there's a lot of different options out there.
And if you have multiple role models in place, well then you need to start looking at people's effective access in the sense that effective access is just, you know, the sum of the different role types put together.
But understand that every single model ultimately uses policy under the covers. Some have a little bit more policy than others, but ultimately having roles, no matter what model you have, is going to be a good thing.
ABAC, PBAC, they certainly add additional elements to it, like device fingerprints, you know, whether you're external or internal, whether you can access it on a Sunday; you can go crazy if you want on that front. And then there's the concept of zero standing access, right?
It's, it's essentially the same thing. It's still a policy that you define who should get access to what. The challenge though with policy is very often that not many people truly understand what that policy is about.
Now, here's an example of a decentralized policy, a policy in AWS. How many managers do you think would understand this? And this can go on for pages and pages and pages, and this is just one policy.
How do you govern that? Now we do solve for that, right? We are displaying that resulting access. So we're traversing the whole path of how you get this access to be able to then present during an access review, for example, what the effective access is that a user has. But that's a topic for a whole other session.
To come back to least privilege: maybe we should achieve managed privilege at a minimum within our organizations. Least privilege absolutely remains the north star. The closer we can get to it, the better it is. We should always try to reach for more and more and more. But it's hard to get there, and we have to accept that, I think. But investing in identity security, putting roles in place, especially with the help of AI to make that more successful, that gets you significantly closer towards that goal of least privilege.
It is a major step in the right direction, and it effectively helps you to protect the company against the fallout of a breach. And at the same time, it allows you to get a significant and sustainable return on investment from all the manual changes that we keep doing on a daily basis.
Ransomware cannot encrypt what it cannot access. I said it before, I think that's a powerful message you could send to your management to start having the conversation of why the implementation of a least privileged access model is so important. So get started today.
I've got a contract with me if you wanna sign on the dotted line. No kidding. But it is available today. I think.
You know, we should all get started on this. Thank you very much.
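The role-candidate threshold trade-off the speaker describes (the entitlement "cliff", and the choice between over-provisioning a few people and leaving access outside the role as request and review items) can be made concrete with a small script. This is an added example, not the talk's own material and not SailPoint's role-mining tool or code; the users, entitlement names and the three thresholds are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the talk): ten users in one team and the
# entitlements each currently holds. Entitlement names are made up.
BASE: Set[str] = {"ERP:read", "ERP:post-invoice", "CRM:read", "Share:finance"}
USERS: Dict[str, Set[str]] = {f"u{i:02d}": set(BASE) for i in range(1, 11)}
for u in list(USERS)[1:]:                  # u02..u10 -> 9 of 10 hold it (90%)
    USERS[u].add("Expense:submit")
for u in list(USERS)[2:]:                  # u03..u10 -> 8 of 10 hold it (80%)
    USERS[u].add("ERP:approve-payment")
USERS["u09"].add("Share:legacy-project")   # leftover project access, 2 of 10
USERS["u10"].add("Share:legacy-project")
USERS["u10"].add("AD:Domain Admins")       # a single outlier carrying admin rights


def entitlement_coverage(users: Dict[str, Set[str]]) -> List[Tuple[str, float]]:
    """Fraction of the group holding each entitlement, highest first.

    Drawn as bars this is the picture from the talk: the steep drop at the
    tail is the "cliff" of access that only a few people have.
    """
    counts = Counter(e for ents in users.values() for e in ents)
    n = len(users)
    return sorted(((e, c / n) for e, c in counts.items()),
                  key=lambda ec: (-ec[1], ec[0]))


def mine_role(users: Dict[str, Set[str]], threshold: float) -> Set[str]:
    """Role candidate: every entitlement held by at least `threshold` of the group."""
    return {e for e, cov in entitlement_coverage(users) if cov >= threshold}


def assess_role(users: Dict[str, Set[str]], role: Set[str]) -> dict:
    """Cost of a candidate role on both sides of the least-privilege trade-off.

    - over-provisioning: users who would gain entitlements they never held
      (the threshold was set below 100%);
    - exceptions: access left outside the role that still needs individual
      requests, approvals and access-review items.
    """
    over = {u: role - ents for u, ents in users.items() if role - ents}
    exceptions = {u: ents - role for u, ents in users.items() if ents - role}
    return {
        "role_size": len(role),
        "over_provisioned_users": over,
        "grants_beyond_need": sum(len(v) for v in over.values()),
        "exception_items": sum(len(v) for v in exceptions.values()),
    }


if __name__ == "__main__":
    for ent, cov in entitlement_coverage(USERS):
        print(f"{cov:5.0%}  {ent}")
    for threshold in (1.0, 0.9, 0.75):
        r = assess_role(USERS, mine_role(USERS, threshold))
        print(f"threshold {threshold:.0%}: role has {r['role_size']} entitlements, "
              f"{r['grants_beyond_need']} grant(s) beyond demonstrated need, "
              f"{r['exception_items']} exception item(s) left to request/review")
```

At 100% the role is strictly least privilege but leaves 20 exception items for this one team; at 90% one user gains one entitlement and 11 items remain; at 75% three grants go beyond demonstrated need and only the genuine outliers (the stale project share and the lone admin membership) stay outside the role, which is exactly where a reviewer's attention should go.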