
What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
Why your organization needs a stronger approach to identity security right now.
Interested in being a guest? Email us at admin@evankirstel.com
More at https://linktr.ee/EvanKirstel
Speaker 1:Hey everybody, fascinating chat today as we dive into the world of cybersecurity and identity. Fascinating topic with the IDSA, the Identity Defined Security Alliance. Jeff, how are you?
Speaker 2:I'm doing really well, Evan, and how are you today?
Speaker 1:Amazing organization. We're going to dive into lots of interesting topics. Before that, maybe introduce yourself, your bio and background, and how do you describe the IDSA exactly?
Speaker 2:Sure, and thanks for that opportunity and for the invitation. I really appreciate being here. My name's Jeff Rich. I'm the executive director of IDSA. As Evan indicated, I have a history. I've been doing security work for about 50 years, information security in particular, for a little over 45. I started the security programs at Arco Oil and Gas Company and at Dell and at Rackspace and a few financial services companies, worked in a couple of startups. So even though security has always been the spine of what I do, I've always been able to spread out and do additional things as well. And for the last couple of years, over two years, I've led the IDSA and had an even deeper dive into what identity security means, and it couldn't have come at a better time because it is in the forefront of everything now.
Speaker 1:It is indeed such an amazing topic, and what gap were you trying to fill in the identity and security world when you launched the IDSA? What was the mission at the time?
Speaker 2:Well, to be clear, I didn't launch it. Julie Smith was the founding executive director, she retired and they came in about two and a half years ago, but the gap, as you say, to be filled, really hasn't changed. In fact, it's widened. Because, you know, I could read the whole mission statement. But, briefly, our mission, our goal, is to raise the level of identity security and identity security awareness and the security of identity, and I can explain what the difference between those three are. And that gap really exists because everything we do now depends on what your identity is and how it comes across.
Speaker 2:You know, if you go back 50 years, identity was easy. It was easy. You said your name, you might have a passport, you probably had a driver's license, which my first driver's license was a piece of paper with my name, which was not a really good way to identify someone. So, as we had more capabilities, we started to apply those to advance how identity works, got in a pretty good place, and then the cloud came, in particular, and AI. That has now exploded to the point where, with all the different machine identities that we have and all of the artificial intelligence behind different types of identities, it's now almost impossible to determine who's who. In fact, there's been many research surveys indicating that there are more machine identities on the Internet than there are human identities.
Speaker 1:Yeah, what a brave new world, to say the least, and we hear a lot about identity being the new perimeter. What does identity-defined security really mean in practice, sort of on a day-to-day level?
Speaker 2:Well, you could look at it as identity as new perimeter. There's a large contingent that believes that very phrase and there's almost as large a contingent that says no, that's the wrong way to look at it, just like any sort of new technology or how we're going to do it. But the concept behind that is the same for everyone, in that you have to be able to protect identities or you can't protect anything else. Now I get where identity is new perimeter, and I've often used that phrase because in my career in information security, you know, the perimeter at one point used to be the computer room, then it became the data center, then it became the local network, then it became the worldwide network. Now, especially with the cloud, the perimeter exists in every device that does everything.
Speaker 2:I'm looking right now and I have more equipment than I need. I have six screens in front of me right. I have a microphone with a chip, I have a soundboard with a chip and a phone, and you know that list goes on. Every one of those chips has at least one identity associated with it. So with all of that going on, when you go back to the standard identity phrase, who goes there? You can't answer that easily anymore. So that's the gap.
Speaker 2:That's the gap that we are bringing our members together to fill.
Speaker 1:Let's talk about your members. You're a sort of vendor-neutral organization. Why is that important these days when it comes to bringing partners together?
Speaker 2:Well, we're a nonprofit first of all, so by definition we have to stay vendor-neutral and almost everything we do is offered free to the public. We do have some member-only benefits. But specifically the reason that we are saying vendor-neutral really benefits everyone is that when we get something in front of the public or our members, we're saying here are some facts, there may be some missing, there may be more, but here are some facts and here is an unbiased view of what needs to be able to happen.
Speaker 2:In some cases it's going to be here's some best practices. Other cases it's going to be here's a case study of what doesn't work or what does work. And in all cases we like to be able to say and when you look for a solution for your organization, for this problem, don't look necessarily to one vendor. Certainly don't go buy the solution and then figure out what your problem is, which happens more often than I think people want to admit. But specifically, we're together, we can see what the different issues are based on your environment, and then you can take a look at what solutions do you need. And in fact, often we have two or three members that will collaborate and say you know, all of these three products we have working together may work well for a customer, so we can guide people towards. Hey, here's some organizations that are willing to work together. Take a look at that.
