CSO Perspectives (Pro) 11.14.22
Ep 91 | 11.14.22

Current State of Identity.


Rick Howard: Hey, everybody.


Unidentified Actors: (Singing) We're back. We're back in our own backyard. 

Rick Howard: Welcome back to the "CSO Perspectives" podcast, and for those keeping score at home, this is Season 11. And the interns down in the sanctum sanctorum have really outdone themselves this time. I'm not kidding. We might have to double their rations of bread and water. 


Rick Howard: Hey, hey, hey. Settle down back there. It's only for today. We go back to normal rations tomorrow. 


Rick Howard: They have built some fantastic shows around how to use the MITRE ATT&CK framework in the cloud. How do newbies in the InfoSec community become CISOs? What's this relatively new phenomenon in the InfoSec community called virtual CISOs? And don't forget, we have the live CyberWire analyst call before the Christmas break, exclusively for CyberWire Pro members, where we bring in a team of experts, sit them around the CyberWire hash table and discuss the most impactful news stories for the last 90 days. 

Rick Howard: Finally, we also have a special treat. Andy Greenberg, the famous WIRED magazine journalist and author of the Cybersecurity Canon Hall of Fame book "Sandworm," is coming to the hash table to talk about his latest book, "Tracers in the Dark," that will be published by the time you hear this episode. I just finished reading it, and I have to say it's the best cybercrime book I've read in years. 

Rick Howard: But for today's show, we're talking about the current state of identity management. At the 2022 RSA Conference in San Francisco this past year, I had the opportunity to sit down with Andre Durand. He is the CEO for Ping Identity, and he has been in the identity business for over 20 years. His vision for where identity will go in the future is fascinating, and he agreed to come to the hash table to tell us about it. So hold on to your butts. 


Samuel L Jackson: (As Ray Arnold) Hold on to your butts. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old US of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: Andre Durand has been in the tech industry since the early days. He attended the University of California at Santa Barbara studying biology and economics in the late 1980s. He founded and sold a couple of tech companies in the '90s, Durand Communications and Jabber. And then in 2002, he started his foray into digital identity by co-founding Digital ID World, a magazine and conference with identity as a focus. And at the same time, he founded Ping Identity, where he has been the CEO for the past 20 years, which, as you all know, is not typical. 

Rick Howard: According to the company M&A Executive Search, the average CEO tenure in 2022 was about five years. Mr. Durand is what you might call a unicorn. I started out by asking him, what about this concept of identity that caught his eye over 20 years ago? What was the opportunity that compelled him to start Ping Identity? 

Andre Durand: You know, back when I was in Jabber in early 2000s - I don't remember the exact date, but I remember when Microsoft announced Passport. And so this was, you know, definitely the dot-com fervor. And the notion that you could have a single identity that somehow could be used like a passport to roam the internet where you could be known rather than anonymous by default - you know, that did really capture my attention. I also made a couple of observations, that networking seemed to be a one-way street. And the utility of any device that was once standalone and later became networked - it seems like its original utility evaporated, and all of its perceived value and utility was only in context of it now being networked. 

Andre Durand: So I made the observation that networking is a one-way street. You don't unnetwork. You only become more and more networked, as a general concept. And on the heels of that, I surmised that, well, if any device that touches the network only has utility on the network, well, then at some future point it should be that if your device is lost or stolen by someone and they can only use it on the network, that we should be able to find and shut it off. It's exactly Find My iPhone in reality. And one step beyond that thought, I said, well, it only works if you can uniquely identify the device and you can uniquely identify the human that, in theory, is the owner of the device. And I recognized that we didn't have that concept on the internet. So it was the combination of those ideas that ultimately led to Ping. 

Rick Howard: Well, that's really early thinking because - I was reading some history on this - you can make an argument that the late, great computer scientist Fernando Corbato invented the beta version of identity back in the early '60s, when he implemented the user ID-password pair for mainframes. And I found a guy. His name is Dick Hardt. He's an identity evangelist in the 2000s. He says that, by the mid-2000s - this is 30 years later when you started your company, right? - we finally got to version 1.0 of identity for the masses when Microsoft rolled out Active Directory in Windows Server 2000, and that essentially means that users could log in to their organization to get access to resources. AD gave us a way to validate that - our identities for that. 

