Ian Todd: Hello and welcome to the fourth episode of the new realities of cyber security podcast series. My name is Ian Todd, I’m a data privacy and cyber security consultant here at PwC.
Today I’ll be joined by Richard Mardling, director of Access Governance. Having control over who has access to an organisation’s data, whether that be personal data, intellectual property or thought leadership is a fundamental security control. We’ll be discussing the tools and approaches to best protect organisations from external and internal threats.
Well Richard thank you for joining us on the podcast. I think today’s going to be really interesting and I know it’s a really interesting topic within the marketplace right now, so we’ll be looking at identity access management, PwC’s offering with AccessAble. I think really what people will find interesting is how things have changed in the last 10 to 15 years, what’s important now, what was important in the past and how things are going to be looking in the future. So I think a good starting point here is talking a bit about yourself, maybe a little bit of an introduction on what you do at PwC.
Richard Mardling: Ok, I’m Richard Mardling. My role is to lead the practice, I was brought in to build a practice from scratch. There wasn’t one here. We’re now up to about 25 people and still growing. Prior to joining the firm I was a partner in a small boutique. We got bought out and let’s just say I didn’t get on well with the people who acquired us so it was time to move on. Going back to the company where I was a partner of, I took them into identity management back in 1998, completely by accident, it was one of those things we, I was out doing a piece of work for a client and they needed to have some controls as to who had access to their intranet and I said ‘Oh you need role based access control then’ and they went ‘Yeah, yeah sounds really good!’ and I went home, I thought I’d better find something and I found a product and I imported it and we managed to sell it and then we sold some more and it sort of went from there.
Richard: But as ever, with these things it was never a planned thing, it was one of those accidental things and it just happened.
Ian: Yeah and I think it’s interesting, I know we talked a little bit before the start of the podcast so you’re seeing more and more of this important interest in I-down rate now. What was it like 10, 15 years ago? What had you seen at that point when you’re talking about role based access, so that means for people who maybe just don’t know, different levels of privilege for different people within the organisation so the director of finance would have far more privileges than someone who’s maybe just the intern. So are we seeing this consistently becoming more of an issue over the last 10 or 15 years? Are people more aware of why it’s important now? Or is this just something that’s happened over the last two or three years?
Richard: Oh well a whole load of questions in there.
Ian: Yeah, it is.
Richard: So, how, what’s changed in the past 10 or 15 years? One of the main things that has changed is that people are realising that they can’t just write it themselves. They’ve, 10 plus years ago it was really difficult to persuade people to effectively externalise their security. Developers wanted to build it themselves, they could do it and they could get on with it and they thought it was great, and a good example of that was back in 2005 there was a thing called the Bichard Inquiry and a Bichard Report, which is back to the Soham murders of Holly and Jessica and we were brought in, and one of the things that happened as a result of that was a recommendation to have a national intelligence database. That was in June, announced in Parliament. At the end of September I got a phone call and they said ‘Richard, can you go and see so and so. It’s pretty urgent’. So off I go, I go and see a company, I won’t name them, and they had been given the job of writing the national intelligence database.
Richard: And they said to us ‘What we want you’ and the Home Office who’d given me the call, said ‘What we want you to do is put your technology in to secure it’ and we had a real battle with the software developer who wanted to do it and we said ‘No, no, externalise it, because it’ll make your delivery quicker’, ‘Well no it won’t’ and this sort of, we had this sort of backwards and forwards discussion. There we were at the end of September, the go live date was 23 December. It was immovable because Tony Blair had stood up in Parliament and said ‘It will go live on 23 December’.
Richard: So bit of a sort of shotgun marriage. We eventually switched the service on 22 December and it was tight. All worked, job done, client, end client very happy. Two months later the software developer phoned us up and said ‘Thank you’. I said ‘Thank you for what?’ He said ‘Thank you for persuading us to externalise the security because we would never have hit that go live date if you hadn’t taken that off us and we just plugged into the services that you offered.’
