00:00:02 Speaker 1
The Institute of Internal Auditors presents all things internal audit tech in this.
00:00:07 Speaker 1
Bill Truitt talks with Nick Lysenko about the critical role of identity and access management in today's organizations.
00:00:14 Speaker 1
The conversation also covers frameworks, regulatory requirements and real world use cases.
00:00:22 Speaker 2
So Nick, let's just start it off.
00:00:24 Speaker 2
Give me an overview of what identity and access management entails and why it's critical for organizations.
00:00:31 Speaker 3
Identity and access management is paramount.
00:00:34 Speaker 3
The.
00:00:35 Speaker 3
It's the nexus: a malicious hack, a data breach incident is essentially unauthorized access.
00:00:42 Speaker 3
Absolutely paramount. I could talk a little bit of the cost.
00:00:47 Speaker 3
I love that because we get to tie the business side with the technology.
00:00:50
Mm hmm.
00:00:52 Speaker 3
That's really valuable for making cost benefit decisions.
00:00:55 Speaker 3
The recent IBM Cost of a Data Breach report could have mentioned some costs, and a bunch of other sources, so they vary from 1.3% to 1.9% of revenues all the way to 25% of revenues. If you look at the ver.
00:01:15 Speaker 3
Report specifically about ransomware.
00:01:17 Speaker 3
So across the industries, profit margins vary from 2% to 20%.
00:01:23 Speaker 3
You can have a breach.
00:01:24 Speaker 3
Wipe out the entire profit margin for the year.
00:01:26
Yeah, yeah.
00:01:28 Speaker 2
At least a very good percentage of.
00:01:30 Speaker 2
And that's never a good sign to show on your financials.
00:01:34 Speaker 3
That's right.
00:01:35 Speaker 3
It also gives a way to measure the value of good identity and access management.
00:01:42 Speaker 3
Because that's an important component.
00:01:44 Speaker 3
On it and our control environment, it's even more important now.
00:01:48 Speaker 3
Costs and breaches have increased 10% over the past year, and leading attack vectors are phishing, stolen credentials, and those are the ones with a higher cost.
00:01:59 Speaker 3
E-mail.
00:02:00 Speaker 3
Malicious insider attacks are less frequent, but also as costly, so you can see how everything ties to identity and for incidents, security incidents, cyber attacks on average.
00:02:14 Speaker 3
We're getting better at containing them about two months to identify.
00:02:20 Speaker 3
That used to be 2 1/2 months.
00:02:22 Speaker 3
It's still a lot of time, so the more time passes, the more damage is done.
00:02:26 Speaker 3
Again, that's that's critical.
00:02:28 Speaker 2
It's good to hear.
00:02:29 Speaker 2
They're improving on time to identify and then, you know, once they have identified, then they can respond and react to.
00:02:38 Speaker 2
To the breaches.
00:02:39 Speaker 3
That's right.
00:02:40 Speaker 3
Now some of the biggest challenges to deal with that and respond have been just.
00:02:47 Speaker 3
If there's a malicious insider, for example, we need to distinguish between legitimate and malicious users.
00:02:53 Speaker 3
And if there's weak identity governance, it's very hard to dig through the environment and the data we have to get to the bottom of it to determine if it's malicious actor or legitimate user.
00:03:07 Speaker 3
So that that's kind of one of the challenges we have.
00:03:10
Nice.
00:03:11
So.
00:03:12 Speaker 2
Kind of digging more into identity access management. What are some of the most common risks?
00:03:17 Speaker 2
That internal auditors should be aware of in this area.
00:03:20 Speaker 3
It's weak governance, and that is the foundation for.
00:03:26 Speaker 3
A solid cybersecurity environment control environment. When?
00:03:29 Speaker 2
You're talking about weak governance. Would you say that would include poor password controls?
00:03:35 Speaker 2
Poor just identity management, you know, like IDs not tied to single people.
00:03:40 Speaker 2
You may give some examples of what you would consider to be weak governance.
