ITSPmagazine Podcast Network

Dynamic Access Control in Modern Cloud Environments | A Brand Story Conversation From Black Hat USA 2024 | A Britive Story with Artyom Poghosyan | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin and Artyom Poghosyan for a Brand Story at the Black Hat conference as they explore how Britive revolutionizes cloud privileged access management, addressing complex security challenges and streamlining operational efficiency across multi-cloud environments. Discover how Britive's innovative approach can significantly reduce onboarding time and enhance identity security in your organization.

Episode Notes

In this On Location episode Brand Story, Sean Martin speaks with Artyom Poghosyan at the Black Hat conference in Las Vegas about Britive, a cloud privileged access management platform. They explore how Britive assists medium to large enterprises in tackling identity management and security issues across multi-cloud and hybrid environments.

Sean and Artyom discuss the complexities that organizations face with cloud adoption, where traditional lift-and-shift approaches no longer suffice. Artyom outlines how the incorporation of new processes and tools, such as DevOps automation, complicates identity and access management in cloud environments. Britive's approach emphasizes the need for dynamic, scalable solutions that align with the speed and agility of cloud-based development while ensuring robust security controls.

A key focus is the balance between granting necessary access for operational efficiency and minimizing security risks from overprivileged accounts. Artyom describes Britive's method of dynamically granting and revoking access based on justified needs, ensuring that temporary elevated access is appropriately controlled and removed post-use.

Additionally, the conversation highlights the challenges of managing identities across multiple cloud platforms (AWS, GCP, Azure, etc.) and the diverse technologies used in modern enterprises. Artyom explains Britive's capability to provide a unified identity and access management approach that simplifies and secures these varied environments.

The episode also emphasizes Britive’s potential to significantly reduce the time required for onboarding DevOps engineers, streamlining the process from days to mere minutes through automation. This not only improves operational efficiency but also vastly reduces risk by limiting standing privileges, a key security vulnerability often exploited by cybercriminals.

Finally, they touch upon how Britive fits within broader organizational security strategies, particularly Zero Trust initiatives. By eliminating standing access risks and offering integration with existing security processes, Britive supports the implementation of comprehensive identity security programs that align with modern security frameworks.

Sean closes the episode by encouraging listeners to engage with Artyom and the Britive team to see how their solutions can enhance identity management and security within their organizations.

Learn more about Britive: https://itspm.ag/britive-3fa6

Note: This story contains promotional content.

Guest: Artyom Poghosyan, Co-Founder, Britive [@britive1]

On LinkedIn | https://www.linkedin.com/in/artyompoghosyan/

Resources

Learn more and catch more stories from Britive: https://www.itspmagazine.com/directory/britive

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here we are. And here we are, we are in Black Hat, not in Black, well, I guess we are in Black Hat. We're in Las Vegas for Black Hat.

Hacker Summer Camp. And, uh, loads of research, lots of new technologies and innovations coming to bear, and cool people, cool companies come together and help us all improve our identity and our data and our cloud and all this stuff. And Art, you're walking around out there. I pulled you in and said, let's have a chat.

Now we, we wanted to follow up. So we, for everybody who missed it, which is probably one or two people at this point, uh, Art and I had a good chat the other day. And we wanted to continue the conversation, look, look at things a little more operationally today, and how what Britive does actually fits in and helps cloud and dev and other ops teams do what they need to with respect to identity to achieve the outcomes they [00:01:00] want for their business.

And, uh, we're going to do that today. Art, it's good to see you again.

Artyom Poghosyan: Yeah, of course. Uh, anytime for you, Sean. I love it. Great.

Sean Martin: Anytime for me. All right. Perfect. Um, the elevator pitch for Britive. So I encourage everybody to listen to the conversation. But for setting the stage today, a quick rundown of what Britive does for folks.

Artyom Poghosyan: Yeah, um, Britive is a cloud privileged access management platform. What that means is essentially we help organizations, um, typically medium and large enterprise organizations, tackle the identity problems and identity security, uh, issues in the, um, cloud, as well as hybrid, on, uh, on-prem, uh, type of environments, which is very common today.

Sean Martin: And, and we'll get into the, the fact that it isn't all just cloud, right? Some haven't moved to the [00:02:00] cloud yet, some have moved and moved back some things to the cloud, so there's a lot of shifting and whatnot going on there. Um, but when we look at some of the challenges, and we're going to touch on some of the use cases and case studies that you've put together over the years, um, what are some of the challenges early on that organizations were facing that existing technologies then just, you couldn't lift and, you might lift and shift your stack to the cloud, but not all the other stuff, not the tech, the security tech did not naturally lift and shift.

