Interview: Joseph Carson On The Convergence Of Authentication And Authorization

Joseph Carson, Chief Security Scientist (CSS) & Advisory CISO at Delinea, discusses the convergence of authentication and authorization, and the benefits of a platform-based approach to identity security.

One of the toughest challenges that many CISOs face today is the complexity of managing a myriad of security tools and services. Employing multiple, disparate security products is cumbersome and inefficient, and often leads to gaps in coverage and increased vulnerability to cyberthreats. Because of this, there’s a growing demand for unified, platform-based security solutions that offer comprehensive protection through a single, integrated system. We’re seeing this demand particularly in the identity security space, as CISOs want to consolidate their MFA, SSO, PAM, and access authorization tools.

“In the security industry, we can’t wait six months for changes,” says Joseph Carson, Chief Security Scientist (CSS) & Advisory CISO at Delinea. “Threats are changing so quickly and we’re seeing real-time campaigns, so we have to find ways to turn on security immediately, in real time. And platform approaches have the ability to do that.”

Delinea is a cybersecurity provider born of the 2020 merger between Thycotic and Centrify, two market-leading privileged access management (PAM) products. Since the company’s launch, Delinea has expanded beyond PAM to offer a comprehensive identity security platform focused on identity authorization; i.e., applying the right security controls to restrict what users can access with their credentials post-login.

In an exclusive interview with Expert Insights at the 2024 RSA Conference in San Francisco, Carson discusses the convergence of authentication and authorization, the benefits of a platform-based approach to identity security, and how Delinea’s recent acquisitions of Authomize and FastPath have expanded its existing portfolio.

Note: This interview has been edited for clarity.

Could you please introduce yourself and tell us a bit about your security background, and your current role at Delinea?

My name is Joseph Carson and I’m the Chief Security Scientist and Advisory CISO at Delinea. I’ve been with the company for eight years now and in the industry for over 30. My role at Delinea is to understand the security landscape—what’s happening in the industry, what the trends are, and what techniques attackers are using—and then translate that into things that we can do to help solve those areas. So, there’s an element of security research to it, but I’m also a voice and a sounding board for a lot of CISOs out there that are having challenges or looking for strategy, and come to us for our expertise around privileged security and privileged identity controls.

What is the #1 topic that the Delinea team is here to discuss at this year’s conference?

The biggest topic that we’re talking about is the evolution of identity security, and the convergence that’s happening in this space.

Delinea has historically been in the PAM area, focusing on privileged accounts and privileged access for those accounts. But there’s been a convergence that’s been happening in two areas. The first of these is around identity access management, which focuses on the authentication side of things and making sure that you can consolidate those “who” tools, like single sign-on, multi-factor authentication, and identity federation.

The other area of convergence is the authorization side. This refers to what you are allowed to do in the organization after you’ve verified who you are. Think of it like a hotel; when you check in, you get a key card that allows you to access the hotel, but that key card only allows you to access certain areas—the lobby, your room, maybe the gym. It’s not just about managing the privileges; it’s about managing every interaction after the access—whether it’s machines needing access to resources and networks, APIs needing to access databases, users who are elevating and accessing servers and workloads in cloud and SaaS-based infrastructure. But it gets a bit complex when you have that across a hybrid, multi-cloud environment.

That’s where Delinea sits. Delinea is here to provide that visibility, discovery, control, security, and entitlement, and bring all of those components together.

Privileged accounts are a lucrative target for hackers trying to gain access to critical business data. Despite this, 63% of security decision-makers say that high-sensitivity access for users in their organization is not adequately secured, 77% of developers have too many privileges, and almost half of all organizations have at least some users with more access privileges than are required for them to carry out their work. Why are so many organizations struggling to secure their privileged accounts?

There are three parts to this. Firstly, organizations have tended to try to use unsuitable tools to do various aspects of privileged account management, such as using password managers to manage privileges. What you’re still doing there is delegating security decision-making to employees to make the right decisions. You’re not integrating it across your different solutions, platforms, and services, so you have a lack of visibility and auditability. So, you’re using things that aren’t suitable for those areas; instead, you need a solution that’s dynamic and adaptive, so that it can evolve with your business as you move to new applications, services, and technology that’s released. That’s one of the areas that Delinea is really focussed on—making sure that the solutions we deliver today have the ability to adapt for the future problems that organizations will face.