Rick Howard: Today, when you talk to security practitioners, they realize how important identity is in implementing their zero-trust strategy. But that strategy is, you know, relatively new compared to all this going on back in the 2000s, right? In hindsight, it's clear. You can see how important identity is. But back then, we didn't know that. And why do you think it took so long - 30 years - to get something that was workable for what you noticed in 2000? 

Andre Durand: It's such a big commentary, and maybe I'll generalize here a little bit. 

Rick Howard: OK. 

Andre Durand: Oftentimes, the simplest, easiest and minimum viable becomes ubiquitous. Passwords are an example of something that is simple and easy and subsequently became ubiquitous, which is why getting rid of passwords now is no easy feat - right? - 'cause we've... 

Rick Howard: Yeah, yeah. 

Andre Durand: ...Had 30, 40 years. I - if you go back to the notion that you needed to identify the user, the individual, the human that was behind the keyboard, in many respects, that concept was born when the resources we were accessing were no longer physically in our presence. So it used to be that you secured a computer by locking it in a room. So the user had to physically get through the door to sit down at the keyboard. So physical security was a proxy for the computer security. 

Andre Durand: When, all of a sudden, the user who was at the keyboard was accessing information through a network at a remote location, the physical security was no longer a proxy for a remote user. So the terminal that was accessing the mainframe is an example of where the physical security was no longer a good proxy for whose, you know, fingers were at the keyboard in a networked environment. So networking gave rise to the notion of having to identify the user of the keyboard. 

Rick Howard: So the model we had back in those days was - we were - it was tied back to the physical security model, like you said. 

Andre Durand: They were coupled. 

Rick Howard: And then when - coupled, yeah. 

Andre Durand: They were intrinsically coupled. 

Rick Howard: Yeah, yeah. 

Andre Durand: And the network decoupled it. All of a sudden, the resources that we were looking to protect - the CPU time, the data, the service - was remote from the user who was actually on their keyboard. So we had to recouple the user to the access, and, of course, identity was the linchpin. And COVID accelerated this. Say the pillars of security prior to zero trust were largely something like this. Put everything of value in a place. The users, the computers, the network, all the information, the applications and the data - they're all on our network, behind our firewall, in our building, so to speak. What is on the network is presumed trustworthy - trusted, if you will, known and trusted - and what's not on our network is presumed unsafe, unknown, untrusted. 

Andre Durand: So you have this trusted zone called the network and an untrusted zone, maybe called the internet, so to speak. The users badge into a building with a company-issued computer, log in with their credentials, you know, on wires that were physically in the control. And in the old days, you used to access an application running in the closet. Everything was behind the firewall. 

Rick Howard: Right. 

Andre Durand: All of that has now been blown up. Users' data applications are running everywhere, and we need to resow a concept of security back into this inherently distributed environment. And the notion of don't trust the user network or the device by default, zero trust or continuously adapt the level of trust based upon the circumstances - all of that has really risen in the last three or four years. But it all requires the notion of identity. 

Rick Howard: Yeah. We used to call that perimeter defense. I guess we still call that perimeter defense. Like you said, we built... 

Andre Durand: It's just the - but perimeter has changed now. 

Rick Howard: Yeah. Yeah. Correct. 

Andre Durand: Whenever you hear ID is the new perimeter - the thing that people are trying to get into because they know the assets that are being protected are everywhere - it's not the network perimeter anymore - they're trying to get into your account. So the perimeter is the identity, and - which is why all these attacks are essentially attempting to get in under somebody else's identity and inherit their permissions to access things they shouldn't. 

Rick Howard: Well, you know, I've been doing this a long time. And when we just had perimeter defense, like you described it, you know, we had a headquarters building where everything was behind this electronic fence. It was hard enough to do security with that model. But as things have changed in the last 15 years, where our data and our applications are everywhere - you know, we have multicloud environments. We have SaaS services. We still have data centers, and we still have headquarters buildings. Our data is all through that. I call all those things data islands, right? And that old model of being right next to the thing that you are interested in working on is no longer valid. And it took us a while to figure that out, right? That's what you were saying. 

