Art Poghosyan from Britive Talks about the changing Information & Data Security Landscape & How Cloud-based Access Management will shape the Future of Hrtech.
1. Tell us about your role at Britive.
I’m the CEO and co-Founder. I have been in the InfoSec industry for over 20 years. Prior to the launch of Britive, I co-founded Advancive, a leading Identity and Access Management (IAM) consulting company that was acquired by Optiv in 2016.
2. Can you tell us about your journey into this market?
Before we launched Britive, my two co-founders and I dedicated several years to identifying and resolving security challenges in the on-prem identity and access space. A few years ago, we realized that the shifting of workloads to the cloud presented the greatest risks to organizations. The driving force behind those risks is the proliferation of identities and permissions cross-cloud that must be secured. That was never a major concern during the on-prem days.
We identified three significant challenges and made a commitment to solve them. The first is the basic need to automate the process of uncovering and managing thousands of permissions across SaaS, IaaS, PaaS and DaaS. A tremendous amount of SecOps, CloudOps, and DevOps teams are relying on old school spreadsheets to accomplish this, which is both time consuming and error prone. Add to that the fact that each cloud service has its own access logic. If you don’t use automation, it must be painstakingly learned before being managed and secured. One of our goals at Britive is to provide cross-cloud visibility and automated controls for cloud permissions.
Second, we identified the proliferation of permanent standing cloud permissions as an open invitation to threat actors to exploit identity based vulnerabilities. The infamous SolarWinds attack is a classic example of cloud account credentials being compromised by malicious actors to gain access to sensitive data. Britive’s vision is to assist companies with enforcing Zero Standing Privileges (ZSP) through Just in Time (JIT) permissioning where permissions are only granted for a set period of time and then revoked at the end of the cloud session. By doing that, we minimize the organization’s attack surface. It is easy to understand why this needs to be a priority when you consider that cloud access threats have now surpassed those caused by malware in recent years.
Third, we identified the demand from DevOps teams to help them build access security into their CI/CD processes without adding additional complexity or management overhead. From our experience, we saw that DevOps teams are often resource constrained and have to maintain singularly focused on the development process. Given the fact that developers – like their cloud admin colleagues – hold elevated privileges, their accounts are considered high-value to threat actors and therefore, in need of the highest level of strong security. By enabling self-service JIT permissioning, you can secure DevOps users with minimal overhead. Additionally, DevOps needs to manage secrets dynamically to more effectively secure non-human identities such as APis and access keys. We enable DevOps to spin up temporary services swiftly by generating JIT secrets on the go.
3. What are the major challenges companies face with securing cloud native solutions?
Undoubtedly, one of the biggest challenges facing cloud security pros today is the fact that the “cloud-native technology stack” wasn’t logically planned or built as an integrated entity. It came together and grew from a collection of security solutions that were originally designed to address immediate security needs. Today we are faced with a confusing hodge podge of CASBs, PAMs, IAMs, and more to secure cloud services. There’s some overlap and some have been repurposed from on-prem solutions that are now imperfectly retrofitted for the cloud. Others leave holes in security between them and adjacent technology solutions. But quite possibly the biggest challenge is that they often provide limited insight or controls over identities and permissions. Our solution is designed as a cloud-built cloud access management platform that adds its unique JIT permissioning and secrets governance capabilities plus complementary capabilities that span things like the CEIM and PAM chasm, among others.
4. ML / AI / automation has impacted virtually every industry. How is it specifically impacting cloud native security?
Attempting to do everything from discovering shadow identities and privileges to securely onboarding and offboarding cloud users to enforcing Zero Standing Privileges to managing, securing and right-sizing permissions manually is time consuming and prone to error, if not impossible. Automating these processes in cloud native security ensures both better security and significantly reduced effort and cost.
5. How would a company use your technology?
An organization can use Britive in a wide variety of ways. Many – if not most – companies find specific value in our unique JIT permissioning, which is useful in both saving costs by minimizing or eliminating standing privileges and multiple accounts (i.e., an admin who must otherwise maintain both non-privileged and privileged accounts to maintain SoD) and for enhancing security by keeping the company’s attack surface to a minimum through enforcing ZSP.
We also feel strongly that Britive can be indispensable in the efficient onboarding and offboarding of employees and contractors. It ensures that cloud users have the right level of permissions when they start work, continually have their privilege right-sized during their employment, and their permissions are fully and quickly deprovisioned when they leave the organization.
6. What breakthroughs in the cloud-native security space are you most looking forward to from a technology perspective?
Recognizing behavioral-based threats targeted at cloud account access as the most prevalent threat vector in the cloud is one of the most significant paradigm shifts in security.It’s critical to maintain clear visibility and control that tracks all risky actions and misconfigured permissions back to a specific permission set, its associated identity, and ultimately a specific user. This applies to minimizing the attack surface of organizations, limiting the blast radius of risky users and permissions, and fast and easy post-incident investigation.
7. Is there anything on the product roadmap that you’re particularly excited about?
We have data analytics capabilities on the roadmap, which will allow users to right size permissions and enable the query engine—providing standardized visibility, easy querying, saving and export reporting, dissection of data from different dimensions, and more.
8. What advice would you give to new entrants, especially DevOps / DevSecOps professionals?
My counsel would be to fully embrace securing cloud identities and privileges as a core responsibility, even if it means taking on those responsibilities traditionally held by CloudOps. I’m referring specifically to the provisioning and de-provisioning of users, as well as the new responsibility of enforcing least privilege access and right sizing privileges in the cloud.
I would also strongly encourage new players to embrace conceptually, if not organizationally, the DevSecOps concept. Today perhaps more than ever before, security must be extended into CI/CD processes and that must include forging a close working relationship between security and cloud development experts.
For more such updates and perspectives around Digital Innovation, IoT, Data Infrastructure, AI & Cybsercurity, go to AI-Techpark.com.
Art is an entrepreneur with 20+ years InfoSec experience. Prior to Britive he co-founded leading Identity and Access Management (IAM) consulting company Advancive, acquired by Optiv in 2016. There, he shared the confidence of enterprise execs as they wrangled with protecting growing cloud landscapes.