So tell us a little bit about some of those challenges that companies face.

Artyom Poghosyan: Yeah, very true. Lift and shift may have worked in the early stages of cloud adoption, but it's very quickly becoming, um, uh, impossible to do. And there's a lot of learnings from that, you know, organizations have from, uh, from their experience now. Challenges, what they were trying to [00:03:00] tackle, um, and specifically from security and identity standpoint, are different than those from the data center world. Um, to name one example, there's, um, a lot of new processes, um, and, uh, workflows and tooling that was introduced with adoption of public cloud, for example, AWS, GCP, Azure. DevOps teams use, um, a number of different tools to automate their business workflows and processes, like application development and deployment, like CI/CD pipelines, common names like Terraform, GitHub, and so on. And all that is very different from how access was done in the data center world, which now created the, um, the big challenge of how to do it for this environment, for this type of new environments, for what teams and what are their, their needs and requirements.

And very often organizations run into this [00:04:00] conflict, almost, to have to support the agility and the speed of cloud-based development, yet insert, you know, security controls and be able to track and monitor these environments like they used to in the data center world. And that has been a very difficult challenge to, to address because of the inherent conflict.

When you introduce security, things slow down. And the cloud doesn't like it. And given that cloud is very dynamic, it changes much more often than you would expect in an on-prem environment. It complicates things. So that's how, um, cloud, like one example, how it's different.

Sean Martin: And I, forgive me for not knowing, and maybe you can help educate me as well as the audience, but there might be some similarities in the Microsoft on-prem world to the cloud with Azure and Azure AD.

But I'm sure there are changes there too that aren't, aren't easy to handle [00:05:00] when you're building new stuff. But when you talk about other clouds, when you talk hybrid cloud, but certainly multi-cloud. Some people are running stuff in GCP, some are in Azure, some on AWS for different reasons. Maybe acquisition, or workloads run better in those for some reasons. Um, how does identity kind of work in those environments? And sure, let's go ahead and toss in the fact that there's still legacy stuff with on-prem identities and things, right? Mm hmm. Yep. So, talk to me about that, what that world looks like from a security perspective and a dev perspective as things are getting built and set up.

Artyom Poghosyan: Yeah, there's a couple of different things to unpack in that, really. The first one would be, from a major cloud provider standpoint, like Microsoft, who has historically been very, like, dominant in the enterprise [00:06:00] space and has also products, like identity management products built in, um, very popular technology like Active Directory and so on.

Now, when you look at the cloud side of the stack, Microsoft has, um, yes, there's a lot of great tools and technologies, but still it's mostly for Microsoft stack. Arguably there's a few that support other technologies, and it's, it's kind of the dilemma for every organization where they have a major provider like Microsoft, but they also have other technologies that they have to support.

And that's where the cloud, um, landscape is very challenging, that they all have, GCP has a very different identity access management native stack, if you will, and the tooling, the maturity level is different than, say, Microsoft or AWS, for an organization to be [00:07:00] able to manage that across these environments.

And I just gave you three major infrastructure examples. Now, not just infrastructure, there's Snowflake, there's Salesforce, there's all kinds of other new technologies, right? How do they manage those, um, in a kind of a unified fashion and be able to consistently implement identity and access management controls and processes?

It's very difficult. And that's what identity is all about. You can't really just have one system per application or per platform identity management system, right? You have to have something that works for the landscape.

Sean Martin: Beyond managing the identity, because there's, there's also access and the rights that you have to do certain things. Does that just add a whole nother level of complexity to the mix?

Artyom Poghosyan: A great observation, Sean. I'm, uh, every time we speak, I, I, I'm impressed how much you know about this. I [00:08:00] pretend to know something.

No, but the truth is this, right? You have, uh, identity is multilayered. And it's so true when it comes to something like what we call the privileged identities, right? And it's a very broad term if you think about it. But what it really means is access is not binary, like you have it or you don't. You always have access, but the levels determine what you can do.

This is the part that in, especially in the modern new technologies, makes a whole lot of difference. Previously, if they were thinking about authentication is access, essentially. Identity authenticates to a system or application. Access granted, great, do what you need to do. What we're learning very quickly in the new modern world, especially with things like automated processes, LLMs, I don't know, RPAs, and API-based workload, all these things require a different level of [00:09:00] access.

On the human side, you have, you know, software engineer that requires different level of access than the infrastructure operations team, right? So you have to really treat access like it is a multi-layered access and provision, deprovision properly and secure that level properly. It's not just about just add a multi-factor authentication and you're done.

