The keys to managing identity risk: Insights from Craig Riddell, Field CISO at Netwrix

08/10/23
Code to Cloud

This episode features an interview with Craig Riddell, Field CISO at Netwrix Corporation, a provider of data security solutions for on-premises, hybrid, and cloud infrastructures. Craig is also a multiple award-winning Director and Strategist in Identity and Access Management. Previously, Craig served as Director of Identity and Access Management at HP. He brings a wealth of knowledge and experience around modernizing identity solutions while reducing costs and improving security.

On this episode, host Tim Chase and Craig discuss managing third-party permissions, how your tools are only as good as your implementation of them, and why a single daily identity authentication isn’t enough.

Key Quotes

* "A modern identity practice really needs to look at truly reducing the risk to the business, not just managing the risk to the business. A heavy degree of automation, especially in the concepts of, like, movers, joiners, and leavers so that you can prevent snowballing permissions, and then also needs to look heavily at third parties."

* "Just because you've spent money on something in the past doesn't mean it's still a worthy investment today."

* "A heavy degree in automation means if I hire somebody, I shouldn't have to go into any other system than my hiring system."

* "Just having a multifactor authentication check in the middle of the day, or at the beginning of the day, does not mean that your identity is now validated for the next 24 hours. We need to be looking at things like user behavior analytics. We need to be looking at things like adaptive authentication. If you move into a certain risk profile, all of those things. There is no silver bullet for identity."

* "Identity touches everything from the end user to the most complicated critical application. We have to know how all of these different workflows work. So it's a very hard skillset to staff with and collapsing some of these tools down and making them to where you can have one engineer to run multiple things obviously helps."

* "Your tools are only as good as the implementation. If it's super easy to bypass your PAM solution by, say, dropping in an SSH key and bypassing it every time instead of going through it, your engineers probably have the best of intentions. They're just trying to get their job done. But they just created a backdoor through a critical security tool."

* "It doesn't matter how good you think you are, you can be in hot water really quick. It's important to double check. And now I do, I double check everything. I don't push enter on a text message without making sure that it's good to go. Linux will teach you the hard way."

Links

* Connect with Craig on LinkedIn
* Learn more about Netwrix Corporation
* Learn more about Lacework

This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.
