Alan Mitchell is vice president and global chief information security officer (CISO) at Brunswick Corporation, which is headquartered in Mettawa, Illinois, and is well-known for its industry-leading marine engines, boat brands, and parts and accessories. In his role as CISO, Mitchell manages more than 13,000 identities for Brunswick.
In our conversation with Mitchell, we discuss how the challenges of identity management have changed over the years, and how cloud computing has changed not only the role of identity but how organizations should approach security.
Here’s our edited conversation.
Thanks for taking the time with us, Alan. Can you tell us a little bit about your background in identity and IT?
The network at my employer started to grow, and I found an interest in moving my career away from the mainframe and into the client/server environment. In the mainframe environment, I learned an appreciation for the traditional identity and access management model, which consists of a secure perimeter and strong role-based access controls. With that experience, I saw all of the security challenges that exist in the client/server architecture, such as user IDs and managing the lifecycle of those IDs. With that, and then the tech and Internet booms, it was an exciting time.
I’ve been involved in software development, product development, and security for the last 25 years. I’ve seen a lot of evolution, and I’ve deployed nearly every identity and access management product that’s been out there over the years, at some point, with varying levels of success, complexity, and shortcomings.
One of the fastest-growing trends today that affects identity is the move to cloud computing. This means the traditional perimeter has gone away. With the rise of SaaS and PaaS applications and cloud infrastructure, organizations can exploit the agility, speed, and scale of computer resources on demand.
What this adoption of cloud computing has done is make identity the new perimeter. That means the focus on identity — how users are authenticated, and how their identity context and lifecycles are managed — is only going to increase in the future.
How has the approach toward identity evolved at Brunswick?
Brunswick is adopting a cloud strategy. Part of my leadership role is to ensure that, as we move to our virtual private cloud environment, the security of our infrastructure is focused on the concept of managing identity as the perimeter. By embracing that principle, we enable the business to be more agile, to have greater flexibility, and to avoid the fixed costs associated with having to spin computer hardware up and down as demand tapers down or increases.
What are some of the biggest changes that you’ve seen in identity since those mainframe years and the late ’90s when identity management began to see mature products come to market for the client/server?
Most of the products, when they first came out, centered on managing the multitudes of IDs that existed at the time. Then the number of IDs exploded even more, to include not only access to systems across an enterprise but also outside of the enterprise, as the market evolved from being centered on internal enterprise applications to applications outside the enterprise, and then the rise of e-commerce. All of this required a more mature approach to identity technology to make it more governance-focused.
That includes managing the complete lifecycle of identities — from birthright provisioning to access revalidation and de-provisioning. This is why we’ve seen much of the focus of the products in this space go from a central collection and management point of view to more of a governance perspective.
Additionally, increasing regulatory compliance requirements and regulations have come about that drive the compliance side of identity and access management demand. I believe that has been a good thing. This is how we’ve seen products mature and continue to evolve — from identity and access lifecycle management to privileged access management.
How does that help with identity being the perimeter? What does that look like in practice with your approach to identity?
Typically, we’ve relied on the network as the perimeter. That includes network controls and having visibility into network flows. As the network has now become something that we don’t always control, we still need to have that same contextual visibility, and today that means having visibility into the identity element. That’s the persona. That way we can customize the user experience. We know attributes about you and then utilize that identity as a mechanism to protect the data and the systems that you’re accessing.
And a lot of that has to do not necessarily with how mature the company is in their thought leadership; it has to do with the economics around technology. Anywhere that you go where you have an established company, you’ll run into legacy systems. The challenge today for people who are CIOs and CSOs, and even identity vendors, is not only do they have to be able to support the new and emerging technologies, applications, and platforms, they also have to support those legacy systems. That’s where we see that challenge, and that’s an age-old problem within IT.
I imagine it’s even more of a challenge for those organizations that can’t go straight to a cloud-only environment but still have to manage their on-premises legacy systems?
People still have mainframes today. People still have legacy environments that may or may not be current or even supported. And that’s just the reality of the business. It’s not optimal, but it is a reality of the IT environment today. If you’re lucky enough not to have that problem, that’s great, but I think the majority of people in the industry are facing that predicament.
But they can either embrace the new technology or choose not to and then potentially lose a competitive advantage. If one doesn’t keep up, the world moves on without them. You either embrace technology and figure out how to enable it in a secure fashion or get left behind.
Let’s look at the other aspect of identity for a moment, and that’s security. When you look at all the attacks that happen in organizations, the vast majority involve credentials to some degree.
Exactly. That is probably the number-one foothold, amongst many footholds, that an adversary can use to gain access to your systems. It starts with harvesting credentials and techniques of that nature. The defense is multifactor authentication and managing those identities so that you have the awareness you need when an identity is being used and how it’s being used. Additionally, when moving to the cloud, because that traditional perimeter is no longer available, you need to establish some kind of choke points to manage the way identities are being utilized. If you can do that, you can then have behavioral analysis around the activity of identities as well.
Speaking of that, you are focusing more on privileged access management. Can you explain why?
Yes, privileged access management is crucial because that’s essentially the keys to the kingdom. We have lots of legacy environments that we are challenged with, and those IDs with those technologies and service accounts have to be shared with trusted administrators. This has to be managed closely. So, coupling privileged access management and privileged session monitoring is something that most companies should be doing if they’re not doing so already. We’re seeing that if you’re a public company, a lot of the external audit and regulatory bodies — if they are not actually requiring it today — are highly suggesting it.