- Aembit Webinar Series
Identity Security Trends and Takeaways from RSAC 2024
- May 22, 2024 | 1:00 pm

Ashur Kanoon
About This Webinar
If you followed RSA Conference 2024, you might have picked up on the heavy chatter around identity security – obviously for humans (that’s old news), but now more than ever for non-human entities too.
It’s no secret anymore – actually, it’s the worst-kept secret, wink wink – that failing to adequately manage and secure workload credentials poses serious risks.
In our upcoming webinar, we’re spilling the beans on the hottest identity security takeaways from the big conference, namely the need to automate, govern, and safeguard access across applications, scripts, and services, aka those critical workloads that drive your business forward.
RSAC is known for setting the stage for what’s next in cybersecurity, influencing trends and buying decisions. Here’s what we’ll share from our learnings at the show:
- The Growing Workload Attack Surface: We’ll discuss how the increase in non-human identities like keys, tokens, and service accounts can expose your core systems and sensitive data to risks.
- A Daunting Challenge: Non-human identities often outnumber human ones in large enterprises and they need their own specific solutions and management approaches.
- More Than Just a Security Issue: Securing non-human identities isn’t just a job for security teams; it impacts everyone from IT to DevOps, highlighting the need for a united effort.
- Learning from Past Practices: While we’ve been managing human access with privileged access management (PAM) and other policy-based controls, it’s time to apply those principles to non-human identities too.
- Collaborative Solutions: Both well-established and traditional IAM vendors, as well as innovative startups like Aembit, are tackling identity security challenges, working to enhance how we protect important digital assets.
Gear up for a no-nonsense webinar that arms you with the tactics you need to confront identity security challenges head-on. Secure your operations, outsmart potential threats, and ensure your business runs without a hitch.
Transcript
Alright.
Welcome, everyone.
Thank you for joining today.
I’m gonna get started in a second. Let me just share my screen and kick this off.
One second.
Sorry. I am sharing the wrong screen.
Alright. We should be ready to go.
Sorry. I’m having some technical difficulties there. Okay. Welcome, everyone, to the identity security trends and kinda key takeaways from RSA 2024. My name is Ashur Kanoon. I’m the head of technical product marketing here at Aembit. I’ve been in the security space for about twenty years, and I’ve been going to RSA for maybe just over twelve years, and I’ve been in various booths, so working the floor.
And in my days at Cisco, we had a really big booth, lots of folks. We actually had booths sometimes in both North and South, and I’ve been at very early stage startups.
And recently, this last one, I was at the early stage expo that was upstairs. So I’ve had quite a bit of experience. And today, I just want to share some of these experiences that I’ve had, especially when it comes to identity security.
So, quickly, just talking about the show.
I know some folks that are on the call may not have gone, but RSA is back.
The level of people that were there, that were downtown, the hotel rates. I mean, it all shows that RSA as a show is back, and it’s still a great place to network.
Another thing that was obvious, and I think everybody knows this, AI was huge.
But one of the things that I noticed this time is it was more practical than last year. Last year was a lot of FUD and just trying to scare people about, you know, what are the problems that AI brings. This year, there was a lot of government, and a lot of things tied around democracy, on what issues AI can introduce, but also how to either leverage AI or combat some of those things. So I thought it was a little different. And later on, we’ll talk about how AI plays into identity and access management directly.
The other thing I noticed is in terms of swag, it seems like folks have done away with those little, you know, pens and other things. And there were a lot of bigger prizes, and there was one that was really pretty cool. There was a closest-to-the-pin virtual golf at one of the vendors, and there was a line, you know, there were at least twenty, thirty people in line for that. So it looked like it was pretty popular, but it looks like the trend, which is good for kinda us marketers, is just not having to take swag and just doing bigger giveaways.
And then the other one was, looking at the talks, there were a few hundred talks, and a lot of these talks were around government and critical infrastructure.
So last year, they talked about Volt Typhoon and the low hanging fruit. While this is still a topic, I think one of the key terms I heard this year that was pretty interesting is around mutually assured digital destruction.
So when it comes to governments, if one’s attacking us, meaning the US, we’re probably in their networks doing things also. So there’s a lot of back and forth on what can be done.
And, you know, if you follow things like NIST and CISA, CIA, you’ll see that government is also trying to help organizations implement stronger and stronger security, either on premise, in the cloud, and in terms of all types of connectivity. And we’ll talk more about these government and critical infrastructure bits in a minute.
In terms of booths, usually, I’ll walk around the floor, get ideas on some of these booths. And I wanted to give a shout out to Wiz. I thought Wiz’s booth was pretty interesting.
And if you’ve been kind of tracking Wiz, Wiz got, I think, recently just a billion dollars, so you can tell that they spent it. It was very creative, and it looked pretty cool. The other booths, you know, there were some that were smaller. Like, I noticed Palo Alto Networks wasn’t in their grand booth that they always have. So I think folks are also looking at ROI from some of these shows. So that was pretty interesting, but I just want to call out the Wizmart booth and thought it was pretty interesting.
So now let’s pivot over to workload identity and security.
And if you’re new to the workload identity space, I think as we cover the first couple topics, it’ll become clearer and clearer what workload identity means. It can mean a few different things to different folks.
But one of the things that I found this time was I saw two different approaches to this problem. And these are strategic approaches, not just the technical stuff. We’ll talk about the technical bits in further detail later because there are many approaches on how to solve this. But one of the things that I noticed is there are lots of possibilities, and there are some organizations that talk a lot about possibilities.
So as part of my analysis and really preparation, not just for this presentation, but just for my day to day role, I’ve looked at around fifteen vendors in this space, and not all of them were at RSA. I also looked at the major organizations like the Ciscos, the PAMs, the Zscalers, Netskopes, that kind of dabble their feet everywhere.
And one of the things I saw is most organizations are still talking about possibilities rather than giving practical advice.
And this was obvious when we started looking at demos. So I did get a demo.
I gave demos of the Aembit product and had some good discussions with folks that are kind of in the space.
And there’s still a lot of promises that aren’t productized yet. And today, we’re gonna talk about some of those, but I’m also gonna mention some practical advice because there are folks that need to solve this thing today.
They’ve been solving workload identity, and now they’re trying to, I’m sorry. They’ve solved user identity, and now they’re looking at how they actually solve workload identity today. So with that in mind, the topics we’re gonna address are listed here. I kind of tried to summarize everything into nine topics. And, hopefully, by the end of this talk, and I’ll try to wrap it up before one thirty, we’ll have covered some of the stuff, and I will give you considerations on what to look for and what to think about. So first, let’s take a look at names.
I saw similar products or similar, use cases being addressed by things called workload IAM.
That’s kind of the thing that we talk about. There’s also organizations that are talking about nonhuman identity.
And this nonhuman identity, some folks summarize it as the service accounts, but we’ll talk about how this is beyond service accounts.
There’s also the approach of workload federation.
So the workload federation piece is very similar to a service mesh, and I’ll go into the details of the service mesh and some of the limitations.
But the workload federation is what some of the cloud service providers are focused on. So a company like Google Cloud, they talk a lot about workload federation.
And a lot of times, they’re making the assumption that the application is all within Google. So when it’s all within GCP, the workload federation makes sense. But when you start accessing things outside of GCP, other SaaS applications, things like Stripe for payment processing, other non-GCP, that’s when it just gets harder to do just full workload federation.
And then there were organizations talking about universal identity. And, really, what universal identity is is user plus workload identity.
And these could be kind of your traditional, user IAM vendors that are creeping into the workload identity space.
But they’re approaching it very similarly to, how they approach user IAM, and that gets us back to service accounts.
And then service mesh, as I mentioned, we’ll talk about that separately.
So when talking about beyond service accounts, it’s not just usernames and passwords. These are API keys. These are long lived API keys or tokens and then short lived tokens. One of the things that we help our customers with is going from a long lived token that the application supports to a short lived token that we inject. There’s also OAuth tokens. There’s JWT tokens.
There’s some vendors or open source approaches to workload or service identity that are dependent on X.509 certificates.
So you have to think about PKI, and we’ll talk a little bit about that, because one of the things that we’ve seen is the open source organizations that took this approach with X.509 certificates, they’re actually introducing now JWT for tokens because they don’t wanna have to manage PKI. And we’ll talk a little bit more about that in a little bit. And there are also usernames and passwords. So it’s all of these things.
It’s not the service accounts. I think some vendors or some prospects were asking, okay. What do I do with service accounts? How do I store those?
They’re looking for things like secrets managers. And our approach is not just the identity piece, but the access piece as well.
Another thing that was apparent with all these vendors, some of the things that they were talking about and what prospects were talking about, is identity governance and administration.
And the one thing that they kept talking about was both of these are needed.
So there are some vendors that focus heavily on the visibility piece, maybe for audits and compliance, but they don’t do anything on the administrative side. They don’t do anything on the, let’s call it the life cycle management for the workload authentication.
So it’s kinda clear to everyone that both governance and administration are needed, and vendors that are focusing just on user IAM or just on identity storage and just on compliance and audits are really taking the approach that this is like a long term phased deployment, whereas the prospects we talk to, the customers we have, are looking for all of this stuff today. So it’s important to understand, when somebody says, you know, we provide IGA, what does that actually mean?
Okay. In terms of service mesh, so I looked at a few vendors here, and I spoke to some that were looking to possibly do integrations, technical alliances, and things like that. And one of the things that’s really clear is with the service mesh, there is limited support and integrations.
So I picked a couple of the service mesh organizations that I talked to at RSA. When I went to their website, a few things were pretty clear. One, it’s a very specific set of applications or services that they work with.
And in one case, one of the more popular ones, they basically work with sixty total.
The other thing is it takes time for more to be added because their approach is they have to build connectivity between that SaaS application and their own servers, and they have to go through everything it takes to work through a technical alliance. And sometimes that could take months. So if a new customer comes and says, hey. I need, you know, I’m adding this new bit or this new module to my application.
I need you to support it, it could take months for them to support it. And then, also, one of the things I found pretty interesting is, with one of the more popular service mesh vendors, the second bullet that they talk about is the pro services and the third party vendors that they work with to provide pro services. And to me, I just took that as this thing is complicated. There’s a lot of steps that need to be taken to deploy the service mesh, thus the pro services are needed.
So we know that service mesh is limited. It works great under certain conditions. Under other conditions, especially when you’re rapidly developing an application and the application is distributed and you wanna move from one type of vendor to a different one, it’s really hard to do. You just basically have to use whatever the service mesh supports.
Kind of related to that is deployment options.
And I kinda summarize this in two different ways. I summarize this as support for where the application lives, and this could be something like a VM or in a Kubernetes pod.
This could be on prem. This could be in a CSP.
Applications can also live in serverless, things like AWS Lambda.
And the way these things talk to the world, it could be via a proxy or an API. So we know we have folks that wanna build applications where they own the infrastructure so they can deploy a proxy. And then we talk to others that say, a proxy isn’t gonna work for me. I need to make API calls for workload identity and access.
So you wanna look for a vendor that actually has both of those options.
Most people will probably default to using a proxy, but will rely on API when needed, when a proxy just can’t be deployed close enough to the application to make sense.
And then you also wanna make sure that there is support for what the application is talking to.
It could be talking to different SaaS applications. It could be talking to remote databases.
The type of server workload doesn’t matter, but where it lives matters, right, because there are some folks in this space that think this is an on prem to cloud service provider thing. They have something that they host on prem. They’re trying to access something in Azure, and that’s the only requirement they think customers have. But we know customers wanna be able to talk anywhere.
They wanna have the most flexibility in terms of what services they can use. So it needs to be able to talk to SaaS third party services. It needs to be able to talk to cloud service providers, in a private or public cloud, and it needs to be able to talk to on premise as well. You could be developing something in AWS Lambda, and it needs to access some data store on prem or in your colo.
So when you’re looking at deployment options, you wanna make sure that you can basically access from anywhere to anywhere.
The other conversation that we had consistently is, you know, folks that are using a solution today. So it could be they’re using AWS Secrets Manager. So they ask, okay. So how do I migrate from what I’m doing today to something else?
So a few of the customers and prospects we’ve talked to, one of the things that they’re doing is they enable workload IAM in new code. And then for the old code, there’s a few different approaches that some of them are taking. Some of them just say, if you detect authentication for specific API calls, just let it pass through. Don’t do anything.
Or you can inspect and flag, just so that they know. Typically, for the inspect and flag, what they’re actually doing is inspect it, flag it, and then there’s a process to open up a Jira ticket that says there’s this API call coming from this server that’s part of this application, and it’s making a call out to this API, and there’s authentication there. Go fix it, remove the authentication, let it be injected by the workload IAM vendor. And then the other one is the detect and substitute. So we detect API calls with authentication.
We remove the authentication that’s there. We inject whatever we need, and then we send it on its way.
In terms of conditional access, this is beyond identity.
What we heard is that identity isn’t enough.
Again, identity goes back to I have an API key or I have a username and password stored in my secrets manager, but that’s just not enough. When services are running, you wanna find something that has conditional access. And this is, you know, from where the device is located. So if you have an application that’s running in AWS East based out of Ohio, you can create a policy that says only allow the application call to come from this place.
When you have some cron job that runs, makes some API calls, it only runs Mondays at six AM. You wanna be able to lock it down, and anything beyond that, that call never makes it through. And you wanna do posture assessment the same way you do posture for user IAM.
So looking for integrations with things like CrowdStrike, other things that run on the server itself.
And then there’s also this concept of multifactor attestation.
So attestation ensures that the system is who it says it is. So it could be like a Kubernetes pod name, Kubernetes pod prefix.
There’s a lot of different bits of information that can be used to do attestation. And under the conditional access and determining if I trust the workload, you wanna make sure that the solution allows you to do that.
And there are some vendors, open source, that are doing that today.
Okay. In terms of PKI certs and management, managed PKI is always the easiest. Some vendors are doing that. Other vendors allow folks to bring their own PKI, and we’ve seen both. Some, you know, some really big organizations that have been there kinda forever say they want to manage their own PKI. Others say, just manage it for us, make it easy. And the feature functionality you wanna look for is private key storage, certificate rotation, and the ability to revoke certificates, especially if it’s proxies that are distributed everywhere.
It could be, like, a short lived proxy. And if it’s doing certificate auth, you wanna make sure you’re able to revoke those certificates.
In terms of integrations, one, the integration that folks were asking about is they wanted to work with their environment, whatever that means, wherever they run their applications.
They wanna also work with existing authentication and authorization. Again, whatever that means. It could be something on prem. It could be, like, Active Directory that’s on prem, and you’re running, like, Kerberos.
They wanted to work with their existing security stack, and they also wanted to work with their CI/CD stack, environment, workflow, whatever that is. So those were some of the integrations that we were hearing about that folks were interested in. How do I make it work? And, obviously, they don’t want it to just work. They also want it to be easy. They don’t want, you know, to worry about code changes, custom scripting, and things like that.
Alright.
I’m also gonna jump ahead just because I’m aware that we’re coming up to the top of the hour and just talk quickly about AI and identity. So one of the things we constantly heard is, hey. AI is important because it’s nonhuman.
So what do we do regarding AI? So AI access, API access for AI, can be treated just like any other server workload.
But one of the things that we saw is folks, vendors are actually leveraging AI today.
And, again, it’s in this practical phased approach. So the first thing they’re doing is contextual help. So taking all the docs, taking knowledge base articles, putting them into an LLM, and then getting really contextually aware natural language type of help. A lot of vendors are doing that today.
There’s also the log analysis and policy recommendations. So you feed in a customer’s logs constantly and then recommend policy updates, and then they can go through and say, yeah. I’ll accept that or not. And then the thing that’s really further down the road is fully automating all of this stuff.
So, like, fully self-directed, automated, generative policies.
You see exactly what’s needed. It could be a server workload that’s not supported. The AI goes and figures out how that configuration is done for that particular service, does whatever it needs to do, and then generates a policy for the workload to service connectivity. So those are things that are further down the line. Step three is further down the line.
But steps one and two are things that vendors are doing today. Alright. With that, thank you very much.
If you have any questions, you can contact me at akanoon, first initial, last name, @aembit.io. Or if you wanna reach out via LinkedIn, please go ahead and do that, or just access the contact page on our site. Thank you so much for joining us, and we will talk to you soon. Thank you.
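The conditional-access checks (location, schedule, posture, pod-name attestation) and the three legacy-credential migration modes (pass-through, inspect-and-flag, detect-and-substitute) from the talk, as an added Python example that is not Aembit's code or part of the original page. Every class, field name, header name and sample value is constructed for illustration.

```python
"""Conditional access plus credential migration for one outbound workload call.
Added example, not Aembit's code. Models two points from the talk: admit a
workload only when its attested context matches (pod-name prefix, region,
weekday and hour window, posture), then handle a legacy credential in the call
by pass-through, inspect-and-flag, or detect-and-substitute. All names and
sample values are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Header names a legacy application typically uses to carry a long-lived secret.
CREDENTIAL_HEADERS = ("authorization", "x-api-key")

@dataclass
class Workload:  # attested facts about the caller, as a proxy or agent collects them
    pod_name: str
    region: str
    posture_ok: bool  # e.g. an endpoint agent on the host reports it healthy

@dataclass
class Policy:
    pod_prefix: str          # attestation: pod name must start with this
    allowed_regions: frozenset
    allowed_weekdays: frozenset  # datetime.weekday(): Monday == 0
    hour_window: tuple       # [start, end) hour of day
    mode: str                # "passthrough" | "flag" | "substitute"
    short_lived_token: str   # injected only in "substitute" mode

def denial_reasons(w, p, now):
    """Collect every failed condition so an audit log says why a call was blocked."""
    reasons = []
    if not w.pod_name.startswith(p.pod_prefix):
        reasons.append("attestation: pod name prefix mismatch")
    if w.region not in p.allowed_regions:
        reasons.append(f"location: {w.region} not allowed")
    start, end = p.hour_window
    if now.weekday() not in p.allowed_weekdays or not start <= now.hour < end:
        reasons.append("schedule: outside allowed window")
    if not w.posture_ok:
        reasons.append("posture: host failed assessment")
    return reasons

def apply_mode(headers, p):
    """Return (headers to send, findings) according to the migration mode."""
    legacy = [h for h in headers if h.lower() in CREDENTIAL_HEADERS]
    if p.mode == "passthrough":   # old code keeps working, nothing is logged
        return dict(headers), []
    if p.mode == "flag":          # call untouched; findings feed a ticket to the owner
        return dict(headers), [f"legacy credential in header {h}" for h in legacy]
    if p.mode == "substitute":    # strip the stored secret, inject a short-lived one
        clean = {h: v for h, v in headers.items() if h.lower() not in CREDENTIAL_HEADERS}
        clean["Authorization"] = f"Bearer {p.short_lived_token}"
        return clean, [f"replaced legacy header {h}" for h in legacy]
    raise ValueError(f"unknown mode {p.mode!r}")

def handle_request(w, p, now, headers):
    """Deny as (None, reasons) unless every condition holds; else rewrite per mode."""
    reasons = denial_reasons(w, p, now)
    if reasons:
        return None, reasons
    return apply_mode(headers, p)

# Constructed sample: a billing pod in us-east-2, allowed only Mondays 06:00-06:59.
SAMPLE_POLICY = Policy("billing-", frozenset({"us-east-2"}), frozenset({0}),
                       (6, 7), "substitute", "constructed-short-lived-token")
SAMPLE_WORKLOAD = Workload("billing-7f9c", "us-east-2", True)
SAMPLE_TIME = datetime(2024, 5, 20, 6, 15)  # a Monday

if __name__ == "__main__":
    print(handle_request(SAMPLE_WORKLOAD, SAMPLE_POLICY, SAMPLE_TIME,
                         {"X-Api-Key": "legacy-secret"}))
```

In "flag" mode the findings list is what would be turned into the ticket the talk describes; in "substitute" mode the legacy header never leaves the host.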