Andre Durand: That's what I'm saying. So identity is becoming the steel thread. It is becoming the new perimeter. It is becoming the new control plane to, in essence, denote who has access to what. What is appropriate access? But in that concept, you have to strongly verify a user's identity before you give them an account. And then when you give them, quote-unquote, "an account" and they authenticate to that account, we need to make sure that the authentication is appropriately strong and can't simply be phished by socially engineering an ability to get a user's secret, aka their password, and replay their secret to take on the persona of their account. So strong authentication becomes important. 

Andre Durand: Then the next step, one step beyond that - we're not there as an industry, but it's coming - is the ability to authorize, then, what you can do once you do authenticate. So step by step, we have to get the pillars of this new security paradigm that is centered on the notion of strong identity. And we need to get those pillars right so that we can allow you to work from home securely and access any application or resource, whether it's still running in the data - in the mainframe or multiple clouds. We need to connect you - reconnect you to all of those things as frictionlessly as we can but also as securely as we can. 

Rick Howard: I was looking through the history of this, and, you know, mostly, when we had the old physical security model, where - identity was the only thing we really worried about - right? - because once you got in, you were on the inside, and nobody worried about what you were doing 'cause you were authorized user on the inside. But as we've described, there's all kinds of places where you... 

Andre Durand: That doesn't work with insider threat. So again, this whole notion of, like... 

Rick Howard: It doesn't work. I know, but that's what we assumed, right? Yeah. 

Andre Durand: ...The presumption of big trust - once you get through the big gate, nobody was monitoring your movements on the inside. In the new world, it's zero trust. Or maybe I should say small trust rather than zero trust. 

Rick Howard: Yeah. 

Andre Durand: But you kind of get my point. We're collapsing the amount of trust, both the physical space and the dimension side of the equation, as well as the time side of the equation. I might - you might have authenticated an hour ago. Do I still trust the authentication? Am I looking at signals of your behavior on the inside that would indicate maybe this is not the same actor that I thought it was 'cause we have not seen this behavioral pattern before? So maybe it's not who we think it is, and we need to do a step-up authentication, for example, in the moment that we see the abnormal behavior. These are all concepts as we're shrinking trust, I guess the holy grail being zero trust. 

Rick Howard: Well, I mean, you mentioned authorization. That kind of snuck in here in the last 10 years 'cause we weren't doing that at all. We weren't saying, now I know it's Rick Howard here in my environment, but what is he authorized to see and use? And that's a relatively new thing in the whole identity evolution, right? That's in the last 10 years. 

Andre Durand: It's been around for a while. It's been managed at an application scale. 

Rick Howard: Yeah. 

Andre Durand: And it now needs to be handled at a true network of networks or internet scale. So we have a lot of work there to do. But look, the point of identity as a security construct is not to simply verify and authenticate a user. The entire point is to ensure that we're talking to the right users so that we can actually authorize what they should and should not have access to or do. So the point of identity is authorization. It's just a harder, deeper problem to get at, and we've kind of been stuck in first gear, which is just attempting to simplify and strengthen the authentication services as step one. But step two is the thing that matters. 

Rick Howard: So I would call that identity 2.0, and we're trying to get there. And like you said, we're not quite there yet. In my perfect world, I'd want to be able to go anywhere I need to go, where all my data islands are, but I, you know, identify myself once, authorize myself once and then be allowed to progress to the - whatever job I was having to do. Like you said, I might have to be refreshed and - based on time and all that kind of thing. But I don't want to have to log into each - every, you know, data island I have, right? 

Andre Durand: No. You want to... 

Rick Howard: Yeah. 

Andre Durand: Yeah. That's exactly right. I mean, ideally, you wouldn't have to log in at all. You'd just be recognized. The holy grail of authentication, for example, is not just getting rid of passwords. The holy grail is when the devices recognize us with a certain level of assurance, and the assurance level is appropriate for the level of risk of the assets that we're accessing. So for example, it's very - if I'm logging in to Instagram, it's very different than if I'm logging in to initiate a wire transfer. 

