Interview: Securing Access With An Identity-Based Ecosystem

Larry Chinski is the VP of Global IAM Strategy at market-leading IAM provider, One Identity. With over 25 years of experience in the IT and cybersecurity space, and 15 in the identity security space, Chinski identifies trends in the market and uses that knowledge to inform strategic product growth and development within One Identity’s identity and access management portfolio.

As well as his role in mapping One Identity’s solutions to the ever-changing threat landscape, Chinski is responsible for the field execution of One Identity’s SaaS platform.

At RSAC 2022, we spoke to Chinski to discuss recent changes in the identity threat landscape, how organizations must adapt to overcome security risks, and how a holistic solution can help businesses to manage identity sprawl and unify their approach to identity security.  

Can you give us a brief overview of One Identity and the solutions you provide?

One Identity is the cybersecurity division of Quest Software. We focus on credential-based cybersecurity across four segments.  

Identity Governance and Administration is one of those segments, and we have a suite of solutions in that space. These solutions all have to do with lifecycle management and access certification. We also focus on Privileged Account Management, as well as Active Directory Management System services. Most recently we added a new segment with our acquisition of One Login around Access Management. In the industry, this is often referred to as Identity and Access Management or Web Access Management, and includes anything from multi-factor authentication to enterprise single sign-on through the web. 

Our goal at One Identity is to provide a unified, secure framework leveraging those four market segments in a way that’s not individualized and fragmented, to create an identity-based ecosystem that’s based on risk and can leverage components of each of those segments. My role as Vice President of Global Strategy is to look at certain trends that are happening in the cyber space, see how other companies and our customers are responding to those, and then figure out internally if we need to buy, build, or enhance our solutions to address what we see in the market. 

In recent years, we’ve seen huge changes in the way people work and engage in digital services. What are the big security risks that you’ve seen since the last RSA conference in 2020, and where are things going?

The shift that we’ve seen started around three years ago and was accelerated when COVID hit. The old ways of cybersecurity protection involved using infrastructure to protect people and devices. What we’ve seen over the last few years is a shift from an infrastructure-centric cybersecurity model to an identity-centric cybersecurity model.  

With everybody working remotely, we couldn’t rely on the infrastructure to protect individuals anymore. So, now companies are building their security posture on top of identities themselves.To successfully implement this strategy with people working remotely, companies need to consider how they’re giving employees flexible yet controlled access to the resources they need on a day-to-day basis.

That’s been the biggest change we’ve seen. Like I said, when COVID hit and suddenly everybody was working remotely, organizations were really scrambling to figure out a way to allow remote work and figure out how to do that securely. So, the biggest change has been figuring out how we protect these individuals that used to be protected by old infrastructure—but do it remotely.

That’s why solutions like PAM, IAM and IGA have really increased in the last couple of years because those are critical components used to help secure individuals. I think a bunch of organizations were ready for this change since a lot of them had kind of been moving in this direction already. But for many the challenge of protecting individuals in this new landscape is ongoing.  

Credential theft is a major issue at the moment for our readers across businesses of all sizes, especially in the wake of the pandemic and continuing adoption of cloud technologies. Why are credential theft and account compromise such a major challenge for organizations today?

Credential theft is very easy to do, quite frankly, especially compared to what it was 10 years ago when they were writing complicated algorithms to try and breach network firewalls. Now cybercriminals can purchase a batch of user IDs and passwords on the dark web and hand and then utilize social engineering tactics to execute these attacks.  The reason these attacks are so successful today is because there are many different elements organizations have to add and build to protect against these attacks and many don’t have the resources or understanding of how to start this process.  

What steps should businesses be taking in order to prevent account compromise and credential theft? What are the key technologies and processes businesses should be implementing?

When you look at how organizations have responded to the challenges we’re talking about, they’ve started to implement individual, fragmented tool sets; like one from IGA and another for PAM. This is a good start, but only the beginning. The problem with implementing different tools is that each platform functions individually leaving holes between systems that are easier to breach. For example, companies could use an IGA tool to manage some of their lifecycle management, but with these individual tools being separate from another application so there’s really no cross-pollination of the functions that each of those systems can handle.  

What we’ve done at One Identity, and one of the things that I’ve been putting together for the last couple of years based on what’s happening in the market, is create a unified security platform that ties every element of identity security together. Through a holistic platform, companies can achieve zero trust and privilege governance. There are a lot of alliances being formed in the market now between IGA companies and PAM companies to create this basic concept, but they’re struggling because they are individual companies.  

Based on these challenges, I’d recommend that organizations look at how to leverage components of each of those tactical tools to create a more of an all-encompassing framework based on risk to protect individuals. Because again, we’re building the security posture on top of the identity, which means they’re in the center. So, by taking elements of each of those components and unifying them, that’s going to be the best way to mitigate identity-based risk.  

We know the risk is always going to be there. There’s no way you can eliminate it completely. But, the best approach is to build a platform that can utilize all four identity components. It sounds like it’s really hard, which is why a lot of companies are still trying to figure that out. However, you really just start with one—companies can start with a PAM solution or an IGA solution, for example—and then incorporate those components for each of those to build more of a modernized framework around security. 

So, in light of that, do you anticipate that different identity security providers will be extending their portfolios in the near future? 

Absolutely, they’re doing it now. In fact, some of our competitors in the access management space are now investing in lightweight IGA tools for a couple of reasons. The main one is as a response to reports that were released as early as a month ago about the risks and predictions for the next two or three years. Those reports focused on how the convergence of these tool sets is happening both internally, and externally in the hyper-automation space, such as robotic processes.  

We know the extension of identity security provider’s portfolios is coming because a lot of these providers are either adding those capabilities to their portfolios, or they’re forming alliances to try and build those tools. When you look at a lot of our incoming customers, for example, they’re not just asking for a simple IGA solution anymore. Instead, they want components of each identity element in one solution. So, just about every vendor, in each of those segments I talked about, is adding capabilities or is partnering up to get those capabilities in order to meet customer needs.

Finally, what is your advice for organizations looking to protect cloud services by implementing processes such as multi-factor authentication and single sign-on; how should these technologies be chosen and implemented?

I’m sure it’s different company to company. What I recommend companies look at is what’s most critical to you right now, and typically that’s their people. So, by finding out where their risk profile is and implementing something like an MFA solution—these are fairly easy and quick, and they add a good element of risk mitigation right from the start—companies can really look back and see what things are mission-critical. Are they applications, are they specific people? It’s important to understand what type of access individuals have, and if they’re doing anything with RPA, they need to know that those are at risk as well because those are identities, and they’re typically not monitored or tracked. 

Do a risk analysis, or what we call a PAM pen test; look at where the privileged credentials are and who’s got them, and you’ll find out a lot by just spending a couple of weeks going through those types of exercises. 

Thank you to Larry Chinski for taking part in this interview. You can find out more about One Identity’s suite of identity and access management solutions via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.