Episode 115

Balancing Access, Risk, and Interoperability with Nabeel Nizar

EPISODE SUMMARY

Access controls have evolved from attribute and role-based to today’s policy-based and knowledge-based access controls. Static controls miss the mark in organizations where job functions are fluid and access to IT systems and business applications must be granular. Nabeel Nizar, EVP of advisory at MajorKey Technologies, joins Joe to share strategies for setting permissions and entitlements that avoid excess privileges and ensure every access request isn’t based on exceptions. They discuss a crawl-walk-run approach to adopting emerging technologies that leverage data and context for access controls that adapt dynamically.


Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the show, Joe Carson, chief security scientist and advisory CISO at Delinea. It's a pleasure to be here with you to bring another exciting, another thought leadership, and fun topic. I'm joined by another amazing guest in the industry, someone who has years of experience. So, Nabeel, welcome to the episode and the podcast. You want to give the audience a little bit of introduction about you, who you are, what you do, and some interesting things about...

Nabeel Nizar:

Thanks, Joe. Happy to be here. Hello, everyone. My name's Nabeel Nizar. I'm currently serving as the EVP of advisory at MajorKey Technologies. MajorKey's been in the industry for 25 years, focused on identity security. I've been in the industry far too long. Similar to Joe, started out doing identity and access management with Novell. I spent about six years running products and solutions for Saviynt before exiting out of the software ISV world and joining forces with the services industry. Nice to be here.

Joseph Carson:

Fantastic.

Nabeel Nizar:

Yeah.

Joseph Carson:

It's a pleasure. The theme of today's episode is all about the history and evolution of access control, something everyone has to deal with on a daily basis. Let's go back into... Since we've been in the industry for quite a long time, let's go back into the early years of your introduction even into computers and technology... even personal life. What was access control for you when you started? What was the experience?

Nabeel Nizar:

Wow, that's going to be dating me quite a bit, but let's get into it. So, I got into this era of computing back when we were doing networking with Novell and file servers. So, that was my foray into access control. Everything was driven by users, identities, and access control was pretty much derived off the attributes of a person's identity. Most of it was centered around access to data, file servers, read, write. I would argue that Novell had some of the best ACLs in this space. And then came Microsoft with Windows. It was NT in the beginning, and then access control shifted to everything in that primary and secondary domain controllers. Everything was tied to still identities, but it was driven by groups.

Joseph Carson:

Some resources and attributes and organizational units.

Nabeel Nizar:

Yup. Similar concept, but I think we lost a lot of the granular access control permissions along the way, and I use the term loosely. It was sort of a poor man's IAM, if you will. If you belonged to a certain group and that group was tied to access control lists on file servers, et cetera, you could do certain things. I mean, that's where everything started. One could argue today that the initial access control was ABAC. The attributes were groups.

As we evolved and then you had identity management come into play and folks started figuring out, "Hey, if I wanted to create a much more overarching policy to drive access, I should probably do roles." And RBAC was born. If it wasn't for the complexities of driving the right roles for an organization, I think we'd be well along in that RBAC journey. But as we all know, coming to the right set of roles, it's always difficult. If you don't have a governance program on roles, they're going to be stale because your business is evolving.

Joseph Carson:

In many cases, everyone ends up consuming the same role. A lot of times, everyone became part of that group.

Nabeel Nizar:

Right. It had the same issue with groups. You did groups and then you had redundant groups, you had duplicate groups, you had overpopulated groups.

Joseph Carson:

I thought managing it was a nightmare, especially when you started getting into the double, triple digits of physical membership. It just became a constant nightmare of how we managed that.

I remember even one of the first projects I worked on in my career was an interesting project, because it was really one that got me very deeply understanding about access users. It was actually the digitalization of medical records. That was a really interesting one, because there was the traditional way of doing it, which was that the medical records were in a paper folder in the hospital in the medical records, locked away in a vault with a key. That anytime a ... 00:05:00], you had to then make an appointment with a doctor in the future, and that appointment had to be more than 30 days out, because the time it took for that medical record, you get from the medical records in the hospital to the GP's office for you to visit was more than 30 days. So, you had to make sure there's appointments.