Rick Howard: Right. 

Andre Durand: And so the level of assurance of my authentication needs to be higher in the latter case. So the perfect world is that our systems can recognize us with the appropriate level of assurance and that that assurance can be tethered to the authorization of what we should and shouldn't be able to see and do. And from an end-user perspective, this should all be, for the most part, invisible. But for those that are trying to protect the assets that you and I are trying to get into, we need to give them the tools to appropriately authorize and run the appropriate level of governance so that they can prove that they are securing things appropriately. 

Rick Howard: The history of identity has really taken the slow road from the invention of the password in the 1960s to something that Dick Hardt, an early identity evangelist in the 2000s, labeled identity 1.0, when Microsoft rolled out Active Directory in Windows Server 2000 and allowed a centralized repository of account information - essentially, you no longer needed separate credentials for each machine you needed access to - to identity 2.0, where we added authorization to the identity and access management puzzle in the 2010s. 

Rick Howard: After the break, we'll talk to Andre about software-defined perimeter, centralized identity providers, like Google, Amazon and Facebook, and Andre's vision of the identity future, where the entire identity and access management paradigm is flipped on its head and gives control back to the user. Come right back. 

Rick Howard: Let's talk about some of those new ideas. One of them is - it's an old idea, been around, but it hasn't really been implemented that well. It's called software-defined perimeter. And it's a horrible name, a horrible marketing name 'cause it doesn't establish a perimeter at all. But it's a place on the internet where you go and identify yourself and get authorized, and that location brokers the connection to the resource that you need to get to, wherever it is, in the cloud or your SaaS app or wherever it is. And that's completely different than the way we used to do it in the old days. You know, if I wanted to log in to a server in the data center, I would have to, you know, travel over there on the network, get on the box itself and then use my user ID and password. This SDP thing is completely different. It makes total sense to me. Is that the direction the industry is going, is we're all going to have some sort of software-defined perimeter mechanism in some point in our future? 

Andre Durand: Generally speaking, hardwiring our networks and our access does not work in an increasingly dynamic world. And what you're really seeing here is that the ways in which people needed to access systems - the hardware network did not map to the logical network. There was a disconnect between logical access and physical access. And separating those two and creating a more flexible logical layer... 

Rick Howard: Yeah. 

Andre Durand: ...Of how we define the network met the business needs better than having logical and physical bound to the physical limitations of our networks. It's like networking is a one-way street, so is the agility to redefine relationships and security boundaries. It only wants to become more flexible, more dynamic and more real-time over time. So trying to somehow control and secure a very static world as if everything were what I call custom cement doesn't work for today's business. These boundaries, what you should and shouldn't have access to, are being redefined all the time. And we want to make sure that the systems that we're using, designing and actually implementing allow for that face, you know, forward future view that we can't quite anticipate today. But we know it's going to be more dynamic and more granular than it's been in the past. 

Rick Howard: So today we choose three or four identity providers that do the bulk of the work for us. But they're still pipe systems, and they're big Silicon Valley companies. And what I mean by that is I can log into Google in the morning and then use the Google authentication system to log into Twitter for me. And I don't have to send passwords over in the clear. But that seems very - like a half step to solve some of these problems. Do you anticipate that there will be these trusted third-party managers that aren't the big Silicon Valley companies that will handle that kind of thing for us in the future? Or is that a dead idea? 

Andre Durand: It's not a dead idea because economics, economies of scale, user convenience play a major role in what actually gets adoption. And centralized systems can offer an economies of scale that's hard to replicate in a decentralized or distributed environment. And generally speaking, users are inherently lazy. So if they can get something... 

Rick Howard: (Laughter) What, me? What? I don't understand. 

Andre Durand: Yeah. And look; I'm in that bucket, right? So I'm not calling anyone out. And by the way, you know, what I'm describing, I don't think anyone would just argue with. 

Rick Howard: Yeah (laughter). 

