EY helps clients create long-term value for all stakeholders. Enabled by data and technology, our services and solutions provide trust through assurance and help clients transform, grow and operate.
At EY, our purpose is building a better working world. The insights and services we provide help to create long-term value for clients, people and society, and to build trust in the capital markets.
How to use cybersecurity as a global business enabler
In this episode of the EY Microsoft Tech Directions podcast, we look at how best to navigate cross-border cyber security, focusing on digital identity and zero trust.
As cyber threats continue to escalate, companies worldwide are grappling with the complexities of keeping their operations both secure and compliant. Our conversation sheds light on the rise of zero trust — a method that minimizes access to what's essential — as a key element in modern cyber defense tactics.
Join host Susannah Streeter as she engages with cybersecurity experts Paul Frate, Security Specialist at Microsoft; Sam Tang, EY Digital Identity Leader for the Americas; and Kevin Runyan, Managing Director at EY. They'll discuss the shifting landscape of international data protection laws, the growing importance of establishing trustworthy digital identities, and the strategic combination of digital identity with zero trust concepts to enhance both digital security and business productivity.
Key takeaways:
Understand the essential role of zero trust and digital identity in strengthening cross-border cyber security.
Explore practical ways to navigate evolving international data protection laws and cyber challenges.
Examine the impact of digital transformation on security practices and why a comprehensive cybersecurity approach matters.
Gain insights into managing diverse identities and the integration of advanced technologies to safeguard digital infrastructures.
Recognize the necessity of continuous adaptation and education in cybersecurity to effectively protect against and respond to emerging threats.
For your convenience, full text transcript of this podcast is also available.
Susannah Streeter
Hello and welcome to the EY and Microsoft Tech Directions podcast. I'm Susannah Streeter, and in this episode, we're looking at how best to navigate cross-border cyber security, focusing on digital identity and zero trust. Businesses are being confronted with increasing challenges in managing secure and compliant operations across borders. Zero trust has become the linchpin of modern cybersecurity systems. This model essentially means granting access only for the right reasons to the right entities for the right amount of time. Cross-border data protection regulations addressing the safe movement of personal data outside of the border of its origin are evolving. Companies need to develop new overarching strategies to deal with this long term rather than relying on interim solutions. As organizations continue to digitally transform, the importance of secure and reliable digital identities is set to keep growing. It's becoming more and more relevant to focus on securing data because the vast majority of privacy compromises and data breaches occur due to a lack of awareness, cyber capabilities and coverage. In this podcast, we're going to discuss the intricacies of managing diverse identities in a cross-boundary context and look at the cyber security challenges posed. We'll also find out how integrating digital identity and zero trust principles can help build a strong defence against potential threats and bolster the safety and efficiency of the digital space overall.
I'm delighted to say we have a trio of thought leaders who will be navigating us through this subject and will provide some collaborative solutions. But before I introduce them, please do remember, conversations during this podcast should not be relied on as accounting, legal, investment, nor other professional advice. Listeners must, of course, consult their own advisors. But now, I'm really delighted to welcome Paul Frate, Security Specialist from Microsoft. Where are you today, Paul?
Paul Frate
Susannah, great to be here. Coming to you from rainy Atlanta. April showers are hanging on, but it's great to be with you today.
Streeter
Yeah, it's great to have you with us as well. Also, let me introduce Sam Tang, EY Americas Digital Identity Leader. Where are you, Sam?
Sam Tang
I'm in New York, and perfect weather in New York. Paul, you can keep the rain.
Streeter
Finally, let's introduce Kevin Runyan, who's Managing Director, Ernst & Young, LLP. Hello, Kevin. Where are you talking to us from? Hello.
Kevin Runyan
I'm splitting the difference. I'm in Raleigh, North Carolina, and we're halfway between. It's a pleasant day, a little bit overcast, no rain in sight, though.
Streeter
Good to hear it. Well, Kevin, let me start with you. I mean, how much of a challenge do you think it is to manage diverse identities across multiple networks and applications in a cross-border context?
Runyan
Well, that challenge is pretty big. You've got your typical workforce, contingent workers like contractors, consultants, and oftentimes third parties. Here you're thinking clinical trials, data sharing agreements, joint ventures. Then you've got nonhuman identities like service accounts, all on top of your end users like your customers, patients, and members. You start with this complex web of parties, and then you add in tonnes of places to store, move, and analyse data and different ways for these populations to access it.