And then, there was a chain of custody. So, your medical records would be taken out of the hospital's vault. You put it on basically a postal service. Everybody handled that along the way, because ... It was put in a folder, moved in a trolley, put into a vehicle, and driven to the clinic. The doctor would get it, and then you would have your appointment. And it was all of that concern about who has access, how do you determine who can read your medical records that way. The person who's carrying it from the archive into the logistics, the person who's driving it to the GP, the person who's basically the administration who's making sure it gets to the right... All of those left this void of who has visibility, who has access, who could change things.

My role at that time was to digitalize, was to take those medical reports and put them into a file server database form that doctors could then access it on demand. And that was really where you started thinking about it really early, sometimes doctors would then have a shared account. It's one account that they all used to access all medical records, and then you couldn't really determine which was accessing and editing and changing and updating. And then, you get into the computer that they had, which was a ... 00:06:44] terminal, back into the IBM mainframe, which was literally the size of the frigging huge room that you would be in. Ultimately then, security and access was key to the room.

To really get to your point, when we digitalize things and those early set controls that... where let's have defined usernames and password schedules, that's getting into rules and groups... That moving from very general view of physical capability to getting into, you can actually start seeing who's looking at what... who made that... the auditability and the fine-grained control to the point where... That was so great because you had very, very specific details into who was doing what.

But the more people we added to that system, when you had very few people, it was so easy to audit and manage... adding hundreds of doctors, multiple people, and multiple people having different types of access, from surgeons to emergency staff, to paramedics to doctors, all getting access to this record, it became a huge nightmare, and I think that's really where we started seeing that's the way that we were doing it then in role-based access... limitations.

Nabeel Nizar:

It's interesting. I always go back to if your implementation of the security controls slows business, who's going to win that battle? And it's interesting that you picked the one domain where it's very hard to enforce these access controls, and that's healthcare. Patient care trumps anything that you're going to do. So, I always looked at it as if you're going to implement best practices, you got to make sure that it doesn't impact the business, you've got to be able to move at that speed of business, got to increase productivity. I mean, if you look at customer IAM, everything around access and customer IAM, if it doesn't help generate revenue, it's a showstopper.

Similarly, in healthcare, if you put too many controls in place and a nurse or a doctor can't attend to a patient's medical condition, that's a problem. So, I think a crawl, walk, run approach should be taken. And I think your example you talked about, what folks are dealing with today isn't necessarily who has access, what do they have access to, and why they need it anymore. I mean, I think we've come a long way that technology identity governance era has solved some of that. The question now is how are they using that access to then get to identifying the risks.

So, your example of folks having the access to medical records, just because my neighbor next door happens to be a physician, the medical practice that I go to, it doesn't mean that he or she can look at my medical records like my primary care physician. I think over the pond, I'm sure we've seen the situation with Princess Kate and her hospitalization. All of a sudden, you get news articles of, "Hey, these four people who work in that institute can tell you all about it." So, it's now gotten to a point where just because you have access, how you're using it is that next level of maturity and access control.

Joseph Carson:

Absolutely.

Nabeel Nizar:

Role-based has been around. As we know, the problem with role-based has always been what's the right role. If you're going to mitigate risk, IT can't be involved. You got to push it to the business.

Joseph Carson:

And the right role for people is everyone has a unique need. Not everyone's doing exactly the same job. They might have the same job responsibility in some regards, but they're not necessarily doing the same thing in a digital...

Nabeel Nizar:

Yeah. And it's like, hey, you're going to derive a role and you go to the business finance, "Hey, I'm trying to create an account payable role. Who should be in this role, and what are the permissions it should have?" Well, I don't know the answer. Look at Bob's permissions and let's try to create a role around-

Joseph Carson:

Let's copy. Let's just duplicate Bob, and Adam to John.

Nabeel Nizar:

Bob's been very successful. He's climbed the ladder. He started out in warehouse logistics and made it all the way to finance.

Joseph Carson:

He still has all of those roles.

