Zero Trust or Bust

Real-World Implementation Without The Hype

Jun 23, 2021, 1:30 PM to 2:30 PM EST

Key Discussion Takeaways

Now more than ever, online security is a necessity. With the shift from the office to a remote-worker environment, maintaining a Zero Trust environment is key to preventing a breach of data distributed across cloud environments. Protecting a business from that threat begins with the company's security framework. A business needs to protect its assets at large scale while also ensuring compliance with certainty. A solid foundation of authorization, authentication, and continuous security is what a business needs to protect its assets from the inherent risk of data breaches.

In this virtual event, Mike Kiser, the Global Strategist and Evangelist, Office of the CTO at SailPoint, discusses the importance of security for the cloud environment with Greg Irwin. They explain how a solid foundation can protect identity in different online applications. They also talk with other specialists in the field and discover how they utilize a Zero Trust model in their work domains.

Here’s a glimpse of what you’ll learn:

  • Mike Kiser talks about the conference, Identiverse, his background with IBM, and security governance at SailPoint
  • Mike tells the story of a customer’s massive shift to online work and the added elements of complexity
  • Implementing the Zero Trust model within the infrastructure of communication for increased security
  • The drawbacks of using VPN while working remote and changing security protocols
  • Stepping up identity verification services
  • Accessing web SAP and authentication methods
  • Mike talks about cloud governance tools that make abstraction easier
  • Seizing the opportunity of the Zero Trust Movement
  • How do you make sure control stays at a reasonable level?
  • What is the challenge of identity governance?
  • Mike discusses heightened awareness of identity protection — and how to improve your security posture
  • If you don’t know what is out there in your environment, you can’t protect it
Guest Speakers

Greg Irwin

COO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Mike Kiser

Global Strategist and Evangelist, Office of the CTO at SailPoint

Mike Kiser is the Global Strategist and Evangelist, Office of the CTO at SailPoint, and he is not your average bear. At SailPoint, they are unwavering in their commitment to protecting businesses. They protect from the inherent risk that comes with providing technology access across today’s diverse and remote workforce. 

Mike has held an array of positions — including a security strategist for IBM for 16 years — and he has designed, directed, and advised on large-scale security deployments for a global clientele. Mike is a “chronoptimist” and has an appetite for needlessly convoluted verbiage. 

Event Moderator

Greg Irwin

COO at BWG Strategy LLC

Discussion Transcription

Greg Irwin 0:18

Mike, great to see you. So I understand you're actually at a conference. Yes, I'm close to the place. So give us an intro, please. Sure.

Mike Kiser 0:31

Yeah, my name is Mike Kiser. I don't normally have a bear behind me, but I happen to be in Denver, Colorado, at a conference called Identiverse, which is in a very hybrid situation right now, but it's probably the largest identity conference in the States, at least. And so it's been a good week. I have a couple of talks; I'm going to give one at 1:30 here local time. But just interacting with other people in the industry and practitioners as well, discussing how to move the ball forward, actually, in things like zero trust. But it's a lot like this call: you know, half the group is virtual, presenting virtually and watching virtually, and the other half, well, a third maybe, is in person, obviously all vaccinated. How many people are there? I'm not really sure; I'm gonna guess three or 400, presumably all vaccinated, the way they're behaving. But, you know, again, privacy, it's a very complicated world we live in, right. So it's been a good week, but it's very surreal to be in person again. But I'm glad to see everybody on this call as well. So, awesome. Background for me, by the way: I worked for IBM for 16 years, doing international solution architecture for, you know, very large organizations, doing everything from identity to application security to you name it. And then I've been back in the industry for a while. And now I do strategy for SailPoint, trying to figure out where we're going, and where we can, and how to get there.

Greg Irwin 2:12

No sales pitch, but tell us. Everyone probably has heard of SailPoint, but what is SailPoint selling?

Mike Kiser 2:19

Oh, yeah, I'm not here to sell. So SailPoint is basically, we do primarily, historically, identity governance. So kind of setting policy that aligns with business policy to make sure people have the right access at the right time, when they need it. Not necessarily rocket surgery or brain science, as my 12-year-old is fond of saying, but it kind of helps with the zero trust concepts, right? Because it's helping define least privilege, and ideally least standing privilege, which we can talk about later on. But part of the whole thing, you know, part of an approach, not a one-off.

Greg Irwin 2:57

Mike, you know, I like to run these forums by telling stories. So I'm going to ask you if you could start us off with the first story. Sure. A customer who's going through zero trust. Tell us a little bit about the pain point. Where are the tough parts moving to zero trust, Mike?

Mike Kiser 3:19

Sure. I mean, a lot of it is wrapped up in the events of the last year and a half, clearly, right. The company I often think of is, you know, emblematic of most of the clients I've talked to: things changed. And things, I would say, went digital and went remote, right? We're all on a Zoom call here. Usually I don't have a bear, but usually I have the same framed infographic of Napoleon's invasion of Moscow that I always have. What that meant for this organization was that they obviously had a massive shift to online remote work, which meant there was digital. And so this involved things across the spectrum, like procurement of devices, you know, and how do you bring people in with secure devices, all the way to throwing in things like MFA. And at the same time, while those are the immediate measures, the shift to a remote worker environment, a distributed worker environment, spoke to the fact that their applications and data were also being distributed, not on premise anymore, but in the cloud, right? Their data would be in S3, or GCP, or wherever else it was. And that added elements of complexity. And so what we've been able to help out with is kind of defining that least privilege approach, but abstracting some of those complicated cloud environments. Because this company had two of the three big cloud environments that they had information in. And so that was especially problematic in terms of being able to manage identity and give an identity-centric approach for both of those environments, not just one. So it's always a turn. Why?

Greg Irwin 5:05

Why is that? Why was that complicated? I mean, I'm not sure I understand from an architecture standpoint; maybe it's an operational thing. But what's the challenge of running multi-cloud?

Mike Kiser 5:18

Sure. And in this case, and in many cases, what happens is, because Amazon and Azure and GCP and these other cloud environments have their own fairly well-defined identity and security policy infrastructure, you get a tendency to dwell too centrally on one, or drill down too far into one, rather than maintaining a holistic view of an identity of a real human, right. Like, here in AWS, for example, I've done implementations here before, and they're quite challenging, because they have identities, they have groups, they have rules, they have data and resources, you know, objects you want to control, which are great. And then they have security policies, right. And if you know AWS well, you can put security policies in like a bazillion places: on the identity, on the data bucket, on the processor, everywhere, kind of. And so it's really easy to lose track; they can conflict. And so what you kind of need, for even just one alone, but definitely multiple, is something to kind of abstract that a bit and say, are we already being coherent? Or are we crossing our wires, even inside one cloud implementation? And then if we have multiple, now, sometimes the concepts don't even line up between these two. So it's just more of a challenge of everything being distributed out and needing kind of a 360-degree single view of what your policy is, and what that policy means for a real person or a real machine identity. But process, that's a whole other ball of wax, but the same thing kind of applies.

Greg Irwin 6:56

I want to talk to you long; I'm checking over you by no, no, I find it really interesting. And it makes sense. You have to, you know, normalize the identity structures and policies applied across Salesforce and Workday and your on-prem homegrown, and then your AWS or Azure, your Google, etc., etc. Let's get right into the group. What I enjoy about these calls, in addition to speaking to guys like Mike, is just hearing some stories and bringing up some real challenges or opportunities. I don't want to be overly negative on this, so it doesn't have to be just "tell me your pain, tell me your problems." It could be "tell me your successes." So I'm going to go around our group a little bit, if that's okay. And Morgan, you're sitting right here, just to the right, at least on my grid, of Mike. Would you do us a favor? Let me put you on the hot seat here and maybe ask a question or two: what's happening at your organization around identity? Sure. Please give a little intro.

Morgan 8:05

So, Morgan, recently the director of, well, let's say was the director of. They've gone through a huge restructuring; organizationally, the IS organization decided that 90% of people now needed to be elsewhere. So back when I was there, we were implementing, on the road to zero trust, and really looking at those foundational technologies that kind of put things forward, that we can utilize to leverage the execution of zero trust. So things that weren't in house originally, say like PKI, that was something building those simple foundational items that are necessary when you start to really look at that secure communication and infrastructure. One of my goals early on, even before zero trust was kind of put out there, was that all internal communication was going to be encrypted, and PKI being kind of a solid foundation on that, right. Now, the zero trust model definitely kind of incorporates that as well, knowing that all communication is being validated and encrypted and trusted, right. That it is not just free flowing. So we were doing a lot of things like that, of really looking at what were those key pieces that we could implement early on, before really kind of going to that next step of pushing out the full, you might say, full zero trust model.

Greg Irwin 10:00

We're going to talk here, for our time on the call, about all different aspects of zero trust. What's one area you want to hear about? Maybe something that's difficult operationally or technically, that you'd like to hear some stories about?

Morgan 10:14

That have no discussion, thinking on the feedback, say, from a tech note, say, an incident or an alert or something that's been observed, and how something observed is, how are people actually implementing or utilizing that information? How are they doing that? Are they building homegrown? Are they looking at some technologies? I know there have been some platforms out there, at least some marketing talk, of how that all gets integrated. But what's everybody doing with that? Because gathering the information is one thing, but if you can identify how that's going to be leveraged to improve security, or at least kind of limit the activity until that communication is re-authenticated.

Greg Irwin 11:18

I think I've got it; I'll do my best to try and bubble it up. But I'd be interested at that. Pick somebody else's thinking here in terms of how you're addressing, you know, incidents and alerts in your organization. Morgan, let me thank you. I'm gonna go over to the other side of the top row here. John, I'm going to go John, if that's alright with you. John, do us a favor, real quick intro. And let's jump into the same story: something, a pain point, or if you want, a real success around your zero trust journey.

John 11:57

I'm the director of custom software engineering within IT. There are several applications that fall into my portfolio. Single sign-on is one of them. So we use Ping Identity as our VPN, using PingID as our single sign-on solution for the last several years. It's been single sign-on plus MFA. What I find a bit interesting, I'm more curious about, is this entire notion of zero trust as a switched paradigm. The focus seems to have shifted from trying to figure out what's the right level of access, managing everybody's access coherently. With this COVID situation it's become, now everybody's working from home. It's more about how do you restrict people to the right machines now, because people are using their own laptops, people are using their own devices. And now people are finding VPN, like typically, at TIBCO Software, it typically used to be about 98%, or 95%, working from the office, and 5% was roughly remote, of course, except for the sales guys who work in and out. But now it's like everybody's remote. And everybody hates VPN, because they have to log in to log in and access. So now there's a lot more going fast, because partly it's easier to infrastructure, and partly it's because, yeah, it's convenient. Just go into Workday, anywhere, no VPN, your things. So people think of it as a benefit. But there are drawbacks. So I'm more interested in what's the thought process now in terms of, you know, this, because this seems to be going to be the trend for some time. I mean, there's going to be probably a hybrid situation where, you know, people are going to be asked to come back to the office at least part time, but the general population is going to be remote in some form or the other. So what does zero trust mean to people?

Greg Irwin 14:09

I'm not entirely following. Is the question, because somebody's dialing in now from their teenage son's laptop at home, does that change the security protocols that people have in place?

John 14:26

Because there's a lot. I'm not part of the infrastructure team in IT, but the infrastructure teams are heavily concerned about that, because up until pre-COVID it was about application consistency, but now it seems to be even more. So I'm more interested in what's the perspective, what is considered important in the zero trust, or building trust, you know, scenario now. That's what I'm more interested in, what's the perspective. No,

Greg Irwin 14:54

Going for my picks, pick up some of the best, and then I'm going to ask the group, and while Mike is answering all that, I'll ask everyone to multitask and drop your own comments here in the chat. How has work from home changed things? Or maybe it hasn't, but at least in your organization, to what extent has work from home changed some of the priorities related to, you know, access and identity security procedures? Mike, do you have your hand up? Do you want to jump ahead here?

Rod 15:28

Yeah, if that's okay. So by way of introduction, everyone: Santander is the fourth largest retail bank in the world, 150 million clients, mostly in Latin America, parts of Europe, the US. We have to take zero trust very seriously, because we're protecting something like 3 trillion in assets. And we have to make sure that both big companies and grandma have all their savings there when they need it, right. One of the things that, in order to facilitate zero trust, what you need, or what we've found, is an engine to be able to step up, and constantly, in real time, analyze the risk associated with whatever somebody is doing anywhere in the system, and then step up the authentication capabilities that we do on the individual that's accessing whatever it is, whether it's somebody from a systems perspective, or somebody who's a client. One of the things that we're also doing, and folks may be interested in, is trying to pull together something that we're calling the Open Digital Trust Initiative. It's the idea of turning banks into institutions that can provide identity verification services. It's something that exists in the Nordics already; it's called BankID. And the idea would be that in your environment, it doesn't solve all the problems. It solves some of the problems, but not all the problems. But in your environment, if you have the right risk engine, and you want to do that step-up authentication, you can actually call out to an API that allows you to get whoever's bank, and that bank goes through the full, you know, I scan your face, I look at the way you tilt the device. In Mexico I can get your fingerprints; in Brazil I can get your thumbprint and do voice, real-time liveness detection, bot detection, and we can put insurance behind it and say, that's really Mike trying to log in right now. And we'll guarantee it.
Now, what you do with that information at your end is part of what your zero trust environment should be, and how you can step up and do it. But there's lots of pieces to this puzzle. We're interested, in our environment, in getting participants to participate in this open standard. It's an extended OpenID. So it's not any central company. It's free. Anyone can use the standard in any context. But it is a thing we're interested in, and we're interested in partners. So if you're interested, please reach out to me. But it's also an illustration, Greg, as you asked, of what it means to do really complex step-up authentication, and to facilitate a real zero trust environment, which is not easy by half, and legacy things that we created didn't envision this. We have to wait. There's a lot of technical debt to pay.

Greg Irwin 19:03

By the way, Rod, thank you very much. And absolutely, I take your offer and request earnestly, and I'll push it in a group that people want to learn more on the Open Digital Trust Initiative. Let's do it. Let's see if we can find one or two groups here that might like to explore it. Let's keep going around here. By the way, guys, please use the chat window. Obviously, in an organized fashion, only one person can speak at a time, but chat everyone can do at the same time; it keeps everybody involved. I like the sidebars; it keeps everybody active. So please use it throughout. And Andrew, I'm sorry, that's Andrew Leaf. Let's get you in here. Tell us a little bit about that balance between both security posture, as you say, versus giving the flexibility for that employee who, you know, doesn't have their work computer but has to use their teenage son's, and how you accommodate that, and what you do about that thing.