00:03:44 Speaker 3
Sure. When we have a clear path forward, it's really easy to navigate, to move forward when there's clarity of vision.
00:03:56 Speaker 3
Good governance and identity is clear vision in terms of how is identity defined, what are the rules, what are the policy standards, and by the time we get technical with the tools, with the processes,
00:04:11 Speaker 3
we're implementing with rigor, with clarity and with risk management in mind. And of course always keeping the business interests at heart.
00:04:22 Speaker 2
Yeah. So setting kind of a a strong and clear tone at the top and have everything trickled down from.
00:04:28 Speaker 2
That.
00:04:29 Speaker 3
That's right.
00:04:29 Speaker 3
And.
00:04:30 Speaker 3
It's difficult to do when you have a large multinational organization because there are silos, there's different platforms. There's on-prem, there's the cloud mismatched together, there's employees.
00:04:44 Speaker 3
Remote, kind of on site. There's non-employees that have access, and when you try to improve an existing system it's really difficult.
00:04:55 Speaker 3
It takes a lot of time and analysis to go through and improve and rebuild the governance.
00:05:00 Speaker 3
That's kind of the core challenge, moving mountains.
00:05:04 Speaker 2
Yeah, I had previously worked at a very large bank and it was almost like it was like 12 different companies, each with their kind of own silo and ways of wanting to do things that were just kind of loosely tied together.
00:05:19 Speaker 2
Like definitely you know.
00:05:21 Speaker 2
A strong governance position would definitely be beneficial for those situations to get some uniformity across, kind of all the different lines of business.
00:05:32 Speaker 3
Yep, that's right.
00:05:34 Speaker 3
Lots of financial institutions, big banks, healthcare enterprises have a similar scenario where they're siloed there. Now I've seen multiple environments where there's just.
00:05:46 Speaker 3
Umm.
00:05:47 Speaker 3
Things all over the place, a lot of manual effort. You know, there's one or two people managing access.
00:05:53 Speaker 3
For thousands of employees, and they're about to retire so.
00:05:57 Speaker 3
It's challenging.
00:05:58 Speaker 3
It's challenging, that was kind of an example of some of my projects, and the need for success is, like you said, top down.
00:06:09 Speaker 3
Governance tone from the top and leadership.
00:06:12 Speaker 3
The leadership has interest and the will to implement the solid governance, solid identity and access management and then that is that is the core to the success.
00:06:23 Speaker 3
That before we get to the, you know, technical, you know the encryption key management, authentication, authorization groups and all of that.
00:06:32 Speaker 3
That's the core.
00:06:34 Speaker 2
Awesome. Kind of moving.
00:06:36 Speaker 2
You know, what frameworks or regulatory requirements should internal auditors consider when they're assessing their IAM controls?
00:06:44 Speaker 3
There's a wide variety.
00:06:47 Speaker 3
I often work with NIST.
00:06:50 Speaker 3
There's a variety of those. They map to ISO.
00:06:55 Speaker 3
Those are great.
00:06:56 Speaker 3
The GTAG is great. The latest update. I love the fact that it includes a mention of NIST CSF 2.0.
00:07:07 Speaker 3
There's a really good control list, control objective list, in NIST 800-53.
00:07:12 Speaker 3
R5 is the latest.
00:07:14 Speaker 3
It's highly detailed, but it's really good guidance of what we.
00:07:18 Speaker 3
Aim for.
00:07:19 Speaker 3
There's high, medium, low.
00:07:22 Speaker 3
It's the number of controls you have. The significance of the systems, but those are great, especially within the access control.
00:07:31 Speaker 3
Family and then.
00:07:33 Speaker 3
Identification.
00:07:34 Speaker 3
Those kind of groups.
00:07:36 Speaker 3
CIAPE families. NIST 800-63 is great for fundamentals.
00:07:43 Speaker 3
Identity fundamentals. Those are important to know about. To understand what we're looking for. Kind of what our group's life cycle's identities, what we're trying to achieve.
00:07:53 Speaker 3
It's a great starting point.