Andre Durand: So it just happens to be fact without judgment. The - but there are - at any moment time, I have observed that there is a general tension that always exists between centralization and decentralization and that it's kind of a wave theory. At any moment in time, depending on the tech we're talking to - about, you know, the trend might be trending towards one end of the wave versus the other end of the wave, but they could just continue to oscillate in a never-ending wave. And so, for example, there's a tension between bandwidth and CPU in client-server and terminal-host, to borrow old terminology. And so if the bandwidth were infinitely fast and cheap, everything can be centralized, and you just have a remote view, so to speak. When bandwidth is expensive and CPU is cheap, then you might do a lot of compute on the endpoint. Does that make sense? 

Rick Howard: Totally makes sense. Yeah. 

Andre Durand: And so these two things are, like, in constant battle. And I believe there's a certain tension that can and will exist between the notion of decentralized identity and centralized identity. What you just called out was we've been living in a world of largely centralized identity, whether it's the big three or four that you described, like your Gmail account, your email account, a global unique identifier that you can use to authenticate to Google, but then subsequently leverage that authentication at other third-party sites so you don't have to have accounts on their systems. You can have a Google account. The good and bad of that is that it's free. 

Rick Howard: Yup. 

Andre Durand: It's easy. The bad of that is that Google sees all your activity... 

Rick Howard: Yeah. 

Andre Durand: ...When you leverage them. And so there's a privacy - it runs at odds with the privacy. People trade privacy for cost and convenience all the time. And that Gmail example is a great example. You can go through the hassle of creating an account with your email, or you can just click the sign in with Google or SSO or sign in with Apple. That's another instantiation of the same thing. What we haven't had is an ability for individuals to prove who they are or to authenticate or verify themselves in a manner that they own and control versus some centralized big tech provider. 

Rick Howard: That's the idea that really intrigued me. You and I met - the first time we met was at the RSA Conference this year in San Francisco. And you were telling me about this idea where we're going to flip the whole identity authentication system on its head, and we would own - the user would own the - your identity and we would be the owner of that whole thing. Explain what that means to the typical user. 

Andre Durand: Yeah. And here I will maybe focus a little bit on the choice of words because ownership and control are two different things. 

Rick Howard: Yeah, you're right. 

Andre Durand: And we have to recognize that we as individuals - we don't live in a vacuum. Our entire reality is a collaboration with other entities - entities being other humans, entities being corporations for the most part, entities being governments. So acknowledge that we don't live in a vacuum. And what we say about ourselves holds less trust or weight than what others say about us. Almost like segregation of duties, right? If someone else says something about us, it carries a little bit more credence than a self-asserted claim. And so what we don't have control over today is the hoards of information that exists in all of the logs and CRM systems that we have with companies that we interact with. Our digital identity, aka, where did we graduate? What certifications do we have? What is our credit worthiness? Our health record, where we're employed and the history of our employment. All of that digital information is stored in the identity systems and databases of all the companies that we interact with as we interact with societies and communities at large, from cradle to grave. 

Andre Durand: Where and how that information then gets used without our knowledge has been the abuse of power and centralization and the issues with privacy over the course of the last 20 years, as more and more of those interactions have essentially been funneled through fewer and fewer players and the sharing of that information for financial gain, where we're the product, and our identity and our behaviors and our preferences have essentially been propagated without our knowledge, which is why we have regulation where the citizens unite and come up with things like GDPR that says no, companies need to capture consent before they share information to any of their partners, because that information about us is not being - you know, we don't know what that information is. What I'm going to argue is that that model is inherently broke as well, right? 

Rick Howard: Yeah. 

Andre Durand: The reaction of regulation to force even more burdensome regulatory tech upon companies just trying to do business, just trying to know their customers, serve their customers personally, even that's broken. So I think we have an opportunity here leveraging the compute that we as individuals now have in the instantiation of our mobile phones. Always on, always connected, secure enclaves, biometrics embedded in the platform to help unlock those secure enclaves - we now have an opportunity as individuals to leverage compute, to begin to collect and store some of that digital identity information on our phone. And then as a result of that, we can control the dissemination or distribution of that information to third parties. 