Andrew 20:12

I'm Andrew, focusing on workforce, so anybody who does work on behalf of Principal. And during the pandemic, we have a global workforce; we have a lot of people from around the world that had to suddenly work from home. And there were many people who were used to coming into an office, had desktop computers, hadn't been issued laptops, anything like that. What we did was we actually set up a VDI infrastructure for those individuals, for them to log in from whichever device they wanted. Essentially, with the VDI, we get to protect the data, the DLP protections of, you know, not being able to copy and paste off of it. Obviously, somebody can take a picture with a phone of data that's on there, but not being able to copy it onto the device. The keyloggers are still a problem. That was a risk that we kind of accepted for the short term, and then tried to get everybody issued laptops in a laptop-scarce world.

Greg Irwin 21:18

We're happy to have you. Had there been issues with rolling out VDI?

Andrew 21:24

We had some issues rolling out VDI initially, but a lot of those were fixed with some patches from Microsoft for Teams. We're a Microsoft shop. So once we got some of the patches, and we worked with them, we've had relatively good experiences with VDI, even working through the chat software.

Greg Irwin 21:43

Cool. Very cool. I appreciate that. Perfect. How about Akash? Akash, same question as with Andrew: what have you done to enable more remote employees, or an increased number of remote employees?

Akash 22:02

Yeah, so I'm the director of IT. We're a FinTech startup. And we're cloud native. Everything is in the cloud. We're a startup, and there's still a lot of growing pains. One of them is just trying to, you know, the buzzword of zero trust, it's out there, everybody's zero trust, zero trust, zero trust. What does that really mean? And how does that apply to what we're trying to do? And trying to explain that to management was a bit of a challenge. We're still going through it. We do have, you know, certain zero trust-like features that we're implementing, and I've kind of assisted our infosec department as well. We're working very closely with the CFO. And, you know, we're continuing to push forward with, you know, implementing. And we don't allow BYOD; we're trying to make sure that employees don't use that. So we're using device trust with our identity providers. And we're also a Mac shop. So we're, you know, all Mac, everybody has a Mac, so we can control that through various management tools. And we use author, so we kind of tried to device trust, and provide. Akash, how many employees? When I started, we were about 85. I think we're about 170 now, so we're growing pretty quickly. That was about eight months ago. So it's a pretty rapid growth rate right now. And I don't see that slowing down anytime soon. So there's a lot more work to do. But we're trying to make sure that we do it in a way that we're a secure model, especially because we're a financial institution again, just like, you know, Rod mentioned earlier, right. So that's truly important, that, you know, we ensure security as our number one feature, right, so,

Greg Irwin 24:13

Yeah, excellent. Akash, thank you. Let's get one more and then we'll change the thread. Terrence. Terrence, I see you here. I'm not sure you're on with us. Are you with us? I am. Hey, nice to meet you. Give them a little intro.

Terrence 24:31

Yeah. Terry, and I lead identity. Who?

Greg Irwin 24:38

I mean, that sounds like a big place. It's a little bit of scope.

Terrence 24:43

Yeah, we have about 40,000 employees. We have roughly 7,000 contractors that access our systems regularly, and I would say, on the zero trust journey, it's interesting to listen, and I'm definitely in a very different industry, but when I listened about Santander, like, boy, would I love to get to that. You know, I think we're doing kind of the basic blocking and tackling right now. Our goal is, if you're coming from a General Mills device that's got a certificate on it, we're not gonna enforce MFA on that; if you're coming from anything else, we're going to apply MFA. We're there in terms of that philosophy. But we do have some applications that are externally exposed that we're still working through to get MFA in front of them. And some of that is just that, like SAP is an example, where we have contractors accessing web SAP, we really want to put MFA in front of the portal. But you're dealing with authentication methods that don't always play nice with Azure; we're a big Microsoft shop. And so for us, identity, we do have one, we use single sign-on for nearly everything. And that could be facilitated through Kerberos or SAML, which, you know, has its benefits. So we've got one account type for everybody. And we've been that way for a very long time. So that makes that fairly straightforward to manage. Where we've got more challenges is as we get into hybrid cloud, and we accelerate our path into the cloud. And we're multi-cloud as well. We use Azure Active Directory as our federation source. And we're finding that it works pretty well, but it's certainly not seamless. GCP is our second cloud that we do a lot of work in, and then in China, we use Ali Cloud. So I would say if you asked me what keeps me up at night, that does, because of just the lack of visibility to everything that's going on there.
And I think it was actually Mike that mentioned, you know, the fine-grained entitlements in GCP. He was talking about Amazon; the same thing applies in GCP, same in Ali. And how do you have visibility to that? How do you manage that? You know, and then as others have talked about zero trust and geolocation and behavioral and step-up authentication, there's always that balance of, you know, you don't want to create too much friction, but you also want to be very secure. So I think we're very early on our journey. We've got a lot of other, I would argue, basic blocking and tackling that we need to address, you know, before we even get to that.

Greg Irwin 27:47

Terry, what's one initiative you're working on across kind of a two-year time frame? You know, a big improvement. Maybe it's, you know, maybe it's MFA across the board, maybe it's governance. What's one thing?

Terrence 28:04

I'm going to give you two; I'm gonna cheat. Yeah, it's MFA across the board, so continuing to expand that. And then the second thing is just, it's cloud governance. Now, we're not necessarily responsible for the governance suite; it's really management of identities. But because we want to move very quickly from our on-prem data center to cloud, that's very much top of mind. And we'll probably start looking at CIEM tools this summer. And hopefully that will help us manage. You know, I'm less concerned about Azure, because the tools are better; I'm more concerned about GCP. But those are the two big things on our mind.

Greg Irwin 28:49

I'm going to demonstrate my ignorance: what aspect of cloud governance are you thinking about? I'm not sure I'm getting what the problem to be solved is with cloud governance.

Terrence 29:00

Yeah, so specifically around the infrastructure, it's the risk piece. We don't have good visibility to, like, all the service accounts or all the permissions that are being granted. And so with all those fine-grained permissions, one of the things we're looking to get from, you know, a CIEM tool is that ability to, and maybe even go all the way to automating it, but to be able to monitor the permissions, monitor what's being used and not being used, making those recommendations. That's the thing I like about that. And, you know, I'll be completely transparent: we are a SailPoint IdentityIQ shop. We're virtually through our implementation of that. And so, you know, we're looking at ways to continue to expand the use of that platform.

Greg Irwin 29:51

Awesome, and good answer. Mike, tell us how some of your clients are managing cloud governance and visibility into the different permissions of, you know, system access across the different clouds. Yeah,

Mike Kiser 30:11

Let me start by saying the reason I like being at this conference in particular is because it's not just vendors; it's a lot of practitioners, my friends, who have been doing this stuff for years and years, by which I mean to say that you guys talking to each other is way more important than anything I can really say, because it's not my job, right. My job is not to make an implementation successful; it is secondarily. But the relationships here, I would weigh y'all's advice to each other much more highly. In response to the cloud governance bit, there are a couple of tools. There's one that actually abstracts all that logic from those hybrid clouds and puts it into an interface where you can actually see how things relate, and makes that abstraction quite a bit easier. And then MFA, you know, it just depends on the vendor. And that's more of a policy kind of approach. I think, with zero trust, it always kind of bugs me, the term itself bugs me, because it's not like we shouldn't have been doing all this from the first place, right? No one set out saying, let's give lots of access that no one needs to everybody at the wrong time. Yeah, like that, I mean, you know, I mean, and I'm glad for the marketing, you know, but there's all these people who are like, if it's behind our firewall, it's safe. And it's no, it's not. A firewall, it's just as dangerous as everything else, right. That's my point, right? It never was. And people were living in a false reality, so doing architecture backwards. Yeah. It's always usually defense.

Rod 31:58

It's not "was living." Most are still; I think that's the fair thing to say. And we still have a lot of education to get there too. I don't know if anybody else experiences this. But yeah, I'm on board with you, Mike; I agree with you. It's just, it's worse than you think.

Mike Kiser 32:17

I think that this moment, for a lot of my clients, this moment is an opportunity to be seized in a way, because the combination of COVID and zero trust meant that now, if the board wasn't paying attention to you before, they are now, and you get an opportunity to put in band-aid things like I talked about, people throwing in MFA right at the last minute, or people, I've had clients find out, yeah, they didn't really stress test the VPN until everything hit the fan, and oh, crap, now we're in trouble, right? But then also, there's an opportunity for innovation and saying, okay, let's not just bring up, let's not implement things that are bringing us to more of a modern technology. Let's look into the future and see what we can implement. So to Morgan's question earlier, he's dead on right. What I think he started talking about is, you can have all the data you want about people. But if it's not real time and not communicated in real time for access decisions, then you're not really doing what you might call zero trust in the moment, right? Because what you want to be, Dreamworld on some level, but it's distributed, real time, at scale, which means you need some kind of mechanism to communicate changes, right? If I have some attributes about my identity, or me changes, right, change devices, or whatever else, ideally I want to be able to communicate that in session. I don't want to wait until the next time the person logs in. If I change devices, or if some attribute changes about me, if it's dangerous to a particular relying party, I want that rolling pretty good. No. And I want to be able to nuke that session from orbit before something bad happens, right? So for Morgan, you might want to look into an open standard that's being developed as part of the OpenID Foundation called Shared Signals. And it tries to do just that.
What it does is it sends notifications between where you are and where you start the session and relying parties, as kind of a distributed web, so that everyone knows stuff about the identity, and you can broadcast out and say, look, this account has been compromised, or this identity has been weakened. We're not going to tell you how to deal with it. But we want you to know, in case you need to do something drastic, right. And so identity governance is another part of that web, but it's distributed, which is key, you know,

Morgan 34:42

Yeah. And I mean, being able to kind of feed that into your IdP and your identity governance and your, basically your ID see, your internal firewalls and whatever else controls you want to have on that. That's going to be the impact.

Mike Kiser 34:59

Right. And so, you know, that's a work in progress, right? You can't just throw that in immediately. It's already at least beta in Azure. So for example, the standard has already been supported internally for Azure AD, for instance; we have hooks into it as well. It's an open standard, but it's, you know, it's something to know about, and some people don't know, because it's relatively new. But so keep your eyes on it.

Greg Irwin 35:22

Excellent. Innovation for a second. Look, we're here with SailPoint. So let's talk about governance for a moment, Mike. It's a simple question. How are your clients, to what extent are your clients using AI or ML to really simplify some of the management of the moves or the adds or the leavers, and basically make sure that, you know, the data and the access control stay where they, you know, at a reasonable level? It depends on the business, and that could be a loaded question. But I'd like to know in terms of, you know, how truly effective this stuff is, you know, what the promise is?

Mike Kiser 36:07

It can be really effective. But you have to commit to it. I think, as my answer. The idea, you heard me talk earlier about these policies, and these decisions being made distributed and at speed and at scale. Yeah, you're going to outstrip humans, you're going to outstrip static policy really quick. And so using ML not as a marketing banner at a booth at a conference, but in more of a real concrete way. It's getting all the data that's going on, seeing identities and their access, their attributes, and as much of their behavior and condition as you can get into your collection. And then you figure out what's normal, right? Sometimes that's good. Sometimes it's bad, right? You don't always, just like when you do a role development program, you don't say, well, what are your roles today? Let's use those. You want to think about it a little bit, right. But if you're doing that from the beginning, then you have these groups of normality where, yeah, everyone in engineering has basically this set of access. And why does this engineer have access to our customer database? That's messed up until you can prove that. And so I think they're getting benefit. But it's just like the process we've seen over the last few years, like 10 years ago it was big data, big data, big data, we need all the data we can get. And then it turned into, okay, now let's use that data. And so that's kind of the phase we're at. You have to be able to have all the data collated, and the visibility that we talked about before into the dark places in your enterprise, but then you can start to use that to automate stuff. In other words, if I know what's normal, then I don't have to ask for approval necessarily for every request for access or for every decision, because I can have ML learn what's normal, what's not. And then I just ask my humans about the border cases. And it's reinforcement, if you do it the right way.
I have a whole talk about how this relates to the Sting song, "Every Breath You Take." It's a whole thing. But if you do it the right way, you can have human learning and machine learning inform each other. Hello.

Greg Irwin 38:20

Can I ask the group, is there? How big of a problem is this? At least for organizations? Maybe this is, you know, hey, it may be one of those situations where it's an ongoing problem in constant iterative improvement. Or maybe this is something that people can really make some progress with and take a load off of the teams. I'd love to hear in chat. Or if somebody wants to raise your hand and tell the story: how much of a challenge is identity governance? Across words, someone want to share a story, good, bad or ugly? We have data on it. Oh, cool, Rod.

Rod 39:05

It's scary. McKinsey says that if we solve identity globally, we increase GDP in developed countries by 3% by 2030, in developing countries by up to 13% by 2030. If we can figure out how to verify the identity of people in a digital space, from our perspective, we wipe out globally 1.5 trillion in fraud and crime, financial crime. Oh, wow. We all see it personally every day, right? It's the spam phone calls. It's the misinformation. It's the global problem that we've had with trying to get a clear bead on how to handle the pandemic. It all comes down to who is the person who's on the other end of this anonymous digital channel. And by overemphasizing anonymity, we've created an environment where anonymity can be weaponized, and it is weaponized. But the job I did before this, one of the things I did, some of you may know, was I co-founded npm, which is the package manager for Node.js and JavaScript. So about 20 million developers every day use that code, or use npm to install code. It's how they build everything, right? Every one of the systems that uses JavaScript, somewhere along the line, somebody npm installed the package; they don't write it from scratch. Who wrote that package? Who wrote the package that that package was dependent upon? It's the easiest way to create backdoors into every system, whether it's military or three-letter agency or otherwise, is just to go and start hacking these open source packages that people then blindly install. It's crazy. But it's amazing that what we don't have, in addition to information on scanning the code itself for possible hooks and exposures, is who wrote it. Hmm, not an end. You know? No, I don't want to single things out. But if I'm running a US government agency, I'd like to know if my code was written by Russians. Pretty simple. Yeah. Yeah. If I can prove their identities, Russians, I'll do an extra double check to make sure it's okay. Could be brilliant. Great, like nginx?
Or it could be a backdoor.