00:07:56 Speaker 3
NIST CSF 2.0, the update is.
00:08:00 Speaker 3
I think especially given the recent usage of generative AI, there's one interesting thing that they added is it's both.
00:08:11 Speaker 3
Governance. There's a whole separate control group on governance, and there's a data governance. Data governance is a big deal, especially now because.
00:08:23 Speaker 3
You need to have a clear view of what data you have.
00:08:26 Speaker 3
Fine.
00:08:27 Speaker 3
Data catalog.
00:08:29 Speaker 3
Standards policies defining kind of both categories.
00:08:35 Speaker 3
Of data and classification of data.
00:08:39 Speaker 3
Then you kind of determine how you manage it.
00:08:41 Speaker 3
The reason being is that when you have good data governance, you can apply identity and access management identity governance to it.
00:08:49 Speaker 3
FIPS 199 is great because it gives you a way of rating systems.
00:08:55 Speaker 3
And based on the.
00:08:56 Speaker 3
The risk that they have if you combine those together.
00:09:00 Speaker 3
Identity and access.
00:09:02 Speaker 3
Essentially, it's having the right.
00:09:04 Speaker 3
And have access to the right data at the right time for the right individuals or systems.
00:09:10 Speaker 3
That's a key to success, and that's also important for implementing strong DLP, data loss prevention, and in turn with good governance, with good controls, with good vision.
00:09:26 Speaker 3
AI tools.
00:09:27 Speaker 2
Can you share any real-world use cases where
00:09:29 Speaker 2
IAM controls helped prevent security incidents or improved operational efficiencies?
00:09:34 Speaker 3
Got a couple of win examples from different kind of.
00:09:40 Speaker 3
There's a scenario where I had hundreds of thousands of backlog events, security events around access management, and it was for database platforms.
00:09:50 Speaker 3
Or more numerous access lists, three to five ticketing systems.
00:09:56 Speaker 3
Over 4 server platforms.
00:09:59 Speaker 3
So thousands of servers, thousands of users, like 70,000 or more employees, introduced documentation of the governance.
00:10:09 Speaker 3
Was, you know, what was?
00:10:10 Speaker 3
And then documented and standardized, developed.
00:10:15 Speaker 3
Solid. This is how we do things and then boil up to the policy level standard.
00:10:21 Speaker 3
Consolidated kind of into a single CMDB, cleared the backlog, and then that enabled us, in several examples, where instead of weeks it took us days to identify incidents and then escalate.
00:10:35 Speaker 3
To the C13 for investigation, and we quickly imaged laptops that were affected, so that's a few success stories right there.
00:10:46 Speaker 2
Yeah, I know.
00:10:46 Speaker 2
You know, those systems can generate incredible volumes of logs.
00:10:52 Speaker 2
But none of that information is valuable until you've had a chance to analyze it and filter out the ones that aren't important.
00:11:01 Speaker 2
Then you identify the ones that you need to, you know, have action on now. So yeah, it's great.
00:11:06 Speaker 3
Yep, Yep. Got a correlated.
00:11:11 Speaker 2
Yeah, yeah, I.
00:11:11 Speaker 2
Kinda asked about success stories.
00:11:13 Speaker 2
Have any horror stories?
00:11:18 Speaker 3
It's. I mean, usually when I come in, it's a giant horror story.
00:11:22 Speaker 3
Yeah.
00:11:23 Speaker 3
Kind of dig through it and implement and govern it.
00:11:26 Speaker 2
You're there to help clean up.
00:11:28 Speaker 3
Yep, it wasn't large enterprise where this essentially kind of it's rinse repeat because there were several of these, I sometimes do kind of broad identity and access.
00:11:41 Speaker 3
Assessments and sometimes deep dives.
00:11:44 Speaker 3
Of the directory services, get a dump of users, groups and all those records. I try to get as much information as possible with scripts, obviously working with the business closely.
00:12:00 Speaker 3
And it's one thing you you have automated.
00:12:05 Speaker 3
Scripts and functions to, let's say disable like disable user from opening a certain app from or just disable them completely.
