Transcript
Opening
Welcome everybody to What’s the Problem, the show that explores problems that buyers, operators, leaders, practitioners, analysts, and anybody involved in the world of cyber security face.
Today, we are fortunate to have Tom Johnson joining us.
Conversation
Mike Krass: Tom, wave a digital hello to all of our listeners.
Tom Johnson: Hello, everyone. It's nice to be here.
Mike Krass: Awesome, Tom. It’s nice to have you. Getting right into our first question now, Tom, why are you qualified to talk about security?
Tom Johnson: I am the CEO of Nimbus-T Global. We are in the cybersecurity space and focus on identity and access management. I have a lot of experience from working in previous corporations designing and setting up various cybersecurity defense strategies. I'm not a security engineer and not certified in security to qualify. I've just had a lot of experience in this space, which is probably the best way to describe it. In my role as the CEO of an early-stage cyber startup company, I'm in the ecosystem and around a lot of people that are very good with security.
Mike Krass: Awesome! Thank you, Tom. What's the problem you want to talk about today with our listeners? What's on your mind?
Tom Johnson: There is a real problem with identity management and all the pains surrounding identity management. And when I say identity, it's how you prove your credentials to access systems. Identity is a real problem whether you are trying to log in to an account or access a network. It's one of the primary attack vectors for cybercriminals.
Mike Krass: So talk to me a little bit about identity. Can you just define the difference between identity and access management for our listeners?
Tom Johnson: Identity is proving you are who you say you are. Is the painting authentic? Can I verify that you are the person you say you are? And there are a lot of different ways to do that, which we can dive into. Then access management is more around the authorization side that says you're allowed to go in here, go into the store, or go into this screen, application, or system. So typically, you have a directory service like Microsoft Active Directory that manages both the identity and the access or authorization. There are a lot of other directory services out there as well.
Mike Krass: I got it. Here's a follow-up question with what you mentioned, Microsoft. Is it usually a simultaneous action with identity and access management? Are they decoupled in some cases?
Tom Johnson: It's usually simultaneous, but it's usually not fast, meaning that once you're authenticated, a profile gets applied to your account. You get a profile applied, which determines what you're allowed to get to, what you're authorized for. Every time you log in, you immediately have a profile sent down to your session that applies the rules that allow you to access the resources in that profile. And often, it can be very nested, very complex, versus a simple basic user profile.
When I was in healthcare, we had one for doctors, nurses, and aides. These different rules would apply to the end-user and what they were allowed to access. That's the authorization part of access.
Mike Krass: I'm going to jump off your healthcare example. It seems like it could be a bit painful to think through identity and access management daily for all these different roles within an organization. Is it painful, or am I just inventing that story, and that's not real?
Tom Johnson: It’s super painful. I had a whole team of people that struggled with this daily. Rarely does someone come into an organization and wear one hat. They might be a registered nurse and it's like, “Oh, that's easy. We'll just copy another profile from a registered nurse, and that's what you get.” They say, “Yeah, but I also do infection control. So I need access to these systems.” “Oh, well, let's look at infection control and find out what they have, and we'll add that to your profile.” Now you're starting to customize the profiles. A year later, they get promoted to a supervisor, so they get even more access. Maybe they switch to a completely different unit, and nobody tells us they still have all the access they had previously, as a supervisor, as an RN, as someone with infection control. The longer you're with an organization, the more your profile builds in what you have access to, unless there's a rigorous process to screen and control those transitions or a routine audit. But to be honest, those regularly do not happen in most organizations.
Mike Krass: You mentioned having a whole team working on this. What was the size of that team you talked about?
Tom Johnson: It was six FTE to cover 5,000 employees, and the process is called de-provisioning. You’re provisioning them access to resources, and you may hear the word "auto-provisioning," where someone's automatically given their profile. We've tried hard to do auto-provisioning, which is nearly impossible. You can do a base profile to get you the minimum access that someone might need. But ultimately, the team has to go in and curate, customize, and build specifically the credentials you need, and then it rarely stops there, meaning that you get a phone call: “I was assigned to work on this special project. I need access to this person's G-drive, to this person's this and that.” So someone has to look at it, approve it, enable it, and then remember to disable it once they're no longer on that project. People rarely think to call and tell you, "Oh, that project is completed. You should remove all my access."