The second part of this comes down to getting the right knowledge and education. Organizations know that privileged accounts are important and high risk, but what are the best practices and guidelines they can do in order to reduce the risk, but at the same time, keep up productivity and efficiency?

The final part is knowing how to get started, and Delinea offers a lot of support here. We provide a lot of educational material—eBooks, best practices, and guidelines—and we’ve also got maturity models that show you your next phases of maturity, and the journey that you can go on.

Another of the issues that organizations sometimes struggle with is the complexity of managing all these different tools that we’ve been talking about. How does Delinea’s consolidated platform help reduce some of that complexity? 

We’ve invested heavily in our platform approach. We’ve recently done several acquisitions—we acquired Authomize earlier this year, and more recently FastPath. And what we’ve seen is, it’s very easy to take those solutions and quickly adopt them into the platform itself. So, not only can those solutions be delivered from the platform, but customers are also getting all the additional benefits that the platform provides, like the reporting capabilities, and the built-in artificial intelligence capability that allows you to do better analytics into your users and privileges.

It means that organizations simply click a button and get the feature or use case. It’s no longer a matter of going through extra deployments and evaluations; you’ve got the platform, and you just add the functionality that you need with a click. That makes it much more seamless and easier for organizations to get value quicker.

In the security industry, we can’t wait six months for changes. Threats are changing so quickly and we’re seeing real-time campaigns, so we have to find ways to turn on security immediately, in real time. And platform approaches have the ability to do that.

You mentioned Delinea’s acquisitions of Authomize and—more recently—FastPath. How will these acquisitions enhance Delinea’s existing PAM portfolio?

Authomize brought Cloud Identity Entitlement Management into the portfolio. It’s about being able to apply the right policies across multiple cloud environments and SaaS-based applications. A lot of times, organizations misconfigure these, so you might make a change over one cloud environment and that change is not replicated or synced in the other environment, so you get this mismatch of misconfigurations that could lead to exposure. From a threat perspective, you might remove certain users in one environment, and it didn’t apply in the other, and therefore you leave those accounts open to attackers.

Authomize also enabled us to provide identity threat detection and response, or “ITDR”. We have the ability to detect abuses of privileges across multiple clouds, so users can act and make necessary changes, and also apply the right entitlement to lock it down for the future.

What FastPath brings into the portfolio is identity governance and administration capabilities. IGA is a big area that we previously didn’t cover, but now we can lock down end-to-end all the privileged interactions you’ve got across the entire business, both on-premises and in the cloud. So, not just the first time the user logs in, but at every interaction they have.

For example, if a user logs in or checks in to an account, then uses that account to log into another system, you have the ability to apply security controls on the checkout, apply security controls on the login, and then if the user laterally moves, you can also apply multi-factor authentication at every interaction.

If you could give one last piece of advice to the CISOs and security leaders attending the conference this week, what would it be?

Don’t be afraid to ask for help. If there’s something that you’re challenged with or need advice on, or you want to know what best practices are or what other organizations have been doing, don’t try to do it alone.

Many other experts have lots of knowledge that can help you accelerate your own strategy, so reach out to a vendor like Delinea, and we can provide you with knowledge and best practices and help you fast track your strategy.

Finally, what are you most excited to see in the cybersecurity space as we continue into 2024, then beyond into 2025?

We’ve heard a lot about artificial intelligence, and there’s quite a scary thought about the direction it’s going to go in. I recently did a piece of research, which found that most people believe that it’s not here to kill us, it’s here to save us. And I’m hoping that that’s going to be the reality towards the end of this year and beyond. I’m hoping that we can use the capabilities of generative AI and other AI tools to really make the world a safer place, and that we are able to use AI with responsibility and accountability and not abuse and misuse it.

Thank you to Joseph Carson for taking part in this interview. You can find out more about Delinea’s privileged access management solutions via their website.