00:12:13 Speaker 3
Because they're no longer working there and then you get an actual dump.
00:12:20 Speaker 3
The data report and export from the system itself and then you see thousands of users that haven't been disabled on time.
00:12:30 Speaker 3
Still.
00:12:30 Speaker 3
They're still being.
00:12:31 Speaker 3
There's hundreds of accounts that haven't had passwords changed or don't need passwords.
00:12:38 Speaker 3
Use old authentication methods.
00:12:41 Speaker 3
One of the more interesting things that I see is that often as auditors, we approach assessments.
00:12:50 Speaker 3
Basis and we focus on production environments and then we have a dev test the lower environments.
00:12:59 Speaker 3
But to make it convenient, developers sometimes take shortcuts. The teams take shortcuts and they reuse passwords.
00:13:09 Speaker 3
Then when you scan and compare the password hashes, you see oh, there's so many.
00:13:15 Speaker 3
Reused passwords across the non-prod and the prod environments. That was a huge lesson learned for me when I first started seeing these.
00:13:24 Speaker 3
Don't ignore the lower environments.
00:13:27 Speaker 3
You know, don't necessarily reduce the amount of testing depending if passwords are allowed to be shared or can be shared. You have that in mind do.
00:13:37 Speaker 2
You think there's good value in at least allocating a portion of your time to.
00:13:44 Speaker 2
Looking at environments other than the top level production into the Nice.
00:13:48 Speaker 3
Absolutely. Absolutely. At least compare the password hashes across the environment.
00:13:55 Speaker 2
The environment and that's something that can be fairly automated, not a lot of time.
00:14:00 Speaker 3
In that a person comes in, runs a few scripts, assuming they're reviewed by the technology team and approved because not every script should be run, it should go through the proper change management.
00:14:12 Speaker 3
Process.
00:14:13 Speaker 3
And yeah, scripts commands would not. You need to know what you're running.
00:14:17 Speaker 3
Validate it.
00:14:19 Speaker 3
Test it in a small environment. Then you can run it.
00:14:23 Speaker 3
Sometimes commands are.
00:14:26 Speaker 3
Better because they're simpler scripts. You can see third party.
00:14:31 Speaker 3
You have to be very comfortable with the risk and what you're leveraging. So it really depends on the tools you're using.
00:14:40 Speaker 2
Awesome. So kind of moving on to kind of the next area you wanna talk about and this is something I've had a lot of experience with as a practitioner is you know, what are the best practices for managing user access reviews?
00:14:55 Speaker 2
And you know, how often do you think they should be conducted?
00:14:59 Speaker 3
This is an interesting one and I have a couple of.
00:15:04 Speaker 3
War stories for that one.
00:15:08 Speaker 3
To start.
00:15:09 Speaker 2
I have a horror story as well associated with that.
00:15:10
Yes.
00:15:11 Speaker 3
Oh, awesome.
00:15:13 Speaker 3
Perfect, it's.
00:15:15 Speaker 3
This is like one of those classic areas where you find so much interesting stuff I had.
00:15:23 Speaker 3
A poor DBA just received.
00:15:26 Speaker 3
Stacks and stacks of.
00:15:29 Speaker 3
I mean, if he printed out, they haven't printed it, exports of users and their privileges across a multinational enterprise across different databases that this individual was supposed to send to business.
00:15:45 Speaker 3
Owners, sometimes business owners, sometimes IT owners, and it was such a volume of accounts to review and validate, and the detail of access that was listed.
00:15:57 Speaker 3
No human could possibly.
00:15:59 Speaker 3
Be able to do that 100% accurately and keep track of everything.
00:16:03 Speaker 3
It's it's overwhelming.
00:16:05 Speaker 3
Too much?
00:16:08 Speaker 3
To understand, to deal with kind of, maybe it helped to reach out to the individual owners, but it's it's still a.
00:16:16 Speaker 3
Of you know.
00:16:18 Speaker 3
So I think it's it's good to take user access reviews and and kind of just.
00:16:24 Speaker 3
In Whiteside, specs so.
00:16:26 Speaker 3
I have have this drawing and I published it in the.
00:16:31 Speaker 3
Year or two of the identity management, kind of the pillars of different.
00:16:36 Speaker 3
RACI chart groups and the responsibilities, and you have identities and you have business roles, IT roles and entitlements going left to right, and then you have the business side, the HR, the business side and more technology side.
00:16:51 Speaker 3
As you go to the right from left, being the HR side that would validate the business rules and job descriptions, to the middle, which would be management, and they would validate the business roles and IT roles.
00:17:06 Speaker 3
And to the far right, you would have the more technology people that would validate the specific technology, specific entitlements, specific configurations. So each group would play a role, not one individual taking the whole user.
00:17:22 Speaker 3
Soup to nuts review of their access.
00:17:23 Speaker 3
That's impossible.
00:17:25 Speaker 3
I think that would be helpful if if we.
00:17:30 Speaker 3
Chop up identity into several functions like business roles, IT roles, and treat them all as a life cycle.
00:17:37 Speaker 3
Then validating those would be much more.
00:17:41 Speaker 3
There's tools that do that, but I'm pretty tool agnostic.
00:17:45 Speaker 3
Depends on how you implement what the governance is.
00:17:48 Speaker 3
Tools that help with that. I think that's kind of the main one, just make it feasible for employees to do that.
00:17:57 Speaker 2
Yeah, I. So I had this horror story of a user access review where, you know, all of our internal.
00:18:04 Speaker 2
We were good at, you know, we would do the user access reviews anywhere between one time a year for lower risk applications up to about four times a year for the higher risk.
00:18:14 Speaker 2
We had this one application we didn't own, but we had a lot of the.
00:18:20 Speaker 2
Used a lot and we are on very good terms with this other company where like you know, we don't really have a process for communicating any of this.
00:18:28 Speaker 2
So let's get with them, and let's get a listing of all the users that they have and compare it to kind of all of our current employees and let's see, 'cause this has never been done in like over 20 years.
00:18:41 Speaker 2
So we get it.
00:18:42 Speaker 2
The listing we get from them of active people is more than the current number of employees we have at the.
00:18:49 Speaker 2
'Cause once again, it's never been done.
00:18:53 Speaker 2
And the only kind of field that we could use to tie the, you know, their list between their listing of users and our listing of your current employees was e-mail address.
00:19:05 Speaker 2
So we we bump it up and we find the ones that that don't mix.
00:19:09 Speaker 2
That don't match and we're like.
00:19:10 Speaker 2
It kind of did like it was a.
00:19:13 Speaker 2
It was many thousands of people, 'cause it was an area where there was a good amount of turnover, and once again there were more people on their system than we actually had employees.
00:19:23 Speaker 2
In our company, so we were able to get that listing to them of like, hey, these are the people that are no longer employees here.
00:19:31 Speaker 2
Unbeknownst to me, who I was, the one that was managing this, is that a long time ago they used to have a different e-mail convention.
00:19:41 Speaker 2
So unfortunately it was.
00:19:43 Speaker 2
It was very limited, but it was. There were about 20 or 30 people that came in the next day that had their access cut off that we had to get them back.
00:19:50 Speaker 2
'Cause I didn't.
00:19:52 Speaker 3
That's another good way of validating access.
00:19:54 Speaker 2
Yeah. And that is, I know we like to threaten that a lot.
00:19:55 Speaker 3
To set it off.
00:19:58 Speaker 2
Is one time where it actually happened.
00:20:02 Speaker 2
But that was that was that was interesting.
00:20:05 Speaker 2
I felt terrible, but fortunately wasn't too bad and everybody took it in stride.
00:20:11 Speaker 3
Fair.
00:20:11 Speaker 3
Well, it's a good thing they let you know right away.
00:20:16 Speaker 3
I've had instances where we cut off access and we haven't heard from people, and in a few weeks we would hear from them and.