Nabeel Nizar:

And none of that access has been removed. Well, the building of roles isn't an easy task. Again, I think with a lot of machine learning and AI and a lot of data analytics, it's become easier than hiring one of the Big Four and having them sit down and spend a lot of money in developing a role that's stale the minute you publish it. So, technology has helped, but continuing down this path of what's next, I think there was an introduction of policy-based access controls, and I would even argue there are some very, very smart people even trying to get to knowledge-based access controls.

Joseph Carson:

Actually, it's an interesting perspective because it's really combining the need and maybe what you've already satisfied before time also. So, it's a very interesting concept.

Nabeel Nizar:

Yeah. It's looking at how you're using it. It's looking at how the business is involved. You're trying to get to a point where you have just enough to create this birthright where people get exactly what they want. The alternative of it is you build this elaborate access request system, where it's like my kids and me going to the grocery store and going down the cereal aisle. Can I have that? Absolutely. Throw it into the cart. So, you deal with a lot of access requests, complex workflows, approvals ...

If you can get a set of just enough birthright roles for the person to do their job, give it to them. And then, every access request becomes exception-based. Now, you can start building a platform to externalize this access. Hey, Nabeel is requesting something that nobody else has. This isn't appropriate for his job or function. And then, you send that to the ...

Joseph Carson:

And it's never happened before and it's first time and it's not-

Nabeel Nizar:

Right.

Joseph Carson:

There's no other context that determines that there's a need for that. It's like going back to the example that I had with the medical records, is that doctor and nurses now going to request access to view, let's say even a specific record. It could be your blood work or it could be your blood pressure, could be bone fractures, whatever it might be. Not looking at everything but looking at specific ... And it might come up as ... you have an appointment, have you been to see them in the past? Do you have a plan surgery or a problem in that specific area? So, getting into looking at different data sources and attributes, really to your point, is getting to that. Is there enough knowledge to determine whether this is actually something that's authentic and should ...?

Nabeel Nizar:

100%, yup. And then it becomes dynamic, and then it truly becomes business-driven. But to get to that dynamic look, that cliché term, identities as security perimeter, yes, overused, overplayed. I personally think we're in a maturity stage where your context is king. So, to your point, and I go back to healthcare, I can't slap a role onto a person and say, "This is your static access." Because the way the healthcare business is evolving, you've got regional hospitals, umbrella hospitals, where you could be an LPN in hospital A, and tomorrow you're traveling to another site under the umbrella hospital where you're an RN. On the third day, you're an RN manager. You can't expect these people to show up and request access. It has to be much more dynamic.

I think that whole knowledge base is going to look at a much larger dataset to pull context from. Just because you're a CFO, and you can access the file share folder that has the 10-K filings for your public company, doesn't mean that you can open it if there's malware on your machine. It doesn't mean that you can open it if you're sitting at a shared workstation at a hotel lobby. So, additional context needs to come into play so you can ensure that not only do the right people have access to the right resources, but at the right time and at the right place. And I think-

Joseph Carson:

And also updating it within the right parameters as well, so that people can't go... Financial, you can't go and then create an invoice that is way more than what you see boundaries have been, and that might have a four-eyes approach or might need to have additional security controls. So, make sure that you have proper separation or segregation of duties.

Nabeel Nizar:

... 00:15:44].

Joseph Carson:

You use your role and rights. Context has to be having at least, I would say, type of algorithm mentation, so you have ...

Nabeel Nizar:

Yeah. The reality of, and I think you touched on a great point, and I want to double click on it, the reality of separation of duties controls, is that you have to keep the lights on in an organization, and auditors really want to ensure that you've got a control in place. So, it's not enough to say, "Can Nabeel have access to create a vendor and pay them?" Just using a very base example here. No, he shouldn't.

However, if we don't give him that access to pay this particular vendor, because Becky's not available, then your business could be impacted. So, you apply that access, you put some mitigating controls around it, you remove that access when I'm done with it. However, that needs to be externalized. That needs to go to the business. You got to have a vehicle to then transfer that workflow in that integrated identity program, if that makes sense.

Joseph Carson:

Absolutely.