Richard: So that’s, you know, that started the change, that was 2005 but we’re still today discovering people who are still writing their own stuff. What’s changed over that intervening period? So the main, one of the main things that has changed is that people have brought in identity and access management technology for operational purposes. Speed things up, automate things, take cost out and there’s been lots of successful projects that have done that but there have been a lot of unsuccessful ones …
Richard: … lot of failures along the way and what it was that type of pro, service was doing was actually just giving you access quicker to things and it was never taking access away. So actually all it was doing was actually making you more, your organisation more insecure.
Ian: So more and more and more people had more and more rights in …
Ian: … moving around the organisation but no-one was actually controlling that anymore, there was no, no-one taking away them, them rights.
Richard: That’s it. So 2009 Société Générale were defrauded of €4.9 billion and that was, the guy who did it was a guy called Jerome Kerviel and he’d started work for the bank and I don’t know in which department but he’d moved around different departments and he’d worked in front office, middle office and back office and all the time, every time he moved the provision in the identity management system gave him new rights.
Richard: And he worked out that he had rights to do things that he shouldn’t be able to do in whatever role and he ended up as a trader and he was making trades, he knew he was losing money but then what he did at night when everybody had gone home, he went into the systems and covered them up.
Richard: And this went on for a long period until somebody outside of the bank tapped, phoned them up and said ‘Think you’ve got a problem’ and it was €4.9 billion problem.
Richard: He ended up in jail as well for three years because of that. So where it’s switched to now is people are more interested in who’s got access to what and who approved it and is it appropriate?
Richard: We’re moving away from the let’s automate because again when you think about automation, do you want to automate all of your applications or the vast majority? Many organisations have thousands, you know it is not untypical to go to an organisation that, where they have at least 400 applications. Many of them have you know thousands of applications. You cannot automate the joiner, mover, leaver process for all of those.
Richard: But what you can do is get a view on who’s got access to what and is it appropriate across a vast number of applications? And that’s where the change has taken place because again, people realise that the cost saving of the automation in comparison with a fraud, there is no comparison.
Richard: They’d rather do it manually but have this overview than, and automate just 5, 6 applications that are the key ones.
Ian: Yeah, and I mean I’m just trying to picture from my experience, in a modern organisation you’ve got Cloud, Bring Your Own Devices, like you say hundreds of different applications, VPNs so people can get into the organisation externally so there’s, there’s so many different areas now and I imagine that you say as an identity management tool it has to encompass so many different areas.
Richard: Yes the, the, if you think of the trends that you are picking up on there, they again have occurred from mobile workers, people mobile, people want to work from anywhere, any time, it’s the old Martini principle.
Richard: So they want to, is that an age thing? They want to work in Starbucks, they want to work in a hotel lobby, they want to work on the train, they want to work at home and they never actually, if you watch people again, they just close the lid and away they go.
Richard: And that’s how people want to work. At the same time the makeup of workforces is changing, we’re not all, not everybody’s an employee, a salaried employee, some are contractors, some work part-time, work varying hours. We have third parties but they will run around with say an @pwc.com email address. So trying to, who’s keeping your promises is a part of this but trying to work out, at face value, who’s the salaried employee, who’s a contractor, who’s a third party is really difficult.
Richard: And because again with third parties, they will bring people in and out as appropriate. We’re doing some work with one client at the moment who, they do testing on behalf of other organisations. They’re a specialist testing organisation, I won’t mention the industry because you’ll, it’ll soon work out who the client, client is but the people that they’re testing on behalf of are all competitors to each other.
Richard: And they’re all trying to produce similar things. So what they need to be able to prove to, what they call their sponsors, their clients, is that there isn’t somebody from, who’s engaged in testing a product for a rival organisation who can access their data and because these tests are set up, they run the tests, they shut the test down, they move, they break up the team, they move the team on. So the identity management in there is quite significant because you need to be taking their rights away, granting them new rights and at the same time the sponsors are coming in, they have a sponsor a week come in and say ‘Prove to me that nobody else can access our data’.
