Unlearning old habits: CyberArk COO talks identity security

In a digital-first world, both individuals and enterprises must be able to verify that the person or entity they are transacting with is who they claim to be. This is why security solutions must continually evolve; cybercriminals don’t need to get it right all the time — they just need to get it right one time.

For identity security and access management firm CyberArk, old habits can’t afford to die hard — they must be unlearned. Eduarda Camacho, the company’s COO, spoke to Frontier Enterprise about her customer experience journey, the evolution of identity security, and new ways to manage access to critical data and infrastructure.

What was your transition like from PTC, where you spent almost 24 years, to BMC Software, and now CyberArk?

Even before joining here, I spent a lot of time in my previous two companies focusing on customer outcomes and value. That’s something I’ve brought with me to CyberArk, more so than cyber knowledge, since we have plenty of expertise within the company. My focus is on how we approach integrated end-to-end go-to-market organisations. I was at PTC for over two decades, during which I lived in Asia and Europe, and I was there throughout the full transition from perpetual licensing to subscription, and then from subscription to SaaS. At BMC Software, I had a similar experience with the transition to SaaS.

When interacting with customers, there’s an expectation for self-service and all the nice things that we get used to as consumers to be mirrored in enterprise software. That’s a major area of focus for me. My current role is heavily centred on customer value, but I’m also involved with the internal operations, collaborating with the rest of our organisation.

What were your observations post-COVID about the increase in cyberattacks?

The rise in cyberattacks is largely due to changes in work practices, especially with the shift to remote work and the accelerated pace of digital transformation. We’re seeing increased use of contractors, and with that comes the proliferation of third-party and even fourth-party identities. This has led to an exponential sprawl of identities, which, as per our latest report, is expected to multiply by 2.5 times on average. A significant portion of these are machine identities, especially with the growing influence of AI.

Is that the reason why you’re acquiring machine identity management firm Venafi?

The acquisition hasn’t been finalised yet, but we want machine identities to be part of what we do. It makes sense that, over time, this will just become part of our brand. It will, however, take some time to get there, even after the acquisition is completed.

Speaking about machine identity, do you think that the IoT era is responsible for the massive uptick in machine identity requirements?

I think the uptick in IoT, along with all the developments happening on the edge, in OT environments, AI, and all the bots — all of those combined are responsible for this proliferation. We can say that we now have 45 million machine identities to one human identity, but with the much faster growth on the machine side, that number is only going to increase next year.

With this explosion of machines, certificates, and everything else, managing that lifecycle has become a nightmare. For us, it’s a combination of interests — we’re very focused on delivering security, but we also can’t overlook resilience because business needs to continue. That’s a large part of the combined value proposition we see.

In the case of digital supply chains, a lot of breaches are due to third-party suppliers and API attacks. How do you address these issues?

You want to have different levels of controls to prevent those types of attacks, but you never want to rely solely on technology to fix them. Another critical factor is pure diligence around vendor management. In the end, you need a robust approach because, with third-party and even fourth-party relationships, that’s just the reality we live in. There’s a lot of innovation in security, like secure web browsers, and we’re incorporating many of those innovations, such as embedding AI into our platform to detect anomalies.

There are so many different avenues for a cyberattack — whether it’s bad code, a stolen credential, or someone accepting a malicious cookie — so it really comes down to thinking about the whole spectrum end-to-end, not just focusing on IT privileged users. That’s why we say that at some point, every identity becomes privileged, and companies need to think that way and put the right controls in place. This doesn’t mean the same controls apply to everyone and all machines all the time, but rather the right level or the right layers. When you add hygiene best practices and a very robust security policy, nothing replaces that.

Speaking about provisional access, a lot of companies issue high-level access to personnel, but it’s often not rescinded at the right time, which can expose sensitive systems to unauthorised people. Do you also see this kind of problem across the board?

We totally do, and we’re seeing it more and more, both with IT personnel accessing cloud infrastructure and developers who have access to critical infrastructure.

One approach we’ve taken to address this is called zero standing privileges. What if we took a completely different approach? You take that whole community of end users, bring them onto our platform, and from that point on, all of these identities — all these usernames and passwords — have zero privileges when they log in. They can’t see anything; we remove all of it, and you do this for all the hundreds or thousands of people in the company.

Then, you start the other way around, asking, ‘Okay, what do they need?’ Maybe they need certain privileges for the time they’re in a session to execute specific tasks. In that process, you determine whether it requires approvals or if it’s something automated because it’s a job that they shouldn’t be doing. You work from there, incrementing what they can do, but it remains zero standing. The moment they finish or log out, the system deletes all the privileges.

How do large enterprises using dozens of security solutions affect your go-to-market strategy?

We have a very strong C3 alliance with hundreds of partners, where we’ve built integrations and made them available in the marketplace. You need all those connection points across all the layers of security to make it work. We have strong partnerships with some of these companies, while with others, it’s purely about technology integration. But our partner ecosystem’s go-to-market strategy is very strong. We’re an AWS house, and we have a strong partnership with them as well. So, we have technology integration partners, and we also have a lot of go-to-market partnerships with the big system integrators, with whom we do a lot of innovation, best practices, and maturity blueprints for programs. Then, you move down to the managed service providers and the telcos.

Skill shortages are also a factor. I think the technology partnerships play a big role because the ecosystem you need to put together to get a good security posture is pretty significant. The flip side is extreme fragmentation, with everyone using so many vendors, often with overlapping functions. It all adds to the tech debt, the fragmentation, the silos, and it diminishes the effectiveness of your investment. In the end, you spend all your resources managing that complexity instead of focusing on what you’re supposed to be doing. That’s one of the trends we’re seeing: the consolidation of trust, with fewer vendors but more strategic partnerships and relationships with customers.