SPHERE’s Head of Customer Success, Fredy Martinez-Pardo, was featured in TAG Cybers Quarterly Security Annual in the May, 2023 issue with a contributed interview, “Protecting Assets Through Identity Hygiene with SPHERE” download the full annual here:
All companies know you need to be prepared for an external security breach or hack, and privilege misuse is one of the main factors when it comes to financially motivated attacks. Identity hygiene helps companies keep their privileges and permissions squeaky clean, thereby eliminating open and inappropriate access, so that data quality is improved and assets are protected. SPHERE’S SPHEREboard solution is an end-to-end workflow that identify risks and remediate threats. SPHERE recently shared the platform’s innovative features with us, as well as their insights on identity hygiene.
TAG Cyber: What is identity hygiene, why is it important, and what is SPHERE’s unique approach to this topic?
Rosario Mastrogiacomo: Identity hygiene is a combination of activities that organizations perform to maintain the security of their data, infrastructure, and applications. It’s a practice that people and enterprises just know they need to do—very similar to personal hygiene. We know we need to brush our teeth and shower on a regular basis because if we don’t, our hygiene gets worse and ultimately, our whole body is at risk. Identity hygiene follows the same concept and that’s what SPHERE delivers. It’s a practice that companies have been trying to do for many, many years, but with different levels of success. If you don’t address your identity hygiene, security issues and breaches are almost certain to happen. What SPHERE does is look at the human involved. We look past the account and focus on the identity to determine the risk. Take Bob Smith for example. It’s not about Bob Smith’s account, it’s about the human, Bob Smith, and what he actually has access to versus what he should have access to. Databases, applications, SharePoint sites—we look at all these things to get a fundamental understanding of who Bob Smith is, who that identity is, and all the accounts Bob controls. This is truly the cornerstone of enterprise security in today’s age. It’s focusing on the human, whereas in the past, it was always just about the account. Fundamentally, you must go past the account and look at who is controlling it and the role that person has in the organization to understand and establish identity hygiene.
TAG Cyber: What are the major components of the SPHERE platform?
Fredy Martinez: Identity hygiene is the ongoing practice of knowing who has access to what, why and when—at all times. Organizations classify and categorize information based on its value to their ongoing activities. This information informs critical decisions about security controls that can be administrative, technical, or operational in nature. These controls depend upon “need to know” decisions—who inside or outside the organization requires (or does not require) the ability to create, modify, move, copy, or otherwise change the location, state, or characteristics of the data. Our identity hygiene platform provides a unique approach that helps organizations understand their identity posture with a unique end-to-end access management workflow—from discovery to remediation—of all identities across a company’s technological assets.
TAG Cyber: Explain the concept of an “evergreen IT strategy,” and how does SPHERE help achieve this goal.
Fredy Martinez: Essentially, something that’s “evergreen” is timeless and sustainable. The earliest definition of an “evergreen IT strategy” was created a decade ago; it is defined as the cross-section between on-premises and cloud computing, and instrument provisioning and management processes. It requires a combination of people, processes, and technology to continuously update, upgrade, and manage an end user’s software, hardware, and associated services like file storage, applications, and more. Just like personal hygiene, identity hygiene isn’t something you do just once. With SPHERE’s ongoing remediation, we help our clients along the evergreen path by implementing a continuous identity hygiene process to support an organization’s technical upgrades.
TAG Cyber: How does SPHERE help a company gain visibility into its data BEFORE it migrates to the cloud, and why is this a good thing to do?
Fredy Martinez: Digital transformation is more important than ever for all organizations. Our practical knowledge and expertise are an essential part of the blueprint for action, because we initiate an assessment based on the current state of identities, assets, data, and users to help our clients map out the best route for their cloud migration. With our SPHEREboard platform, clients have full visibility into the identities, users, and data that should not be considered part of the migration. This approach impacts three main areas of account migration. First, it reduces costs by identifying target data, such as stale files out of audit compliance. Secondly, it enhances data security by removing toxic combinations, and finally, it reduces the implementation timeline.
TAG Cyber: SPHEREboard is quite a powerful tool. Can you share its main features with us?
Fredy Martinez: Over the last few years, we have focused on building this robust identity hygiene tool. Our unique platform is continuously enhanced with new capabilities to help some of the largest and most highly regulated organizations improve security, enhance compliance, and achieve ongoing identity hygiene. Its main features include modules for unstructured data, accounts, and groups, as well as privileged accounts management. The platform’s Unstructured Data Module enables end-to-end workflow on file storage devices, Office 365, and Confluence. Its capabilities support file store discovery, ownership correlation, access control reports (such as open and excessive access), and automated file access remediation. Data classification, privacy and lineage on file systems can be achieved as part of our partnership with BigID. Next, the Accounts Module is one of the platform’s features that is most adopted by clients. It permits any organization to discover, detect, and remediate any account (human and nonhuman), ensuring that the access to assets is authorized and restricted based on business and security requirements. Additionally, the Groups Module helps organizations understand the current state of the AD groups platform (on prem or cloud), and its discovery engine can report and remediate use cases like stale and empty groups, nesting, structure analysis, excessive membership analysis, unclaimed accounts or groups, AD groups identified by Ddivision, groups with elevated permissions, group policy permissions and more. Lastly, Privileged Accounts Management is highly utilized by organizations lacking a just-in-time strategy. It provides full visibility of users and accounts with elevated permissions across an organization’s assets. Automated Privileged Accounts Vaulting can be achieved as part of our partnership with CyberArk.
TAG Cyber: We’d love to get your take on any important trends you see in enterprise cyber security, offense and defense, along with any advice you might have for practitioner readers.
Fredy Martinez: As cyberattacks increase, a similar number of trends and tools arise to combat them. At SPHERE, we’re constantly upgrading our platform and looking for new partnerships to provide our customers with the best tools. Above all, we try to stay focused on the basics of identity and access management (IAM) practices— the principle of the identity lifecycle. It’s important to remember that every identity starts its lifecycle at the provisioning stage and ends when it is disabled and deprovisioned, but the latter doesn’t always happen. It may sound simple, but as any organization operating in today’s complex, threat-rich environment knows, it’s not. Our clients turn to us as a trusted partner in their cybersecurity efforts and rely on our solutions as critical elements in their IAM programs. Sure, our SPHEREboard platform provides advanced technology, stringent controls, and ongoing reporting and monitoring, but we also have extensive in-house experience as boots-on-the ground practitioners of risk reduction. In other words, we know the real-world challenges facing organizations when trying to protect their enterprise from ever-increasing threats.
