Asaf Lerner’s work in the identity and access management (IAM) space has spanned 20 years and two countries. His first job was on the R&D side with a small Israeli startup called Aladdin. In that job and others, he designed many PKI and authentication technologies that are still in use. About 5 years ago, he transitioned into a business position in the Identity and Access Management (IAM) world that was more customer-facing. He’s currently at Thales, a large global security provider, as the Director, Business Development & Channel Acceleration AMER.
Asaf joined the Cloud Protection in Licensing (CPL) division, where he’s part of the product management team that is in charge of IAM technologies. We were eager to interview him because of his mix of technical skills, combined with a global perspective.
Read on to discover more about Asaf’s take on how Covid-19 is affecting remote work.
Q: Are you receiving a lot of frantic calls from people trying to figure out how to securely work remotely?
A: YES. I think that we are at an all-time record of usage of different authentication and identity access management systems. We are experiencing more than 5 times the usual load our cloud services usually experience, which is crazy. Just imagine if we, for example, are serving around one million customers daily. Now it's more than 5 million. It's just crazy. When we decided on this topic for this interview, I thought it may be a niche topic within the bigger Identity and Access Management space and then boom, we have this pandemic making this maybe the most relevant topic in security today. We are also seeing an increased number of customers using our on-prem authentication solutions.
Q: What's the number one challenge that you're dealing with as customers get in touch with you?
A: We are looking at two kinds of companies at the moment. One type consists of companies that already have an established infrastructure for their identity and access management structure and are looking urgently to expand it. Those companies already have the gates in place, have all deployment protocols within the service desk, people who know what to do, and they just need to add more users and enroll more authenticators.
The second type of customer is one without any remote working culture implemented. They didn’t previously allow remote work. This is a very big challenge because they must start educating users who are not used to working remotely. They must educate them on what they should do now and how to authenticate. These companies are now having to allow this type of work and they have to do it quickly. This can be really challenging. But again, we are there to supply personal services and workshops and advice and whatever we can to set them up as fast as we can. In both situations, we are working through the weekends to make sure all of our customers are being supported.
Q: Wow. That is challenging. So what are the best practices when you're trying to protect information?
A: One of the tools one must implement is MFA. MFA stands for multi-factor authentication. We know that passwords are a very bad way of authenticating users. Passwords are easy to predict, easy to get a hold of. Most employees use the same passwords for their business needs and personal needs. If not the same password, a very close version of it. It's easy to get someone's password and to hack it. And once we have hacked someone's password and that organization uses passwords alone to authenticate users to each resource, then those resources are out in the open. So, the first thing that we have to do is to make sure we protect all of our resources using multifactor authentication. Now, multifactor authentication means another means of identity or a factor when the user is trying to log in other than the password. Now it can be a one-time password sent by SMS, for example. It can be biometrics. We can use your Face ID in order to validate your identity instead of using a password. And it can be the machine that you are using, your laptop or your phone that is being used. We can identify that device in order to make sure that you are you when you're working remotely.
This is also a best practice when you are working internally in your office. Many companies treat the office space as a secure place that if you pass through the doors, then you don't need to authenticate. To be honest, this is not entirely true. When people work remotely, we have to make sure that everything is protected by multifactor authentication. And by everything, I also mean cloud-based applications. Those are software-as-a-service applications that we're subscribing to. It can be our CRM, HR system, financial system, operation system, or an infrastructure-as-a-service system like AWS or Azure, for example. All those systems that are naturally open or exposed to the world should be protected by multifactor authentication.
On-prem legacy applications that we thought were protected because they were inside, as the industry calls it, “the perimeter,” protected by our firewalls and physical security: they also should be protected by multifactor authentication. This is step number one: protect everything with multifactor authentication.
Step number two, in order not to bug your users throughout the workday with many authentication requests... Just imagine that you knew that you had an employee using 15 different applications during their workday, right? They go from this system to that system and so forth. If we ask them to re-authenticate 15 times during the workday, that can create unnecessary friction with the user. You want to make sure those applications somehow should be able to speak with each other and say, “Hey, this guy just authenticated to his email five minutes ago and now he's trying to get to his salesforce.com account. We don't need to re-authenticate him. He's good.” This is called SSO or single sign-on. Once I have authenticated to one resource, I'm getting access to all the other resources. Having an SSO system is very convenient for the user because the user has to authenticate only once a day, but it's heaven for the attackers out there because if they can breach that, they get to everything. We want to implement a smart SSO mechanism, which means that on the one hand we'll keep the balance, making it very easy for the user going through his workday. But on the other hand, we limit the bad guys from coming in when they are able to reach one account.
That balance is what we call a smart SSO or policy-based SSO, and the best-known buzzword around that is Zero-Trust. And again, it doesn't matter if it's a cloud-based resource or an on-prem resource, we'll go and check everything, all the different aspects of that request, and we decide if we're allowing it or we are asking the user to re-authenticate or we are denying that request altogether because it doesn't make sense to us that someone is trying to log in from an unfriendly territory on Sunday at 2:00 PM.
Q: That’s great. Do you have anything else to add to that?
A: As I mentioned, the first step is to MFA everything. This includes legacy applications, cloud applications, etc. It might be VPN access or VDI access, a virtual environment. However, make it easy for your users. There are many authentication techniques out there, but I personally believe that simplicity creates security. If we do not make it super-simple for our users to act securely, they will not do it because they don't care. We should make sure that the user is using modern authentication techniques. A very popular buzzword now around this is “passwordless authentication.”
That means that we are making all the passwords redundant. We don't need them anymore. We will verify the user's identity by other means, using a pattern that the user knows. We will use biometrics, a thumbprint, eye scan or facial identification.
The second step is to create smart policies to keep the bad guys out. For example, if I know that my users are working only within the United States or Canada or North America and maybe the UK, I can automatically tell the system that all other authentication requests will be denied because I have no one working in, say, Africa. By reducing the number of authentication requests, I’m creating a calmer environment for our admins and our security system to manage—and this is very important to make sure that I will authenticate the users only when I need to and block everything else.
Q: What are companies dealing with as they try to transition over?
A: After we took care of all the back end things that we spoke about earlier, we need to enroll the users. We need to have a very efficient way of telling the users that from this moment on you have to use a mobile application or a hardware token or any other means to log in to your work environment. We know that these kinds of deployments are time-consuming and create a huge load on the service desk, which is probably already working at full-blown capacity. We will recommend using as much automation and self- or user-initiated enrollment as possible. For example, if a user needs to start working remotely tomorrow, he can get a link or he can go and log in the regular way, then receive a notification that says, “Your organization said that from this moment on, in order to enhance security, you’ll need to use multifactor authentication when accessing this resource. Please click here to enroll a token.” That takes the load off the service desk and the IT department and shifts the responsibility of enrolling tokens and setting up passwords to the users.
Q: Obviously, there's a ticking clock going on right now, but are there things companies should think about to be strategic in terms of the changes they're making right now?
A: Yes. When I consult with companies, I ask what is your most urgent topic? Where's the pain right now? And we'll solve it. But let's look down the road. In three months, this virus may go away. I'm not trying to be pessimistic, but even if the thing goes away quickly, we don't know what will be next. And we must be prepared. So, let's start and build a strategy three months down the road, six months, one year, and two years.
Where are we going to be? It’s not just about allowing people to work remotely, but also about restructuring our whole identity and access management posture. Now in the past, many organizations were reluctant to engage in strategic activities because they figured they were migrating most of their applications to the cloud or just going full-blown cloud. They thought they’d deal with identity and access management when the time comes. The whole infrastructure is moving to the cloud, but they are being left behind on the security, with legacy identity and access management systems that were not built to deal with modern threats like a hybrid environment, a phishing attack, and ransomware.
What we are doing at Thales is creating those strategies with our customers. After solving the most urgent pain points, we create a plan with our customers to make sure that all the different changes and migrations will be addressed with the identity and access management.
We advise looking at applications, and even deeper than that, examining where our sensitive data is, who has access, and from where. Usually in companies today, half of the applications will be internal and half of them will be delivered from the cloud. If legacy applications are being kept internally, is there a reason for that or is it just a matter of habit? Are we keeping them internal because we cannot really protect them if we make them external-facing applications? If so, let's think of ways we can protect them. We've seen a lot of companies that use legacy applications that they don't really need; if you don't need an application, there is no need to protect it. Migrating out of it is something that happens in many different small steps. But, it’s very important to have a strategy, and then you won't get blindsided when you have to allow your users to work remotely.
Q: When employees work remotely on personal devices or mobile devices, are there any particular threats that they need to be thinking about differently?
A: There is a whole world of what we call endpoint protection that helps you make sure, for example, that your phone is not being compromised and your laptop is intact. A good identity and access management system knows to protect the assets (or access to the assets) and makes sure that the machine is not being compromised. For example, mobile-based authentication can know if it's an iPhone that has been jailbroken or if it's a rooted Android, which can compromise the security a lot. It knows if your PC is compliant with corporate policy.
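As an added illustration, not code from the interview or from any Thales product, the following Python sketch shows a policy-based SSO decision of the kind Asaf describes: a recent MFA in the session lets the user through silently, an unexpected country or a jailbroken/rooted device is denied outright, and an off-hours request or a non-compliant device triggers re-authentication. The policy values, country codes and sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class AuthRequest:
    user: str
    resource: str
    country: str                  # ISO 3166 code from a geo-IP lookup (assumed to exist upstream)
    when: datetime                # time of the request in the user's local zone
    device_compromised: bool      # jailbroken iPhone / rooted Android, as reported by the authenticator app
    device_compliant: bool        # PC passes the corporate posture check
    last_mfa: Optional[datetime]  # when the user last completed MFA in this SSO session, if ever


# Constructed policy modelled on the interview: users only in the US, Canada and the UK,
# a 30-minute SSO window, and Mon-Fri 07:00-19:00 counted as normal working hours.
POLICY = {"allowed_countries": {"US", "CA", "GB"},
          "sso_window": timedelta(minutes=30),
          "business_hours": (7, 19)}


def decide(req: AuthRequest, policy: dict = POLICY) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Hard stops first: a compromised device or an unexpected country is denied outright.
    if req.device_compromised:
        return "deny", "device is jailbroken or rooted"
    if req.country not in policy["allowed_countries"]:
        return "deny", f"no users expected in {req.country or 'unknown'}"
    # SSO: a recent MFA in this session means we need not bother the user again...
    fresh = req.last_mfa is not None and req.when - req.last_mfa <= policy["sso_window"]
    if not fresh:
        return "step_up", "no MFA within the SSO window"
    # ...unless the rest of the request looks unusual, in which case we re-authenticate.
    start, end = policy["business_hours"]
    off_hours = req.when.weekday() >= 5 or not (start <= req.when.hour < end)
    if off_hours or not req.device_compliant:
        return "step_up", "recent MFA but unusual time or non-compliant device"
    return "allow", "recent MFA, expected country, normal hours, compliant device"


def run_samples() -> dict:
    """Constructed requests covering each branch; returns {name: decision}."""
    monday_10 = datetime(2020, 4, 6, 10, 0)  # Monday 10:00
    sunday_14 = datetime(2020, 4, 5, 14, 0)  # Sunday 14:00, the case from the interview
    base = dict(user="alice", resource="salesforce", device_compromised=False, device_compliant=True)
    samples = {
        "email_then_crm": AuthRequest(**base, country="US", when=monday_10, last_mfa=monday_10 - timedelta(minutes=5)),
        "stale_session": AuthRequest(**base, country="CA", when=monday_10, last_mfa=monday_10 - timedelta(hours=3)),
        "weekend_login": AuthRequest(**base, country="GB", when=sunday_14, last_mfa=sunday_14 - timedelta(minutes=5)),
        "unexpected_geo": AuthRequest(**base, country="ZZ", when=sunday_14, last_mfa=None),
        "rooted_phone": AuthRequest(**{**base, "device_compromised": True}, country="US", when=monday_10, last_mfa=monday_10),
    }
    return {name: decide(req)[0] for name, req in samples.items()}
```

Every denial and step-up carries a reason string so the decision can be logged and reviewed by the admins rather than silently dropped.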
To learn more about what Asaf and Thales do, click here.