Speaker 1:Wonderful, and I'm looking at your website, idsalliance.org, and you do some amazing research around identity-related security incidents. Maybe give us a state of the union. What's happening at the moment? What can we do better?
Speaker 2:In addition to our working groups and other things, we have an annual research report, which, I'm guessing, is what you came across. Typically, this has been published in May and beginning this year we are doing a September release. So we're in the process of doing that research as we speak, actually, but I can still give you a pretty good state of the identity, which I'm not sure if I just coined that phrase or not, but you know, we're kind of past the is everyone using strong passwords? Almost everyone is. The good news is, more and more people aren't even using passwords. They either use a token I'm sure I have one hanging around here somewhere, in fact, here's a couple of them. If they're going to use a token to be able to authenticate themselves, to log in, they may use a fingerprint, they may use a facial scan. They may still have a password, because you still need something to say. When I originally signed up, this is who I said he was and here's how I can validate that. But, beyond everything else, you're going to say only accept my authentication when it comes from this machine, from this MAC address. So all of that is there now, which is good. That being said, everyone would say oh good, ransomware is done. No, no, no, no.
Speaker 2:Data can still be stolen and it is, and when that happens, denying access to individuals with identities can sometimes be worse than simply stealing an identity. Identity theft still occurs, but more and more now it's ransomware in control because of all of the integrations, and no ID simply stands alone, and people still use repeat IDs and, in some cases, repeat passwords to get into different sites. It's easy to be compromised and therefore have all your data, whether it's for yourself or, you know, for the organization you work with, be stolen, sold or unavailable. So that's probably the big thing right now. You know we also have deepfakes. We have fake identities we have to deal with. There's a lot going on around that. Ransomware and stealing.
Speaker 2:The availability and use of data and identity, I believe, is still the number one issue. You know we ask questions as we prepare for our research. It's through a third party, so that we're not aware of who's answering or what companies are answering the questions, on purpose, and some of the questions we had asked that we dropped this year are, you know, has your company been affected by a cyber incident involving identity? Last year it was 98%. We knew what this year was going to be, so we didn't bother asking that question.
Speaker 2:However, there are some things we're working on now, such as how many organizations believe they aren't using AI for identity. We have to ask it that way because simply because the IT department says we're not doing that doesn't mean it's true. How many organizations are doing it on purpose and how many organizations have efforts in place to defend against the evil AI and machine identities that are out there? That number is still pretty low and that's the current gap. If I want to go back to the original question you asked, that's the current gap that needs to be filled.
Speaker 2:Blend that in with zero trust. Zero trust is a framework. It's not a product, it's not a solution and it shouldn't be applied everywhere because it's far too expensive in many ways. But where zero trust does need to apply, identity is the very first pillar, and organizations that want to implement zero trust but want to take a shortcut to "I'm just going to use the identity we use for everything else and not worry about it" are going to run into problems. So if you're asking for a state of the identity, I think in general, we're doing better. However, I think the potential for fraud and evil doings is growing and we run the risk of falling into that pit rather than keeping ourselves in a pretty good position.
Speaker 1:AI and automation, gen AI, et cetera, for good reason. But what do those technologies mean for identity management, especially when you think about bots and machine identities and this tsunami that we're facing?
Speaker 2:So there's a number of ways it applies. The first is that organizations can use AI to really streamline how they do their identity management, whether it's provisioning a new account or granting access to a given resource or decommissioning an account. That all takes time and it's done by people who I'm sure are all competent, but for the most part, they follow a script and we're at the point now. Anything you do that is script driven is a really good candidate for automation, so automation should really be a good thing for people dealing with identity. You can also use automation to rotate identities, and that's a concept that I believe in, but not everyone's doing yet.
Speaker 2:To say whether it's authentication methods or identity, I don't want to appear to be the same as I did a few minutes ago. I need a way to reference that, so whoever's authenticating me knows. But by changing you know, I'm kind of a moving target. I don't know if you have a credit card, for instance, and, by the way, which is a form of identity, A lot of online places say give me your credit card and I accept that as your identity, right. I don't know if you have the kind of credit card where you can easily change your credit card number. I do two of them and there's one that I rotate every month. I just say give me a new number and I'm okay with that, because you know, I can't remember the last time that I got a. Hey, your credit card number has been compromised and I feel good about that. Plus, if someone even wanted to try, good, please waste your time, go right ahead. That number doesn't even work anymore.
