The current state of IAM: A Rick-the-toolman episode.
Rick Howard: In June of this year, I attended the Rocky Mountain Information Security Conference. I was there to present the Cybersecurity Canon Hall of Fame awards to the two 2024 inductees. The first was one of our cybersecurity founding fathers, Dr. Eugene Spafford, for his book, Myths and Misconceptions; 40 years of cybersecurity wit and wisdom contained in one easy-to-read book chock-full of hard-won knowledge over the course of an amazing career, and people wonder why I read books. Well, let me tell you, because in just a few short hours, I can be exposed to an entire career of knowledge, Dr. Spafford's for instance, without having to go through the pain he did to get it. I'm reminded of the quote from the great philosopher Socrates, "Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for." Or more to the point, from Otto von Bismarck, the man who masterminded the unification of Germany in 1871, "Any fool can learn from experience. It's better to learn from the experience of others." But I digress. The other winning author at the ceremony was Andy Greenberg, the fantastic Wired Magazine journalist for his Tracers in the Dark, the best cybercrime book I've read in over a decade. After the ceremony, I was loitering around the book signing table. Greenberg and Spafford were signing their books for anybody that wanted one, and who did I run into? Well, my old friend and colleague, John Kindervag, the originator of the Zero-Trust idea back in 2010, for his paper, "No More Chewy Centers. Introducing the Zero-Trust Model of Information Security," which got me to thinking about the current state of Zero Trust. You all know that we published our First Principles book last year. In it, we included a one-over-the-world diagram that captures all of the strategies and tactics we covered in the book. 
And just so you know, to get ready for our presentation at RSA this year, the N2K Art Director, Brigitte Wild, gave that diagram a complete makeover, and I have to tell you, it is gorgeous. You can check it out at the book's website at n2k.com/cybersecurityfirstprinciplesbook, all one word. Scroll to the bottom. Find the Zero Trust Strategy blue balloon (bottom-left corner), and then follow the blue line up to the possible tactics that you might deploy in order to pursue the Zero Trust strategy, like vulnerability management and SBOMs, just to name two. But what is not obvious from looking at the diagram is the importance of the identity and access management tactic. You can execute all the other tactics completely, like single sign-on and software-defined perimeter, but unless you absolutely nail identity and access management, your Zero Trust journey will be stuck at the starting line, not making much progress. Ted Wagner is an old army buddy of mine. We've been friends forever, and he and I worked together in two different organizations, not to mention that he was one of the first people I called to be a regular guest at the CyberWire Hash Table. He's been the CISO at SAP National Security Services for over eight years. Here's what he had to say about the importance of identity and access management.
Ted Wagner: Every time I think about identity and access management, it always makes the hair stand up on the back of my neck because it's so foundational to everything that we do. I feel my pulse quicken because I know it's so central to the things that we do in security and so critical in securing our environments, our workloads, and our networks.
Rick Howard: And that's exactly right, so with all that said, I thought it was time to take another look at identity and access management and see if we can determine the current state. So hold on to your butts.
Samuel L. Jackson: Hold on to your butts -- butts --
Rick Howard: This is going to be fun. [ Music ] My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] Cassio Sampaio is the Chief Product Officer for Customer Identity at Okta, an identity and access management platform, IAM, that provides secure authentication and authorization services like single sign-on, user authentication, access management, and user provisioning. I ran into Cassio at the annual RSA Conference in San Francisco and asked him to write the Twitter line, 280 characters only, that explains the current state of IAM today.
Cassio Sampaio: Yeah, I think a Twitter line would be a little bit -- maybe I should call like an X line. The way we see the identity and access management market is that it's now pretty well-defined in between two classes of problems. You have a workforce or employee identity problem, whereas everything is about policy. The company defines the policy, employees follow those policies, and you have a customer identity policy problem, which is very different, like where it's about user choice. It's about creating the right incentives for users to adopt a different security intent that those brands want in order for users to get what they want from their consumer experience, but still in a very secure and compliant way.
