The current state of IAM: A Rick-the-toolman episode.
Rick Howard: In June of this year, I attended the Rocky Mountain Information Security Conference. I was there to present the Cybersecurity Canon Hall of Fame Awards to the two 2024 inductees. The first was one of our cybersecurity founding fathers, Dr. Eugene Spafford, for his book "Myths and Misconceptions." Forty years of cybersecurity wit and wisdom contained in one easy-to-read book chock full of hard-won knowledge over the course of an amazing career. And people wonder why I read books. Well, let me tell you. Because in just a few short hours, I can be exposed to an entire career of knowledge, Dr. Spafford's for instance, without having to go through the pain he did to get it. I'm reminded of the quote from the great philosopher Socrates, "Employ your time in improving yourself by other men's writings so that you shall gain easily what others have labored hard for." Or more to the point, from Otto von Bismarck, the man who masterminded the unification of Germany in 1871, "Any fool can learn from experience. It's better to learn from the experience of others." But I digress. The other winning author at the ceremony was Andy Greenberg, the fantastic Wired magazine journalist for his "Tracers in the Dark," the best cybercrime book I've read in over a decade. After the ceremony, I was loitering around the book signing table. Greenberg and Spafford were signing their books for anybody that wanted one. And who did I run into? Well, my old friend and colleague, John Kindervag, the originator of the Zero Trust idea back in 2010 for his paper "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," which got me to thinking about the current state of Zero Trust. You all know that we published our "First Principles" book last year. In it, we included a one-over-the-world diagram that captures all of the strategies and tactics we covered in the book. 
And just so you know, to get ready for our presentation at RSA this year, the N2K art director, Brigitte Wild, gave that diagram a complete makeover. And I have to tell you, it is gorgeous. You can check it out at the book's website at n2k.com/cybersecurityfirstprinciplesbook, all one word. Scroll to the bottom, find the Zero Trust Strategy blue balloon, bottom left corner, and then follow the blue line up to the possible tactics that you might deploy in order to pursue the Zero Trust Strategy, like vulnerability management and SBOMs, just to name two. But what is not obvious, from looking at the diagram, is the importance of the identity and access management tactic. You can execute all the other tactics completely, like single sign-on and software-defined perimeter, but unless you absolutely nail identity and access management, your Zero Trust journey will be stuck at the starting line, not making much progress. Ted Wagner is an old Army buddy of mine. We've been friends forever, and he and I worked together in two different organizations, not to mention that he was one of the first people I called to be a regular guest at the Cyberwire Hash Table. He's been the CISO at SAP National Security Services for over eight years. Here's what he had to say about the importance of identity and access management.
Ted Wagner: Every time I think about identity and access management, it always makes the hair stand up on the back of my neck because it's so foundational to everything that we do. I feel my pulse quicken because I know it's so central to the things that we do in security and so critical in securing our environments, our workloads, and our networks.
Rick Howard: And that's exactly right. So with all that said, I thought it was time to take another look at identity and access management and see if we can determine the current state. So hold on to your butts.
Unidentified Speaker: Hold on to your butts, butts.
Rick Howard: This is going to be fun. [ Music ] My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] Cassio Sampaio is the chief product officer for customer identity at Okta, an identity and access management platform, IAM, that provides secure authentication and authorization services like single sign-on, user authentication, access management, and user provisioning. I ran into Cassio at the annual RSA conference in San Francisco and asked him to write the Twitter line, 280 characters only, that explains the current state of IAM today.
Cassio Sampaio: Yeah, I think a Twitter line would be a little bit -- maybe I should call it an X line. The way we see the identity and access management, like, market is that it's now pretty well-defined in between two classes of problems. You have a workforce or employee identity problem, where everything is about policy. The company defines a policy; employees follow those policies. And you have a customer identity policy problem, which is very different, like, where it's about user choice, it's about creating the right incentives for users, like, to adopt the different security intent, like, that those brands, like, want in order for users to get what they want from their consumer experience, but still in a very secure and compliant way.
Rick Howard: I like the way you divide that into two buckets, right? Because on the consumer side, it's not just one identity I'm managing. I might be managing 100 different, you know, whatever that is, you know. I'm Rick Howard, podcaster for the CyberWire, but I'm also Daisy Mae, the, you know, seventh-level elf in my Dungeons and Dragons group, right? So I need a way to establish identities for both of those identities and make sure they don't mix, okay? That, you know, somebody can't figure out that the podcaster and the Dungeons and Dragons person is the same guy if I don't want that, right? So that makes the problem exponentially more complex, does it, or am I exaggerating that?
