#CybersecurityMonth and what’s next for A.I., IAM, and authorization
We discuss 20 years of Cybersecurity Awareness Month and what's next as the authorization market continues to face A.I. and IAM challenges.
Kelly O'Dwyer-Manuel & David Brossard
Wednesday, October 4th, 2023
Download mp3 · File size: 42MB · Duration: 29:14
In this episode:
We discuss the celebration of twenty years of Cybersecurity Awareness Month as well as some of the happenings in the world of access control, including:
- Some of the major highlights in the last two decades of CSAM
- The challenges in dealing with prompt bombing
- The continuing growth of A.I. (Artificial Intelligence) and how authorization is evolving with it
- The future of Information Access Management (IAM) and authorization
Kelly: Well, we’re back! And this time we talk about everything from the twentieth anniversary of National Cybersecurity Month to prompt bombing, A.I., and what’s next for identity and access management and authorization.
Grab a cup of coffee or a chocolate bar, and join us!
Welcome back, everyone! We’re here with a brand new episode for National Cybersecurity Month. Hello again! I’m Kelly O’Dwyer-Manuel, and with me I have, as always, David Brossard. Hey, David! How’s it going?
David: I’m doing pretty good. Thanks for asking, how are you doing?
Kelly: I’m hanging in there, as my grandpa used to say. Can’t complain. Nobody’s listening. But of course we hope more people are listening. And with that, we should consider a stand-up routine after this, I think, David. Yeah, we’ll get on that.
But we digress. So, National Cybersecurity Month. This is, you know, we know that every cybersecurity vendor out there is gonna have something going on.
But this is a particularly notable time for this particular month. It’s the twentieth anniversary of National Cybersecurity Month. So the twentieth of anything, right, as a marketer, I’m gonna automatically think, hey, let’s talk about what’s happened in the last twenty years.
Why is this such a momentous occasion? But I wanna be more specific here, David, because I know you have some viewpoints on not only the journey of identity and access management, but the journey of some of the stakeholder groups they’re in.
And I’m thinking particularly of our friends in the developer community and how their interaction with identity teams and with identity and access management solutions and technologies has changed in the last twenty years.
So, that was really long winded. Clearly, I need less caffeine before we record these.
But where do you want to start? What’s kind of piquing your interest more, the identity journey or the developer journey?
David: I think a bit of both, and not just the identity journey. Of course it’s also the whole IAM landscape, and, you know, IAM over the past ten to fifteen years, not twenty, it’s really been... and then to a lesser degree it’s always been about the identity piece. And, you know, Kelly, you say it’s twenty years of Cybersecurity Month.
What were we doing before 2003? Where were we? Did security not matter? How was it, from a business perspective? How did you do employee onboarding? How did you do employee offboarding? How many rogue employees did you have? What happened before those twenty years?
So, I think it’s fair to say that obviously everyone cares about security and everyone cares about cybersecurity.
I think one of the things that probably has changed over the past twenty years is how much we’ve become digitized. It was probably already the case in 2003. We all worked with computers, and the Internet was a thing, but the amount of data, the amount of services, the amount of identities have just gone up ever since. Everything is online.
And of course, stuff that has happened since then is a lot of SaaS has happened, right?
So the original SaaS company, you could argue, might be Salesforce, founded in 1999.
But since then a lot of people were saying, “Oh, well, yeah, you can move some stuff to SaaS, but we will never move core security products to SaaS.”
And then Okta comes along, and I don’t remember the date, I’m sorry. And they say, “No, no, we’ll run that from SaaS.” And people were, like, “That’s crazy!” And look at them today. A lot of companies run their identity practice from SaaS, and that changes the whole cybersecurity landscape because it opens up new opportunities. But also new threats.
So, lots and lots has changed. The vectors have changed.
And then, Kelly, you were saying, the developer angle: twenty years ago, twenty plus years ago, developers, quote, only developed apps. They did not think about security. One of the big changes has been telling the developers, hey, you’ve got to think about a secure development life cycle, a secure software development lifecycle.
Think about building security in from the get go, not as an afterthought. And that’s really fundamental, but also having tools and capabilities and services at their fingertips that they can use to implement security mechanisms.
So for us, of course, it means identity capabilities or access control capabilities. But it’s also encryption capabilities, you know, storing data at rest in a secure way.