Rick Howard: I like the way you divide that into two buckets, right, because on the consumer side, it's not just one identity I'm managing. I might be managing a hundred different, you know, whatever that is, you know? I'm Rick Howard, podcaster for the CyberWire, but I'm also Daisy Mae, the, you know, seventh level elf in my Dungeons and Dragons group, right? So I need a way to establish identities for both of those identities and make sure they don't mix, okay? That, you know, somebody can't figure out that the podcaster and the Dungeons and Dragons person is the same guy if I don't want that, right? So that makes the problem exponentially more complex, does it, or am I exaggerating that?
Cassio Sampaio: No. I think it's actually a very, very interesting point of view that you just brought up, Rick, where if you think from the point of view of, like any consumer brand, you really want that single point of view of each one of your consumers, because that will allow it to provide better personalization, like to tailor offerings, like provide the right user experience. Not every user, not every consumer, is expected to behave in the same way, but you also need to respect, like the fact that users may not want that same relationship back. So which is why when we think of customer identity, we always think of giving users or consumers absolute control of their profile, absolute control of their settings. Everything should be opt-in, both because that's where compliance is moving. The best way to adopt compliance is to just self-regulate yourself, just adopt, do the right thing first. Don't wait for regulation to come down your way. So give users control of that and let users decide like what's best for them. [ Music ]
Rick Howard: We've had quite a history of trying to figure out who that person is on the digital line. It goes all the way back to the early 1960s with the invention of the user ID and password, and it's amazing to me that still after 60 years, it's still the dominant way to log into places. I'm reminded of the old 1982 Star Trek movie, The Wrath of Khan. I'm a bit of a Star Trek nerd, as you all might know, and I say that The Wrath of Khan is the best movie in the 13-film franchise, and I'm prepared to die on that particular nerd hill for anybody that wants to challenge me. In the movie, Captain Kirk, played by the indomitable William Shatner, breaks into another starship, The Reliant, by guessing its five-digit password, not five characters, five digits.
Spock: Reliant's prefix number is 16309.
Saavik: I don't understand.
Kirk: You have to learn why things work on a starship.
Spock: Each ship has its combination code.
Kirk: To prevent an enemy from doing what we're attempting. We're using our console to order Reliant to lower her shields.
Spock: Assuming he hasn't changed the combination. He's quite intelligent.
Khan: Fifteen seconds, Admiral. [ Music ]
Kirk: Khan, how do I know you'll keep your word?
Khan: Oh, I've given you no word to keep, Admiral. In my judgment, you simply have no alternative. [ Music ]
Kirk: I see your point. Stand by to receive our transmission. Sulu, lock phasers on target and await my command.
Sulu: Phasers locked. [ Music ]
Khan: Time is up, Admiral. [ Music ]
Kirk: Here it comes. [ Music ] Now, Mr. Sulu. [ Music ]
Joachim: Sir, our shields are dropping.
Khan: Raise them.
Joachim: I can't. [ Music ]
Khan: Where is the override, the override?
Kirk: Fire. [ Music ] Fire. [ Music ]
Rick Howard: Five-digit passwords for starships notwithstanding, we really have come a long way in terms of having confidence in identifying who that person is on the network. We have other choices these days. In the First Principles book, I organized those choices on the road to cybersecurity Nirvana, with the least effective at the beginning of the journey to the most effective at the end. In sequence, from least effective to most effective, they are email verification, SMS verification, authenticator soft tokens like the Google Authenticator app, push authentication like from Google, Apple, and others, passkey, and finally FIDO2 hard token universal two-factor authentication systems. Actually, we published the book before passkey was really a thing, so it's not in the diagram, but if I was doing the diagram today, I would have passkey right before the hard tokens. So like I said, we have options, but as a profession, we haven't quite made the turn. We haven't eliminated passwords yet, but you can see that we will eventually make that happen somewhere down the line on the road to cybersecurity Nirvana. Here's Cassio.
