Q&A, Simon Cuthbert, Tenfold: On the problem of over-privilege and IAM best practices

James is editor in chief of TechForge Media, with a passion for how technologies influence business and several Mobile World Congress events under his belt. James has interviewed a variety of leading figures in his career, from former Mafia boss Michael Franzese, to Steve Wozniak, and Jean Michel Jarre. James can be found tweeting at @James_T_Bourne.

To misquote Benjamin Franklin, in this world nothing can be certain except death, taxes, and security being the biggest concern for cloud migration. Flexera’s most recent State of the Cloud report last month laid it bare; more than four in five (81%) enterprises said security was the main challenge, ahead of managing spend and governance.

The latter two areas are, naturally, also linked to security. But as cloud workloads become increasingly complex, and as multi-cloud moves from a nice-to-have to key for competitive advantage, the security headaches only increase.

A key piece of the security jigsaw is identity and access management (IAM). Get it wrong, or neglect it altogether, and a major hole will open up. After all, if your admins don’t know who has access to what, how can you be sure of security?

Tenfold is an IAM and access rights management company based in Austria. CloudTech spoke with Simon Cuthbert (left), an IT security veteran and responsible for international business development at Tenfold, on challenges organisations face today, cybersecurity awareness, and how one trade show got him hooked on the industry.

CloudTech: Hi Simon. Tell us about your career to date – as well as current roles and responsibilities at Tenfold Security?

Simon Cuthbert: I have given 30 years to the IT security industry. Having been in sales since the age of 15 and cutting my teeth with Xerox in the mid-90s, I was given the opportunity to join Content Technologies, the developers of MIMEsweeper, as inside sales. Hammering through piles of leads each day taught me very quickly how to deal with rejection and hardening me for my future career. It was here that I attended my first trade show; I was hooked. I just loved everything about it.

Due to the external sales experience I had gained in previous sales roles, my sales manager at the time, the wonderful Catherine Jamieson gave me the chance to build a reseller and distribution channel. Along with the team around me we increased the channel revenue by 200% year on year and for me, channel has been the driving force behind my success.

Since then I have held various sales management and senior leadership role with companies such as CA, Varonis, Zeus Technologies, AEP Networks and Protected Networks.

Today I run my own company, VARChannels. We represent security vendors entering and growing new territories and my focus right now is with Tenfold Security where I am helping with global business development. My role is to help Tenfold to expand the business and grow revenues outside of their home market, DACH where they have seen massive success due to the quality of the software solution that they provide and their commitment to working with the channel.

We’re now growing the channel in the UK and US markets as well as other European countries such as the Netherlands and France and are seeing a positive uptake from both channel partners and their end users.

CT: What does Tenfold Security do in your own words and how does it aim to do it better than the competition?

SC: Organisations today have a massive problem. Most are using native Windows tools to manage users’ access to data via Active Directory. This gives them very little visibility of who actually has access to critical data, how they have gained that access and most importantly, if they actually require access to certain data to perform their role.

Essentially, users are over-privileged and this is a problem for a number of reasons. GDPR and other regulatory processes require organisations to have a least-privilege policy, meaning users should only have access to the data they need to perform their role, this in simply not possible when using AD to manage permissions. The next challenge you face is how to revoke permissions but again, without knowing who needs access to what, it is close to impossible to do this. This is what I really like about the Tenfold solution; it allows IT to not only get visibility of how access to data is structured but also enables them to work with the data owners (heads of departments) to manage that access through a really simple to use dashboard to set up policies and procedures that can then be managed by the business rather than IT.

CT: What are the key issues companies are facing with regard to identity and access management today? How has this landscape evolved over the past 12-18 months and what should we expect next?

SC: One of the biggest challenges faced by organisations today are what I call ‘cyber insiders’. These are the people that cause internal data breaches either by design or by accident. When users are over-privileged it leaves organisations wide open to internal breaches:

  • The sales guy moving to a competitor who thinks it is okay to take ‘his’ customer list with him
  • The developer that has been bribed by a third party to leak the latest piece of IP
  • The admin assistant who is just clicking through file shares during her lunch break, only to discover that the person next to her doing the same role is earning 40% more than she is

Lockdown has meant that millions of people are working from home. This only exacerbates the problem because the business now has even less visibility and control over data access.

CT: What is Tenfold doing for its clients amid the Covid-19 pandemic?

SC: It’s a really tough time for everyone right now both mentally, emotionally and physically. Many businesses were not prepared for the massive changes that they needed to implement in such a short space of time to ensure that employees could work from and still be effective. Here at Tenfold we have been working with many of our customers to help them make this transition as painless as possible by being available as much or as little as they have required us. Our support team have done an amazing job and have performed above and beyond to ensure our customers are still able to operate.

CT: What should organisations be more generally aware of with regards to cybersecurity during this time? Other companies have mentioned the risks of remote working and risks of misconfigurations.

SC: This is a great question – as I mentioned earlier, remote working brings with it a whole new set of security challenges and key to overcoming that is knowing who needs access to data, when, why and for how long. This should not be left in the hands of IT as they don’t know who needs access, why would they? This needs to be put in the hands of the data owners to ensure that only the right people have access to the right data at the right time.

Also, I think that we need to not only look at the technical risks but the risks of the mental health of our employees. Many are working from home for the first time, are having to juggle remote working with childcare, dogs barking in the background and also the loss of the social interaction that working from home brings. If they have to wait hours, even days in some circumstances to get on with their job, this could add to their worries.

CT: You were due to speak at the Cyber Security and Cloud Expo on ‘how to counter data theft by eliminating the insider threat’. What would the audience have learned from your session?

SC: I have to be really honest here – I love presenting. Educating audiences has been a passion of mine for over 25 years. I have specialised in data security for most of my career and without sounding like an egotistical monster, I have a lot of knowledge on the subject.

The key takeaways for the audience would have been:

  • Protect your critical data
  • Deploy a ‘least-privilege’ policy: Ensuring users only have access to data sets that they require
  • Regular review of access rights: Data owners must review access rights regularly to ensure these are up-to-date
  • Regular reporting: Gaining immediate visibility of changes
  • Put ownership of permissions onto data owners: They are the people who know who should have access
  • Traceability: If the worst happens, at least you will have a better understanding

CT: What does the rest of 2020 hold in store for Tenfold Security?

SC: Due to the outbreak of Covid-19 we have had to make some changes in our Go-To-Market strategy. We will continue to work with and support our Customers and Partners around the world. We had heavily invested in shows and events both here in the UK and also in the US but of course, while we observe lockdown, we need to look at new and innovative ways work finding new customers. We are currently offering free web demos of our solution (and this is keeping our pre-sales team very busy right now!). We have also developed a virtual machine so that prospect customers and partners can get hands on to test all the benefits that our solution offers without the need to go into the office to set anything up and this is proving to be a real asset.

CT: What is the key lesson you have learned from your 30-year career in cybersecurity?

SC: Another great question! I was asked this question by a young man entering the industry just a few months ago. I have had the opportunity to work with some amazing people during my time in this industry and have built some high performing teams.

People are what makes this industry great. I have always tried to conduct myself with humility, honesty and integrity, not because it serves any type of purpose but because, in my opinion, it is the right way to be and it has always served me well. Keep challenging yourself and others, don’t be afraid to ask questions, it’s okay to fail but above all, love what you do and do what you love.

Editor’s note: Tenfold are hosting a webinar on May 13 around the top five security risks in access management. You can find out more and register by visiting here. If you are unable to make the date, the webinar will be available on-demand.

Photo by Matt Seymour on Unsplash

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *