Blogs

Why I am betting on Oleria as the future of identity security

Find out why Phil Quade, an enterprise cyber leader with decades of experience at NSA, believes Oleria is the key to solving identity and access control challenges and why CISOs need to prioritize identity security.

by
 
Oleria
May 21, 2024
 
 
 

About Phil Quade

Phil Quade’s impressive resume as an enterprise cyber leader includes serving as Fortinet’s Chief Information Security Officer and spending over three decades in various leadership roles at the NSA. He worked as the NSA Director's Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in Cyber, and before that as the Chief Operating Officer of the Information Assurance Directorate at the NSA. His book, The Digital Big Bang: The Hard Stuff, the Soft Stuff, and the Future of Cybersecurity , draws on his years of experience to help people and organizations to think like scientists to master cybersecurity principles and overcome cybersecurity challenges.

Today, Phil works at Evolution Equity Partners, a renowned venture capital firm specializing in the cybersecurity space and the lead investor in Oleria’s Series A.

When we build our cybersecurity based on a complete understanding of fundamental elements of the cyberspace domain and how they can work together, we enable scientific revolutions in cybersecurity that will eliminate desperate acts of ignorance.
- The Digital Big Bang

Identity security innovation that delivers

It doesn’t take long working in cybersecurity to recognize that as much as change is constant (and keeps accelerating), the root challenges stay the same. In fact, a lot of what gets called innovation is actually just adapting existing tools and approaches to new technical realities (with sometimes disastrous results).

You also quickly see that some of the root challenges have never been fully solved. What often passes for “solutions” are more like patchworks that take a lot of work to hold together and never quite cover all the gaps.

So, when a company comes along with a true innovation that finally solves some fundamental challenges of cybersecurity… it piques your interest.

Oleria excites me because they’re doing exactly that: solving for the access control challenge — the root of so much risk and frustration for CISOs — with an innovative approach and an elegant technology that nonetheless treats cybersecurity like a science, not an art.

Complexity is growing, but the essentials stay the same

I can cite all sorts of statistics about the growing scale and complexity of the enterprise security ecosystem. I can scare you with facts on increasingly sophisticated cyber attack tactics. But when I talk to CISOs, my main message today is to focus on the fundamentals.

Beyond the basic cybersecurity housekeeping of robust authentication, known vulnerability hygiene, and personnel training, there are three fundamental cybersecurity strategies every CISO should be implementing — and executing at a high level — before they worry about adding anything else to the security stack.

  1. The first is to build a defendable architecture through strong segmentation — both macro and micro. Long the domain of firewalls, segmentation is what Zero Trust comes down to: firewalling to the nth degree. Segmentation is a superb strategy to mitigate breaches, limit the scope of breaches, and recover from breaches faster.
  2. The second is cryptography — the only real silver bullet in the cybersecurity toolkit. Correctly implemented cryptography is exceptionally good, and should underpin many of the deployed security functions.
  3. Finally, there’s access control — the third element in the “fundamental” category.  Since security should be designed to enable authorized access to information, rather than make it difficult to do so or create avenues for adversaries or lurkers, you need to understand who’s accessing what and have fine-grained controls in place around identity security — in a manageable scheme.

Why access control is the foundation (that most companies lack)

Access control has deep roots in our cultural history; those with belongings such as food or tools wanted to limit others access to their stuff by using doors, cabinets, keys, locks, chains, and many other mechanisms. Access control writ large is in headlines today in terms of mechanisms to control borders, immigration, and citizenship.

The business of Internet security is about granting or denying permission for people to get to assets. Assets can be either data — zeros or ones — or computing power the power to manipulate the zeros and ones.  Access control provides a means of ensuring that people, processes and technology touch only the assets that they're supposed to.
- The Digital Big Bang

I’ve spent 40 years at the leading edge of cyber technologies, shaping & watching the ecosystems evolve, the threats advance, and the challenges & opportunities grow.

In my NSA days, “access” was king; it’s how we provided authorized strategic and tactical intelligence on matters of national importance.  In my cybersecurity days, “access” is also king but the throne is under duress; with shaky access control, everything you try to put on top of it will fail.

Yet, ironically, of the three essential strategies, access control is typically done poorly, to be frank. In fact, Crowdstrike reports that 80% of breaches use compromised identities.

