
Fraud and Identity
Kim Jones: Consider the following four individuals: a British fashion designer, an American rap artist, a Filipino influencer, and an old security guy. While there are many, many differences between these folks, there is one important similarity that is relevant to this discussion, and that is this: each of these individuals is named Kim Jones. With in-person interactions, the differences between these four Kim Joneses would be obvious. It would be as difficult for Kim Jones, the Filipino influencer, to masquerade as Kim Jones, the old security guy, as it would be for me to impersonate the rapper Lil' Kim. Online, though, any of these individuals could at least begin the process of accessing data that is restricted to my personal use by honestly and truthfully providing their names. This example illustrates one of the fundamental challenges with combating online fraud: establishing identity in a non-repudiable yet convenient manner. While we understand that merely a name is nowadays woefully insufficient in establishing online identity, adding both layers of complexity, such as geolocation and authorizing financial transactions, and additional factors for authentication has yet to stop the seemingly exponential advancement of fraudsters. As we provide more data to organizations, it's theoretically possible to create a unique identity using seemingly innocuous non-regulated information, but this ignores another fundamental problem with establishing identity: capturing the identity information in a pseudo-physical or atomic fashion. Once identifying information is given and stored in some fashion, that identity becomes a de facto token, and tokens can be tampered with or stolen. If we wish to get a handle on fraud, then it's time for us to start re-examining how identity works and functions online.
Rather than assuming that traditional models of identity are the only solution, we need to start exploring concepts such as making identity bi-directional, reinforcing or strengthening a session or transactional identity, and exploring the concept of secret-less identity. I've written and spoken about these concepts before, all with the caveat that these concepts are by no means the only potential solutions to the problem. That said, it is clear that we need to move beyond rehashing or even complexifying old models of identity, which fail to address the real needs of our data-driven world. My Two Cents. [ Music ] Welcome back to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you're here for this season's journey. Throughout this season, we will be exploring some of the most pressing problems facing our industry today and discussing with experts how we can better address them. Today, we're looking at fraud from a different angle than we did last episode. This time, we're going to look at fraud from an identity perspective. Let's get into it. [ Music ] Richard Bird is an internationally recognized expert on the topic of identity. Richard's goal, his push for our community, rather, is to look beyond the traditional bounds and mechanisms of how we approach identity and explore innovative solutions to this topic. I sat down with Richard to explore the concept of identity and how getting identity right might solve a plethora of challenges to include fraud within cybersecurity. A quick note that the opinions expressed by Richard in this segment are personal and should not be interpreted as representing the opinions of any organization that Richard has worked for past or present. Richard, it is really great to see you, man. We don't get to one another that often.
Richard Bird: Yeah, it is great to be -- having the opportunity to catch up with you.
Kim Jones: I would suspect that most of my audience, if not knows you, knows of you, but I don't want to be presumptive. So take a couple of minutes and tell my audience about Richard Bird.
Richard Bird: Yeah, it's always so weird. People are always like, well, you've got imposter syndrome. That's why you struggle to talk about yourself. And I'm like, no, what's weird is where my career has gone over the last three decades. Most folks have heard this story. Twenty-plus years in the corporate side and had this great opportunity to work first in IT operations. When I came into technology, I was also a big advocate for non-traditional technologists. I was a liberal arts major that got out of the Army and had been doing construction project management. And one day, some guy said, "If you can manage a construction project, you can manage a mainframe migration." Let's hope those opportunities continue to persist as the world changes. There was tequila involved.
Kim Jones: Only a little. Only a little.
Richard Bird: Only a little, but I made an unexpected transition into security halfway through that career and ended up accidentally, truthfully, being the global head of identity for JPMorgan Chase's Consumer Businesses, and that led to a CISO role. So I've done both CIO and CISO, and I realized that I wanted to do something different and left and moved into the startup world. And that's really where people know me from is that I was given the opportunity to begin public speaking, which I'd never done before. And all of a sudden, people were coming up to me saying, "You don't speak like any technologist that we know." And I said, well, that's because I'm not a really good technologist, but I grew up in a family fishing business and learned how to tell stories. And all of that has created a lot of energy that has created a really unexpected personal brand in the marketplace. But I love having my hands in the startup world, working on new technologies, advising, participating in any number of different conversations about, you know, where standards are going and how do we change the hockey stick curve of cyber losses, and to be able to just every day have that be your job. And you get to have these really interesting and meaningful conversations, and then, hopefully, be able to, like, change things, it's a freaking awesome career. And I'm super, super humbled by all the opportunities that I get to be able to participate in these conversations.