Richard: And that’s, and it’s challenging.
Ian: Yeah, yeah.
Richard: But again it’s that, the change in the workforce of how again we outsource things, you know before those organisations would have done their own testing, now they outsource it but there’s a risk associated with that.
Ian: Yeah I think the whole thing is fascinating, truly interesting. I think for me personally looking at this, the perception I think is that cyber security is about hacking and about these big elaborate schemes to get into organisations but as you’ve talked about the insider, the person who’s working there with other data privileges can be the biggest threat to an organisation, they’ve got so much potential to go, so much damage than a very elaborate hacking scheme might have. I don’t know if people are quite getting that at the moment, it’s just starting to be illuminated now?
Richard: The past two, three years' Global State of Information Security Survey have indicated every time that the majority of breaches are initiated by staff, current and former, especially if you don’t take their rights away …
Richard: … especially their remote access. Contractors and third parties, they’re the main sort of breaches, over 40, 40-45% of breaches are in that region. You look at the other ones, you say you talk about whether it’s hacktivists, whether it’s a nation state, it’s things like that, they’re down in the 10, 15%.
Ian: Yeah, yeah.
Richard: They get the headlines but actually it’s the insider that causes most damage, whether it’s Jerome Kerviel who’s an insider.
Richard: The guy at UBS two or three years ago was an insider. He, you know, he emulated what Jerome Kerviel did. Ashley Madison was an insider. A number of these breaches, ones closer to home over the past year or so have been insiders.
Richard: So the thing with Ashley Madison was that, why the considered opinion is it was an insider breach was the vast amount of information that was removed and made public. Not only made public but it was also quite diverse. It wasn’t just a large data set of people who’d subscribed, there were floor plans, there was all sorts of things that actually you know, somebody who would break in probably wouldn’t want, you know why do they want a floor plan of an office? It’s, so it, every, all the signs indicated it was an insider, somebody either had some morals and you know and thought ‘No, no I can’t be working with this sort of organisation any more’ or something happened or they didn’t get a pay rise or something but they’d obviously got significant access.
Ian: And I think that point you made there is really interesting as well because we imagine data breaches and myself from a privacy perspective is either it will be some kind of financial information or it could be some kind public, sorry personal information about an individual, but as an insider you can release anything, you know that’s going to harm the company and that’s what your motivation is, if you don’t care about financial gain or you don’t care about finding out some confidential information, if you just want to hurt the organisation, the insider’s the best position personally to do that isn’t it? Really they can cause all kinds of problems from inside and I guess that itself is incredibly difficult. I know there’s been a case of a bunch of disgruntled employees, I think it was in India, who were working for a call centre and as you talked about earlier their permissions weren’t taken away once they left the organisation, they knew this, a bunch of their friends had left and when they all left at one time, they could also access the system, they got back in, they pulled all kinds of things off the system just to cause problems, maybe to steal some information, to sell some stuff on, but again it goes back to that whole, this is such a huge issue right now.
I guess my fourth question to that for you is are the board seeing this as an issue? Cos I know we talk about firewalls and we talk about doing pen testing and secure application development. Are the board and the exec members of organisations now realising the importance of this?
Richard: Access is becoming more and more important. The people who are realising this are audit committees and that’s because whether it’s their internal audit team or their external auditors who are coming along and testing the controls as to who’s got access to some of the key financial systems. I say you know you’ve got lots of stale accounts on this system, you’ve got accounts on this system that don’t appear anywhere else. You’re not in control of who has access to your financial data and because of that it’s been raised at the audit committee and of course the audit committee comprises some members of the board. So I wouldn’t say it’s a board level topic yet …
Richard: … but it is rising up and becoming an agenda item on audit committees.