Streeter
So, Sam, how difficult is it to keep abreast of all of these developments in an ever-changing cyber environment?
Tang
Well, ever-changing is the word I'm going to key in on for my response. Changes in geopolitical landscape that were the business, financial, and operating models that changed. Culture, and more importantly for those of the audience that's in the digital identity space, there's actually going to be a shift where the importance of the digital identity leader is going to start seeing actual C-suites identified as digital identity leaders as well. So, as these changes happen, the main challenge is clients and organizations don't realize exactly what they're really managing in terms of access. Holistically, a network, infrastructure, cloud, devices, people, processes, applications, and data. And notice that it's no longer just people, process, technology anymore. It's across the board. What that translates to is really about the inability of people to see how they prioritize what they need to work on in terms of digital identity. The bright side is that OpenAI is going to enable all of that. In addition, it is really the ability for you to make the run-time decisions on identification, authentication, and, most importantly, authorization.
Streeter
Thanks very much, Sam. So Paul, just how difficult is it to keep abreast of developments in your view? How should this be approached?
Frate
It is very difficult. As solution providers, we're very much on the fast path of seeing, for example, the power and the value of AI. But unfortunately, so are the bad actors. Our customers know their businesses better than we ever can. And really, at the same time, as a solution provider, we have to present the solutions in such a way that, process-wise, it makes sense. So Sam used the right term, the prioritization. So as we begin our engagement with clients and we talk about the deployment of AI, what we're learning and what our clients are learning is that data security should probably precede AI deployment, meaning a little more rigor around the identification, the clarification, and the protection of the data is probably a best first step for AI deployment.
Streeter
Really interesting stuff, Paul. Kevin, as Paul points out, the bad actors are really on their toes and are evolving super quickly in their strategies. To what extent can cybersecurity problems be traced back, though, to a simple lack of awareness of data protection regulations in different countries.
Runyan
In my last two decades working with clients, I've seen a lot of people who want to do a great job. At high-performing organizations, they typically want to get stuff done quickly. Despite a lot of good efforts from cyber evangelism and cybersecurity awareness teams, the focus on making the business run profitably can lead workers to not having time to read and interpret the regulations of every place their firm does business.
Streeter
There's a lot to keep across, isn't there, Kevin? To what extent do you think is a reliance on manual processes and silo data protection controls at fault?
Runyan
Well, with manual processes, the big risk is the inconsistent application of your policies. It's really hard to establish a defendable position when you're handling the same type of data in different ways in different business units or different locations. Similar to the awareness issue, siloed controls can lead to gaps where each group thinks that their remit ends without someone else taking a holistic view across the enterprise to make sure we really have the entire problem handled.
Streeter
Paul, what implications are there in terms of risk when the data is shared with or collected from a third-party vendor?
Frate
Well, this really reminds me of the sharing and collection of data when we engage with clients who are using what we call sanctioned and unsanctioned cloud apps. Many times, these sanctioned apps certainly are governed and under the direction of enterprise IT, but many times, they're ubiquitous, these unsanctioned cloud apps, but users like to access them. The key discipline that we stress is to train on the understanding of whether a SaaS app or a solution that they're about to, if you will, sign up for authorizes that SaaS provider to access the client data, which the enterprise may or may not allow. So, cloud apps like this should be evaluated by the enterprise for these types of authorizations and, quite frankly, score for their enterprise readiness and potentially their vulnerability.
Streeter
Well, let me bring you in, Sam, on this. What's your take on how best to manage third-party vendors? What education do you think is needed?
Tang
Yeah, and I'll hit on something that Paul just said: it depends on the organization from the sensitivity standpoint on the cloud apps and so on and so forth. But the word I wanted to actually use here is tolerance. It's the tolerance level that is really subjective to the business that you're in, and the tolerance that's associated with trust, and the trust of the data, the trust of the data that you're generating. It's really about how to make sure that you classify information when you're trusting what you're generating. You're trusting what you're using in terms of the AI. However, there are some guiding principles that we always follow. I'll give you some examples. Granting of data access should not be perpetual, and all data should be classified and labelled with trust, risk, privacy, ownership, usage, and so on and so forth. Access needs to be verified always, go back to the zero trust principles, and use third-party data to do identity proofing in terms of trust. So, you have to make sure that you use third-party data and have access to multiple countries around the globe. Data on the regulations and laws will continue to change, will continue to evolve, and will continue to expand.
Tang
So it's very important to really classify your information and trust that your metadata is a It's accurate.
Streeter
Yes. So trust and tolerance criteria are key. What else do you think is at play here which stops organizations from taking the right steps?
Tang
This is a very good question. And it's not really what stops organizations from taking the right steps. It's really the organization's willingness for the company to adopt transformative thinking. And this is a transformation. And most companies don't have full visibility in terms of what they're really managing in terms of access. And what that translates to, what I said earlier, was prioritization, but more importantly, fear in our customers and the ability for people to really deal with media requirements in terms of data sensitivity and take advantage of OpenAI. OpenAI is going to enable full visibility but also, more importantly, to translate that visibility into value people are going to actually see.
Streeter
Paul, do you agree?
Frate
I do. There's one other aspect that we have visibility on from the vendor side. As I've worked with clients over the years, we've been met with what we call silos in organizations. Different organizations may not be as aligned as they should be. I believe it's gotten better on the enterprise and customer side, and they've certainly made huge strides here. In the past, we would see that network engineering rarely talked with security. I think, frankly, most recently, the development team and the coders sometimes view the application security teams and their required tooling as a hindrance to productivity. I believe those silos have largely broken down, and things are, if you will, getting better. I think it's happened for a couple of reasons. I think enterprises have recognized the fact that the pain felt by breaches has become too significant. The fact these silos exist probably is a bad thing, and we need to do things to help tear them down. I think the second thing is that the perimeter has evolved away from data centers and devices to become more identity-based. For those two reasons, I think that enterprises have gotten away from a siloed reality and moved to a more collaborative approach.
Streeter
What kinds of cybersecurity threats are posed by ineffective digital identity security, Paul?
Frate
Really, the things that we are also really sensitive to are the threats that can be unintentional ones, maybe internally generated to the enterprise, that can be avoided through a process of education and training, really the dos and don'ts. One aspect that we stress at Microsoft is to minimize the unintentional risk through a program of continued and mandatory education by employees. Our foundational principles here are to verify explicitly, use least privileged access, and assume breach. I think you'll find those types of tenants really throughout the enterprises at large now because it makes sense. But I believe that an education process is necessary when we think about internal unintentional risk.
Streeter
Kevin, let me bring you in. What's your take on this?
Runyan
I want to echo Paul's perimeter comment. Be it an insider or compromised credentials, the old perimeter is really no longer effective. But when your data protection measures or when you use data protection measures that rely on identity context, and as Sam mentioned, too, really asset metadata or tagging, they can provide better decisions to reduce risks and better visibility into who's doing what with your data.
Streeter
Sam, what are the other risks to companies if they don't get this right, if they don't understand that the old perimeter is no longer effective? I mean, not just in terms of fines, but reputation, too, because once lost, it's so hard to win back, isn't it?
Tang
Reputation and fines are just two small components of the net impact of not doing it right. It's really about doing it right, is the bottom line. Obviously, the board and the C-suites are always looking for the bottom line. That's really about the cost of the growth. Doing it right, the cost that you're talking about is actually in two different ways. There's a cost of doing nothing. There's actually a cost of doing something. You need to be able to have visibility into both in terms of how it impacts your bottom line. There is a strategy against that. That is what we consider as the four R's. Realization - which is the full visibility and transparency of what you're really dealing with. Readiness - which is being ready for things like political attacks, culture, M&A, and the best of your operational structure changes. Resilience - the ability to actually lock down your environment so that you're very comfortable and that you're following zero trust strategies where you really don't have to worry about persistent access from an optimization standpoint. The last is remediate - make sure that you take a look at how you remediate and recover from attacks because preventing all attacks is probably more likely. But at a minimum, you want your remediation so that it has the least impact on the business.
Streeter
Paul, why would you say this is so important to address right now when you consider the scale of change we're seeing, particularly when it comes to artificial artificial intelligence?
Frate
Well, I see a couple of drivers to the scale of change. Really, there are two factors. First is the rapid adoption of cloud-based services, and in particular, SaaS apps, and the second is a more highly distributed global workforce. AI has really presented a new set of challenges. It's also provided us with some new opportunities. What I mean by that is we can now take AI and begin to integrate it into our broader security platform, whether it's data protection or identity or the SIEM. For example, on the identity side, we have the ability to prevent identity compromise and to respond to threats more quickly. AI capabilities and what we call our copilots, which is our AI functionality, should also recommend ways to automate prevention and resolution for future identity risks.
Streeter
It really does seem right now, in particular, that there is this pressing need to take action. Kevin, what challenges do you see your clients facing?
Runyan
I'd say one of the toughest ones is following the daisy chain that is accessed. What I mean by that is sometimes, in the old world, I've got an ACL that says Sam can access this data, and Paul can't. In today's world, Sam may have access to a service account. That service account may be used to call an API, a microservice, which is called a database proxy that actually accesses the data. Being able to cut through all those layers to see what that effective access is a place where we can really rely on something like AI to help cut through that murkiness.
Streeter
Sam, so how can companies adopt a more proactive rather than reactive stance to all of these threats? How should they better prepare for ever-demanding requirements from regulators in particular? To what extent does this have an impact on prioritization?
Tang
Notice what Kevin said. There are a lot of threats and risks associated with cyber and digital identity. Traditionally, the way that people think of prioritization is always about understanding what the current state is and figuring out what the target state should be. Then, in the middle, you really need to generate your actionable roadmap. However, that only works within an environment where it's static, and things are changing rapidly. So the new way that we're driving change, driving transformation, is really looking at three main components. Tactically, what needs to happen? Because there are always tactical things that people have to address. You have to understand the value that you're gaining by doing so. So, ethically, what are some of the things that we need to work on, and what's the value associated with them? The second step is to evaluate the foundational gaps that you may have in order for you to satisfy your business and continue to chase the changes that you're seeing in the environment. The third is to implement and execute transformative strategies, prioritized strategies such as cross-border access, cross-ponder access, physical-logical access, and third-party access, and get to the point where you can truly say he'd have, just in time, access determination for everything. But again, every step of the way, you need to determine what value you're gaining.
Streeter
You also need to have a long lens. It's clear, and it's difficult to predict which regulators will increase demand next. So Sam, how should companies approach all this? How can they prioritize intelligent investment and spend smarter, not just on more data protection?
Tang
There are four different things that we always educate our clients, and education is key. It's simplify, optimize, transparency and alignments, simplifies processes, simplify your controls that you're mandated to adhere to, simplify the technology that you're using, and optimize the use of technology like OpenAI to help you along, to help you prioritize, help you protect, order and compliance, which is transparency. Every step of the way, take advantage of things like OpenAI to make sure that you are actually capturing the evidence that's necessary in order for you to prove that you're protecting the data correctly. And then last, alignment. Alignment with business. Again, going back to what I said earlier, the board in the C-suites are looking up online. Make sure that you are aligned with them to continue to show them the value that you're actually providing.
Streeter
There are some really great steps there, Sam. Paul, tell me a little bit more about the transformational benefits of integrating digital identity and zero trust principles in cybersecurity. What are these benefits, ultimately?
Frate
Well, we're seeing that certainly, as many have said, that identity is the new perimeter. This reality has led to the emergence and adoption capabilities that integrate network and security. In using a Gartner coined term, it's called Secure Access Service Edge, which is certainly identity-focused. It's an architecture; it's a framework. This has been beneficial for a couple of reasons. Number one, it's brought some standards to these types of frameworks, and this has been a rapidly evolving market and market space, and those standards key. Looking at it from the customer perspective, it's been extremely helpful because, as you know, they have to make sense of the various vendor solutions. Feature functionality is not the same across the board. I think, number one, the framework and the creation of it have been key, and certainly the standards that have emerged to help customers evaluate capabilities like this and really prioritize what should I do first and what maybe is a step two, three, and four.
Streeter
Kevin, what's your take on this? How can these strategies that Paul's outlined be applied together to help build fortifications against potential threats? Have you got any good examples of how it's really worked?
Runyan
Sure thing. We've helped clients find and remediate millions of instances of potentially out-of-policy access. That's multiplicative because any one of the many pathways that exist can lead to fines or a data breach. Then finding all those various paths, like I was talking about before, lets you put controls on top of them or just remove the path if that's not really helping the business. There are certainly times when a service gets spun up quickly to enable a business process, and the creator doesn't realize they've opened a door or exposed more than they originally intended to. Then you're just left having to hope your team finds it before someone looking to exploit it does. Now, if you're not comfortable with that hope approach, then you really need to dig into that data and use your analysis to make sure you get there first.
