Improving Adoption of Least Privileged Access

What are we doing to improve access management? Make it too loose and it's the number one way organizations get breached. Put on too many controls and now you've got irritated users just trying to do their job. How does each organization find their sweet spot?

Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our sponsored guest Paul Guthrie, information security officer, Blend.

Creating a first-tier defense for least privileged access. In the discussion we agreed that proper tooling for internal and external access is a good first step. "We use SSO to reduce user abrasion due to the separation, and an enterprise credential manager. MFA is required for all external access by employees and customers," said Jesse Webb of Avalon Healthcare Solutions. Kevin Qiu of SafeBase added that they use "Okta with managed device trust via Jamf to prevent users from using non-work devices to access sensitive apps."

Getting a handle on identity is critical. This can be as basic as a user access review of accounts, or as advanced as role mining. Aby Rao of KPMG laid out the philosophy that "job responsibilities should match their access, especially for privileged access." This can be a large-scale effort that upends existing business processes in an organization. All that effort is worth it, and it often requires embedding security champions in each team to make sure everyone is protective and not in block mode, noted Laurie Kenley of Microsoft.
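To make the access review and role mining mentioned above concrete, here is an added example (not code from the newsletter or any of the companies quoted) that compares each user's entitlements against a role baseline, flags excess, escalates excess that is privileged, and proposes a baseline for a role from what its members actually hold. The role names, entitlement strings, threshold and users are constructed sample data.

```python
"""Added example: user access review against role baselines plus simple role mining.
All roles, entitlements and users below are constructed sample data."""
import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed role baselines: the entitlements each job role is expected to need.
ROLE_BASELINES = {
    "support_engineer": {"ticketing:read", "ticketing:write", "customer_db:read"},
    "finance_analyst": {"ledger:read", "reports:read"},
    "platform_admin": {"prod:ssh", "prod:deploy", "iam:admin"},
}

# Constructed set of entitlements treated as privileged; excess here is escalated.
PRIVILEGED = {"prod:ssh", "prod:deploy", "iam:admin", "customer_db:write"}


@dataclass
class User:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


@dataclass
class Finding:
    user: str
    excess: set               # entitlements beyond the role baseline
    privileged_excess: set    # the subset of excess that is privileged
    unknown_role: bool = False


def review_user(user, baselines=ROLE_BASELINES, privileged=PRIVILEGED):
    """Compare one user's entitlements against the baseline for their role."""
    baseline = baselines.get(user.role)
    if baseline is None:
        # No baseline means nothing can be justified automatically: report
        # everything the user holds so a human reviewer decides.
        held = set(user.entitlements)
        return Finding(user.name, held, held & privileged, unknown_role=True)
    excess = set(user.entitlements) - baseline
    return Finding(user.name, excess, excess & privileged)


def review_all(users, baselines=ROLE_BASELINES, privileged=PRIVILEGED):
    """Return only the findings that need reviewer attention."""
    findings = (review_user(u, baselines, privileged) for u in users)
    return [f for f in findings if f.excess or f.unknown_role]


def mine_role_baseline(users, role, threshold=0.8):
    """Propose a baseline for `role`: any entitlement held by at least
    `threshold` of the role's members. Entitlements held by a minority are
    treated as individual excess rather than part of the job."""
    members = [u for u in users if u.role == role]
    if not members:
        return set()
    counts = Counter(e for u in members for e in u.entitlements)
    needed = math.ceil(threshold * len(members))
    return {e for e, c in counts.items() if c >= needed}


# Constructed sample users for the review.
SAMPLE_USERS = [
    User("alice", "support_engineer",
         {"ticketing:read", "ticketing:write", "customer_db:read"}),
    User("bob", "support_engineer",
         {"ticketing:read", "ticketing:write", "customer_db:read",
          "customer_db:write", "prod:ssh"}),
    User("carol", "finance_analyst",
         {"ledger:read", "reports:read", "reports:write"}),
    User("dave", "contractor", {"ticketing:read"}),  # role has no baseline
]

if __name__ == "__main__":
    for f in review_all(SAMPLE_USERS):
        tag = "UNKNOWN ROLE" if f.unknown_role else "EXCESS"
        print(f"{f.user}: {tag} {sorted(f.excess)} privileged={sorted(f.privileged_excess)}")
    print("proposed support_engineer baseline:",
          sorted(mine_role_baseline(SAMPLE_USERS, "support_engineer")))
```

Running it reports bob's two privileged extras and carol's stray write entitlement, and leaves dave for a human because "contractor" has no baseline; the mined baseline for support engineers matches the three entitlements both holders share.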

Dynamic systems might point the way to a more sustainable approach. We're starting to see systems that can adjust permissions based on real-time context. Avani D. at Schellman was impressed when he found a system that "utilized artificial intelligence and machine learning algorithms to analyze user behavior, location, time of day, and other relevant variables to dynamically determine access privileges."
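The quote above describes an ML-driven product; the added example below (not from the newsletter or from any product it names) shows the same idea in its simplest rule-based form: score the request context from device, location, time of day and recent failures, then grant the full request, step up to MFA with write scopes withheld, or deny. The signals, weights and thresholds are constructed assumptions, not values from any real system.

```python
"""Added example: context-aware access decision in rule-based form.
Weights, thresholds and sample contexts are constructed for illustration."""
from dataclasses import dataclass

# Constructed risk weights; a real deployment would tune or learn these.
WEIGHT_UNMANAGED_DEVICE = 40
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_OFF_HOURS = 15
WEIGHT_RECENT_FAILURES = 25
STEP_UP_THRESHOLD = 30   # at or above: require MFA and withhold write scopes
DENY_THRESHOLD = 70      # at or above: refuse the request


@dataclass
class Context:
    managed_device: bool
    country: str
    usual_countries: frozenset
    local_hour: int            # 0-23 in the user's local time
    failed_logins_last_hour: int


@dataclass
class Decision:
    action: str          # "allow", "step_up" or "deny"
    granted: set         # scopes actually granted for this request
    score: int
    reasons: list


def score_context(ctx):
    """Sum the risk contributions of each signal and explain them."""
    score, reasons = 0, []
    if not ctx.managed_device:
        score += WEIGHT_UNMANAGED_DEVICE
        reasons.append("device not managed")
    if ctx.country not in ctx.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append(f"unusual country {ctx.country}")
    if not 8 <= ctx.local_hour < 19:
        score += WEIGHT_OFF_HOURS
        reasons.append(f"off-hours request at {ctx.local_hour:02d}:00")
    if ctx.failed_logins_last_hour >= 3:
        score += WEIGHT_RECENT_FAILURES
        reasons.append(f"{ctx.failed_logins_last_hour} recent failed logins")
    return score, reasons


def decide(requested_scopes, ctx):
    """Shape the granted privileges to the risk of the request context."""
    score, reasons = score_context(ctx)
    requested = set(requested_scopes)
    if score >= DENY_THRESHOLD:
        return Decision("deny", set(), score, reasons)
    if score >= STEP_UP_THRESHOLD:
        # Elevated risk: require MFA and grant only read scopes for now.
        read_only = {s for s in requested if s.endswith(":read")}
        return Decision("step_up", read_only, score, reasons)
    return Decision("allow", requested, score, reasons)


# Constructed sample contexts.
OFFICE = Context(True, "US", frozenset({"US"}), 10, 0)
HOME_LAPTOP = Context(False, "US", frozenset({"US"}), 10, 0)
SUSPICIOUS = Context(False, "XX", frozenset({"US"}), 2, 4)
REQUEST = {"customer_db:read", "customer_db:write"}

if __name__ == "__main__":
    for name, ctx in [("office", OFFICE), ("home laptop", HOME_LAPTOP), ("suspicious", SUSPICIOUS)]:
        d = decide(REQUEST, ctx)
        print(f"{name}: {d.action} score={d.score} granted={sorted(d.granted)} reasons={d.reasons}")
```

The design point is that the decision shapes what is granted, not only whether the login succeeds: the same request yields full access from a managed device in the office, read-only access pending MFA from an unmanaged laptop, and nothing at all when several signals stack up.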

Those not possessing full capabilities won't be able to use all access options. If someone is blind, or cannot hear, certain two-factor efforts will simply not be usable. "Consider digital accessibility when considering access management tools, as most current offerings are not always accessible, leaving those with disabilities at risk," said Justin M. of Deque Systems, Inc.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

And thanks to all our other contributors (witting and unwitting): Patrick Garrity of Nucleus Security, Kris Arthur of SEKO Logistics, and Lloyd Evans of LastPass.

Huge thanks to our sponsor, Opal Security


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jeff Hudesman, CISO, Pinwheel.

Thanks to our Cyber Security Headlines sponsor, Opal Security


CISO Series Podcast LIVE in Washington, DC 09-2023


We'll be the closing entertainment of the Convene conference, a full-day event about security awareness at the Watergate Hotel in Washington, DC. The event will be happening on September 6th, 2023. It's brought to you by the National Cybersecurity Alliance, the same people who bring you StaySafeOnline.org.

Joining me on stage will be Rob D., deputy CISO, Walmart, and Aaron Hughes, CISO, Albertsons Companies.

Use this link to take advantage of the CISO Series discount. We will also be playing a game show the following evening, on September 7th, 2023.

Jump in on these conversations

"What are some myths about security products you would like to see busted?" (More here)

"Had an interview today where the interviewer said to not pursue cyber security because AI will replace the industry in a few years." (More here)

"Discarded, not destroyed: Old routers reveal corporate secrets" (More here)

Coming up in the weeks ahead on Super Cyber Friday we have:

  • [08-18-23] Hacking Conferences

Save your spot and register for them all now!

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.

Anwar El-Wakil

Cyber Security Senior Manager | Leading Security Compliance & Risk Management

1 year

Thank you David Spark! Khaled Galal Hassan a good listen!

Thanks for quoting me, David! The newsletter was great as always.

Lloyd Evans

Google Security | Mandiant | Board Member *views are my own*

1 year

Appreciate you using my quote David.

Justin M.

Information Security Practitioner | Accessible and Inclusive Security Advocate | Servant Leader

1 year

David Spark thank you for using my quote!