The fact that those libraries and services are now more prevalent and easier to use makes it easier on developers to adopt secure practices and to make their products more secure. We’ll have to count how many times we use the word secure, by the way, Kelly.
Kelly: Yeah, we could run a contest, I think, and whoever has the correct guess gets a jug of jelly beans. There we go. Yeah, yeah, some security jelly beans.
That’s interesting, and I mean, you know, I’m old enough now, or so I’m told, that I can think back to twenty years ago, and even the experience from an end user side, right, was so wholly different.
We’d go into work. You’d sit down at your desk. You’d log in through a VPN or enter the code from your little tag from RSA, and bingo, you were in there. It wasn’t as easy. There was lots of friction to be able to get there, but once you were there, you were there. The authentication felt, at least from the end-user perspective, absolute. So that’s certainly been a momentous change.
What would you say, David, if you look back, is something maybe you thought was going to change, but didn’t? And why do you think that is?
David: So, let’s talk about what has changed for the better and definitely authentication has.
If I think back to my first experiences as an intern at a company, I would log in with Novell at the time, I think, on my Windows machine. And there was no other authentication. There was nothing else I could do. There was no Internet. Well, there was Internet, but Internet access was forbidden, so that kind of limited the exposure as well.
And back then the conversation was not a security conversation. It was not about, “Oh, you have the Internet. It’s a security threat”. It was more of a productivity thing. If you have access to the Internet, you’re gonna slack on the job. Who knew?
But the other thing that did happen back in the day, like, Kelly, you said you were going into the office, therefore you were in an internal network, deemed more secure.
You would do the one login, and then for every single other service you had to use, say, payroll, HR (Human Resources), whatever it might be, you had a different credential. So one thing that has changed for the better is definitely single sign-on. That has been a massive thing.
And then, more recently, introducing MFA, like expecting that employees have to enter a second factor to be able to complete the authentication. That has changed for the better. It doesn’t necessarily make...
Unfortunately, MFA does not necessarily make the user experience better. And that’s why a lot of folks are focusing right now on passkeys and passwordless authentication. I think that’s gonna be the next wave that we see that’s gonna bring more secure authentication.
Oftentimes you’ll hear that there’s a balance to be had between great user experience (UX) and security, and that’s a wrong balance to think of. You should be trading off one for the other.
MFA is better security, but it flies in the face of good UX, because it’s disruptive, and people don’t always know how to use MFA. And where do they get the code from? Is it an SMS? Which we all know is weak. Is it an authenticator app, in which case you have to teach people to use an authenticator app, which is, you know, a challenge, isn’t it?
A pop-up on your phone? In which case you could have MFA fatigue. Or, I think, Kelly, you told me once that it was called MFA bombing.
Kelly: Prompt bombing.
David: Thank you. Those still need to be solved, hopefully. Passwordless and passkeys will get us there in the near future. To answer your question, though: what has not changed?
Yeah, selfishly, I’m gonna pull the covers toward Axiomatics here. The authorization piece still needs to be solved to some degree.
I also think more broadly that we need to keep educating developers on the importance of security and baking security in right from the very beginning, right from the requirements.
And I say developers. I should also say the product managers, right? The product owners, those who design the products. They have to think about security, not as an afterthought, but as a first class requirement, making the app secure, making the UX in line with security as well.
And there’s lots of little things that you can do, but more selfishly, I think, authorization, because it straddles two worlds, right: the world of identity and the world of authentication on the one hand.
And then the world of the application, the world of data, the world of services on the other. Authorization is the next thing, the next nut that we need to crack from a cybersecurity standpoint.
Kelly: That makes sense. And it brings up a couple of interesting questions, David, because I think, you know, to your point, and I’ve had a few different conversations with people far smarter than I about these things.
But in terms of the next wave of authentication and authorization, I mean, so many organizations are still really struggling with authentication, and even those that are trying to adopt more forward-thinking routes, like passwordless, almost meet resistance. It’s almost like we’ve been conditioned to believe that if there isn’t some friction in the end-user experience, it mustn’t be secure.
So, passwordless kind of makes people feel a little uncomfortable because it’s not the friction of having to answer a question or enter a password and then enter something else, etc.
How much of an impediment is that? And what are the things that the authorization space, so, you know, Axiomatics and others, can be learning, as we see the authentication space mature, that we might look to adopt?
