Entitlement management with Ron Nissim from Entitle: Entitlement management in azure, aws, google cloud or perhaps in all of them at the same time for most organizations would be complex and requires a different approach to how permissions and privileged access were managed in on-premise environment. For this episode we had Ron from Entitle to share his views on the topic.More IAM episode on www.cloudsecuritypodcast.tvQuestions asked: 00:00 Introduction 01:55 A bit about Ron Nissim 02:33 How Ron describes IAM 03:43 Why IAM is important in Cloud? 06:27 What is entitlement management? 07:57 At what scale does it become a challenge? 11:24 Privileged access in cloud vs on prem
Ron Nissim: [00:00:00] When you look at a permission management program, like I'm a company, I want to go about starting the whole concept of permission management or my organization. Where would you naturally start? You'll start with your more sensitive resources. What is that usually called? That's called PAM privileged access management, right?
So that's often the first. step that companies take in their permission management program is starting with the more sensitive resources. The approach around these more sensitive resources is usually what's often called the just in time approach. And it's an ephemeral concept of ephemerality of these more sensitive resources, the permission or access to these most more sensitive resources.
So that's kind of usually where companies like starting. That's where they like a place where you can get value quickly. These are products as they're easier to deploy. The time to value is quick. It's easier to see success there.
Ashish Rajan: Access management. One would have thought identity access management has been solved for years, but today I am having a conversation with Ron from Entitle because we haven't spoken about entitlement enough in the world of cloud. So why not talk about today? Things like why is it hard to manage [00:01:00] a lot of identities and access in a cloud context, the different kinds of identities that can exist in the cloud context, and what you could be doing if you're starting an identity program in cloud. All that and a lot more in this episode.
I hope you enjoy this. If you want more episodes on cloud security, definitely check that out on www. cloudsecuritypodcast or if you would like us to cover more interviews and training on topics like identity, access management in cloud, definitely leave that as a comment or email us at firstname.lastname@example.org and as always, if you know someone who's probably working on identity access management, please share the video with them.
And if you are here for the second or third time, definitely drop us a like or comment on YouTube. But if you're listening to this on audio, thank you so much for keeping us close to your ear. And if you have a moment, I would really appreciate if you can drop us a review or rating and I would talk to you soon.
See you in the next episode. Peace.
Welcome to another episode of Cloud Security Podcast. Today we're talking about my favorite topic because I started identity access management.
So I'm really excited about this. For this, I have Ron. Thank you for coming to the show, Ron. Nice to meet you. Thanks for having me. No problem. And for people who don't know Ron, what's your background and I mean, how'd you go to where you are [00:02:00] today?
Ron Nissim: The long answer or the short version? Which one do you think?
I grew up in Dallas. Last few years I've been spending in Tel Aviv. Started my journey in cybersecurity in the army. Did security research and development. And, you know, all the kind of low level research stuff. And when Avi, my co founder, and I finished our service, we realized that many of the core challenges were in the permission management space.
So that's why we decided to focus on that space as kind of the next core challenge of what we felt was yet to be solved. And that's kind of what leads that led us to start Entitle and kind of that snowballed into what we're doing today.
Ashish Rajan: Awesome. And I think identity and access management, because we find that a lot of the cloud security conversation is a lot about vulnerability.
Hey, we found this vulnerability that vulnerability in cloud. Identity and access management is usually looked at as a space that is. Actually, maybe if you can explain what IAM is for you, that would be a great preface for my question that's about to happen for people who do not know what IAM is. How would you describe it?
Ron Nissim: So IAM, first of all, identity and access manager, [00:03:00] right? That's the whole concept of governing who has access to what and who is the identity inside the different applications. So centralization of identity or using identity provides SSO is kind of usually that first step that usually often people think about and talk about in IAM but there are obviously other parts of that privileged access management takes the more ephemeral approach, IGA governance and administration, some more visibility and actual operational day to day. So definitely a multifaceted has a lot of different aspects to it, which is why often it takes huge teams to actually manage all that process.
I think people often think about IAM as a subcategory of cybersecurity. It can almost be thought of as like its own world, right? Yeah. I feel like it's consuming enough and large enough to be in parallel.
Ashish Rajan: I agree. It's funny 'cause I started my career, a cybersecurity career in IAM and I used to think that, oh, this is not gonna be like a thing, but to what you said, 'cause my thinking about, oh, this is a subset.