Companies like my old shop, Fortinet, offer firewall products that are used widely and used well. Cryptography, as I mentioned, is very sophisticated and very effective — provided it’s implemented correctly.

But there’s not much to brag about on access control.

Every organization has some hodgepodge of identity security and access control tools. But they’re usually insufficient because there has not been an end-to-end solution that does access control in a systematic way. You can see that in the rampant problem of over-provisioning: In the typical enterprise organization, 95% of permissions are unused and 90% of identities use only 5% of their granted permissions, according to Microsoft.

How Oleria got my attention (and Evolution’s investment)

I spent the last several years helping Evolution identify true visionaries and innovators in the cybersecurity space, and I had my eye on the access control challenge because of my personal experiences.

I got to know Jim and Jagadeesh during my time at Fortinet. So, when I first saw their vision for the future of access management, I knew right away that Oleria could be a game-changer for CISOs. 

That confidence was reinforced when Marty Trevino joined Oleria as Science Advisor. Marty and I worked together for several years at the NSA. He and I saw first-hand how ineffective access control and identity security led to some of the most serious and public security breaches of the past two decades. Like me, Marty believes that Oleria is onto something unique.

The Oleria solution takes on the fundamental access control problem all the way from governance down to technology and operations. And Oleria is doing it in a way that acknowledges that the solution can’t increase complexity, affect privacy, or be susceptible to human fallibility.

A story any strategic CISO will understand

It got me excited, to say the least. And I knew it was a story that I could easily tell to any strategic CISO: You know that whatever you do needs to be done at speed and scale. Those are your first-order mandates: enable, don’t inhibit or add friction.

But conventional access control is a messy problem.

Today, you’re probably paying for four or five different tools to patch together identity security — and still falling short of an ideal state. It’s still nearly impossible for CISOs to answer the fundamental questions of:

  • Who has access to what?
  • Where did they get it?
  • How are they using it? 

So, someone — Jim and Jagadeesh — is finally taking on the access control problem from end to end. And it’s not just a technical solution — it’s accounting for the human factors and reducing complexity along the way.

Why CISOs need to make access control/identity security a top priority

The biggest problem CISOs are dealing with right now is where to put attention, resources, budget and investment. Right now, a lot of companies are just focusing on the squeakiest wheel — reactively focusing on the root cause of the most recent breach or incident.

The result is that identity security is getting overlooked and under-prioritized. IBM reports that attacks targeting identities have increased by 71% year over year. Moreover, cybercriminals aren't just hacking in; they are increasingly logging in, which became the most common entry point into victims' environments in 2023. Yet Gartner reports that 66% of organizations are not investing enough in Identity and Access Management (IAM).

In my conversations with CISOs, here’s why I’m making the case that access control should be a top priority, worthy of proactive attention: First, there’s the simple fact that compromised credentials are the main “open door” for hacks and breaches (it’s a matter of “when” not “if”). There’s also the new wrinkle of SEC Wells Notices which brings personal legal liability for CISOs. You need to be able to prove that you’re being proactive and systematic about identity security.

Then, there are the more day-to-day pains. How much time do you waste trying to figure out who has access to a document that’s been leaked? To add insult to injury, how much time and money are you spending juggling multiple point solutions that still aren’t stopping breaches — and are adding (rather than resolving) complexity to your job?

Given all of this, why not try out a new approach to identity security — one that aims to decrease complexity, cut costs, and ultimately close the gaps in the conventional identity security front?

Let’s stop treating cybersecurity like an art and treat it like a science.  
- The Digital Big Bang

Until we do this, we’re doomed to suffer the consequences of those before us, who have failed to systematically address the access control problem once and for all.

If I sound critical, it’s because we — the collective cybersecurity community — have failed to sufficiently address access control. I’ve come to see that as a particular shame, because it’s one of the most fundamental strategies and needs of our domain.

We’re overdue for a modern approach to identity security

Oleria grabbed my attention and earned my enthusiasm because they’re bringing genuine innovation to the cybersecurity world. They’ve created a single solution to address access control from top to bottom. And they’re doing it with a uniquely adaptive and intelligent approach that accounts for the dynamic nature of modern business and the erratic nature of human behavior. They’re helping CISOs be more than just business protectors, but true business enablers.

Learn more about Oleria Solutions

Schedule a demo

Media contact
For media inquiries, contact pr@oleria.com

See adaptive, automated
identity security in action