Speaker 2:So I think the more we can use automation to do the things that we know need to be done routinely, the better off we're going to be, as long as we know it's the right process. In addition, we should be able to use AI, and automation AI in particular, to start identifying. When is the person that identifies themselves as Evan not Evan? It looks like Evan, it sounds like him and, because of what you do, there are hundreds, if not thousands, of opportunities for someone to grab your facial features and your voice. All right, so you are in that high risk range. I don't know if you knew that or not, but congratulations.
Speaker 1:Yes, thank me very much. But yes, I see that with bots impersonating me all the time.
Speaker 2:Yeah, and how do you defend against that?
Speaker 1:Difficult these days. Now scale that to an enterprise and I can only imagine. So one challenge is, you know, there's a flood of security tools out there. You talk to banks. Sometimes they have a hundred vendors plus. That isn't unusual. How does the IDSA help companies make sense of what they need versus what's noise, versus what's proven, tested, et cetera?
Speaker 2:Well, first of all, we don't have a silver bullet. If we did, we wouldn't be a nonprofit, we'd be doing something else. But seriously, we have working groups that, like we have one that works on know your customer. Right now, banks have a lot of extra emphasis on that because the perimeter of the bank has moved. The perimeter of the bank is no longer the four brick walls that hold the building. As an example, if you go to a dry cleaners and you write a check for the service, that dry cleaner is now a part of the bank. They go through the risk management process as to whether to accept your check or not. Even though it's a system that goes back to the bank that says we don't see any problem with this, there's still a number of things they need to do to secure that. So the perimeter of the bank has moved. So banks have to put a much larger emphasis on who their customer is.
Speaker 2:If any organization that does any consumer-based work works in the EU, just as an example, you are required by law now to have a know your customer program in addition to GDPR. That says you know who the person is, you can validate them, you know they're not being impersonated and you know their history. So that's one example. That's a working group that works, and working groups have deliverables that could be blogs, webinars, white papers, and we've done that. We have a framework architecture right now that we're going to start filling with white papers and supplementing with webinars on Know your Customer. We have another one with AI and identity, which we've already talked about, and we have one that we're starting now non-human identities, since they now outnumber us, we figure we now have a working group about it.
Speaker 1:Brilliant. Important topic. So give us a peek behind the curtain at the IDSA. You've got so many different voices involved: vendors, security pros, analysts, etc. How do you keep the conversations productive and on track and not off the rails?
Speaker 2:You know, sometimes it's good to go off the rails, and I'm very serious in that, because if we always stick to the "well, we need to talk about identity and authentication and what tokens are going to work"; I mean, those are important discussions, but the novel idea that's going to break through the next problem is only going to be discovered when someone does something that might be crazy and then when someone else says, hey, wait a minute, that may not be a bad idea. We get a lot of those. We like those discussions. So what do we do?
Speaker 2:We have some member meetings, we hold webinars where members they can't sell their products in webinars but through thought process and good webinars generate a lot of questions. And we like off the rail. You know, as long as they're reasonable. We like off the rail questions because it makes the speaker in the webinar think about what it is they're presenting. And we've had that's a good idea. I'd like to get your information because I think that's something we may want to try. So I like off the rails. The only thing I do. I'm a time keeper when this happens. That's it, and I think that's a good thing.
Speaker 1:Great point. So just in the last few minutes, you mentioned some key trends you're keeping an eye on: passwordless login, zero trust, decentralized IDs. What are the other key themes you're tracking at the IDSA? We can't go into all of them.
Speaker 2:Well, I think, without question, non-human identities and AI, those two are going to take most of the oxygen in the room for the next six to eight months, I believe, because there aren't enough solutions or not enough knowledge yet, and we have reached the point where technology can move faster than we can. Now, it's always been that a computer can do computations faster than a human can, but we're at the point where the new breakthroughs on capabilities are happening faster than humans can keep up with them, in my opinion, at this time. Yet another gap. I really liked your question. If you don't mind, I'm going to start using that more and more: that we have to see the gaps, and what do we do to bridge or cover the gaps or jump over them?
Speaker 2:Um, and I think those two are going to really drive, um, what a lot of identity, organizations in particular, are going to want to do, because organizations, you know, big retailers, everyone else they're going to be stuck with technologies out there. The bad guys know how to use it and they really have no rules. And we are trying to catch up. How can we close that gap? And I think you're going to see, especially coming out of our research report and our working groups, you're going to see a lot of good thought leadership on either what the problem is or what sort of not technology, but what sort of process and philosophy is going to get us through it.
Speaker 1:Wonderful. Well, speaking of philosophy, I mean a lot of CISOs are, you know, pretty overwhelmed with the challenge they're facing. Not that you can be a psychologist here, but what do you think when it comes to shifting the mindset, changing the mindset when it comes to security priorities and identity and other issues, because there's a lot of burnout, there's a lot of overwhelm and there's a lot of just checking the boxes versus truly changing the way you're thinking and acting.