Ian: Ok. So I suppose that the next question I have for you is looking at the future, and the horizon for identity and access management, I know we’ve got the General Data Protection regulations coming in, obviously PCI compliance has been around for a little while now but there’s more scrutiny over, over data that organisations hold. Who has access to that and then obviously on top of that we have all the Cloud access, VPN, Bring Your Own Devices. How do you think things will move in the future? How do you envision things moving?
Richard: Ok so to take that in two parts. One, let’s talk about just the explosion of data. I can’t remember the source of this but I don’t think my numbers are too far out. Of all the data that we have, an organisation has, 20% will be in the structured system,
Richard: Whether that’s in an ERP system, some sort of financial system, that needs only 20% of your data.
Ian: So that’s like an HR database.
Ian: A nice structured form of information.
Richard: Yeah, yeah. Your ledgers, your purchasing system, things like that. The other 80%, your sales, your CRM, etc. The other 80% is in Word, Excel, PowerPoint, …
Ian: Everywhere yeah.
Richard: … it’s just extracts and if I give you an example. So somebody could go along to the ERP system and do an extract and suck that down and put it into a spreadsheet. They could go to the sales system and do another extract and into the same spreadsheet. Do some sort of correlation so right. So the first two systems we have application owners we can go talk to. First question is who’s the owner of this merged set of data?
Richard: Who’s in control of that merged set of data? So we’ve, that person who’s done those extracts does some analysis on it, produces some graphs. Takes the graph, picks it up out of Powerpoint, out of Excel and drops it into Powerpoint. They add some more, send it on its way and next thing you know they send it to somebody outside of the organisation.
Richard: We’ve now gone from some systems where the controls are really good, of who’s got access to the data, to it’s now in the wild. It’s come out, it’s in the Excel spreadsheet, we have no known owner. Because there was a graph, the person who created the graph probably doesn’t realise that the way the Microsoft products work is that if you create a graph and you just copy it out of Excel and put it into Powerpoint, the data goes with it.
Richard: And now you’ve sent it to somebody outside the organisation, so all those controls have just, are now null and void.
Richard: And we, that’s happening in lots and lots of places so the next thing really is we start to get control of the structured systems is going to be the unstructured data. So not only what does it contain? Does it contain personally identifiable information? But who’s really got access to it?
Ian: Yeah, yeah.
Richard: And then who owns the data? Once we’ve found an owner, you can then put access policies in place, you can then monitor who’s accessing it. So let’s say, you’ve got some data, some documents somewhere and on Google Drive and only a particular mergers and acquisitions team should have access to it and late Friday night somebody comes along from IT and says ‘Oh that looks really interesting’, opens it up cos they’ve got the entitlement just to have a read of it, don’t modify it …
Richard: … but now they know an acquisition of some organisation is taking place.
Ian: Yeah, yeah.
Richard: We can pick that up but then what you can do is, let’s take that team and it’s been, that project’s been running for a while. Some people may have moved off, they should, now shouldn’t have access so you can run a re-certification …
Richard: … to make sure that only the current team have still got access. So that’s one area I think will be big …
Ian: Yeah, yeah.
Richard: … because of the volume of data we’re now generating.
The other area is all round mobility but organisations will have a policy that says ‘If it’s, this document is marked as highly confidential, it can’t be taken in printed form outside of the organisation’. Good, but I got it sent in an email.
Ian: Right, yeah.
Richard: I’m sat on the train, I can read it on the train, hold on that’s wrong because what’s the difference between the policy that says you can’t have it in printed form outside of the organisation, I’ve got it in electronic form. So some of the things that will come along will start to detect where you are …
Ian: Interesting. So geographically knowing that you’re on a train or you’re out of the office or say a certain conference of the office you can be within two miles of the office but no further …
Richard: … Correct.
Ian: … or at this exact office, somewhere else in the city.
Richard: Yeah. The policy to look at these documents maybe that you can only read them when you’re in the office.