Cassio Sampaio: No, I think it's actually a very, very interesting point of view that you just brought up, Rick, where if you think from the point of view of, like, any consumer brand, you really want that single point of view of each one of your consumers because that will allow it to provide better personalization, like, to tailor offerings, like, provide the right user experience. Not every user, not every consumer is expected to behave in the same way, but you also need to respect, like, the fact that users may not want that same relationship back, which is why when we think of customer identity, we always think of giving users or consumers absolute control of their profile, absolute control of their settings. Everything should be opt-in, both because that's where compliance is moving. The best way to adopt compliance is to just self-regulate yourself, just adopt, do the right thing first. Don't wait for regulation to come down your way. So give users control of that and let users decide, like, what's best for them. [ Music ]
Rick Howard: We've had quite a history of trying to figure out who that person is on the digital line. It goes all the way back to the early 1960s with the invention of the user ID and password. And it's amazing to me that still after 60 years, it's still the dominant way to log into places. I'm reminded of the old 1982 Star Trek movie, "The Wrath of Khan." I'm a bit of a Star Trek nerd, as you all might know. And I say that "The Wrath of Khan" is the best movie in the 13-film franchise. And I'm prepared to die on that particular nerd hill for anybody that wants to challenge me. In the movie, Captain Kirk, played by the indomitable William Shatner, breaks into another starship, the Reliant, by guessing its five-digit password -- not five characters, five digits.
Spock: Reliant's prefix number is 16309.
Saavik: I don't understand.
Captain Kirk: You have to learn why things work on a starship.
Spock: Each ship has its own combination code.
Captain Kirk: To prevent an enemy from doing what we're attempting. Using our console to order Reliant to lower her shield.
Spock: Assuming he hasn't changed the combination. He's quite intelligent.
Unidentified Speaker: Fifteen seconds, Admiral.
Captain Kirk: Khan, how do we know you'll keep your word?
Khan: Oh, I've given you no word to keep, Admiral. In my judgment, you simply have no alternative.
Captain Kirk: I see your point. Stand by to receive our transmission. Sulu, lock phasers on target and await my command.
Sulu: Phasers locked.
Khan: Time's up, Admiral.
Captain Kirk: Here it comes. Now, Mr. Spock.
Joachim: Sir, our shields are dropping!
Khan: Raise them!
Joachim: I can't!
Khan: Where's the override? The override?
Captain Kirk: Fire! Fire! Fire! Fire!
Joachim: We can't --
Rick Howard: Five-digit passwords for starships. Notwithstanding, we really have come a long way in terms of having confidence in identifying who that person is on the network. We have other choices these days. In the "First Principles" book, I organized those choices on the road to cybersecurity Nirvana with the least effective at the beginning of the journey to the most effective at the end. In sequence from least effective to most effective, they are email verification; SMS verification; authenticator soft tokens like the Google Authenticator app; push authentication like from Google, Apple, and others; passkey; and finally, FIDO2 hard token universal two-factor authentication systems. Actually, we published the book before passkey was really a thing, so it's not in the diagram. But if I was doing the diagram today, I would have passkey right before the hard tokens. So like I said, we have options. But as a profession, we haven't quite made the turn. We haven't eliminated passwords yet. But you can see that we will eventually make that happen somewhere down the line on the road to cybersecurity Nirvana. Here's Cassio.
Cassio Sampaio: Let's think aspiration. I mean, eradicate passwords because we all know passwords are insecure. In the case of our fellow, like, Captain Kirk, being able to exploit that in the ship. But it happens all the time increasingly -- particularly in consumer and other customer identity apps. But we believe -- I believe the technology is here now to solve this. You have a myriad of options and it's not only about --
Rick Howard: And that's our show. Well, part of it. There's actually a whole lot more and it's all pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to the cyberwire.com/pro and sign up for an account. That's the cyberwire.com/pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level of resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to the cyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@n2k.com and we'll figure something out. I'd love to see you here at N2K Pro. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and the show sound good. And I think it's only appropriate that you know who they are.
Liz Stokes: I'm Liz Stokes. I'm N2K's CyberWire's associate producer.
Trey Hester: I'm Trey Hester, audio editor and sound engineer.
Elliott Peltzman: I'm Elliott Peltzman, executive director of sound and vision.
Jennifer Eiben: I'm Jennifer Eiben, executive producer.
Brandon Karpf: I'm Brandon Karpf, executive editor.
Simone Petrella: I'm Simone Petrella, the president of N2K.
Peter Kilpe: I'm Peter Kilpe, the CEO and publisher at N2K.
Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.
All: And thanks for listening. [ Music ]