Kim Jones: And we're glad you're here, man. As someone who's internationally recognized in this topic that not enough people care about, I'm here to actually talk to you today about this thing called identity, and I'm going to take it all the way back to basic concepts and get into challenges and concerns. So let's not make assumptions; let's start with when I use the phrase "identity" from a cyber standpoint. How do you define that as an expert?
Richard Bird: Well, yeah, my focus on identity when we talk about it in the current age is identity is the pathway that moves a human actor into the digital world, right? And I always love what -- yeah, I always love how John Kindervag phrases it. A couple of years ago -- John's an old friend, and he said, "I don't understand why people are using this non-human identity label." He goes, "All identities in the digital are non-human." And I've got to pause for a second, right? And what he said is really kind of impressionist, observant, right? He's saying everything that is an identity in the digital world is functionally a proxy for a human equivalent. Now, maybe not a full human, which gets into things like AI and that type of thing --
Kim Jones: Yeah.
Richard Bird: -- but maybe a human function. And so, yeah, for me, it is how do I move from this keyboard, from this device, to the digital world? And then, how do I navigate that digital world? And all of that is associated to identity.
Kim Jones: Which means that every interaction that we have, you know, is being done by this proxy called our "identity" within the environment. So the challenge that I see as an old guy and an old cyber guy is that if we get identity wrong, then I either, a) do not have the ability to do the things I need to do, or b) have to give someone else the ability to do things that I don't want them doing. I like to use the example, I give a presentation on identity, and I put five pictures up there and say, you know, what's the common thing for all these pictures? And the answer is all of those folks are Kim Jones, to include the female influencer, to include Lil' Kim the rapper, to include the British fashion designer, et cetera. So, you know, there's lots of opportunity for identity to go wrong, so what has been our approach to identity up till now, and what are the challenges with that approach?
Richard Bird: So that's why I was very specific in my choice of words "in the current age," right --
Kim Jones: Talk to me.
Richard Bird: -- when we're talking about identity, because the history of digital access is problematic, and it's problematic from the standpoint of how it started, which was, it wasn't a representation of me in the system. It was an access control mechanism to get into a system. So I always like to use the example of -- and first of all, I'm more of a history geek than I am a tech geek, but then, you combine the two, and then, I go and research stuff that nobody really has ever written about. So a great example is when were the first account and password constructs created? 1961. Why is 1961 an interesting date? It's because it's the time when IBM set up a brand-new mainframe lab at MIT, and it was only available to compute graduate ed students, and they got four hours of compute time a week, and it took exactly 11 hours for some dude to figure out how to spool off the access control log and hack the system so the graduate students in the mainframe programming classes could sell each other their four hours of time, right?
Kim Jones: Yeah.
Richard Bird: And so, like, when you hear that story, you immediately go, oh, well, I can understand why access is screwed up today, because not only did we start out with this construct that it was -- and it's also really important to understand what that was replacing. The reason why this identity or this access control mechanism was created, was you actually used to get into compute devices with real physical keys.
Kim Jones: Yep.
Richard Bird: And so, this was a digital means, the very first digital means. So we treated from 1961 until about 2012 or 13, we treated identity only as access administration, and only as access control. And I always like to tell people, like in '09ish or whatever, when I got my first identity gig, my corporate CIO congratulated my promotion. He said, "Way to go, you've got the easiest job ever." And I was, like, what do you mean? And he goes, "It's just giving people access to stuff. How hard can it be?" And so, the whole idea of de-accessing people or de-provisioning, or roles, profiles, grants, entitlements, all the complexities that really drive identity are completely obfuscated from most people in any organization. And because they always equate things with just giving access to something as being identity, we've had this very, very stunted thought process around identity, and why I think this is an important conversation is, a number of years ago, Julie Smith, when she was at IDSA, and I started working on something where I was, like, writing articles about why is identity the only control domain recognized in NIST, recognized in ISO? Very clearly, we are cybersecurity kids at the big dinner table, but why is identity the only security control domain that doesn't use security language? We talk about access. We talk about entitlements. We talk about grants. In the meantime, our brethren in the other domain -- and sistren in the other domains -- are talking about attack surfaces, exploit surfaces, you know, time to remediate, all of these different mechanisms. And we are still talking about -- even within identity security, we're still talking about identity and access administration terms. And I think that's a big, big contributor to the problem.
Kim Jones: So when we think about identity as a proxy for us in the digital world, what should -- not what does, but what should -- that change about our thought processes regarding identity as a cyber professional?