Nabeel Nizar:

So, it's got to be infused. You got to look at all aspects of it. I think granular permissions within the core applications. I mean, look, Enron happened, what, 2000, 2004? The solution has been out there to solve the identity problem, but what have we been doing? We've been certifying access to AD groups. Stop ... the critical permission lends. It really-

Joseph Carson:

We can learn a lot when we think... Because one industry that I worked with quite a few years ago, I learned a lot from them, was... There's two industries that I think that they do this really well. One is ... casino, because they want to make sure that there's no collusion. If you want to update a casino machine, it's two people. You got one person that has the key to unlock and the other person has the key to change. And again, that combination when you look at financial industry, used to be back with ATMs, somebody who had the key to open the ATMs and somebody basically had the key to make changes to it.

So, those two industries, for me, it really got down to... Especially when you're dealing with very large amounts of money, they took separation of duties very seriously. And not just from the access to systems, but they had it through the entire ... and background checks and about who was allowed to work together. I even remember when I was ... years ago, I was called an infrastructure tool specialist for massive data centers. So, my job is to go in and make changes to the data center. And I was allowed to go in and make changes, but I wasn't allowed to sign off on my own work. I was not allowed. Yes, I've done it. There was a team that followed me on a monthly basis to audit everything that I did, and they would sign off. I wasn't allowed to do it myself.

I would say that I noted it down as completed, and this is the changes I made, and this is what has been removed or ... in place. You've got all of those documentation of serial numbers and all version numbers, integration, but it was never completed until the auditors come back and said, "Yep, ... serial number machine." Because again then, it was all about costs. Because then, you could properly then bill back the costs afterwards. So, I was not signing off my ... because that's where you start having abusive ... That's where people start having shortcuts. And when you know that you can't take shortcuts, people don't do it because they know they can't get away with it.

Nabeel Nizar:

Right. And I think what you're honing in on is the access controls are privilege. Every access is privilege at the end of the day. I think everyone's-

Joseph Carson:

You all have different skills and risks.

Nabeel Nizar:

Everyone's got different levels of entitlement, different levels of privilege that comes along with it. So, even if there's two people working in marketing and they're doing the same job and same function, they're based on projects, one person might have additional entitlements and that's a privilege at the end of the day. I think we're shortsighted if we keep looking at just domain admins and who's got Linux root access. Privilege extends across the enterprise.

Joseph Carson:

Even if I have... I might not have the ability to create users or modify users, but I had the ability to look at lots of data. That's privilege. I was going back to the healthcare pieces. I'm a doctor and nurse and have access to one person's medical details. That's true. I might have access to everyone's medical records. That's a very highly privileged high risk. So, yes, they're all privilege, they all have entitlements, but they all come with different risks and different... If those risks are abused, it's having the impact of one person versus many. So, you're absolutely right.

Nabeel Nizar:

I'll go back to the start of this conversation. I mean, the problem with access control has always been can't have it impede productivity in your business. You've got to help the business move along with these controls. So, in my years of doing this, the advice I give is don't try to boil the ocean. Take baby steps. Everyone's out there thinking roles are going to solve the problems of the world. No, it's going to be a combination, but it shouldn't be all about technology. It should be about how it's going to be leveraged by the business to improve the business, and then you take those baby steps and employ them static ...

Joseph Carson:

You're absolutely right. One of the mistakes I think many organizations have made over the years is that they've taken the out-of-the-box roles that many solutions provide, and they take those as these are the ones that we should be using. Rather than thinking about these are the guidelines, these are the ones that we should be thinking about. As using as a guide, not as using as the role. Because if you think about domain administrator in Active Directory, Entra ID, ... does anyone need to have that amount of power? Probably not. Those are, for me, emergency types of accounts. That's the last resort when things go wrong. That's when you need to be able to figure things out. I think we've taken those defined roles that come with many solutions as the ones that we should be backing to, and many organizations just basically say, "Here, this is a role." Put users ... all of a sudden just put users in those roles, and they can be easily abused.