00:20:24 Speaker 3
Sometimes it's tricky because sometimes you have fire call accounts that are just set up but not used. Technically could be disabled and tracked with a PAM system and all that, but that happened. And then DR testing comes and then they can't use it.
00:20:41 Speaker 3
You find out.
00:20:42 Speaker 3
Always good to test.
00:20:44 Speaker 3
It reminds me of a time when we were doing a scan and we scanned through users and filtered those groups. We filtered those and then we decided to do kind of this obscure.
00:20:55 Speaker 3
Script that pulled out in Active Directory privileged entitlements, just as entitlements.
00:21:03 Speaker 3
Not mapped to any one individual, not mapped to a system, just they turned out to be orphans.
00:21:11 Speaker 3
That just were sitting there not cleared up. And then if you wanted to, you can if you gained the right access, you can assign those.
00:21:20 Speaker 3
To just orphans.
00:21:21 Speaker 2
Yeah, it's a potential vector for someone gaining access they shouldn't have.
00:21:28 Speaker 3
Absolutely.
00:21:29 Speaker 3
So yeah, orphans is a big deal.
00:21:32 Speaker 3
Orphan users, entitlements. We had a time when there was a group owner that, everyone left, and the only kind of group owner that was left in the company was an audit. They'd totally forgotten about that group too. And I think that group had privile.
00:21:48 Speaker 3
So it's always good to prove the access not only of individuals, but of systems, machines, entitlements, groups.
00:21:57 Speaker 2
How about continuous authentication?
00:21:59 Speaker 2
Thoughts on that?
00:22:00 Speaker 2
What challenges it might present for auditors?
00:22:04 Speaker 3
It really depends on how it's implemented, it continues.
00:22:09 Speaker 3
Leverages the existing data.
00:22:11 Speaker 3
Existing user groups.
00:22:14 Speaker 3
And I I've seen clients where they have that in place.
00:22:18 Speaker 3
And I wouldn't stop at seeing continuous authentication in place.
00:22:25 Speaker 3
You know, two-factor, continuous re-authenticate based on risk.
00:22:30 Speaker 3
I think identity and access management based on risk.
00:22:33 Speaker 3
Is excellent because it's a sliding scale depending on what data you have access to, and PAM should be a continuum of that.
00:22:42 Speaker 3
It's not like admin versus not admin accounts.
00:22:45 Speaker 3
It's a sliding scale.
00:22:47 Speaker 2
OK.
00:22:48 Speaker 3
So I think we should make sure that if that is in place, then make sure that it's.
00:22:57 Speaker 3
Enterprise wide, because as we talked before, users have a tendency of bypassing controls for convenience.
00:23:05 Speaker 3
So the core systems might have that in place, but you could still have orphaned accounts.
00:23:12 Speaker 3
You could still have hidden local.
00:23:16 Speaker 3
Kind of accounts and groups within like network devices that are just waiting there to be.
00:23:24 Speaker 3
So I would verify the completeness. I often see it as too good to be true, and only when I verify.
00:23:31 Speaker 3
That it's everywhere then.
00:23:33 Speaker 2
So you definitely want to make sure it is a complete shift to this. You can't do it piecemeal.
00:23:38 Speaker 2
'Cause that's just ripe for vulnerabilities.
00:23:42 Speaker 3
That's right.
00:23:44 Speaker 2
Perfect. So.
00:23:44
Yep.
00:23:45 Speaker 3
That's right.
00:23:47 Speaker 3
I think and we touched upon privilege access.
00:23:51 Speaker 3
Don't know if this is something that.
00:23:54 Speaker 3
We're going to talk about.
00:23:56
We can go.
00:23:57 Speaker 2
We can go talking about that right now.
00:23:59
Oh, perfect.
00:24:00 Speaker 2
Yes.
00:24:01 Speaker 3
I love PAM.
00:24:03 Speaker 3
I think it's a subset.
00:24:04 Speaker 3
Pardon, parcel management.
00:24:05
Yes.