David: So you touched on a couple of really good points. First of all, there’s this thing called Security Theater, that seeing security is thinking it’s more secure.
It’s not true, right? The best security is probably the one that you don’t see, right, or at least the visibility, the annoyance, the presence of security doesn’t mean that it’s more secure or less secure, right?
So we shouldn’t rely on that. I mean, TSA is a great example of that. You go through airport security. It’s very visible today. Does it make it more secure? I don’t know.
Are there things that we could do better? Maybe. So the amount of visible security is definitely not an indicator of how good security is, right. And so prompting a user for a very complex password doesn’t make the system more secure, and there have been quite a few studies saying that, you know, password policies are no longer the way to go.
Sure, you do have to have some kind of strong password, but not to the extent that the person has to write it down on a Post-it note and stick it on their monitor, because that actually defeats the purpose of having that strong password in the first place. So that’s when we need to have MFA or passwordless authentication, or these other mechanisms.
What it means for us, though, the authorization vendors, is that we should not put all our eggs in the authentication basket. And what I mean by that is, historically, you’re authenticated, you’re in, you can do whatever. But actually, we need to start thinking in more fine-grained ways, whereas if you’ve been authenticated, good for you. It doesn’t mean you can do everything and anything within the enterprise.
We’re gonna have to put policies in place that control what you can do and under what circumstances, and that’s where fine-grained authorization comes in, and that ties into what Zero Trust has been mandating, right? It’s verify, always verify that you are who you say you are. Verify that you’re supposed to do what you’re trying to do, right?
So, we wanna be doing that check continuously, not just when you walk through that door.
Kelly: No, that makes good sense. And, I mean, certainly, as we were just talking about, even the way in which people are accessing corporate assets has changed monumentally. I think you could make the argument even in the last three to five years.
And when I think of the last three to five years, David, and I know we talked about this a little before we jumped on our podcast together, I think about Zero Trust, and the evolution that that particular strategy has made in the last few years has been monumental. But yet still, I see lots of figures saying anything from 50% to 80% of implementations aimed at Zero Trust are gonna fail or are failing, or people don’t know where to start. We’ve learned all this stuff.
Why is stuff like this still a struggle? Why is this still a problem for folks? I think you can solve all these things. This is why I ask you these questions.
David: There’s a lot of fear. If there’s one thing you don’t wanna mess up, it’s security and controlling access to your most valuable assets. And, of course, the more you’re online, the riskier it gets.
And that’s kind of the thought that was around when Cloud came about. And some folks started saying, we can move our identities to the Cloud, and other folks said, “No, you’re not moving that to the Cloud”, staying on private, because it’s more secure, right? So there is that fear that if it’s online it’s more vulnerable.
I would counter that an identity vendor is probably more secure than any one random company, because that’s what they do for a living. So they’ve thought through all the threats. They have a recovery plan. They have, you know, detection mechanisms to make sure that their systems are not under attack.
So if I was going to implement an identity solution, I would probably buy a service from someone rather than write my own, because the odds of me making a mistake are higher than a specialist making that mistake.
But it doesn’t mean that it makes the problem easy to solve. You, as a CISO, have to think about the different threat vectors and the evolution of the threat vectors. You have to think about the malicious employee, and how you prevent the malicious employee from doing something you don’t want them to do.
Bear in mind that the malicious employee can authenticate, right. There’s nothing to stop them, simply, from logging in, because they are a legit employee. So you now do pattern detection. And, you know, behavior and anomaly detection. These are things that you have to start looking into.
You also need to make sure that you’re... and, by the way, in all the examples I’m giving, we’re only focusing on employee identity. There’s a whole other slew of problems for consumer identity, too. And it’s a different scale, because a company might have a thousand employees, or maybe one hundred thousand employees, if it’s a big company.
But if you talk about consumers, a retail company has millions of consumers. The scale is vastly different, with, you know, potential for brand damage much, much bigger.
So you have to think about the malicious employee, the malicious consumer. You have to think about the onboarding, the offboarding. You have to think about provisioning the right permissions, deprovisioning the permissions that someone no longer uses, making sure that you always have the least amount of privileges that you need.
And that’s where what we do, of course, you know, shameless plug, comes in, right. If you have a clear policy that states what users can and can’t do.