Nabeel Nizar:

That's a role maturity problem. It's partly an enablement problem, but also a role maturity. I mean, I think they stop at the app level roles as you mentioned, and say, "Hey, these are my business roles." No, they're not. They're application level roles. And I talk about this in some of our webinars too. You got to get the bookends of roles done. App-level roles are a must, sure, because they come out of the box, but then you also have to have enterprise roles on the other end. Things like FTE, contractor. Establish those, and then everything in the middle, you need to derive it based on the richness of the data that you're collecting to come to that middle set of roles, business roles, which can be geo based, functional roles, departmental roles, job roles.

There is no one size fits all. I think if you can get the bookends done, it'll help move the needle, and then start working on the roles in the middle. But you still have to be dynamic. You have to be flexible, and I think that's where context is going to provide some of that down the road. There's some great things being done around authorization and externalizing it, and there's this whole movement for next gen op, which I think is going to be that next phase, the maturity phase of ...

Joseph Carson:

Absolutely. Absolutely. So, getting into a little bit more in the dynamic side of things, the context-based, because that's really the evolution, that's where we're going, and we're seeing that maturity happen quite quickly. What's your view? How does AI pull into all of this and machine learning and algorithms? What's your view when we start really getting... Right now, ... we are building those pieces of dynamic access based on different types of data points ... how do you see this evolving near term for future-wise?

Nabeel Nizar:

Yeah, that's a great topic that I think is going to take a longer time to discuss, but a couple of key points. Applications are evolving, which is helping quite a bit. I think there were times when an app would just tie to an LDAP group or an attribute. I mean, those days are gone. Everyone's exposing API. So, things like OAuth is really driving a lot of this, and the Microsoft world's service principals ... out there as well. So, I think from the app level or the application side of the house, there's much more interoperability coming to be able to drive.

Joseph Carson:

That's a key word, interoperability.

Nabeel Nizar:

My gosh, yes. I think that ... standards has really helped that quite a bit, and I think there's some really smart people in the industry driving those standards as well. Look, we used to have, in the early days, with Kantara and the Liberty Alliance, who had a lot of this sharing of metadata to help businesses move along, Star Alliance, things of that nature. But I think we're going to see it at a faster pace because you've got machine learning now homing through all this data. If you look at identity governance as an example, I think people get sidetracked with building connectors and doing provisioning policies, and they lose sight of the fact that, hey, I need to just get these apps onboarded into a warehouse to try to get my AI and ML to go do something ...

Organizations, if they've got 100 critical applications, they'll take five, six years and only get 10 done. Why? Because they're not mining data to build this utopia. They're integrating to just get provisioning done. And legacy connectors, non-standard APIs, you waste a lot of time. I say in today's world with a lot of advancements, with a lot of different technologies, onboard all the applications, start curating the data. Don't care how you get it in there. Get the permissions in there. Start letting your ML and AI do its thing and come up with what are the right set of access controls based on your algorithms. Look at all of the different computations of access-based, all those permissions. Look at privilege, look at SOD.

Again, if you look at context, you can pull things like usage. These five permissions have never been used. Well, let's reduce your risk and remove those from a role. ... started doing this even before-

Joseph Carson:

They made the mistake of having everything on by default, and then learned the mistakes is that that's probably not a good idea. ... actually buckets default to everybody, and ...

Nabeel Nizar:

Why do my DevOps users have access to prod and dev at the same time? Wait a minute, they're not even working at the console on these things. They're working through GitHub and Ansible and pushing out code. Have we looked at those tools to figure out what access they have? I mean-

Joseph Carson:

Those zero trust push step back to the surface and the principle of least privilege was that-

Nabeel Nizar:

Yeah.

Joseph Carson:

Things shouldn't basically be all by default. We want to make sure we actually make those decisions ourselves.

Nabeel Nizar:

Correct. And that's where we're at now. And I think cloud is changing a lot of that, and I think people are waking up to the fact that they have to do their part of the responsibility. It's not just I signed an SLA and I'm all good. No, you've got to figure out access control to the cloud, otherwise... I mean, we're seeing this left and right. Someone decides to use an S3 bucket for data storage and extractions and sharing and collaborating, and no one knows who's got access to it because they went with the default out of the box.