Streeter
Absolutely. Paul, what else are customers telling you about their experiences?
Frate
There are so many, what I'll call control points in enterprises today that must be managed, and they have to be integrated to deliver actionable intel. Customers are required to deploy even multiple vendor solutions, but they do stress integration. I believe that's led to a platform cloud-based approach to security. The other reality that we're hearing from clients is that they're challenged from an FTE perspective. Those analysts and SOC operators, quite frankly, they're stretched. So, they need solutions that are operationally streamed. I think one more thing that I'll add here, which is really a testament to how we're starting to see AI really the applied year, especially as in the SOC, the Security Operations Centre. It's a busy place, and there are certainly many different layers, control points, sending signals. Those signals have to be assessed and managed. The feedback that we're hearing from clients has to do with the impact in a couple of areas as it relates to the SOC. Number one, AI and what we call our copilots are giving more enriched alert context on emerging threats. Really, the second benefit of AI is more rapid investigation and response by providing incident summaries and their impact and actionable recommendations for remediation, which is really key to that prioritiztion.
Streeter
It's great to hear about all those current solutions and benefits. Ultimately, Sam, what should be at the forefront of mind when bolstering an organization's security measures.
Tang
I'm going to go back to what Paul said about identity being treated as a perimeter. I'm going to be even bolder than that. Identity is actually at the center, at the core of cybersecurity, in protecting access. Transformation, I talked about earlier. But more importantly, organizations have got to be able to address the value aspect of what we do. The value should be measured in three different fashions: maturity and the KPIs in the back. So maturity is based on the four R's I've mentioned before: realisation, readiness, resiliency, and also remediate. But KPIs are associated with things like operational efficiency. Risk reduction, the ability for you to set the complying order in compliance, and user experience and adoption. Of course, we spoke a little bit about cost earlier as well. I'll give you one more example. How much value would you say it would be if we were able to actually state the wrong statement? No one has access unless it's verified access to data or classified data. So if something is not classified, don't grant access. And what if we're able to say from a DOP standpoint, no information is to lead the environment unless it's classified, unless it's actually verified.
Streeter
Okay, well, thanks so much, Sam. We are nearing the end of the podcast. Can you tell me what other trends you're seeing which could loom large for companies in the years to come, which they need to prepare for now?
Tang
Well, before it was people talking about zero trust, so on, so forth. But what I'm saying here is be ready to adopt just-in-time access for everything that we do. It could be identification transaction, it could be authentication transaction, it could authorization transaction. But we were even seeing using identity-verified trust as a technique to even handle business transactions like a payment fraud detection.
Streeter
Paul, what trends are you following the most?
Frate
I feel the most exciting security trend that I'm seeing is really in the use of AI in secure code development. It's real, and it's happening today. It will continue to evolve quickly. Software is really everywhere and the coders are under extreme pressure to deliver new apps at an alarming rate. At the same time, we have to make sure that that code development is secure. This is where I see AI really making a huge impact because What's actually happening is AI is suggesting more secure ways to write that code, and that is a huge plus.
Streeter
Kevin, what are your final thoughts?
Runyan
It's really that identity is the central piece of a lot of these controls. Cyber teams have been creating multiple layers based on the idea of defense in-depth for years. But if you don't know who is going to do something, you can't really make good decisions. If we're going to leverage OpenAI to assist in these types of controls, your AI can't render good decisions if you don't know who is out there and what data they're trying to use.
Streeter
Okay, well, thank you so much. Those are some really great takeaways for the listeners. Thank you all for a really fascinating discussion. Some really useful insights on how businesses can navigate cross-border cyber security while focusing on digital identity and zero trust. Thank you so much for your time.
Tang
Thank you for having us.
Frate
Great to be here. I appreciate the time and the insights.
Runyan
Thanks so much for having us and for the good discussion.
Streeter
t has been really good to talk. A quick note from the legal team. The views of third parties set out in this podcast are not necessarily the views of the global EY organization nor its member firms. Moreover, this should be seen in the context of the time in which they were made. I'm Susannah Streeter. I hope you'll join me again for the next edition of the EY and Microsoft Tech Directions podcast. Together, EY and Microsoft empower organizations to create exceptional experiences that help the world work better and achieve more.