And I say users. It could also be services and clients; it doesn’t have to be humans. Then you’re going to be in better shape.
But why is it so hard?
Simply because it involves everyone at the company. You talk about developers; it involves the developers building apps. It requires that you have a good overall picture of what services, what applications, what data you have, and how you’re exposing it.
So it kind of requires, almost, an enterprise architect who has that vision, who has that understanding of what you’re exposing in the enterprise. And that’s not an easy feat.
Kelly: No, that makes sense. I think that’s quite right. And it does certainly explain a lot of the not only hesitation, but frustration with some of how people are able to move forward in this and what they want to expect, and, you know, certainly from a marketing perspective as well, right?
There’s lots of organizations that say they are the Zero Trust solution, which we know doesn’t exist. There’s no one solution that’s going to be the magic button that’s going to give you Zero Trust across your organization.
But it certainly has been one of the biggest changes, I think, in the last twenty years: Zero Trust moving from ideology through to actual pragmatic strategy that you can implement within your enterprise.
David: Yeah, I think, Kelly, to expand on the point you just made, something that we have successfully achieved in the past twenty years is largely getting rid of the authentication silos, where in the past, within a given company, you might have had 10, 20, 30 different LDAPs or ADs running around that would keep copies of who you are, Kelly, and keep copies of who I am, and maybe the same password. Maybe not the same password. Who knows?
We’ve managed to sort of get rid of those silos and have one single source of identity for the entire enterprise. That’s a huge win.
At the same time, we also, to some extent, managed to achieve authentication on multiple layers.
So going back to Zero Trust: authenticating within the app, but also authenticating within the network layer, authenticating within another layer. So that’s also interesting, because, as you go past these different layers, we’ll be able to verify your identity. That’s also fundamental.
And then, little by little, what we’re starting to address is cleaning up the entitlement mess, where, historically, we’re very much in a provisioning/deprovisioning mode, where you rely on how good the entitlements are, how good the roles are, and how good your process for enabling and disabling is.
And of course there’s lots of issues with that, such as the time to provision, the time to deprovision. That could be too long, right? And now we’re seeing those policy-driven approaches in the marketplace.
And then the standards community address the entitlement mess that we’ve been in. And I think that’s what we’re gonna see. And that’s what we’ve been working on.
Of course, at Axiomatics, for the past few years. And that’s what we’re gonna keep working on for the next few years. And in a previous podcast, Kelly, I mentioned the work that we’re doing under the umbrella of the OpenID Foundation with the Policy Charter group. We’re gonna keep doing that work.
And we’re actually getting together in just under a month at the... I keep forgetting what IIW stands for. I think it’s the Internet identity week or the identity Internet week. I keep getting the acronym wrong.
Don’t quote me on that. But yeah, that is, for me at least, one of the next steps.
Kelly: I mean, that all makes very good sense, and it really does. As soon as you started talking about just all of those layers and, gosh, deprovisioning: discussions about provisioning and deprovisioning have been around forever.
So it really is identity-first security. And that term sounds like it should be really redundant.
But it’s almost like it’s even more essential than ever, because identities themselves, while, you know, my identity certainly hasn’t changed, the way in which I’m using that online in corporate networks and things like that has changed substantially. It’s more difficult than ever to get that right.
So that’s that’s really interesting. And I think it does probably lead well to my next question, which is, what happens now? If we were to go, you know, five, ten years down the road, David, where are we going to be? Best guess, if you were to look into your crystal ball in the identity landscape, and you know again, shamelessly in the authorization landscape.
David: So I kind of have two answers to this.
So, the first thing is tied to, or they’re both tied to AI. So one thing we know is gonna happen in the next five to ten years is that the amount of data, the amount of services, the amount of clients, the amount of everything is just gonna keep on growing. We’re gonna be more and more dependent on digital assets.
Today, parts of the population do electronic health records, not everyone. Tomorrow everyone will. And, you know, ideally, hopefully, in the future, we can actually exchange those medical records between the hospitals, whereas right now, although I as a patient can see my medical records from Hospital XYZ, I can’t easily share it with hospital ABC. That’s probably, hopefully, gonna change in the future, which means a lot more need for authentication, for authorization, for data sharing consent, for patient consent, for user managed access, like UMA. All of these things already become even more critical.
So just the amount of things we do online is is gonna go up dramatically.