Joseph Carson:

Absolutely. And that's the challenge. I would say one of the terms, I like CISA's view of secure by design, but I always keep reiterating that, yes, secure by design is a great idea and it does include in there in the life cycle of that is by default. But I still think you need to reiterate. It needs to be not just by design, but it also needs to be by default. If you need to change the security, it needs to be the exception. Because by default, it should be actually something that's ...

Nabeel, it's been awesome having you on. What types of resources do you say are up-to-date? How do you stay in the industry? What are some of the things... Is there any conferences you go to, any resources that ... 00:28:44]?

Nabeel Nizar:

There's a lot of smart people out there when it comes to... So, I joined quite a number of LinkedIn communities, follow a lot of folks in that community. I think I also follow a number of vendors that are bringing new emerging technologies out to the market. I don't want to name names here, because I think I'll leave quite a few people, but I think you and I are very much in touch with a lot of these leaders and innovators and thinkers in this space. Some of the things that I've been reading more recently have more to do with Web3, how a decentralized identity, autonomous identity is I think going to become more mainstream. And I think the reason that folks have been really averse to jumping on board with a central government identity is they just don't want their identity to be infringed on.

Joseph Carson:

Bring your own identity approach type of where the trust anchor of those identities becomes critical into ... Yes.

Nabeel Nizar:

Right. But ... It's like where the movement today is going along the lines of be your own bank. Your wallet becomes your identity.

Joseph Carson:

Absolutely.

Nabeel Nizar:

No one needs to know your private-

Joseph Carson:

It's the transactions. It's the transactions that become the deciding critical factor here is how do you transact, how do you exchange it in the secure, safe way, and what needs to go. I've had many discussions with ... one of the few from the Jericho Forum days and stuff, and one of the discussions we had on a way previous episode was that it opens down to, do you even need my ...? You need to ask me the questions.

Nabeel Nizar:

Right.

Joseph Carson:

And it's like, "Are you all doctors?" You don't need to know my date of birth. You just need to know. Just hold it off the drive. That gets into the vital parts.

Nabeel Nizar:

I mean, I think that's where you're starting to see the Web3 integration with blockchain and the whole know your customer at the end of the day. If you know your customer, you don't need to ask them for their birthday. You'll know that they're old enough to drive.

Joseph Carson:

Absolutely.

Nabeel Nizar:

And the entitlements are stored in the custody chain there. So, I see that coming and I see that coming really fast.

Joseph Carson:

And there's persistent data as well. There's data that doesn't change, the data that does change. And that's where you also get into is that if I have asked that question over a piece of data that is persistent, I don't need to ask it again. But later, I might need to ask, "Do you have valid insurance?" And there are things that might change or might have expirations. Those are ... You might have the valid data ... continuous replication.

Nabeel Nizar:

Yeah. And as long as those ledgers can be affected by the business externally, I think you'll get a much better use of access controls in the future, or for employment of access controls in the future.

Joseph Carson:

Absolutely. Nabeel, it's been fantastic having you on. I've had a really fun, interesting discussion. It's always great to... I always enjoy going down memory lane. It shows us both how long we've been in the industry, but it also shows that over this maturity and evolution, that exciting things are happening. There's lots of great innovations. There's lots of amazing people out there doing great things. At the end of the day, it all makes our lives easier, digital lives easier online, makes our society much better, and it makes a much safer world. Thank you for everything that you do in the world, in the industry, and it's been a pleasure talking with you. So, any final words of wisdom ...?

Nabeel Nizar:

Be an agent of change. Don't try to impact security by affecting your business productivity. And I think that's key. And as long as you can help the business move forward in a secure and a safe way, I think that's going to become the successor for your identity program as well.

Joseph Carson:

Awesome.

Nabeel Nizar:

Thank you, Joe.

Joseph Carson:

It's been a pleasure.

Nabeel Nizar:

It's my pleasure joining.

Joseph Carson:

Thank you. For everyone out there, this is another episode of the 401 Access Denied podcast, brought to you by Delinea. I'm the host, Joe Carson. It's been a pleasure. Tune in every two weeks for new episodes, new thought leadership with exciting guests. Stay safe. Take care. Until next time, thank you.

Nabeel Nizar:

Thank you.