CyberWire Daily - The current state of IAM: A Rick-the-toolman episode.

Episode Date: July 1, 2024

Rick Howard, the CSO, Chief Analyst, and Senior Fellow at N2K CyberWire, discusses the current state of Identity and Access Management (IAM) with CyberWire Hash Table guests Ted Wagner, CISO at SAP National Security Services, and Cassio Sampaio, Chief Product Officer for Customer Identity at Okta.

References:
John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Palo Alto Networks.
Kim Key, 2024. Passkeys: What They Are and Why You Need Them ASAP [Explainer]. PCMag.
Lance Whitney, 2023. No More Passwords: How to Set Up Apple's Passkeys for Easy Sign-ins [Explainer]. PCMag.
Rick Howard, 2022. Two-factor authentication: A Rick the Toolman episode [Podcast]. CSO Perspectives Podcast - The CyberWire.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
Rick Howard, 2023. Cybersecurity First Principles Appendix [Book Page]. N2K CyberWire.
Rick Howard, 2023. passkey (noun) [Podcast]. Word Notes Podcast - The CyberWire.
Staff, 2023. 2023 Gartner Magic Quadrant for Access Management [Report]. Okta.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. In June of this year, I attended the Rocky Mountain Information Security Conference. I was there to present the Cybersecurity Canon Hall of Fame Awards to the two 2024 inductees.
Starting point is 00:01:35 The first was one of our cybersecurity founding fathers, Dr. Eugene Spafford, for his book, Myths and Misconceptions. 40 years of cybersecurity wit and wisdom contained in one easy-to-read book chock full of hard-won knowledge over the course of an amazing career. And people wonder why I read books. Well, let me tell you, because in just a few short hours,
Starting point is 00:01:58 I can be exposed to an entire career of knowledge, Dr. Spafford's, for instance, without having to go through the pain he did to get it. I'm reminded of the quote from the great philosopher Socrates, employ your time in improving yourself by other men's writings so that you shall gain easily what others have labored hard for. Or more to the point, from Otto von Bismarck, the man who masterminded the unification of Germany in 1871, any fool can learn from experience. It's better to learn from the experience of others. But I
Starting point is 00:02:32 digress. The other winning author at the ceremony was Andy Greenberg, the fantastic Wired magazine journalist for his Tracers in the Dark, the best cybercrime book I've read in over a decade. After the ceremony, I was loitering around the book signing table. Greenberg and Spafford were signing their books for anybody that wanted one. And who did I run into? Well, my old friend and colleague, John Kindervog, the originator of the Zero Trust idea back in 2010 for his paper, No More Chewy Sinners, Introducing the Zero Trust Model of Information Security, which got me to thinking about the current state of zero trust.
Starting point is 00:03:11 You all know that we published our first principles book last year. In it, we included a one-over-the-world diagram that captures all the strategies and tactics we covered in the book. And just so you know, to get ready for our presentation at RSA this year, the N2K art director, Brigitte Wild, gave that diagram a complete makeover. And I have to tell you, it is gorgeous. You can check it out at the book's website at n2k.com slash cybersecurity first principles book, all one word.
Starting point is 00:03:41 Scroll to the bottom, find the Zero Trust Strategy blue balloon, bottom left corner, and then follow the blue line up to the possible tactics that you might deploy in order to pursue the Zero Trust Strategy, like vulnerability management and SBOMs, just to name two. But what is not obvious from looking at the diagram is the importance of the identity and access management tactic. You can execute all the other tactics completely, like single sign-on and software-defined perimeter, but unless you absolutely nail identity and access management, your zero-trust journey will be stuck at the starting line, not making much progress. Ted Wagner is an old Army buddy of mine. We've been friends forever, and he and I
Starting point is 00:04:22 worked together in two different organizations, not to mention that he was one of the first people I called to be a regular guest at the Cyber Wire hash table. He's been the CISO at SAP National Security Services for over eight years. Here's what he had to say about the importance of identity and access management. Every time I think about identity and access management, it always makes the hair stand up on the back of my neck because it's so foundational to everything that we do. I feel my pulse quicken because I know it's so central to the things that we do in security
Starting point is 00:04:57 and so critical in securing our environments, our workloads, and our networks. And that's exactly right. So with all that said, I thought it was time to take another look at identity and access management and see if we can determine the current state. So hold on to your butts. Hold on to your butts. This is going to be fun. My name is Rick Howard, and I'm broadcasting from N2K Cyber's secret Sanctum Sanctorum studios
Starting point is 00:05:39 located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. Cassio Sempao is the Chief Product Officer for Customer Identity at Okta, an identity and access management platform, IAM, that provides secure authentication and authorization services like single sign-on, user authentication, access management, and user provisioning. I ran into Cassio at the annual RSA conference in San Francisco and asked him to write the Twitter line,
Starting point is 00:06:28 280 characters only, that explains the current state of IAM today. Yeah, I think a Twitter line would be a little bit, maybe I should call it an X line. The way we see the identity and access management market is that it's now pretty well defined in between two classes of problems. You have a workforce or employee identity problem, whereas everything is about policy.