Richard Bird: Well, boy, that's a tricky question because --
Kim Jones: We've got time.
Richard Bird: Well, I know, but it opens up that whole can of worms of which end of the whale do you start with?
Kim Jones: I want you to go there, so let's take both sides of that.
Richard Bird: Well, you mentioned something that I think is a real key part of the mess that we're in, which is -- I'll use Chase as an example. I've been a Chase customer for, I don't know, 32-some odd years back to Bank One, right, but I've been a Chase employee. I'm also a Chase former Executive Director, which when you leave Chase, it provides you with some interesting benefits, but each one of those is a different me, right? So there's no singular representation of me in digital systems like there is in the analog, and because of a propagation of 16 different versions of me, we run into massive conflicts. The use case that is always so easy to prove, where, as identity specialists, experts, we should be focusing on solving problems, is a very simple one. I am an employee of a company for 27 years. I leave that company and retire. Now I'm a retiree, former employee, but I come back six months later as a contractor. That simple use case usually blows most people's identity frameworks and identity stack apart because that contractor comes back, and there's some connection point that happens and all of their old accesses that were never hygiened and taken away because it was -- you know, we disconnected it at AD or Azure AD, but we never disabled at core application or core function. When you just look at the simple use cases like that, the problems that we have still not resolved in identity just bloom right in front of your eyes. And, you know, I think that a lot of our questioning about identity needs to come back to, did we ever actually build a functional taxonomy for the function? I raised this point, actually, at the last Identiverse. I said, I have a question about this whole is an AI an identity, which is a really interesting, big philosophical divide going on right now. And, you know, of course, all the identity people are like, of course, it's an identity. And I said, great. 
I said, who's ready to go talk to an enterprise buyer and tell them that their Okta bill is going to go up by 50% in any given year because they're going to get thousands and tens of thousands of AI agents that all need an identity now, and it's all value metric and subscription-based licensing. And they were like, oh. And I said, maybe the real problem here is what we are terribly bad at in identity is the way that we have been abstracting identity. So we tend to specify identities and go dive fast into authorization, authN, authZ, entitlements, grants, privileges. And I'm like, maybe our entity classification at that top layer has never happened where an AI is an identity, but it's a different type of entity. And a great example of this is one that we've already mentioned, which is I love all of the excitement about this thing called NHI, right? But I always ask, and I know all the NHI players, and I always ask them the same question. I'm like, so we didn't have anything other than workforce identities until two years ago when NHI companies just blew up, right? And everyone kind of pauses. And I'm like, this is a 50-year-old problem. We have contractors that are not humans because they're actually financial contracts. We have service accounts that aren't human, and I used to certify 2.7 million service accounts a quarter under SOX obligations back when I ran Identity at Chase. I'm like, this has been a problem that's existed forever. How all of a sudden is this now a new thing? And it's a new thing functionally because we never did the top layer entity assignment, right? We've missed an entire layer in the taxonomy. 
Because if I had an entity that was called a contractor or a temporal worker, then the way that I would have managed that identity would have been different than trying to take that contractor and then stuffing it into my workforce solution and then in the State of California be sued because I have contractors in a human resources related system, and now, those by default, they are considered to be full-time employees, right? This entity classification thing has been really scratching at me for the last several months in the AI space because now we're seeing it very aggressively happening in conversations around AI. And I'm, like, an AI is not an actual full human, so if you stuff it into a workforce system, it probably is not going to work, right?
Kim Jones: And it's going to get even more interesting as you begin to get more agentic AI operating out there. So now I've got additional functionality for this entity that more closely replicates what the human proxy can do within the environment. That's going to get even more interesting. [ Music ] Question for you, you mentioned that a lot of the -- you know, a lot of the focus in terms of fixing the problem, of looking at identity as more than just access, happened around 2012. What happened around 2012?
Richard Bird: Cloud, right? The very beginnings of cloud and, you know, commercialized cloud, when it was very clear that none of the access control solutions that were currently present on the market were going to be able to manage what at that time was predominantly AWS, right? Now it has become the complexities of multi-cloud, multi-CSP, right? But, you know, you have to -- you know, companies like Okta. I had Okta come into my office in 2014 when I was a CISO and try and sell me, right? And I remember like the conversations of like, why would I put my identity stores in the cloud? That seemed like a very bad idea. And yet, the, you know -- with a lot of tenacity, and again, this is why you have a lot of respect for McKinnon, because he had to hold on for a long time until the world caught up to real full cloud enablement. But the cloud brought into focus the inability for us to manage identity at the technical stack layer across a broad, diverse infrastructure deployment. I think this is an interesting repeat. Really, we saw major technical advancements, technological advancements, during kind of the boom cloud years with identity, and it wasn't just them. It was Cloudentity. It was, you know, a whole laundry list of names. You can think of Beyond Identity, Delinea, Ping, you know, going Ping Cloud. Like, everybody, you know, finally got there. I think AI is the next massive litmus test, catalyst, for advanced changes in identity security. Because, yeah, go ahead.