Richard: So there you are, you’ve got it on your laptop and you think ‘Fancy a decent, well I fancy a cup of coffee. I’m going to go to Starbucks.’ Pick your laptop up, off you go, down to Starbucks, back onto the network, their network, so geographically I’m in the same place. Actually I’m now on a non-secured network, what the technology will now do is say ‘Richard, you’re on an unsecured network and you have a highly confidential document. The policy says you can’t do that, [clicks fingers], I’m taking it off your screen.’
Richard: Or it will blank certain bits out on your screen.
Richard: So that you can now start to enforce the policy a lot better.
Ian: An interesting example, I heard about this which is quite similar which is hospitals in I believe it was Iran or Iraq, one of the two, were using iPads instead of having physical pieces of paper to write on and they had a similar system in place that if an iPad was to leave the hospital, and I think it was a five mile radius of the hospital, the iPad would be wiped.
Ian: So that try to enforce that policy that you can’t leave a certain area otherwise I guess it has to be wiped.
There’s another question for you as well is looking at something that I heard you speak about, probably about a year now, is the idea of identity as a commodity, as a currency and people being able to regain control so the way I think about this is all the information you put into Facebook, into Twitter and all the different social media, altered to extract your personal information, regaining control over that as a consumer. I know you talked a little bit about that. How do you see that in the future? How will that change?
Richard: Where things have moved to, so if you go back 10, 15 years and even really in today’s age, the user has very little control over their own data. It has to be done, something has to be configured somewhere by somebody in an IT department and that’s fine in many instances, but if you think, start to think now about wearables and stuff that you know, things, there are things, things, it is the right term, collecting data about us you know every second of the day, whether it’s something on your wrist, whether it’s your car and where you’ve been. All these things are all happening, it’s your phone and you know. Now that data is all to do with me.
Richard: So let’s do, let’s do a for instance. Wouldn’t it be great if, well I go to see the doctor and I’m not sleeping. Right, real problem sleeping and so I go and see him and the doctor only starts to ask me some questions. ‘So how much do you drink Richard?’ You know the usual type of stuff, you know ‘Do you drink a lot of coffee, tea?’ things like that ‘When do you eat? Do you do any exercise?’ All these types of questions. What time do you go bed? And I could turn round and say ‘Well actually would you like to see my sleep data?’
Richard: You know the wearable I have says what time I go to sleep, quality of sleep and what time I get up in the morning. So you can analyse that and see if there’s any patterns in there.
Richard: Now where I think we’ll be able to get to is that we will be able to take data and I’ll say to you ‘There you are doctor, there’s my data. I will allow you to look at the data until the end of December’ because it’s still my data. ‘I will not allow you to share it with anybody else and all the other data that’s in there that’s to do with what I eat. How much exercise I do or don’t do, you can’t see that’. So now I’m in control of data that’s associated with my identity, to help me as a human being get better, be healthier. We’re at risk of saying that data being shared with an insurance company.
Richard: Or the doctor saying ‘Actually the real reason, actually I had a look at your data and your sleep is absolutely fine but you could really do with more exercise and you know cut down on the beer and do this and that’ and hold on ‘I didn’t you know …
Richard: … I didn’t come and ask you about that and so please don’t tell me about it’. So I think this sort of approach of people being able to set the controls on their data will become more and more prevalent and you know the technology is coming along to do that and people will start to, because of data breaches and things like that, they will want, start to demand that they’re in control of their data rather than it being in some faceless system somewhere in the Cloud, somewhere in the world.
Ian: Yeah I agree. I think there’s a real thirst for that in Parliament. Again I think people understand that data’s been kind of abused, maybe over the last 5, 10 years and I think they want that back so that’s a great way that’ll happen.
So as a final point it will be interesting to see what we do and what we offer clients, maybe something a little bit about AccessAble and what that means when you go into an organisation.