I wanna learn all these other things. But there are companies with dedicated teams, It's just for IAM as well out there, right? And I'll be curious to know from [00:04:00] your side, because it's a problem that's been there for a long time. A lot of people were here and this would go, isn't that already solved? Why is IAM such a topic now when we're talking about in the cloud world?
Ron Nissim: Well, this goes back to where you started your first question of like, You know, vulnerabilities, IAM, what's the relationship? I think that companies are realizing over time that, you know, misconfigured permissions or mismanaged permissions is a vulnerability. And when you look at all the major compromises that happened to the largest of companies over the last few years, Uber and Okta I think are two large examples that happened fairly recently.
It was boring old stuff, you know, Okta, what it was, it was customer success teams having access to a very wide range of environments and one of them getting compromised. That is the basis of IAM. That's the bread and butter. First of all, it's proof that we still have not solved that issue.
The fact that the biggest of compromises are these boring old things. But second of all. I think that a lot of industry changes have opened the opportunity to solve this problem at a wider scale. I think that, you know, CNAPP, CSPM, cloud [00:05:00] security was kind of that first step in realizing that misconfiguration of something is a vulnerability.
It doesn't have to be zero day, it can be just a setting that's not configured correctly and it's very similar in the IAM world, if a permission is misconfigured, that in itself is a vulnerability. And so, how do you go about orchestrating, managing that whole process, especially as you take on more SaaS applications, more infrastructure?
People are opening themselves up to multi clouds, managing that, you know, maybe you're really great at AWS, you bring on GCP, that's a whole nother world. And as you start diversifying your assets, it just becomes more and more challenging.
Ashish Rajan: Interesting. You say that because most people would think that, yeah, SSO is like the reason, right?
I mean, doesn't that mean we'll solve the problem? The complexity of multi cloud, having multiple SAS providers and managing access across that as well. So it's not just. Identity access management is a lot more complex now than what it used to be.
Ron Nissim: Well, I think there are aspects of it that become more challenging.
Just to give a concrete example, SSO has become very widely adopted. And so the [00:06:00] whole concept of local users and things like that, those are becoming, you know, things of the past. I'm not going to say they're totally behind us, but definitely things that, you know, all of a sudden SSO is something that's taken more and more for granted.
But now that we have that basis behind us, we can start thinking about the more granular, the more forward thinking the more specific aspect of permissions inside the different application. That's kind of that next step, right? The governance administration permission provisioning inside the applications themselves.
Ashish Rajan: Interesting. And how would you describe entitlement management? Because I think we were talking about this offline as well about entitlement management as a space. Yeah. And we spoke about IAM as an identity access management in the top level. You can kind of go granular even further as well. That's how complex this field is.
How would you describe entitlement management?
Ron Nissim: It's interesting because first of all, I think because the space is really in its early innings, it's evolving and changing off and companies come to me and they'd say, we're looking for CIEM and they mean totally different things. So, I mean, let's put the term aside real quick and let's talk about the problem statement and the different aspects of it.
I think that generally [00:07:00] there are two sides to things. Governance, the more visibility, understanding of who has access to what identifying overprivileged, identifying permissions that are not in use, things like that is kind of generally considered more on the like visibility. Maybe even cloud security side of things.
And then there's the administration, the actual operational day to day of how employees get access. What is the process they go through? How do you define these policies? And that's. You know, first of all, they go hand in hand. I spoke with a, with a French CISO a while ago. He gave me, I'm not going to try to imitate the French accent, but he said, you can't show me the shit without giving me a broom.
You can't give me a broom without showing me the shit. So the two very much go together. And so. Anyways, generally to say, I think putting the term aside, CIEM can tackle both of them, can be just the visibility side, maybe just the provisioning side. Let's put the term aside and we'll let Gartner and KupringerCole define what that means.
But generally I'll say that those are the two sides of permission management that still need to be covered.
Ashish Rajan: And is that for every level of a [00:08:00] company? Like would a startup have to consider that compared to like a big enterprise? Where do you see entitlement management becoming more of a challenge? At what scale, I guess.
Ron Nissim: Yeah. So I think, you know, when you're really early in your process, you're 10 employees, 30 employees, that's probably not top priority for you. You're probably just managing users through Okta and that's probably good enough. There comes a size where you start having hundreds or thousands of employees and tens or hundreds of SaaS applications and different resources.
Then it's that matrix becomes really large, right? If you have like a 10 by 10 matrix, it's fairly easy to manage. A thousand by thousand matrix, that starts to become really, really challenging. And so that's where automation starts really showing its strength is being able to define these policies across different infrastructures, across different business units.
That's where it becomes more challenging. I think that when you're talking about a cloud native company, cloud resource intensive companies, they have one set of challenges, right? That matrix is kind of fairly vanilla. They're early in their process. When you're talking about more enterprise [00:09:00] company, you know, they already have a lot of legacy that they brought with them.
They have a lot of homegrown solutions, things like that. And then that becomes its own issue, right? It's like, how do you juggle between this new era of cloud infrastructure, SaaS applications that I'm adopting and what I'm using there versus all this old stuff that I still need to maintain. I still need to manage.
And I think that what we're seeing in a lot of these companies is they end up having almost two different business units, two different organizations tackling them separately. You have the IAM team that's tackling the more corporate workforce identity stuff. And then you have the cloud security side tackling the more cloud identity stuff.
Exactly. You know, AWS and databases and SaaS applications.
Ashish Rajan: What are some of the use cases that people would kind of start? Because I imagine people just kind of going. Yeah, I think what's Ron saying it makes sense. But what are some of the use cases when people start seeing it, they should consider? Oh, that's my permission management challenge.
Like, are there certain use cases that you think of? I think we were talking about just in time provisioning and all of that. Are there use cases that you think that would become a challenge at scale in cloud? [00:10:00]
Ron Nissim: Yeah, totally. So first of all, when you look at a permission management program, like I'm a company, I want to go about starting the whole concept of permission management of our organization.
Where would you naturally start? You'll start with your more sensitive resources. What is that usually called? That's called PAM privileged access management, right? So that's often the first step that companies take in their permission management program is starting with the more sensitive resources.
The approach around these more sensitive resources is usually what's often called the just in time approach. And it's an ephemeral concept of ephemerality of these more sensitive resources, the permission or access to these more sensitive resources. So that's kind of usually where companies like starting and that's a place where you can get value quickly.
These are products as they're easier to deploy. The time to value is quick. It's easier to see success there. And I think that what's happening in the cloud world is that the whole concept of privilege of sensitive assets. Companies are realizing it's not a binary. The whole concept of privileged access is not a binary.
Yes or no. [00:11:00] It's not privileged or not privileged. It's a spectrum. There are things that are more sensitive. I think there are less sensitive. And so how do you manage that over time? I think that's where permission management programs start to evolve, right? So you start with this just in time approach around sensitive resources. That's a low hanging fruit. That's the first thing you do. And then you start to expand into the rest of the organization, the rest of the applications that obviously need to be managed just as much as the more sensitive aspect.
Ashish Rajan: Would that be different between say an on premise world versus the cloud world?
Ron Nissim: Totally. Totally. I think that, you know, privileged access manager in the on prem world takes on a slightly different meaning. People often, when you say privileged access management, they often think jump servers. They think, right, how do I wrap the authentication of legacy systems for very sensitive aspects?
And so that's, I think one side of things, I think that's getting solved over time, right? You're having less local accounts. You know, Azure PIM as a simple example, right? How do I assign roles in Active Directory in an ephemeral manner? That's a simple approach in a [00:12:00] cloud manner. That's actually no different than any other permission management, right?
The whole concept of, you know, who's an admin in Active Directory is not that dissimilar to who has access to a SharePoint website. They're both permissions that I'm provisioning. And deprovisioning based off of attributes and other aspects that are slightly more dynamic.
Ashish Rajan: Yeah. And well put together as well.
I mean, that's kind of most of the technical questions I had. Where can people find you on the internet to connect and talk more about the entitlement space?
Ron Nissim: I mean, Entitle. io, obviously that's, hopefully that's a fairly indicative name. That's straight into the point. We try to keep things simple and straightforward, not too much marketing fluff.
And so obviously our website, happy to reach out. I'm happy to connect on LinkedIn, Ron Neesam. Yeah. Looking forward to talking, having some more interesting conversations, you know, somewhat what's beautiful about Black Hat. We're here at Black Hat. Beautiful about Black Hat is just having a lot of security practitioners that are really happy to share their perspectives.
And I think that's where we thrive as startups is keeping, staying on the cutting edge, understanding what we could be doing differently. And if I'm [00:13:00] wrong, I'm happy to be called out on it.
Ashish Rajan: That's pretty awesome, man. And I'll leave the LinkedIn profile in the shorts as well. But thank you so much for coming on the show.
Ron Nissim: for having me. Thank you for coming on
Ashish Rajan: and thank you everyone for watching. I'll see you next episode.