Sean Martin: So of course you need to understand what you want to do so that you can then do it. Yeah. What is acceptable use? When, when does that apply? And how do I create my policies to do that? And I presume you help with a lot of that stuff, right?

Artyom Poghosyan: We help with that, yes, of course. Uh, let me actually even add one more thing.

Okay. Uh, again, in the cloud world, things are actually a little bit worse. Uh, in, in the sense that there's even a fundamental, um, challenge in having visibility to it. Who has what [00:10:00] access where? On the on-prem side, this has been mostly solved with tools like IGA, for example, identity governance and administration.

Now, cloud side, you start there. First of all, what do you have? Who has what? Is this justified or not? So we help with that discovery. First, look at what you have as is, understand the risk exposure, the risk posture based on that, and then make the right decisions, or more of the informed decisions, about who, what identities require what level of access.

We help also with defining the new level of access and implementing that on an essentially ongoing basis. So through Britive, through our platform, users will have the opportunity to elevate their access or be granted specific levels, like I was talking about earlier. Let's say you're a storage administrator, AWS. That's the only access you will get, um, when you come [00:11:00] through Britive and you prove to Britive that you're a trusted identity and that you were authorized for that level, and off they go do their, do their thing, and we make sure we automatically remove that access after that, each session.

That helps reduce the, the, the risk or the exposure because of standing access.

Sean Martin: Because, correct me if I'm wrong, but a lot of the challenge, especially when we're talking about policies. It can be about any policy, but certainly around access, identities and access. We tend to set, we don't want to deal with multiple requests.

So we set the greatest level thinking, let's just, they're going to ask for it at some point, let's just give it to them, and then they, they need a little more and we grant that, and then they shift roles so we add more to that, and we tend to not remove the access and then the rights that they have to things.

And I guess my [00:12:00] point is, yeah, it continues to grow. But I guess the other point is the reason we do that is because of the exceptions, is my understanding. My understanding is dev needs dev access. But there's that one moment in time where they, they can only troubleshoot and decode in... Right? Yep. And they get access to prod and then guess what?

They live with prod for forever. As an engineer, I remember, yeah, just give me, just give me access to prod. So it's about managing exceptions and dealing with that at scale. So we don't, we grant everything and just let things continue to grow out of hand.

Artyom Poghosyan: Sean, the problem you're highlighting is so fundamental to why it exists.

You hit my standpoint, you hit the nail on the head because, yes, you, you, uh, when you're dealing with access and management, um, there's always implications when access is not granted on [00:13:00] time. Um, that's why things were done like you described, you know, oh, developers asking for production access, we better give it to them right now because they're troubleshooting a very important application and valuable application, right? So that's why we're here in this situation. Now, from a Britive standpoint, how we decided to tackle that problem is to say, okay, uh, we understand the business is always going to have that need, or the developers, whoever, um, we're looking at, um, for access requests, right? You have to give them something that they need at the time so that they can address the need.

How do we make sure that, A, that access doesn't stay there when it's not needed, and, B, how to make it easy, yet secure and compliant, for getting that access. These are the things that in the, in the, in the existing products, uh, it was maybe addressed for, [00:14:00] for, for one part of it only: just give them access.

Yes. They go through approval. They get it, but to your point, that access remains after they don't need it anymore, and that's how we approach this from the product and technology standpoint. So we can make it easier. Um, and two, two concepts here. Pre-authorized: if your job requires occasionally to have production access for troubleshooting, you're authorized for that, but you don't have that access, you still have to invoke, activate when you need it. And there's a justified reason, like you have a service desk ticket, right? Sure. We can go off of that to make sure that that's a legitimate reason for you to have that production access. And second important concept, we give it for only a set amount of time to perform the task, and then we take it away automatically. No user will remember to go and say, I don't need this access anymore, or maybe they just don't want to give up that access, right?

But we make sure [00:15:00] automatically that gets, uh, expired, eliminated from the environment. So there's no need to go every quarter, bring in a lot of data and start doing reviews to find, you know, the unauthorized access.

Sean Martin: So talk to me about the onboarding. I think you have a customer that, you have a good example to share for this.

Um, where things may have taken a long time to do, they now are pretty streamlined.

Artyom Poghosyan: Every customer wants to know, okay, great, this sounds really great. It's almost too good to be true. Some proof points. Have others done this? Of course. Um, and we're very fortunate to work with a lot of great, you know, uh, companies, organizations, Fortune 100.