Cassio Sampaio: Let's think aspiration. I mean, eradicate passwords because we all know passwords are insecure in the case of our fellow like Captain Kirk being able to exploit that in the ship, but it happens all the time increasingly, particularly in consumer and other customer identity apps. But we believe, I believe, the technology is here now to solve this. You have a myriad of options and it's not only about just do multi-factor authentication, just do MFA to everyone because that doesn't cut it in consumer apps. Depending on the level of engagement that you have with that specific consumer, they may not be game to go and enroll their phone number, get a message. That's not going to fly, but you have optionality. You have the ability to do things via what some will call magic links by email. You have biometrics. Biometrics are available today, speaking from the point of view of most of the Western developed countries, pretty much pervasively on everyone's device, right? Android, Apple, like Microsoft, and it's there. It's being a challenge and a process to get those technologies in the apps that are out there, and we can talk a little bit about how Passkey, we believe it will help to accelerate that adoption, but the technology is here. I think it's a process of education like now and making it simple enough for those technologies to be adopted.
Rick Howard: I agree with that. You know, it's still too complicated. Even the nerds have trouble, even the cybersecurity nerds, have trouble figuring out how to make all that work. Because there's, like you said, there's a lot of options, right, and which one you decide and how you do that is not clear to most people, and so it is -- the water is a bit muddy. But I would characterize the industry, though, as very site-centric identity and access management. I mean, if you, what I mean by that is some big entity owns your identity. For example, CyberWire, we're a Google shop. So I log into Google and then if I want to log into Twitter/X, I can say, hey, go check my credentials out over Google, and they kind of own that identity, which is fine. It seems to work for the consumer, but that means I have to give my, you know, privacy stuff over to a big entity that I don't really know or trust. I'm wondering if you think there's a chance that we may move to a user-centric model where if I want to log into Google, Google comes to me and checks my, I don't know, passkey, let's say, and says, yeah, that's the guy. You know, reverse it some way. Is that in the future somewhere or is that fantasy that we'll never get to?
Cassio Sampaio: Well, I believe a lot of that is here today, and I'll come back to verifiable credentials like at the end of this conversation, this very topic, but what you're describing is social login.
Rick Howard: Yeah.
Cassio Sampaio: Right? Like logging in with Facebook or signing in with Apple, Microsoft, et cetera. It's been around for quite some time. I think it has the challenges that you are calling out. Some users may be reluctant. There are some geographies where like these large U.S.-based tech companies don't have the same credibility, reputation. They're under government scrutiny. So if you think of global applications, which is what we think a lot here, like at Okta, you have to take this into account. But there's a lot of mechanisms today for consumers that have a social account. Let's use Google as an example for you to consent a specific app that you're sharing with what details are you consenting, like, that application to have access to? And those large technology companies have a very strong track record in terms of how they maintain the integrity of your identities, et cetera. Let's leave all the privacy issues aside. Can of worms, lots of opinions, lots of facts, not even going like into that, but I do believe the two recent developments that you alluded to, one is Passkey, right? Passkey, the password, the credentials are going to be stored in your device in a very secure way. It's as close as possible to something that you own so that without the need for some of the privacy challenges that we just talked about it. You do need the user mindset. You do need that, which is part of the challenge. How do you nudge? How do you create opportunities for users to enroll on biometrics, enroll on Passkey in a way that don't raise more questions than you want them? Because in consumer apps, users have options. If they're shopping from company A and you're making it hard, they'll go to company B. So we've seen some of our customers being very successful with creating the right enrollment opportunities with very little friction for users, and the second development to this, which is becoming very exciting, is the one in the U.S. 
It's being done under the umbrella of mobile driver's licenses or MDL, right? Like there's a standard now that is being adopted by a few states that's likely to go nationwide, and essentially now is the digital version of a government-sanctioned identity that allows you to share only specific attributes with companies or entities that want to verify. So the beauty of that is you don't have to show every bit that is in a document. You maybe just share the date of birth if you want to access some restricted type of content. You want to -- like it's becoming a regulation in Europe, for example, that you buy liquor, et cetera. You're going to have to not only say that you're 18, because everyone can say that you're 18, like but verify with a government sanctioned identity. So we are very excited about the mobile driver's license development. It's more developed in some parts of the world. Some countries are way ahead in that respect. But the fact that the U.S. like is making a big move, I think it's very transformational.
Rick Howard: So that's one step closer to a national digital ID card, right? I know people will freak out if I say that out loud, but that's what that is, right?