Mike Krass: It also seems another inflection point would be... we talked about onboarding. What if you're leaving the organization? That could be another example of an identity and access management point where it might get done eventually. Still, it might not get done in a prompt time, based on you talking about half a dozen people for a 5,000-person organization. That's a lot of people that could be turning over or going on leave or whatever. It seems like offboarding, or a temporary hold or restriction on access to certain directories, would be another concern.
Tom Johnson: Absolutely, it's ten times harder to de-provision somebody than it is to provision them, to begin with, depending on their role, how long they've been there, and what their responsibilities were when they left. The common logic is you just delete their account. No! Someone's taking that job over, and they need access to all those files. What typically happens is whoever replaces the person that left immediately asks, “Hey, I need full access to everything they had.” You disable their account, so they can no longer log in when they leave the organization. But their profile and all their history linger on almost in perpetuity, because it's rare that somebody's going to replace them, take on the new role, read all the files that they have, move them in under their home directory, clean out everything that was in the previous environment, and then notify IT and say, “I've cleaned everything out. I've deleted everything and moved everything. It's now an empty profile, and you can shut it down.” So what ends up happening is your directory services keep getting bigger and bigger. You have 5% of it as terminated employees, then 10%, because it's super hard to truly eliminate their digital fingerprints and work history from the environment. If they were a basic employee and had no files, zero emails, nothing in there, then it's no big deal. But if you have executives that have been there a long time and then retire, their files will be there forever. And then you have compliance and HR pressuring the CIO to get that done, because it's a new legal and discovery risk. If any cases come up, they will discover all of our files. They're going to sneak back into the previous executive's emails, and you've got to have all those rules in place regarding retention, because everything now becomes discoverable. There's some legal matter, and the answer is that it's mostly always discoverable.
We never had a good way to deal with it, and let's say, delete it or archive it so we could keep things clean.
Mike Krass: Outside of the executives, I'm just going to stay in this hospital because we're already here. Are there certain legal compliance guidelines you must follow for data retention in healthcare? Is it like seven years, and then at seven years and a day you get to nuke anything deemed non-essential, or will it just keep holding on to stuff forever?
Tom Johnson: As far as legal goes, medical records, if that's what you're referring to: the federal government has its rules, and the state has its own rules, and whichever one is the stricter of the two gets applied. I live in Pennsylvania, and it's seven years, plus another 15. If it's a minor, you must wait until they turn 18 and add the additional seven. So depending on the age, you could be looking at 25 years of record retention for a newborn or young child. What ends up happening is you just say, “We're going to keep everything forever.” That's the mentality. Now, certain things get purged because they're not critical to the record's value and are just extraneous data captured from physiological monitors, or other scanned documents that just aren't applicable. But other than that, physicians' desire for good analytics is stretched past that period. The logic was just to keep everything for clinical decision-making, especially with people with chronic diseases.
Mike Krass: When in doubt, just don't delete anything.
Tom Johnson: And on the non-medical record side, it's based on your policy. If you set your policy saying we'll keep emails for six months, that's what it is.
Mike Krass: We've been talking about all the painful scenarios here. Let's talk a little bit about potential solutions, and, again, you're the CEO of Nimbus-T. I imagine you've got some ideas for solving some of this pain regarding identity and access management. Talk to us a little bit about solutions. How can we make this less painful?
Tom Johnson: I usually describe it like this: if you get identity correct at the beginning, generally downstream things tend to go pretty well. If you get your identity wrong initially, it's a nightmare downstream. If you register the wrong patient under the wrong name, what do you think's going to happen to all the billing records? What do you think's going to happen to their clinical records? You're now documenting new things on the wrong patient. That's just an accident. That's not even anything malicious or some kind of cybercrime; that's just the registration clerk registering Tom Johnson under a different Tom Johnson. Bad things can happen if somebody borrows somebody else's insurance cards because they don't have any. They can come in and say, “Well, here's my insurance,” and they register them. Bad things happen. You have identity theft and probably some type of insurance fraud. Those are just two simple use cases.