Richard: Ok so we’ve split what we offer into quite focused areas. One around access governance, that is, who’s got access to what and is it appropriate? And on the structured side we also replicate that. On the unstructured side we call that data access governance. We do work around consumer identity so that if you think of the digital age and all the number of people that need access, and going back to that, take the document off the screen because you’re in an inappropriate location. So they’re three areas that we focus on. We also do strategy work for clients, so I was with one this morning where they wanted to go from their home, plan to move from their home built system to something that’s off the shelf, that they can maintain, that, and keep the costs down. So, and we can do everything from the process part of it, the design, the strategy part, the design, the technical implementation because we did the acquisition of practices earlier this year and brought in a whole load of great technical expertise.
Ian: And that’s a thing, we have real knowledge now don’t we? Real thought leadership and expertise around this area.
Richard: That’s it. We are now from, one of our partners is a company called SailPoint; they’re the leading people in terms of the access governance technology and we are their largest delivery partner in the UK and that, a lot of that came through because of the acquisition and the expertise that they had. So that’s what we do on the advisory part of it but when we were going out doing that sort of work, and we were asking clients about do they have confidence that their access control policies are working? Do they have current, are they able to identify the insider threats, things like that and we were getting ‘Mmm, well, mmm no not really’. Ok so what are you doing about it? And they said ‘Well, yeah, well’, so we said ‘Have you thought about using technology to help you because you’ve a large number of applications, surely some technology can help you’. And the answer that came back consistently was ‘We’ve looked at technology but it’s a long time until we see value. It’s a huge upfront cost and it’s really complex to design, build and run’ and this was quite consistent talking to clients so we came back with you know ‘Surely we can solve that’. So we sat and thought well to shorten that delivery time, that time to value, if we prebuilt something …
Richard: … then that shortens it down. We can reduce it from nine months to two months. If we changed the payment profile that they only pay for it when they’re actually using it …
Richard: … there’s not this huge leap of faith in the upfront investment and because we’ll do the design, the build and then the run and offer it as a Cloud service, we take away the complexity. So AccessAble has been, we’ve been driven by the need that we saw with our, our clients have and it’s just about that where we see identity management moving which is prove to me or tell me who has access to what and is it appropriate? And we can do that for five applications, 500 applications, however many applications …
Ian: So it is scalable to a small organisation or a full sized financial institution?
Richard: Correct. Anything from a thousand users up to half a million users, anybody who’s got just a small number of applications to a large number of applications. And we will look for segregation of duties breaches, so has somebody got update salary and approve salary? We will look for things like accounts that haven’t been accessed for over 60 days, so go back to the audit committee, and what’s rolling up to audit committees. Accounts that appeared overnight in the financial system that don’t seem to be related to anybody and got torn down the next day. So we will start to identify things like that for clients and what that will do is tighten up the security. So you mentioned earlier on about hackers and firewalls and the concentration in terms of building big perimeters around organisations, that’s been really good but what it’s done is, organisations have got the soft centre, they haven’t managed who’s got access to what and because we now know that if people want to break in they’ll get in, but as soon as they get in they want to find something that they can elevate their privileges on. If the security of all of the users is all locked down, they’ve got through the front door and they’re in reception.
Richard: Can’t get any further ...
Richard: … because we’ve locked everything else down and again, so AccessAble not only satisfies the auditors and the regulations will come in and say ‘Prove to me you have the correct access’ or in that case of that testing organisation, ‘Prove to me that none of our competitors can see my data’ but it will also improve the security so that if there is a breach or an insider somewhere, we prevent the fraud happening or a data loss.
Ian: Incredible. Well thank you so much. It’s been a really fascinating podcast. I’m sure people will have more questions for you so hopefully we can get you on again at some point and try and answer some more questions but I really appreciate your time.
Richard: No thank you very much indeed. Thank you for the time.
Ian: Thank you for listening. Next week I will be joined by Christian Arnt to discuss one of the hottest cyber security topics right now, CISOs of the Future. In the meantime if you have any questions, please feel free to contact me directly on Twitter @IanTodd86 or email me at firstname.lastname@example.org.
Don’t forget to subscribe and leave a review.