Andre Durand: So you want to know something about me? Ask me. Now, what I share with you isn't just a claim about myself, meaning I don't tell you I'm Andre Durand and you believe me. But if I tell you I'm Andre Durand, and that claim came from the DMV and that is a legally binding verification of my identity in society, OK, now that has some value. And that's what I meant - the difference between own and control. Do I own? That term assumes that I have the right to change anything about it. And that's not true. The DMV does a certain - we hope, a certain amount of vetting of my identity before they issue me a Real ID or driver's license. I now can store that information on my phone. You can ask me about it, and I can control disseminating it to you. So we're changing the privacy model here. 

Rick Howard: So in one version of this, one way this could go, which I really think is - I love the idea. All right. Instead of me having to read through 300 pages of legal boilerplate and then agreeing to let the DMV, you know, release my data to somebody that I don't know anything about, the alternative to that is when someone is requesting my information from the DMV, either the DMV or that person, that organization, has to go to my mobile phone, let's say, and I have to agree to let them see it, right? It puts the control back in my hands, you know? 

Andre Durand: That's the idea. And then the exchange of value becomes obvious. 

Rick Howard: Yeah. 

Andre Durand: Right? Do you authorize the release of information to a third party? Well, the question is, what's in it for me? And right now, that exchange of value is being traded off without our full understanding. So does anyone know what's an active identity worth on Facebook? And the exchange of value is not fully understood. We know we're receiving free social networking, for example, in all of these platforms. But are we fully cognizant of the trade-off of our identity and our privacy out the back end? And that's where it's opaque. And the regulation is trying to insert some level of control, but it's just doing it in a manner it's - you know, it's like a Band-Aid for a deep cut. It's just not the right approach. We have to fundamentally change the way this whole interaction works. 

Rick Howard: So, Andre, I could talk to you about this forever, but I'll give you the last word on this. Can you forecast into the future a little bit to tell us where we're going to be in the next two, five, 10 years? How fast are we going to go on this kind of thing? 

Andre Durand: I think a lot goes slow, and then a lot goes fast. So I think... 

Rick Howard: (Laughter) That's very true. 

Andre Durand: ...The building blocks are very slow, and seeing the whole system end to end feels like watching grass grow. It's an eternity. 

Rick Howard: I know. 

Andre Durand: And then once the blocks are there, then all of a sudden, things go very fast. So it's a little bit like, you know, loose tight and slow fast. I think this is going to be one of those slow fast. If you're in the industry, it feels very slow. If you're outside, it'll feel very, very quick. And so, yeah, the next two to five years, I think a lot comes together. I think a lot of the building blocks of what I'm describing are now actually present. And many times, they're just missing a breakout use case to make the general concepts very tangible to individuals. I've seen several candidates. Time will tell which one breaks out. 

Andre Durand: But I think in the next five years, the act of authenticating will inherently change. I do believe the devices' true biometrics will recognize us, if we allow them to, with a certain level of risk-adjusted assurance. And I think we will also have better control over the release of our identity information to others vis-a-vis what I just described earlier. I think we're coming into a real, real incredible period of time both in terms of end user control over identity, the security posture and, ultimately, the end-user convenience. All three of those, I think, come together inside of the next three or five years. 

Rick Howard: So a hopeful message - I like that, Andre. Thank you for doing that. I appreciate that. 

Rick Howard: And there you have it. I really like what Andre said there about how, for InfoSec practitioners, it seems like the progress of identity and access management has been slowly crawling along with incremental improvements. But in reality, the entire concept has been gaining weight and gravitas. And in a few short years, the entire model might be flipped on its head, taking control of user identity away from a handful of big Silicon Valley vendors and giving it to the user, who it rightfully belongs to. That's a vision of the future that I can get behind. 

Rick Howard: And that's a wrap. I'd like to thank Andre Durand, the CEO of Ping Identity, for helping us understand where identity is going in the near future. And as always, if you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's csop@thecyberwire.com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. 

Rick Howard: Next week we'll be talking about how to apply the MITRE ATT&CK framework in the cloud. You don't want to miss that. 


Tim Allen: (As Tim Taylor) Oh, yeah (laughter). 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.