00:24:07 Speaker 3
It shouldn't be limited to admin accounts.
00:24:11 Speaker 3
Not, I mean, how do you define?
00:24:13 Speaker 3
That's what I see in organizations. We don't have it defined clearly, and it's critical because: is privileged access the ability to add, remove users?
00:24:26 Speaker 3
Sure, if it's a low risk user, maybe it's, you know, higher lower risk.
00:24:31 Speaker 3
I don't.
00:24:33 Speaker 3
Now is privileged access the ability to view.
00:24:38 Speaker 3
The CEO's e-mail, the CISO's e-mail.
00:24:43 Speaker 3
Maybe. And then can have visibility into that data, read-only access.
00:14:48 Speaker 3
Is it privileged?
00:14:49 Speaker 3
It could be, right.
00:24:52 Speaker 2
The ability to see unredacted Social Security numbers.
00:24:55 Speaker 2
Credit card numbers, yeah.
00:24:57 Speaker 3
Oh, absolutely.
00:24:58 Speaker 3
100%.
00:24:59 Speaker 3
We have different definitions of a privileged access across different standards.
00:25:06 Speaker 3
I do like the fact that some of them now I'll kind of read excerpts of definitions.
00:25:12 Speaker 3
NIST mentions security-relevant functions that ordinary users are not authorized to perform.
00:25:18 Speaker 3
So it's above ordinary, which is great.
00:25:20 Speaker 3
It doesn't limit it to certain you know you can change how to remove users. It's more than that.
00:25:26 Speaker 3
One of the vendors, SailPoint, mentions more powerful access rights than a normal user.
00:25:32 Speaker 3
That's risk.
00:25:33 Speaker 3
That's a sliding scale.
00:25:35 Speaker 3
CyberArk mentions special access or abilities above and beyond that of a standard user.
00:25:41 Speaker 3
And then privileged access can be human users, non-human apps. I added machine learning kind of bots.
00:25:49 Speaker 3
AI devices, scripts, etcetera. So.
00:25:52 Speaker 3
So important to see it from a risk-based access kind of a sliding scale, and then this way we can manage it better, and easy pickings for.
00:26:02 Speaker 3
Red flags for auditors.
00:26:05 Speaker 3
There's no privileged access.
00:26:07 Speaker 3
Management, PAM, or the definition of privileged access is not sufficiently defined. If you find that, that's right there, it's a glaring deficiency that we need to have clear vision, clear definition of privileged access.
00:26:22 Speaker 3
Not this is something that's not supported by enterprise wide.
00:26:27 Speaker 3
Of the ERM program, it should be.
00:26:30 Speaker 3
The ERM program should be tied into our privileged access definition and governance and, you know, safes sort of scattered, non-centrally managed.
00:26:39 Speaker 3
We're not tied to tickets.
00:26:41 Speaker 3
You know, we have a privileged access kind of activity and then we can't.
00:26:45 Speaker 3
Have a ticket in place, but can we validate it?
00:26:48 Speaker 3
Was an actual legitimate activity.
00:26:51 Speaker 3
That's something I still don't see.
00:26:53 Speaker 3
Service providers privileged access tools do.
00:26:57 Speaker 3
Maybe one or two are starting to, but they don't have the ability to for you to. If you're checking out a privileged account to go into the service ticket.
00:27:08 Speaker 3
Portal and then connect that service ticket. Then say I am performing this change based on that existing service ticket. I only see I think one if any of the tools that.
00:27:19 Speaker 3
Actually do.
00:27:20 Speaker 3
And this was a kind of something that I.
00:27:23 Speaker 3
Way back when.
00:27:24 Speaker 3
A little bit of a war story and and.
00:27:27 Speaker 3
It's hard to validate if the activity was legitimate if you don't, if you can't even tie it to the service ticket.
00:27:34 Speaker 3
Anything like that?
00:27:37 Speaker 2
Very true.
00:27:39 Speaker 2
So I know we, we.
00:27:41 Speaker 2
We were gonna touch on this subject.
00:27:43 Speaker 2
It might be time.