Speaker 2:So good compliance is worthwhile. Compliance for the sake of compliance, which is a checkbox, is actually a false sense of security and it's not only not good, it's bad for you because you get the feeling well, I did everything I was supposed to. I'm going to give you another example of that. I'm guessing you might be aware of the PCI standard. That's the security standard dealing with transmission and use and storage of credit card information by merchants. Every single credit card breach with very few small exceptions, but every big credit card breach that occurred that organization was PCI compliant until the moment the breach occurred.
Speaker 1:Wow.
Speaker 2:And, by definition, when you have a breach you're no longer compliant, which is why it works that way. So simply being compliant is never enough. The PCI standard's good, but you need to have good security that results in compliance rather than being compliant and thinking you're secure. So there's certainly that, and I think CISOs need to keep that in mind: that simply having a good GRC program, which is good and needed, isn't enough. And I came up way back from law enforcement, then through a technical background into a CSO. Actually, I've never had a CISO title. I've been a chief security officer, I've been a chief risk officer, a number of things, but I never officially had the CISO title, and at this point in my career I don't think I ever will. I'm fine with that.
Speaker 2:But the stress that I see on CISOs now are I came up through the technical ranks and I'm not getting the support I need from the rest of the executive team, if they even are on the executive team and they're having trouble bridging that gap. And that's because although they may be great technically and they may be good communicators, they never learn to speak the language of the audience and they're not all good at reading a room. And that adds a lot of stress because, no matter what you do, you end up, you know, in the food line, you're last in line and you get only what's left over and the security organization needs to have an equal part. I'm not convinced that identity management needs to be part of a security organization. In the past it was separate, then it's been folded in. It may be time for it to move out again and have security focus on security and have an identity organization focus on identity. So I think that could help relieve a lot of stress.
Speaker 2:And as a CSO at a couple different organizations early on I learned that CSO stood for chief scapegoat officer and you have to recognize that kind of comes with a job.
Speaker 2:You know you're not catching bullets, which is a good thing, but you have to recognize that when something bad happens on your watch, you run the risk of having to take the fall, for that shouldn't have happened, whether that's justified or not, I think as more CISOs accept that that can happen, they can get more comfortable in doing the right thing rather than worrying about am I going to lose my job?
Speaker 2:You know, having a job is important. I'm not trying to minimize that, but they need to focus on doing the right thing and not let the pressure of "am I going to, you know, am I going to get sacked" drive what they do. And, you know, I'll repeat the first one: they need to learn the language of their executives and read the room, and they need to take them to lunch and just have a conversation, because until they do that, they won't know who they're dealing with and they're going to be looked at as overhead and the enemy, and that doesn't help at all. I really think that helps bring down the temperature of CISO stress in a big way.
Speaker 1:Wow, such an important and overlooked insight. Thanks for that. So, as we head into this hot summer, especially for you down in South Texas, what are you looking forward to personally and for the IDSA? What's on your radar?
Speaker 2:Well, we're focusing on the research report this summer, so that's important. We're always looking to bring in new members, because the more voices we have, whether you're an identity vendor, a consuming organization like a retail organization or an individual contributor, the more voices we get, the better the messages that we can get across, and everyone benefits from that. So we're looking at those two things. The presentation of that report will be at Identity Week in Washington DC in September, so that's really like the next focal point for us. I have a couple other security conferences that I'm going to be engaged with after that in September, mainly some that are hosted by our members, which is good. We facilitate some events for our members as well, bringing on, you know, here's a third party.
Speaker 2:Look at what we're doing rather than you're only going to hear vendor pitches. I happen to be, I'm going to put a real pitch into this real quick, I'll be at BSides San Antonio this Saturday. Chances are, if you're near a city, there's a BSides at some point during the year that's near you. I can't recommend it highly enough because it is still the original grassroots organization, and it's great that, in my opinion, it really hasn't changed much. So I'm volunteering there, BSides, this Saturday. Go find one if you haven't yet, and that's, I think, going to be pretty much the summer.
Speaker 1:Well, have a great one, so informative and insightful, and keep up the great work, really important mission.
Speaker 2:Well, thank you very much. It was a pleasure being here and I really appreciate the invitation. I look forward to coming back.
Speaker 1:Thanks, and thanks everyone for listening and watching this podcast, and check out our new TV show as well, techimpacttv, now on Fox Business and Bloomberg TV. Thanks everyone. Thanks, Jeff.
Speaker 2:Thank you.