John 41:49

Yes. Yes. Rod, thank you. I had a question on this perspective. So from an enterprise perspective, that is a great thing, because we try to protect, each enterprise protecting our own assets, but on a global front, when we try to enforce digital identities, and no, is that gone? Do you guys, like banks, for example, work with people, while you do need to have the need to authenticate? Does general need for not tagging me? Privacy? Not with that? Do you guys see that becoming an issue? Yeah, I

Rod 42:30

know that flips, right. And that's also part of the big effort that we're doing, which is to say, it needs to be you who's in control. We need to change the paradigm from double check everything about me, I'm some random person that made some claims, now you have to do behind the scenes checks, to how can I show up and prove to you that I am who I claimed to be, which is just to opt in and to give me, as the individual, the control. But all of this is rudimentary and under the scene, so that the workflow is really simple. You know how you log in with Google or log in with Facebook? The idea now is you log in with your bank ID. You have a little message on your site that says, hey, you're logging into, on your phone, in your banking app, that says you're logging into John's site. Do you want to share this information with them? You say, yes, I want to share that I'm in the US. No, I don't want to share my specific address. No, I want to tell them that I'm over 21, but I'm not going to tell them my exact date. Okay. Sure. Sure that,

Mike Kiser 43:31

But yeah, I think John's right. Control. John's right. There's a balance between privacy and trust. Right. And I think it's coming. And I think, even with like the recent Apple news of, you know, them supporting basically a digital wallet where you could use your iPhone, if you have one, to show your ID at TSA. They're going to, there are changes coming, including the death of third-party cookies, which is going to do, yeah, potentially horrific things to single log out per SAML and other things. But our jobs from an identity governance perspective will still be the same. Once the user is authenticated, then we know how much we should trust them, which conditions, what the policy says they should have access to, right. So a lot of times I think companies will have their own authentication systems. It's just going to depend. I think it's going to devolve later to user-centric rather than enterprise-centric identity, which has other implications beyond the scope of this call, for sure. But it does heighten awareness; the idea that people are thinking about their privacy means that they're more invested. I don't have to explain facial recognition protection to people, which I've done some research on, on my side hustle; they get it, they want privacy, right. My friends and family want security as well, right? They don't want their accounts compromised and their money taken at the same time. That's not really their motivating factor. I don't think their motivating factor is, I want to get in, and I don't want to type my password, or I don't want to remember something that I know or pull up. Even, I don't like YubiKeys. I think they're great. But it's a pain every 30 days to plug it in and do my thumbprint. Right, if I can get in by just looking at my device, that's perfect, right? Because now we have strong authentication. And it's easy; it's a benefit to the user because it's easier to use.
So even as we implement these identity governance things, that's one of the benefits, I would say to Greg, is, that's one of the reasons I like the ML usage. It's pre-deciding what you need. And if I need additional access, I can request it. And ultimately, the machine learning model can kind of answer those questions about the policy. And I don't have to wait for my manager in who knows what location to check their email and do stuff. It automates it, it speeds it up, and fly benefit comes faster to use. And I'm still secure. The more we can, in summary, the more we can channel people into more secure methods of accessing resources, either on the front end or the back end, that increases their security; that's full of wind. And I think that's the only way to really afford. I'll get off my soapbox.

Greg Irwin 46:20

Oh, Mike, I'm going to switch gears here for a moment; we've got 10 minutes left. So these calls can go different ways. Sometimes they can just kind of peter off: we've had a good run for 15 minutes, then people start thinking about their next meeting and start multitasking. Or we can finish strong. Let's finish strong. All right. So let's make good use here. It's a phenomenal group that's come together; let's take advantage. Mike, one question that's self-serving for an identity professional: identity is a really, it's not the most glorious job. You know, when you make headlines, it's typically not for a good reason. So the question I've got for you is, is there something that you see any of your customers doing to demonstrate performance and efficacy in a positive sense? So reporting in a way that shows, you know, least privilege access, you know, adherence, and we're doing and we're achieving? And just because we haven't had a breach doesn't mean that we haven't made notable improvements in our operations and security posture?

Mike Kiser 47:34

Yeah, I would say that the biggest thing is having time, being able to communicate to your constituency; often that's the board. And so I've seen people pulling metrics and using dashboards to actually provide their CFO, or whoever else is interested, a real-time dashboard that says, look, here are the transactions that are going through, here's our throughput, here's how fast the system is going, here is the timeline from someone being hired or changing jobs to productivity, here is the time that it takes for someone after they are terminated for their accounts all to be suspended throughout the organization. So there's a lot of this kind of operational metrics that show they're making progress, even because you're right, that we didn't get a breach, yay, I mean, that's definitely a valuable metric until it's a really valuable metric. And so using more incremental things, and especially in ways that people can understand, right, if they can't understand what you're talking about, or see the value in it, then they're not gonna care. Get their buy-in, find out what their perceived need is. Sometimes it has very little to do with what's actually valuable. But I've seen customers, believe it or not, go and actually provide a custom dashboard or a one-off dashboard for their C-level that doesn't really relate to what they're doing, but it makes a C-level feel really great and secure about what's going on. I'm not saying lie to your interested parties. I'm just saying meet what they feel like the need is rather than what you prescribe it to be.

Greg Irwin 49:16

Got it. Does anyone else have a story of how you're demonstrating performance on this never-ending journey that actually can justify, or more importantly, I honestly, more importantly, actually prove to you that your security posture is improving? Let's, you know, I'm going to ask some others: Brandon, Daniel, Chris, Akash, were you involved, Neil, someone else want to share a story about how you prove your security posture or improving security posture?