Kim Jones: Let me push you a little bit.
Richard Bird: Yeah.
Kim Jones: This is more devil's advocate than anything else. While I see the advances that we made in terms of understanding that we can't manage identity, you know, not just in-house, but need to actually expand it and expand the capabilities, I'm not necessarily sure we saw the mindset shift regarding what identity is other than just another form of access go along with that advancement in technology, because I still see a lot of vendors using good companies who are still looking at this as just another method of managing access. Do you disagree, and if so, why? I'm good with that. And if you agree, what do we need to do to fix that still, because it sounds like all we've done is migrate -- taking the same problem that started 50 years ago that we're dealing with now, and migrating it and making it more effective and efficient to be broken?
Richard Bird: Yeah. Yeah. I love that observation, right, because you're absolutely right, except this is going to be interesting, but it's not a technological problem. Now, I'm going to be very, very specific. It's not a technological problem on the workforce side. And the reason I say that is because the triad always holds true, people, process, and technology. So it was probably about sixish years ago that I started saying something that sounded really contentious in the marketplace, which was, if you get popped on a workforce identity related hack, it's your own fault because the tech is here and there's no reason that you should get hit in the workforce space. We're fully mature in that space, and I definitely still fully believe that today. But we can use an example of how the people and process part has failed to keep pace with the technological advancement, specifically in workforce identity, with another example with Okta, the MGM breach, right? The MGM breach was really interesting. Social engineering/phishing happening to a help desk, right, and that help desk then enabling the bad actors with access at the engineering level that had too many privileges. It was over-entitled, right? Now, who made that choice? I hope I'm not making anybody mad at MGM. I'm currently staying in an MGM resort.
Kim Jones: That would be bad.
Richard Bird: Yeah, but who made that choice to allow persistent excessive privilege and access for that engineer, that engineer's account? MGM did, right? Somebody within MGM made a decision that maybe one day this engineer needs this really heightened access capability in order to be able to continue to do their job. Therefore, we're not going to extract that from them because they are too important of an employee, a resource for us. This is the guy that if he steps off the curb and gets hit by a bus our production systems stop. So we cannot take and segment that information -- or that access -- and put it into privileged access management. That has nothing to do with technology. That is a series of process and people-related decisions that represent that antiquated mindset of access versus control. And that's why, and this is why I really love that you went there, that's why, I think the AI era is the catalyst for the next gear change. And the reason is, is because I have never heard non-identity people talk about the fine-grain control layer as much as I hear about it today, which is the fine-grain control layer is what those bad guys were capitalizing on in the MGM hack, knowing that the fine-grain control layer was subject to the people and process weaknesses. If you want to allow people and process weaknesses on an AI agent, I'm going to guarantee you right now, you're going to have a very bad day, multiple days in a row, right?
Kim Jones: And faster.
Richard Bird: And faster, because AI agents do not suffer from indecision bias, right? They will do what they have been tasked and coded to do, and they will capitalize on all of those same weaknesses if it allows them to accomplish that mission that you have tasked them to do. The only way that we're going to get our arms around that is diving into fine-grain control deep waters that I'm going to be really frank. Identity people, we're terrified of it, right? And the reason that we're terrified of it is because we don't control authN and authZ. We distributed that to the developers years ago. And if we think about the construct and the framework of that entity into identity, then who should have been controlling those fine-grain entitlements, grants, privileges? When we gave it things like authorization control over to developers, they didn't even bother to associate those authorization calls to users. They associated them to the app.
Kim Jones: Yep.
Richard Bird: So if you get access to the app, you can control the app through the authorization layer, whether or not it's assigned to you or not. We've seen AI agents doing this already actually in the last year. And so, this is why I really -- it's so weird that for everyone else that's freaking out about AI, I am stoked, not because of all the cool things that AI can do, but because AI is going to become the 10-ton weight, the grand piano dropping on Wile E. Coyote, that wakes up everybody in security beyond just identity to go, oh, my gosh, our architecting of this Rube Goldberg device that we call identity for the last 30 years/35 years is going to get absolutely destroyed by AI, unless we start talking about these difficult problems and get after it.
