In the ever-evolving cybersecurity landscape, some truths remain constant: managing risk, staying ahead of threats, and adapting to technological and regulatory shifts are non-negotiable for any security leader. If you’re a CISO or security professional looking for actionable insights to navigate these challenges, Veza’s podcast, Identity Radicals, is your must-listen resource.
In the latest episode, Veza’s Chief Security & Trust Officer, Mike Towers, sits down with Anthony Belfiore, Chief Strategy Officer at Wiz, to explore the enduring and emerging dynamics of identity security. This candid, technology-agnostic discussion offers a fresh perspective on issues that continue to shape the industry—even as technologies and tactics evolve.
The past 25 years have witnessed dramatic technological shifts—from on-premise systems to multi-cloud environments, from static access control to dynamic, AI-enhanced identity management. Yet, certain risks remain stubbornly persistent.
Although identity used to be all about password security, it is now the foundation upon which organizations build strategies to achieve and sustain least privilege. Even with the massive transition to the cCloud, similar identity challenges remain, leaving security teams asking the same question they were asking 25 years ago:
How do you protect your data, your people and your processes?
Identity is the most unifying constant in our careers
Anthony Belfiore (CSO, Wiz)
What is Cloud and SaaS doing to access control?
Access control strategies have evolved in response to multi-cloud and SaaS environments, but the scale of identities and their associated permissions in the modern enterprise makes solving the access puzzle more complex than ever before. Traditional approaches to identity and access management and governance (IAM/IGA) are no longer sufficient in a world where organizations deploy hundreds of apps and services, each with its own set of permissions and vulnerabilities. With non-human identities now outnumbering human identities by 17:1, the scope of entitlements is larger than ever. Machine identities, service accounts and AI models must be interwoven into the identity security fabric to enable organizations to reduce their identity attack surface.
“Back in the day, you had the humans, the end user accounts… now you have non-human identities. You have a whole new silo of access that needs to be understood, managed and controlled.” – Anthony Belfiore (CSO, Wiz)
Regardless of the changes in technology and approach to access control, the “human factor” continues to be a persistent risk. In the light of new, more sophisticated social engineering and phishing attacks, we still rely on the people within our organizations as a significant line of defense.
“People are the key to it all,” says Anthony. “Even if the technology is really exceptional, if the people operating it don’t have good risk management protocols or mindsets, the risks are still there.”
Many security professionals are considering how to take security a step further when AI and deepfakes allow social engineering attacks to masquerade too perfectly to rely on our teams to detect them. The only defense against the perfect enemy is least privilege.
Authentication vs. Authorization
A lot of organizations still depend on authentication without understanding the importance of access and authorization. MFA and biometrics have come a long way and the end user experience has improved. However, the adversaries are very advanced and they are still finding ways around authentication tactics. Authorization and access are the second line of defense that can be the difference between a security incident that cannot go anywhere and a breach that allows for significant lateral movement; when authentication and authorization work together, organizations can lock not only the front doors, but all the doors and windows and pathways inside, too.
“I’m in this massive conference center at this hotel,” said Mike during the episode, “and I’m imagining a world where we put too many eggs in the MFA basket and once I’m in the hotel, I can go into any room I want. That wouldn’t be a great experience for the people that are trying to get some sleep. So, I think it’s really important that we focus on both.”
Watch the full episode of Groundhog day in Identity Security on the Identity Radicals YouTube channel. Subscribe on YouTube to stay up-to-date with future CISO-to-CISO conversations.