Akash 49:56

Well, I think for us it's baby steps. Right. When I came in, you know, simple things like, the wireless network, they're using a pre-shared key, right? Who does that anymore at a corporate level, and, you know, especially at a financial institution, using a pre-shared key. They just, you know, the founders are fairly new to tech as well, and don't have a lot of experience. So their thinking is, oh, we're this little, you know, little office that's not on a main street, that's hidden, you know, where we're not susceptible to being hacked, you know? And, you know, also security by obfuscation is another thing, right? They were doing things where, you know, we're just, you know, not going to display this, so, you know, we're not going to be a target, you know, and I've never believed in that kind of mentality. And so, you know, just doing little things like, hey, putting in, you know, EAP-TLS, you know, for doing certificate-based authentication for our laptops, for wireless, you know, and then making sure that, you know, instead of doing just, you know, and the other thing was lack of monitoring and visibility, you know, we had zero visibility into any traffic, you know, setting up a SIEM, setting up a CASB, you know, doing those things to kind of give us a little bit of visibility into traffic patterns and what's going on within our environment have helped. But it's still a long road, you know, that we have to go down, and there's still a lot more things left to do. So we're starting, you know, slowly and incorporating things without trying to disrupt, you know, day-to-day operations, right. So, the other thing is trying to be pragmatic and, you know, making everything as seamless and easy as possible for the end user as well.

Greg Irwin 51:52

Awesome. Good luck. And thank you, thanks. How about Daniel? Daniel, I'm not sure. Are you on here with us? Yes, I'm here. Nice. Nice to meet you. Do you have a story to share? I know,

Daniel 52:06

I know. I just did just that. What Mike said about coming up with the dashboard that the CISO might find interesting but doesn't reflect, you know, what the real status of the system is: we're working with our CISO and more importantly with the CISO team to come up with what those dashboards are. So we're taking the time upfront to understand what data they want to see and surface, and just starting initial baby steps. And what we're finding is, you come up with the first or second or third data points, and you actually see what the data in the system is that measures what the ask is, and immediately it just leads to task after task of understanding what the next level is, drilling in and finding, you know, why is there outlier data? What's going on? And it inevitably is leading to productive, you know, findings that, hey, I didn't know that was what's going on in the system. And, you know, leading you from step A to step B and C of, well, we have to have next step actions; we have to, more importantly, make business decisions around rectifying those outliers. So

Greg Irwin 53:28

Inspection, monitoring, in every way. What's one thing you're working on? One multi-year project?

Daniel 53:38

A multi-year project we're working on for security improvements. Yeah. Yeah. Adaptive authentication and device trust is what we're working on.

Greg Irwin 53:57

Everyone, we've gone around here very well. I'm going to wrap up our session here. Mike, it's always fun. I know you're back-to-back on your conferences. Any closing comments you'd like to share here for the group?

Mike Kiser 54:13

Just that, you know, everyone knows in the call, like I said, DHS, what we all should have been doing. And it starts with visibility. And several people mentioned, right, if you don't know what's out there in your environment, you can't protect it, whether on the front end or the back end with governance. So that's kind of the first step, shining a light on the dark places. And then, you know, ask, like I said before, ask your colleagues, ask your people; they're doing the same job in other places. Learn from their mistakes, encourage them, they'll encourage you; it's a team sport. Don't feel alone. That's because I'm at a conference. That's my tendency, right? I'm with my friends. So,

Greg Irwin 54:51

You know, we've had a good run on these forums, and I hope, I'm gonna invite everyone to our next one. What do you all recommend for a topic learning session like this? I'd like to figure it out right now as we're talking. What's one thing, if I set an agenda for one, you know, two months from now, six weeks from now, what would you all like to hear?

John 55:21

I think I would like to, in the short term, because mfe. And now get. So while it is a SIM, a, maybe a catch-up to Technology Center working from home: a huge amount of SaaS exists, especially existing applications that need to get covered from the working from home, and a lot of stuff is trying to move out of the VPN, because partly, maybe the VPN can't handle the traffic, and VPN arguments are going to take time. But how do we handle, what are organizations doing to catch up with this entire remote working and accessing applications which used to be traditionally within the office buildings and Nick workspaces? How are they handling that? And how are we ramping quickly? Because there are ways to do it. But what's the quickest path, and then the grander scheme of things is another, because the grand scheme will take a lot longer and

Greg Irwin 56:25

so much on cloud proxies. It's just begging a cloud proxy. Yeah, I can certainly, you know, set that up for a future security session. Absolutely. Appreciate that. Anyone else? No. Okay. We'll wrap it up. Hey, everyone. Thanks all for taking some time, sharing in a great conversation. Please use this as an opportunity to connect among yourselves. Mike, thanks so much. Of course. Thanks me. Oh, all right. Take care, everybody. Bye-bye. Thanks, bye.