Other, you know, enterprise organizations, and they have all been at different stages of their cloud journey, multi-cloud, uh, hybrid environments. Uh, some of the proof points that we have seen [00:16:00] consistently is how our technology helps reduce the amount of time that it takes for users to get what they need.

And some examples I can, I can quote here from, you know, uh, customers is: a typical onboarding time for a DevOps engineer used to take a minimum of three days, often is about a week-long or more process.

It's a lot of training before they actually start doing it. They're sitting in training, get access to it.

Yeah, they're very expensive resources for the business. Once Britive is deployed, the process is almost entirely automated, how they get onboarded and their access provisioned. And we've seen, on average, about 30 minutes. So we go from a minimum of three days, sometimes a week-long process, to about 30 minutes.

That's all because of the integration and the automation workflows.

Sean Martin: And it [00:17:00] doesn't matter which cloud? If it's on-prem or hybrid or any of that?

Artyom Poghosyan: Uh, not really, because the onboarding process, um, it really is where the time, uh, the consumption is. Creating access in GCP, creating access in Azure, in Snowflake, and so on.

When we have it all integrated, and the identity is mapped to specifically, um, an access that already exists, defined in, in Britive, it literally becomes a matter of like, data synchronization from your HR system, or from your, um, identity provider like, I don't know, Azure Directory if you, if you're using that.

So it becomes much more simplified and streamlined process. The second good example, a proof point, is, of course, the security teams want, um, to see, uh, what, what Britive does for, for them, for the security teams and CISOs especially. What Britive does, um, for the security teams, what the [00:18:00] value for them is, massive reduction of the, um, the risk, the, uh, what we call the, the risk of standing overprivileged identities and credentials.

Right. And what that means is anytime a customer deploys Britive in even like one major cloud environment like AWS, we see the number of standing privileges that are in the environment at a given point in time to go from something like 30,000 down to nothing standing, or minimal for only exceptional cases.

That's a massive security risk reduction if you even just think about it. Yeah. And the size and the scale of that, 30,000 privileged roles, groups and so on, that at any point in time are a target

Sean Martin: by cybercriminals, right? Common successful targets.

Artyom Poghosyan: Yeah. And when you [00:19:00] extrapolate it to the entire landscape, including, you know, infrastructure, cloud infrastructure, applications, data, hybrid environments, that is a tremendous sort of a risk reduction. So CSOs love that story.

Sean Martin: Absolutely. We're coming up on the end here. So final question is, how does this fit into a current security program? How would a CSO strategize and pull Britive into the mix?

Artyom Poghosyan: Um, today, um, how we see sort of organizations, um, think about risk, uh, risk reduction generally, um, uh, across the cloud and non-cloud environments.

Uh, we often hear the Zero Trust Initiative, Zero Trust Security Initiatives, right? Um, or sometimes more specifically, it's Identity Security Initiative. To be able to, you know, implement, uh, [00:20:00] new controls, new, new technologies and processes, in order to eliminate that risk or reduce as much as possible. So, we align very well with that, let's take Zero Trust for example, with that, um, priority of the organization, because as I was describing, our technology, it, it's built to eliminate standing risk, so it's a very natural fit with any other, like, broader Zero Trust security initiatives. Identity security is kind of a, I would say is a, a, a specific example of that.

How Zero Trust can be implemented for identity. There's a term in the identity space, um, relatively newer term. It's called zero standing access. Okay. To directly correlate Zero Trust and zero trust, zero standing identity and access. Um, to, to make sure that, that there's alignment between the identity program and the Zero Trust security program.

Zero [00:21:00] ZSP, zero, zero standing privileges. Yeah.

Sean Martin: I love it. Well, Art, it's always a good, good time chatting with you. And, uh, pleasure to see you here in Vegas. It's been a while since we saw each other first. We did the last one online, which was still fun. Great chat, and I encourage everybody to listen to that.

It's the origin story and more about Britive and, uh, why and how you founded the company, and it's an amazing story. So I encourage everybody to listen to that. More importantly, connect and talk to Art. If you have a ZTNA or a ZPSA or whatever the SPAM, I don't know whatever it is. Um, a program where you need to reduce the risk in your identity management.

Talk to Art and the Britive team and they'll, uh, they'll help you sort through that. And keep your programs running agilely and get the outcomes you need for the business without security getting in the way.

Artyom Poghosyan: Absolutely.

Sean Martin: Thank you. All right. And thanks everybody for [00:22:00] listening and watching. Uh, appreciate you enjoying this brand story with Britive and Art, and stay tuned for more from Black Hat.

Artyom Poghosyan: Thank you, Sean.