Kim Jones: Yeah, so let's -- that's a perfect segue. Let's double click on that. So I'm a CISO of a company smaller than Chase, significantly smaller than Chase. What do I do today? There's an argument that says AI is already here, which means this problem is already here, which means I'm already at least one to four steps behind.
Richard Bird: Right.
Kim Jones: But let us assume that by listening to this podcast, I realize, oh, crap, I'm probably five to six steps behind. I need to catch up. What do I do today to try and get in front of this, and I want to get more operational, you know, versus strategic?
Richard Bird: Yeah. What's the first thing?
Kim Jones: What should CISOs be doing, yeah?
Richard Bird: Yeah, the very first thing that every CISO needs to ask is what AI am I allowing into my organization? Because frankly, 90-plus percent, 99-plus percent of most companies' exposure to AI is external, right? It is not in-house developed, and because of that, that means I'm allowing things into my network, and the network still exists, and the network still is a protection layer. So every CISO needs to demand a full inventory and visibility into everything AI that is coming into the organization, question number one, right? Once there's knowledge around that, question number two is which of these AI services, features, functions or agents has persistent access that is not challenged or verified on a transactional basis? The other question that I ask that I think is another first starting point for CISOs is I ask, okay, what's your relationship with AI innovation within the organization? And they say, well, I've been told to just block the services that we don't have an enterprise contract for. And I look at a CISO and I'm like, okay, can we be intellectually honest for a moment? Are you blocking everything?
Kim Jones: I don't even know everything I should be blocking.
Richard Bird: Yeah, and you see every CISO, and I do think that there's a certain hold your nose and throw up in your mouth a little bit right now that CISOs are having to deal with because of, you know, the grand hope and dream of all the things that AI can do on the business side. Now, I will say that this is also the first time in my career where I'm seeing a lot of CIOs who are responsible for that innovation who are like something with no guardrails is probably bad.
Kim Jones: Yeah.
Richard Bird: Right? That's a good -- that's a good evolutionary movement, right? We want to, you know, we want to progress the conversation. The way that people become security aware is not because they do cyber security awareness training. You know, nobody learns how to run away from a bear by reading a book about running away from a bear, right? A CIO who's now understanding that the reward component of AI comes with a very possible risk component or damage component, like, to see that kind of recognition among other C-level technologists is incredibly important.
Kim Jones: Absolutely.
Richard Bird: And that's why I think AI is driving these really interesting conversations. I am so glad, like, this -- this is going to sound melodramatic, but I'm so glad that I'm not retired. I'm so glad that I'm not. I'm so glad that I didn't hang my cleats up, you know, a couple of years ago and just say that I'm going to go do whatever. Like, I think we're in a super-exciting time for security and identity specifically because of AI, because it's forcing us to think about all the things that we a) did bad in the past, and that's a lot, right? And b) what we're going to have to do not to repeat those things, because like you said, the consequence of -- the catastrophic consequences are faster. The blast radius is bigger. The damage is going to be insane, right? And it's forcing conversations that I haven't heard in the practitioner community in years and years and years.
Kim Jones: Let's end this the way I end all my podcasts and give you an opportunity to tell my audience one thing that you want them to know that we haven't brought up, we haven't discussed, et cetera.
Richard Bird: Well, the thing that I talk about a lot now is while we're talking about all of these founders in the AI space that are just so eager to hype up what they're doing, right, there's a reality here that I think is both exciting and fascinating, which is we're in an age of technology that is the first of what I call the "pop culture age of technology." So my mom, 79 years old, my mom has asked me if she needs to be concerned about AI.
Kim Jones: Wow.
Richard Bird: Yeah, my -- my mom has never asked me what my quality scan results were, right? Like, my mom has never expressed any interest in what I do on the security side, and there's huge opportunity for conversations as families, as parents, as children amongst each other, about technology and what it means in our lives because of what's happening currently with AI. I think there's a need for us to kind of collectively, as human beings, to embrace this pop culture moment of AI and go, okay, like, what could we do? What could change for the better? What could we leverage these capabilities to do besides, you know, lay off a thousand call center workers, right? Like, let's be more thoughtful. Too many people feel like this AI thing is such a tidal wave that is just washing everything out into the ocean, and they can't keep up with it. And I'm, like, that's not really true. Like, just be observant; dig into it. I think that's -- that's really what I'm encouraging people to do. [ Music ]
Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one, and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic, and there's a link in the show notes. This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiban, and mixing, sound design and original music by Elliot Peltzman. I'm Kim Jones. See you next episode. [ Music ]