Starting point is 00:06:52 The company defines a policy, employees follow those policies. And you have a customer identity policy problem, which is very different, where it's about user choice, it's about creating the right incentives for users to adopt the different security intent that those brands want in order for users to get what they want from their consumer experience, but still in a very secure and compliant way. I like the way you divide that into two buckets, right? Because on the consumer side, it's not just one identity I'm managing. I might be managing a hundred different, you know, whatever that is,
Starting point is 00:07:29 you know, I'm Rick Howard, podcaster for the Cyberware, but I'm also Daisy Mae, the, you know, seventh level elf in my Dungeons and Dragons group, right? So I need a way to establish identities for both of those identities and make sure they don't mix. Okay, that, you know, somebody can't figure out that the podcaster in the Dungeons and Dragons person is the same guy if I don't want that, right? So that makes the problem exponentially more complex, does it? Or am I exaggerating that? No, I think it's actually a very, very interesting point of view that you just brought up, Rick, where if you think from the point of view of like any consumer brand, you really want that single point of view of each one of your consumers. Because that will allow it to provide better personalization, like to tailor offerings, like provide the right user experience. Not every user, not every consumer is expected
Starting point is 00:08:26 to behave in the same way. But you also need to respect the fact that users may not want that same relationship back. So which is why when we think of customer identity, we always think of giving users or consumers absolute control of their profile, absolute control of their settings. Everything should be opt-in, both because that's where compliance is moving. The best way to adopt compliance
Starting point is 00:08:52 is to just self-regulate yourself, just adopt, do the right thing first. Don't wait for regulation to come down your way. So give users control of that and let users decide what's best for them. So give users control of that and let users decide what's best for them. We've had quite a history of trying to figure out who that person is on the digital line. It goes all the way back to the early 1960s with the invention of the user ID and password.
Starting point is 00:09:25 And it's amazing to me that still after 60 years, it's still the dominant way to log into places. I'm reminded of the old 1982 Star Trek movie, The Wrath of Khan. I'm a bit of a Star Trek nerd, as you all might know, and I say that The Wrath of Khan is the best movie in the 13-film franchise. And I'm prepared to die on that particular nerd hill for anybody that wants to challenge me. In the movie, Captain Kirk, played by the indomitable William Shatner, breaks into another starship, the Reliant, by guessing its five-digit password. Not five characters, five digits. Reliant's prefix number is 16309. I don't understand. You have to learn why things work on a starship. Each ship has its own combination code to prevent an enemy from doing what we're attempting. Using our console, Tord are reliant to lower her shield. Assuming he hasn't changed the combination, he's quite intelligent. Fifteen seconds, Admiral.
Starting point is 00:10:23 Khan, how do we know you'll keep your word? Well, I've given you no word to keep, I know. In my judgment, you simply have no alternative. I see your point. Stand by to receive our transmission. Sir, lock the phasers on target and await my command. Phasers locked. Time's up.
Starting point is 00:10:52 Here it comes. Now, Mr. Spock. Sir, our shields are dropping. Raise them. I can't. Where's the override? The override. Fire.
Starting point is 00:11:20 Fire. Fire. Fire! Fire! Five-digit passwords for starships notwithstanding, we really have come a long way in terms of having confidence in identifying who that person is on the network. We have other choices these days. In the first principles book, I organized those choices on the road to cybersecurity nirvana, with the least effective at the beginning of the journey to the most effective at the
Starting point is 00:11:49 end. In sequence from least effective to most effective, they are email verification, SMS verification, authenticator soft tokens like the Google Authenticator app, push authentication like from Google, Apple, and others, passkey, and finally, FIDO2 hard token universal two-factor authentication systems. Actually, we published the book before Passkey was really a thing, so it's not in the diagram. But if I was doing the diagram today, I would have Passkey right before the hard tokens. So, like I said, we have options.
Starting point is 00:12:21 But as a profession, we haven't quite made the turn. We haven't eliminated passwords yet, but you can see that we will eventually make that happen somewhere down the line on the road to cybersecurity nirvana. Here's Casio. Let's think aspiration. I mean, eradicate passwords, because we all know passwords are insecure.
Starting point is 00:12:40 In the case of our fellow, like Captain Kirk, being able to exploit that in the ship. But it happens all the time, increasingly, and particularly in consumer and other customer identity apps. But we believe, I believe, the technology is here now to solve this. You have a myriad of options. And it's not only about... And that's not only about... world of cybersecurity. If you want the full show, head on over to the cyberwire.com slash pro
Starting point is 00:13:26 and sign up for an account. That's the cyberwire, all one word, dot com slash pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level-up resources like practice tests. With IntuK Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro at intuk.com and we'll figure something out. I'd love to see you here at Intuk Pro. Here at Intuk, we have a wonderful team of
Starting point is 00:14:21 talented people doing insanely great things to make me and the show sound good. And I think it's only appropriate that you know who they are. I'm Liz Stokes. I'm N2K's CyberWire's Associate Producer. I'm Trey Hester, Audio Editor and Sound Engineer. I'm Elliot Peltzman, Executive Director of Sound and Vision. I'm Jennifer Iben, Executive Producer. I'm Brandon Karf, Executive Editor. I'm Simone Petrella, the President of N2K.
Starting point is 00:14:52 I'm Peter Kilby, the CEO and Publisher at N2K. And I'm Rick Howard. Thanks for your support, everybody. And thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