00:27:45 Speaker 2
Artificial intelligence, AI. How does artificial intelligence, machine learning impact IAM?
00:27:52 Speaker 2
What should auditors know about AI?
00:27:55 Speaker 2
With regards to.
00:27:56 Speaker 2
Love to hear your thoughts on this, alright.
00:28:00 Speaker 3
AI is.
00:28:01 Speaker 3
I mean, it's emerging, still on its way to kind of being improved; generative AI is being improved.
00:28:14 Speaker 3
We're moving towards something that can reason a little better.
00:28:19 Speaker 3
Still not perfect.
00:28:21 Speaker 3
And in a way, it started off with kind of machine learning and kind of automation, and then turned into something akin to advanced machine learning. Now that can generate text.
00:28:36 Speaker 3
In reality, that's what it is. It kind of generates something that's more the most plausible kind of solution to the problem you're presenting to it, and it ties into data governance.
00:28:47 Speaker 3
Trust in kind of the.
00:28:50 Speaker 3
Generative AI implementations I.
00:28:53 Speaker 3
Scenarios where a generative AI corporate solution was implemented, and because not all data was secured and it was treated as open, employees could see, you know, sensitive information.
00:29:08 Speaker 3
Something like text passwords or personal data and all that, so that's something.
00:29:17 Speaker 2
They ended up feeding it too much information and without thinking of the consequences.
00:29:22 Speaker 3
Yeah. And you could think you have it buttoned down and you have your data labeled, but somewhere someone has a little repository of unencrypted data and it picks it up.
00:29:34 Speaker 3
So it's important.
00:29:36 Speaker 2
People find ingenious uses for little notes, fields that are in applications.
00:29:41 Speaker 3
Yep.
00:29:42 Speaker 3
Oh yeah, yeah.
00:29:43 Speaker 2
A little free text areas.
00:29:45 Speaker 3
Unstructured data, that's.
00:29:47 Speaker 2
Yeah.
00:29:47 Speaker 3
Yep, Yep.
00:29:48 Speaker 3
And we have to, we have.
00:29:51 Speaker 3
We have to know, and NIST has a framework that came out, the AI Risk Management Framework, which is essentially NIST CSF for AI. It gives kind of control objectives.
00:30:03 Speaker 3
Across the kind of designing, developing and deploying steps of an AI system.
00:30:10 Speaker 3
So it points out all the different what we're looking for different areas, controls and control objectives. And for example, if you want to, you want to catch the instances of people kind of leaving the unencrypted data and then it gets picked up.
00:30:25 Speaker 3
And have controls in place. It mentions one of the controls is making sure you monitor the outputs too, so it doesn't disclose any.
00:30:35 Speaker 3
Or any sensitive data.
00:30:36 Speaker 3
That's a great framework that us auditors can use.
00:30:39 Speaker 3
I would say nothing highlights areas needing support as in budget allocation like audit. Nothing except for maybe a data breach.
00:30:50 Speaker 3
But then it's too late.
00:30:52 Speaker 3
So IT, audit and business, we should work together.
00:30:57 Speaker 3
Proactively to build trust and take this opportunity to shape a more resilient organization.
00:31:04 Speaker 2
Awesome. Thank you very much, Nick.
00:31:06 Speaker 2
Appreciate your time and hope.
00:31:09 Speaker 2
To hear from you guys again soon.
00:31:10 Speaker 3
Absolutely.
00:31:12 Speaker 2
Awesome.
00:31:12 Speaker 3
Thank you so much.
00:31:14 Speaker 1
Are you concerned about security in the age of AI? Join the IIA's 2025 Analytics, Automation and AI Virtual Conference on April 24th.
00:31:23 Speaker 1
You can hear from industry experts how cutting-edge technologies are transforming internal audit by securing your spot and registering today at the IIA.
00:31:33 Speaker 1
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts.
00:31:39 Speaker 1
You can also catch other episodes on YouTube or at theia.org.
00:31:43 Speaker 1
That's theia.org.