But the other thing is, of course, AI. And back at Identiverse 2023, I think we mentioned it a little bit more on one of the previous podcasts, Andre Durand of Ping Identity did a really cool presentation.
It was kind of funny. He was on stage, and he was sitting down, not moving, which is very unlike him, and he was talking, and he was showing some slides. And, you know, I was whispering to a peer of mine next to me, who also knows Andre, and both of us were like, what’s going on with him? Did he hurt his ankle, or what’s up with him? And actually, after five minutes of a monologue, he stands up and he says, everything you heard so far was AI. The slides were AI. The speech was AI. I did not open my mouth, and yet you thought it was me.
Trust is broken, and what that means is account recovery is going to become harder.
It used to be that if you were the CEO, or an employee of a relatively small company, you could call your admin and say, hey, Kelly the admin, I’m David, and, you know, I have this customer presentation in five minutes. I’m in a taxi.
My credentials went toast. Can you please reset the access and please set the password to “I am the best 1 2 3 exclamation mark”?
And of course, Kelly the admin, wanting to help the CEO who’s got this really important meeting, does it, right? That’s exactly the example that Andre took at the conference, with AI.
We’re not gonna be able to trust that. By the way, no one should ever do that, right. But when there is pressure, you know, when the scammers put pressure on individuals, it’s incredible what humans are capable of doing, even though they know it’s wrong. AI is gonna make that even worse, if you will, because we’re gonna think it really is that person calling.
We’re gonna think it really is our grandmother who needs $500 because she’s stuck somewhere in the middle of nowhere.
So, AI is gonna break the trust that we used to have. We can no longer trust what we see. We can no longer trust what we hear. It’s gonna become very, very difficult to, you know, discriminate between what’s right and what’s not right.
And that’s gonna create a lot of issues around account recovery. If you lose your... and account recovery in the enterprise world is not easy, but at least you could always walk up to an office and meet an admin person with perhaps your government-issued ID, and they can verify a few things about you and reset your password. But as a consumer it’s way harder. Like, if you have a PayPal account, and for some reason you forgot the password, or you lost your MFA method,
how do you walk up to a PayPal office to get that reset? It’s all online. It’s gonna be very hard to recover those accounts. So account recovery is gonna be really hard. It already is hard. But with AI it’s gonna be even harder.
And then, going further, I’m wondering, and this might be a little far-fetched, maybe a little blue sky.
But I’m wondering whether AI can get to a point where it can consume all the events we’re generating all the time and essentially do anomaly detection on the fly, so fast that maybe we no longer need security up front, but rather we can do security on the fly, because AI is monitoring the systems and is realizing there’s a deviation that shouldn’t be happening.
What’s really cool with that is, it also helps with scenarios that you could not possibly foresee like the disgruntled employee.
So, for instance, you know, in a traditional authorization scenario, you could say an employee in finance can download finance documents, but it’s really hard to put a limit like an employee in finance can’t download more than ten documents in a day, because maybe they need to do it, right. So the policy is not gonna prevent you from doing that.
The AI, however, could determine that, oh, this employee, every single Monday, first Monday of the month, they download seventeen documents. No more, no less. Okay.
But today, Tuesday they downloaded 247 finance documents, including pay slips for one specific employee who is not the same employee that looks fishy. Maybe I’m going to prevent that from happening.
So I see, there’s huge opportunity for AI to help us with better security, because it’s going to be able to listen on a scale that humans can’t.
Kelly: That makes sense. And it’s moving towards a more proactive, almost real-time-everywhere model. Whereas, you know, instead of having that constant need for, okay, stop, point-in-time analysis of things, which, right, I mean, those are almost redundant as soon as they happen, because you move a second past the time in which that has occurred, and there’s a whole new set of events that you haven’t looked at yet.
So, that would be a very hopeful way to engage AI.
Maybe that might be a good note to end on there, David, as I see we’ve covered a whole lot of information. It’s always an insightful and interesting conversation, and I think we’ve done a service to twenty years of National Cybersecurity Month and twenty years more, more specifically around identity and access management and authorization.
So thanks again for an always engaging and interesting conversation. I look forward to the next one.
And thanks to all of you for listening in. We hope that you’ve enjoyed this conversation as much as we have, and if you have ideas for a future conversation, please hit us up and let us know. Until next time, take care!