When you dig into the cybercriminal world: I've somehow hacked your environment, I've stolen your credentials because I've social engineered you. I'm pretending to be you to gain access to systems so I can steal information or lock you up with ransomware or whatever my malicious purposes are. It all starts with identity. Identity doesn't solve every cyber issue, but it addresses various serious ones, with the primary attack vector being employees, who are easy to social engineer and relatively easy to hack.
Mike Krass: If you can get identity right, at the very onset, access management should follow. Say we get identity right. But something goes wrong with access management. What could go wrong in Access Management?
Tom Johnson: It's all those things we previously talked about. Your profile is not correct because your job role has been changed. You have too much access to information based on your day-to-day responsibilities, and you've transitioned through roles throughout the organization. Let's say you're relatively high up in the organization and in some type of management role with a lot of access. And for some reason, you change job roles or are demoted down to a relatively low-level position. It's not always automatic that your access will be restricted. The biggest risk, from an authorization standpoint, is just keeping up with a very dynamic workforce, where you're granted permissions to things very often, but not often are those permissions removed. Whether it's files or folders or documents or other accounts, it's easy to give them, very hard to remove them. So that's the core problem with that side of the equation.
Mike Krass: We've been in Hospital Ville USA in this discussion, but I was also thinking, if someone is demoted within an organization, or you're talking about the public sector. You're in the military and do something incredibly unwise for your military career. You get busted down from Lieutenant Colonel to a private, and how quickly are your accesses demoted? You will probably get your lapels demoted faster than most of your IT access. And that's all speculation. Of course, I'm not speaking as a representative of the US military in any way from an IT standpoint. I'm just thinking of those different situations where, essentially, what you and I are talking about here is that the business might end up moving faster than IT or security systems within the business. And when that happens, you might not have an access management demotion as quickly, or at all, as you might want to as a leader within the business.
Tom Johnson: Absolutely. And remember, none of the things we're talking about are malicious. They're just business processes, and we're not saying somebody maliciously intended to give somebody significantly more access so that they could harm an organization. No, this is just common business practice. This is just what happens as organizations evolve and employees make their way through the ecosystem of the HR world. Promotions and transfers, new skills, new projects, new bosses demanding you get this access or that access every day. But what it does is it opens up the door to problems, where people are getting access to information they shouldn't have. I compromised your account, and you have way more access than you should. I can say that this person had a lot of access. Now, I'm going to capture that information and use it maliciously against the organization. And that's where the real problem comes in, when there's a compromise. Because if you had extremely limited access to just the key pieces of information you needed to do your job, that's all the malicious actor can access. But if you have an enormous war chest of information available to you, because of the things we're talking about, bad things happen.
Mike Krass: Let's finish this interview with the final question here, Tom. Tell our listeners about a terrible haircut you've had at one point in your life.
Tom Johnson: I am a member of the US military. I'm a veteran and I got a very terrible haircut when I went to Fort Sill, Oklahoma, and became a private in the United States Army, and then found all these weird scars on my scalp that I didn't know existed from my rough childhood.
Mike Krass: Well, I want to say thank you for your military service and for being brave and sharing that haircut. If our listeners have heard this conversation, and they want to speak to you, Tom, or they want to speak to Nimbus-T, how do they get in touch with you?
Tom Johnson: The best way would be to go to our website, nimbus-t.com. There's information for me as the CEO and founder, and a contact page where you could put your information, which is the best way to reach out to us.
Mike Krass: Excellent. To our listeners, just repeat that that is nimbus-t.com, and I am the US nimbus-t.com. Tom, thank you so much for spending time with our listeners today. Sure,
Tom Johnson: It was a pleasure, Mike. Thank
Mike Krass: To our listeners, thank you for your loyal listenership to What's the Problem, the show that explores problems buyers, practitioners, operators, leaders, and anybody involved in the world of cybersecurity are facing today. Until next time.
Tom Johnson
Tom Johnson is the CEO of Nimbus-T, a cybersecurity business that created the Nimbus-Key System. This system is patented and provides a new level of security for authentication onto your enterprise. To learn more about Nimbus-T, check out their website at www.nimbus-t.com