Cassio Sampaio: It does depend a lot on the geography, right? And then if you're saying some parts of the world, people are going to say, well, my ID is -- I'm from a part of the world where my ID was sanctioned by the federal government. Liking or not, that's it. It's different in the places like U.S., Canada, Australia, et cetera. But I think there's an element of trust, and to be candid with you, I ask myself this question a lot. If as a citizen and consumer, I trust my identity to Facebook, why shouldn't I trust -- I mean, the government has my driver's license information there, right? It's not like I'm giving anything new.
Rick Howard: So does Facebook. So true.
Cassio Sampaio: That's very true.
Rick Howard: Right. So what's the difference is what you're saying? Why are you reluctant to share it with the government, who we could argue how good their security programs are versus Facebook. But yeah, what's the difference? I totally agree with that, right?
Cassio Sampaio: And the implications too, right? Like the -- again, without going to like the validity or the merits of some of this, but some of these organizations that are using your identity, like they're using your identity, they have an interest, they're monetizing your identity in different ways. Your driver's license is a very different proposition like no one's monetizing your driver's license, like at least not up to this point.
Rick Howard: So that's the consumer side. It's very exciting that things are moving along, right? But on the enterprise side, there's this whole thing called identity governance and administration, which is really complicated. Right, you know, as a startup, I don't have the resources to do all these things. I mean, you've got to have a group of people who define policy. You've got to have people to figure out what the priority accounts are, the privileged accounts, and then you have to have some way to manage all that. It's, you know, a little startup like mine, it's really hard to do. What do you say to customers like me that says, I don't know how to do this?
Cassio Sampaio: Yeah, the spectrum of complexity that exists around the space of, I mean, call it identity governance or IGA or anything like that, I think the same advice that we offer, even like for consumer companies that are adopting anything around identity, is that focus on the problem that you currently have, like, at hand. We see this happening over and over again, where you try to really anticipate the use cases that you're going to have five years down the road, and then you get basically tied up in analysis paralysis and your project just grows and then you never deliver. So you don't want to box yourself in with finding a technology that just does exactly what you have. Today you want to have optionality, which is picking the right technology is important to that. Focus on the current problem that you have at hand. If you have a 40 people company, 20 people company, and you're going to control access to a number of SaaS applications, plus potentially some other like privileged like resources, focus on that problem like that you have. Like nail that and move on without trying to anticipate what's going to happen like 10 years down the road.
Rick Howard: So don't try to build the entire identity and access management system that we might need 10 years from now. Solve the problem that you have right now and work your way towards it. Is that what you're saying?
Cassio Sampaio: Yeah, and ensure that you have the right technology, the right toolkit, like that you're making a choice. Of course, I'm biased. I'll tell you like that's how you should choose Okta, but in all --
Rick Howard: What a shock. Shocked, I say.
Cassio Sampaio: Yeah, so am I. No, no, but in all seriousness, the idea is pick the technology like that you believe gives you sufficient flexibility, sufficient extensibility, to be able to support those use cases, but don't try to design precisely every single one of them because for all things technology and IT, that's a recipe for -- like for disaster. [ Music ]
Rick Howard: And that's a wrap. I'd like to thank my colleagues Ted Wagner, the CISO at SAP National Security Services, and Cassio Sampaio, the Chief Product Officer for Customer Identity at Okta, for coming on the show and helping me get a feel for the current state of identity and access management. CSO Perspectives is brought to you by N2K CyberWire. Visit thecyberwire.com for some additional resources that accompany this episode. I've added some helpful links in the show notes to help you do more of a deep dive if that strikes your fancy, and check out our book, Cybersecurity First Principles, a Reboot of Strategy and Tactics for another deep dive on a lot of the topics covered in this podcast. And by the way, we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app, and you can also fill out the survey in the show notes or send an email to csop@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2K.com. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me sound good. I think it's only appropriate that you know who they are.
Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.
Tre Hester: I'm Tre Hester, Audio Editor and Sound Engineer.
Elliott Peltzman: I'm Elliott Peltzman, Executive Director of Sound Vision.
Jennifer Eiben: I'm Jennifer Eiben, Executive Producer.
Brandon Karpf: I'm Brandon Karpf, Executive Editor.
Simone Petrella: I'm Simone Petrella, the President of N2K.
Peter Kilpe: I'm Peter Kilpe, the CEO and Publisher at N2K.
Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.
All: And thanks for listening. [ Music ]