I started my career in technology at the age of 10 years old. I was a self-taught hacker who didn’t even own a computer. I read computer magazines and then played on computers at the local electronics store, Radio Shack. I’m lucky because I always knew I would be in technology. Hacking was a way of learning, and I soon discovered it was also a way of causing significant damage. After years on the operational side, I got the opportunity to be an auditor in Big 4 consulting, where I learned the fundamentals of controls. I noted that company after company had control breakdowns in the most fundamental processes. Yet those control breakdowns, which often translated into vulnerabilities, could result in significant losses to a company. I saw such losses in a breakdown of controls while working as a consultant at Eron when it imploded. I learned it doesn’t take much to bring a company down. When I eventually became the first CISO of a major Fortune 500 company, I felt it was my duty to protect the company from such extinction events. Unfortunately, I have noticed throughout my career that the greatest danger comes from the identity ecosystem, the last mile to company resources.
Identity Management at Scale: Successes and Setbacks
I had the pleasure of deploying identity platforms for some of the largest companies in the world. Getting identity right is no easy task. It’s complicated work to juggle directories between customer, employee, and machine identities. I even ran what was likely the most extensive identity platform in the world, managing 2.2 million employees in over 100 countries. I also had the complicated task of deploying Multifactor Authentication (MFA) through a partner ecosystem of 75,000 team members worldwide. All the work in dealing with customer and employee-based systems yet barely touching the machine-based identities. These machine-based identities, – were always in my opinion the most persistent audit findings and the root of many major events.
Confronting the Cyber Threats of the Future: Non-Human Identities
While service accounts and certificates have always existed, this increase in use cases where workloads talk to one another, sometimes called machine-to-machine identities, now coined Non-Human Identity (NHI) by Astrix Security, has become central to an organization’s attack surface. The problem has persisted and expanded with the evolution of agile programming and the connectivity required to make systems communicate via Application Programming Interfaces (APIs) which has created more identities that are not assigned to a human to manage.
In the last ten years there has been a push to get everything to cloud platforms and the use of microservices architecture, adding to an already complex problem of manageability to an overwhelmed identity stack. Let’s not forget the layer of Software As A Service (SaaS) to SaaS connectivity which relies on NHIs is yet another area to manage. The problem has come to a reflection point where the tools in most cyber teams’ are ineffective in addressing the risk, which compounds itself as more and more APIs and SaaS systems mature.
As an active Angel Investor, I met with dozens of startups in the cybersecurity industry a week. I assessed many emerging solutions that claimed to address this problem. It wasn’t until I came across Astrix Security that I saw a holistic platform that did the discovery and the threat analysis, risk prioritization and actions needed to remediate and manage the problem. I also noted that many of my peers had the same challenges I had throughout my career. Although they had major identity solutions in their stack, none materially addressed the issue.
Embracing a New Challenge: Why I Joined Astrix Security
With 10,000 NHIs to every 1,000 employees in an environment it’s a safe bet that we’re in an age of a problem that needs solving. I’m ultimately driven by making my industry better and solving problems. I had an opportunity several years ago to do just that by being on a special task force for the White House focused on Trusted Identities for the Internet. It was an opportunity to work with regulators, politicians, and technologists to improve the industry and make people safer online. Here I am again given an opportunity to improve the industry and reduce the risk profile for companies with Astrix Security.
Acknowledging that NHIs are a significant threat today. The exposure NHIs create with API keys, tokens, service accounts, and secrets. It’s clear that NHIs have become the favorite vehicle of threat actors. Knowing what I know about most security shops and what they use to manage their employee and customer identities they are missing 90% of the problem with NHIs. My goal is to make my CISO peers and security practitioners aware of this risk. I intend to assist in maturing the best solution possible to combat this problem to improve the industry and stay on pace with threat actor activity. It’s my honor to join Astrix Security as their CISO in Residence to make an impact in a unique and different way from my past experience as an operational CISO. It’s a mission I accept and I am happy to contribute to Astrix Security.
