This episode features an interview with Craig Riddell, Field CISO at Netwrix Corporation, a provider of data security solutions for on-premises, hybrid, and cloud infrastructures. Craig is also a multiple award-winning Director and Strategist in Identity and Access Management. Previously, Craig served as Director of Identity and Access Management at HP. He brings a wealth of knowledge and experience around modernizing identity solutions while reducing costs and improving security. On this episode, host Tim Chase and Craig discuss managing third-party permissions, how your tools are only as good as your implementation of them, and why a single daily identity authentication isn’t enough.
Key Quotes
* “A modern identity practice really needs to look at truly reducing the risk to the business, not just managing the risk to the business. A heavy degree of automation, especially in the concepts of, like, movers, joiners, and leavers so that you can prevent snowballing permissions, and then also needs to look heavily at third parties.”
* “Just because you've spent money on something in the past doesn't mean it's still a worthy investment today.”
* “A heavy degree in automation means if I hire somebody, I shouldn't have to go into any other system than my hiring system.”
* “Just having a multifactor authentication check in the middle of the day, or at the beginning of the day, does not mean that your identity is now validated for the next 24 hours. We need to be looking at things like user behavior analytics. We need to be looking at things like adaptive authentication. If you move into a certain risk profile, all of those things. There is no silver bullet for identity.”
* “Identity touches everything from the end user to the most complicated critical application. We have to know how all of these different workflows work. So it's a very hard skillset to staff with and collapsing some of these tools down and making them to where you can have one engineer to run multiple things obviously helps.”
* “Your tools are only as good as the implementation. If it's super easy to bypass your PAM solution by, say, dropping in an SSH key and bypassing it every time instead of going through it, your engineers probably have the best of intentions. They're just trying to get their job done. But they just created a backdoor through a critical security tool.”
* “It doesn't matter how good you think you are, you can be in hot water really quick. It's important to double check. And now I do, I double check everything. I don't push enter on a text message without making sure that it's good to go. Linux will teach you the hard way.”
Time Stamps
[0:26] Introducing Craig Riddell, Field CISO at Netwrix Corporation
[1:26] Why did COVID make identity a priority for businesses?
[2:53] What does modern identity look like?
[4:51] How can you automate identity?
[6:43] How do you navigate over-provisioning in identity management?
[9:58] What acronyms should you know in identity management?
[11:52] How will identity tools change in the future?
[14:16] How has cloud changed identity?
[16:40] What does zero trust mean to Craig, and how does it play into the future of identity?
[19:22] How did Craig get involved in identity?
[27:44] What advice would Craig give someone wanting to get into cyber?
[30:13] What was the biggest learning of Craig’s career?
[32:00] What’s the best habit an IT leader can have?
Links
Connect with Craig on LinkedIn
Learn more about Netwrix Corporation
This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacew