Implementing a Sustainable Zero Trust Architecture

Video Transcript
Mike Engle:
Thanks everybody for joining us today. Today, we're here to talk about Zero Trust, with a little bit of a focus on the identity side of that concept. So with that, we're going to jump right in. Today you'll be hearing from, obviously me. My name is Mike Engle. I'm a Chief Strategy Officer and co-founder here at 1KOSMOS and, Mark, if you would please say hi and let people know what you do for a living.

Mark Gamis:
Yeah. Hi, everyone. My name's Mark Gamis. I'm a Senior Vice President with Booz Allen Hamilton, and I lead some of the firm's largest cybersecurity programs in the federal civilian market, including our continuous diagnostics and mitigation that we do in partnership with DHS [inaudible 00:00:51].

Mike Engle:
Right. Thank you. Great to have you here, Mark. Thanks for joining me. Just a quick snapshot of who we are behind the companies here. 1KOSMOS is a leader in digital identity. We combine the true principles of strong identity, which is proof of identity. We'll get into some of the standards that support that, as well as the ability to use that identity anywhere. So the technologies there are passwordless and multifactor, and we're serving all verticals in all industries globally. We can apply our technology really, to anybody who uses a digital technology today, whether it's a customer, employee, citizen, resident, it doesn't matter. Mark, if you can just let everybody know who hasn't heard of Booz Allen Hamilton, what you guys do. You hinted at it a second ago.

Mark Gamis:
Right. We're a global leading technology firm, primarily focused on U.S. government, as well as commercial. We are one of North America's biggest cybersecurity professional services firms, and we deliver services to all different parts of the government, both on the DOD and the federal civilian side.

Mike Engle:
Keeping us all safe, right?

Mark Gamis:
Exactly.

Mike Engle:
All right. One shameless plug for an upcoming event that many of us on this call will be at, some of you out in the audience will be at Identiverse next week. Identiverse is a conference in Denver. It'll have thousands of attendees, probably between 100 and 200 companies there. If anybody will be there and would like to meet up, just shoot me a chat here on Zoom, or ping me on LinkedIn, or whatever, and I'd love to meet up with you. There's a bunch of other conferences, Gartner in August, and FIDO's Authenticate Con coming up as well that we'll be at. So I look forward to meeting some of our colleagues at these events. So Maureen, if you could tee up a poll question, we have a couple of questions that we wanted to ask the folks that are attending.

First one here, as you can see, is just asking if you have a formal Zero Trust program at your company. We'll just leave this here for about 10 or 15 seconds, let people pop in their answers, and then Maureen will share these results here momentarily. So I would imagine the larger the company, the more formalized the Zero Trust program is, but we'll see how this shakes out. Give it just another second. All right. Thanks everybody who answered. And then if you could go to the next one, Maureen. All right. So really, a pretty even split across those results there. That's great.
Second, do you measure how effective your multifactor or two-factor is today? I'm sure a lot of companies are doing red team, tiger team type stuff. There's a couple ways to measure, there's the effectiveness of it, but also the user experience. So we're seeing more and more companies start to measure the user experience side of security, which typically has a terrible score. Mark, I don't know what it's like over at Booz Allen, but I'm sure there's a couple hoops you have to jump through to get in and access systems. Otherwise, the bad guys could get in easily, right?

Mark Gamis:
Right. We're pretty buttoned up. We've got a great CIO and we've put in a lot of the same principles that we talk to our clients about, all around Zero Trust.

Mike Engle:
That's great. Yeah. I'm sure we'll see the results here in a minute, but we're about split again. So just a great mix of yeses and nos here. And we'll talk a little bit more about user experience and effectiveness as we move throughout this presentation today. So let's get into a very simple definition and Mark, I'll ask you to take the lead here on a couple of these since it's really the substance of what you do in your practice there. But, if you could just give us your elevator pitch of what Zero Trust is, and then we'll get into some more detail on the next slide here.

Mark Gamis:
Sure. So by definition it's: always assume breach, don't trust anyone, and then definitely incorporate the idea of least privilege. A lot of these things in our work seem very fundamental, but it's also surprising how little some of these paradigms are actually implemented. I think a lot of organizations have the base capabilities in place, but getting to Zero Trust in our opinion is definitely an architecture and engineering initiative. And as we'll talk about in a couple of minutes, we've got all the basic capabilities in place, but it's bringing the connection between those capabilities to get to Zero Trust milestones so that we understand who the person is, what knowledge they have, as well as combining that with biometrics, and hopefully getting to a point where we've got a passwordless environment.

Mike Engle:
Yeah. Now, thanks for that. I've seen Zero Trust get depicted as pillars and discrete disciplines or areas of focus. I really like this next slide here that comes from Booz Allen's approach. So walk us through this Mark, if you could. This is [inaudible 00:06:44].

Mark Gamis:
Yeah. So one of the things you'll hear us talk about is, we just need an organization to start the Zero Trust journey. It's a mindset, it's a set of guiding principles. There isn't any product that's going to get you there overnight. And in many cases, most of you probably already have some form of these products in place. I think the big missing piece for those who answered that you don't have a formal program is, how are you architecting the connection between these different capabilities to hit Zero Trust? So what we've done is drawn upon DOD and the NSA, as well as [inaudible 00:07:18] maturity models, to create a maturity model that we feel has enough granularity to help our clients set a multi-year plan to achieve some of the goals that they have to. And for our federal clients, that's reaching a Zero Trust architecture by September 2024, as mandated by the Cyber EO issued last March.

We're going to focus today, in part of the conversation and partnership with 1KOSMOS, really on the user identity. What we see is most organizations have some semblance of all these capabilities. Some are more mature than others, but we really see people starting with assets and identity. Some of the biggest challenges, crazy as it sounds, is people still don't have their arms wrapped around what assets they have. They've got multiple asset management systems, and they're unaccounted for. And especially with the pandemic the last couple of years, the attack surface has expanded as people start using more personal devices to interact and support the missions.

I think the other thing that we've seen that is a challenge for people getting started is we are seeing organizations with multiple identity management systems, and it takes a lot of Herculean effort to get those down to one system. In some cases we're seeing people bring in identity-as-a-service providers to help accelerate that, as well as bring the needed expertise. I would say one of the biggest challenges that we see in terms of the talent is just getting the right identity and access management people in place, as well as those who are experts at some of the different applications that we see in the marketplace.

Mike Engle:
Yeah. I really like the slide because you can see the layers at the bottom, one through five, the level of maturity or governance that you have here. And it all does start with the user. If you know which user's accessing your device, who's accessing your network or your apps or your APIs or whatever it is, it really makes all of those other areas much easier to manage. So it's something that all of us security practitioners have been doing in a fragmented way, for me for 20 years, since I first tried rolling out [inaudible 00:09:28] NT4 and figuring out how to lock that stuff down.

Mark Gamis:
Yeah. And Mike, I think CISA and OMB have really done us a great service, by not only providing us with a model that we can all adopt and then tailor to whatever extent for organizations, but OMB by providing a set of expectations in their Zero Trust strategy that they released late last fall. So now we've got maturity models. We know what the journey could be. The journey should be risk-based, mission-based on the things that we want to protect and to what degree we want to protect it. And then what's the cost of that. But OMB has provided, at least for the federal government, what I would say is the minimum baseline for organizations to reach by September 24. Currently out for comment is an implementation guide for Zero Trust that NIST put out there. So I think they're taking the best of the best and trying to develop a playbook to help accelerate people making their way towards those milestones for September 24.

Mike Engle:
Yeah. The term Zero Trust has gotten thrown around a little bit. I think every vendor, whether they're into Zero Trust stuff or not, wants to put their name on that. And I'm seeing the high C-levels of CIOs, even CEOs and boards, now know what this term is. So it's good. So us down in the weeds are hearing it 75 times a day, but now the high level are at least hearing it once a week and they're starting to understand what it is. So it's kind of cool.
One of the things that I'm seeing, and I'd love your thoughts on this, Mark, is the more analysts I follow or hear talk or papers I read, I'm seeing it really start with identity, which is great. As I pointed out on the prior slide, if you don't know who's coming in it really sets you back across the rest of your infrastructure. So we're going to focus on this quite a bit today, but from an identity perspective, love your thoughts on this, Mark.

Mark Gamis:
Yeah. Everybody's setting the bar at multifactor authentication, so we've leapfrogged two-factor. But because of this expanded attack surface that all organizations are using, we need to know not just the identity, but we need to know that we're authenticating the people that are truly who they are, but at the same time authorizing them. Some of the things that we have seen from an authorization standpoint is people change jobs within the organization as they get promoted, and they're not rebaselining what their authorization should be.

I think one of the easiest places to start is to have role-based authentication and access controls, but those are some of the basic blocking and tackling we see not happening. And as we continue in a litigious environment, making sure that people have access to the right data to do their job at the right time, with the least privilege. I know within a lot of the organizations we see, they're very good at making sure they time out all of the applications so that if there's no access in the last couple of minutes, you have to reauthenticate and reauthorize.

Mike Engle:
Yeah. And there's so many different levels of authentication that we all go through today. I'm seeing even the most basic websites. Your PetSmart now wants a 2FA to go fetch a code from your email to log you in. So it feels like we're going back in the '90s with some of this stuff. And I do want to spend a little bit of time talking about the trends that are happening, where the bad guys are trying to bypass what has been established as identity. I'm going to cover my definition of identity and 1KOSMOS's a bit and the governments. I think it's really important to understand that a 2FA code is not identity. I see so many vendors promoting the use of a token or a code as identity, and it's just not. And you're seeing the bad guys, for example, MailChimp was breached recently where four MailChimp employees were very actively targeted with phishing campaigns for a couple weeks.

Bad guys got in, and then one of their downstream customers, a company called Trezor that makes crypto wallet software, was targeted, because now the bad guys could pretend to be MailChimp and send out what looked like legitimate messages. They got into the whole supply chain. But it started with four people giving up their access into the system, and they were able to do that because it wasn't true identity that they were using to get in. Similarly, Robinhood had 7 million customers breached in a similar campaign, where the attacker was able to get the list and email addresses of 5 million people. And what are they going to do with that? Pretend to be Robinhood and now go after all of those people. And so this started as they socially engineered a customer support employee by phone. And I don't like this; it's like watching an accident as you're driving down the highway.

Nobody wants to see this stuff happen, but it's lessons in what the bad guys are doing. And then I think one of the most public ones that all of the security folks in the audience here will know about is the Okta breach, which is from a third party provider as well. A call center customer support employee was targeted. Bad guys got in there, that call center had access to Okta services. And before you know it, there was another incident there as well. So they're able to do this just because they're chiseling away at how companies authenticate and try to identify those people as they're coming in.

Of course, there's a dozen other ways they could get in, you could attack the web services or find unpatched systems. But one of the easiest ways is to just go in through that human element. So you see down here in the bottom right, the latest Verizon Data Breach Investigations Report, it's a phenomenal paper, comes out every year. It's like 150 pages long, gets into how the bad guys are doing what they do. And then this latest one, they're very clearly calling out that a human element is involved in over 81% of all the hacks that they've monitored and they monitor thousands of them. So I'm sure this is what you're seeing in your practice as well, Mark.

Mark Gamis:
It is. The better programs have a really dedicated portfolio of training for all the users. But at the end of the day, when we talk about training, we're really talking about behavioral changes, because to your point, we need people to be able to recognize and be conscious of the fact that we're all being targeted, the organization, us as executives, and that we've really got to have our radars on high to watch out for these things. I think you're going to talk about here in a second just how good the threat actors have gotten at masquerading themselves as legitimate communications and sites.

Mike Engle:
It is amazing. I'm going to show you how 1KOSMOS was targeted just last week. That'll be in just a second. A really interesting tidbit that I heard on one of the podcasts that I listen to, it's called Risky Business, a phenomenal podcast for anybody who hasn't heard of it and likes podcasts. But they pointed out that business email compromise is now a greater money maker for bad guys than ransomware. I was really surprised. I think part of it is because when you ransom out somebody you're trying to get $1, $5, $10 million at once, and you have to be paid in crypto. With business email compromise, the way this works is they'll get into one email account and be able to then send email to somebody else and pretend to be a legit person.

And now you're diverting, for example, maybe making one payment to a different place where it's not supposed to go, changing a routing number, and all of a sudden you lose just a couple $100,000 or $1 million in real money that leaves; it's not crypto most of the time. So now you're seeing a combination of ransomware and business email compromise being put together. And these are some recent attacks that have happened. Imagine being the city of Portland and seeing 1.4 million fly out the door because of a bad email that somebody got into because of a social engineering attempt.

I thought this was interesting, and hopefully you appreciate it. And then this just was really crazy timing because, as I'm making the presentation for this webinar with Mark, here comes this email that one of our team members posted in Slack. It said, "Is this legit?" This is an email that came in and says, "Your daily sales report is ready. Click here to go to the report," and it has this person's direct email on it. Now you'll see something a little funny, right? The link is a little bit broken here on this reporting.

Sorry, my pen's not working here. And then on the next screen, you'll see there's a little bit of fuzziness in some of it. But then when you click that link, this is just an amazing phishing attempt. So you see it's got our entire webpage, is probably autogenerated by some tool that these bad actors wrote. Again, your email address is there and they're asking for the password. There's a lot of people that would fall for this. And then they're also really good at intercepting the 2FA that should come after this. Now, the good thing for us is none of our employees even have a password. So there's nothing for this person to type in here if they happen to click this link. We'll talk about that in a second as well, but I thought this was just... It's actually a really cool attack.

If you see the URL up here in the top, it is flagged by Chrome as a suspicious website. But when it first came out, it was not. They found a real domain to use, and then after some time Chrome blocked it out. So, neat stuff. That's what keeps us employed. Right, Mark?

Mark Gamis:
Yeah, exactly.

Mike Engle:
I asked a couple of my peers that are CSOs at Wall Street banks and technology companies, and they agree. I asked them how they would hack into their own companies and they said, "I would call the help desk. They know the procedures, they would find the self-service password reset tools." And that's what you saw in those three high-profile attacks I had on the prior page, or, like the one I just showed you, go phishing.

The third one they mentioned is, I'd try to plant an insider. That's a lot more involved. You have to get somebody hired or bribe somebody. The first two you can do from anywhere in the world. So this I thought was really in line with that identity or user pillar of Zero Trust. So again, just some more validation, and I'll get a little controversial now. I would like to ask everybody a question to ask inside your head, and this is for you too, Mark, but maybe you shouldn't answer. Could you give me access to one of your remote access systems if you wanted to? Could you give me this? I have right here a YubiKey. I have a username, I have a password. I have a one-time code generator and all these things for my corporate systems.

Could I text it to a colleague to let them into my system? Could a spouse use it? I'd say nine times out of 10, for most forms of authentication today, the answer is yes. Or if I push a yes answer on an app, would it let somebody into my system? And if the answer is, yes, it is our take that you do not have Zero Trust for identity because you're not proving who it is. So another litmus test for this is when you get pulled over by a state trooper, not that I've ever been pulled over, but maybe you have Mark.

When the police officer looks at your driver's license, they're verifying your identity. And that is now something that we're going to try to get into here and get into the weeds on a bit on this one pillar. Before we do just one more poll question, Maureen, if you're ready to pull the trigger, this is just some really easy ones. So we're really talking about the ability for us to use our phones out in the world for authentication, or just being able to transact. What would hurt you more if you left it at home, your phone or your wallet? And I think we'll be fine.

Mark Gamis:
I guess I would ask why do we even need a wallet anymore? That's extremely legacy.

Mike Engle:
Yeah. I still have my Costco card and my ATM debit card, but with Apple Pay and Google Pay and all these other things, I'm finding that... And even cash, you just don't need this stuff anymore. So thanks for that one, Maureen.

Mark Gamis:
I think some of our threat actors, even the more sophisticated ones, have gotten good at spoofing our phones. How hard would it be for them to grab someone's token if they lost it? I agree with you on that, and as an insider, it's pretty easy even with some of those multifactor authentications, that if somebody wanted to do something and have it done by someone else, it's not that hard.

Mike Engle:
That's right. Yeah. Final poll question here, another really easy one. When Apple's Face ID came out, there was a little bit of a revolt against it, but it's now so commonplace. So I'm wondering how many people use your built-in biometrics to unlock your device. I don't see many people still typing a six-digit PIN into their iPhone as the only way; of course, you still have to do that when you reboot. But it looks like we still have under 20% of the people here that still don't like using biometrics on their phone. I bring this up because it's a bit of a loaded question, but biometrics are the only way to prove who somebody is, in my... And there's all kinds of different biometrics that we'll get into.

So thanks again for that. That's our last poll question. Let's talk a little bit now about the definition of identity that not just the government, but the industry in general, is putting out there for us to be able to embrace. So the first side of this is something called NIST 800-63-3, and this is getting more and more popular. There's still a very large population of security and identity practitioners that don't know about it, or don't know about it in detail. But this standard was set up in 2017 by NIST, the government body, to define how you onboard an identity remotely, and it has different levels of identity.

So your general identity out there on the internet is what's called identity assurance level 1, IAL1. It's just a name on the internet, an email address, not verified. It goes up to level three where you're comparing documents with photos, and it has chain of custody and encryption and all these other things associated with it. So this standard now exists. And it's gotten more and more popular because of COVID and everybody working from home and purchasing things at home and opening bank accounts now at home; you have to do this remotely. There's a certifying body called the Kantara Initiative that will prove that a vendor is doing it, or test that a vendor is doing it the right way. So these two are important, the standard itself and the certifying body. And then going alongside with that is your ability to use an identity.

So there's the NIST 800-63-3B side. The A side is the identity assurance level and the B side is the authentication assurance level. That, combined with FIDO passwordless, and these are referenced by each other typically, lets you get into a system with a level of assurance as well. You put these two together, it's like yin and yang, and they really not only get you in, but get you in with a level of assurance. The certifying body, which has gotten a lot of popularity in the past couple of months, is FIDO.

FIDO stands for Fast Identity Online. I'm sure more people know about FIDO than know about NIST 800-63-3, but it's really made a lot of headway. On May 5th was international password day or passwordless day, I forget what they called it. There's an international day every day now, right? But the big tech providers made announcements that they're going to support this more and more. So you're going to see more and more about FIDO coming out, and marrying these two together is a biometric, and there's a certifying body. There's a couple of them out there, but one of the most popular ones is called iBeta.

If your biometrics are certified by iBeta, then they have some resistance against Tom Cruise putting a Mission Impossible mask over their head and pretending to be somebody else. So tying these all together, we refer to it as identity-based authentication. You can see the words 2FA, token, secret knowledge are not referenced anywhere in any of this stuff when you look under the hood. I'm wondering, since this is a government standard, Mark, and you're in that space quite a bit, are you seeing more and more talk about these inside of the practices where you're working?

Mark Gamis:
Definitely, those that are in the Zero Trust space. So the 800-207 and then OMB's recent guidance that they've published. I think the big thing is right now, our federal government agencies are just trying to get their plans up and running because they see the clock ticking about September of 24, and really taking stock in where they are in their journey for all the capabilities under Zero Trust, not just identity and asset management. But I would say those are two of the biggest hurdles, some long overdue activities to get those into, what I would say, a more organized fashion. Now, someone did ask a quick question in the chat based on our previous discussion about, couldn't an insider basically just give someone their PIN number as soon as it goes to their phone? Absolutely. So for insider threat, those are the things we have to be looking at.

But when you look at the rest of Zero Trust, we're also looking at authorization, we're looking at user behavior analytics. So if Mike gave me his PIN and I got in, I should still be somewhat stumbling because I need to have the right authorizations to get to the particular data that I want to see. Number one, and number two, we should be running behavioral analytics to see, am I accessing a system or set of data that I don't typically have, or have not done in the past? Do I have authorization to do it? Where am I doing it from? Is it a device that's unrecognized or even a time zone that's unrecognized? So there's a lot of ways that would go just beyond the identity part, if there was an insider who wanted to utilize a second party to get in.

Mike Engle:
Yeah. Awesome. Well said. As Jay just pointed out in the chat, the device biometrics that we all have on our iPhones and Androids do not prove identity. They prove that somebody has a biometric on that phone, but it could be a spouse, a child, a coworker or somebody else who linked it. I'll cover how you mitigate that with real biometrics in just a second. So putting those standards into a slightly different view, one of the activities that must be done to get somebody into a system with a level of assurance is enrollment or proofing. Proofing has gotten really popular again because of COVID, that is, linking your digital identity to what's typically called your real-world identity. Very commonly you can take a picture of a driver's license or consume a digital version of it, even scanning the NFC chip in your passport.

In the corporate world, you could say, I've got a photo of this person inside my HR system or my access control system. I'm going to use that photo to prove who it is over here. I'll give you a real world example of that with a live demo in just a second. You also have a very strong identity with your bank. Your bank spends on average $450 doing KYC for you for anti-money laundering purposes, the Patriot Act type stuff. They have to prove who you are so that you're not a terrorist. And so you can leverage these sources of truth about you to establish a digital identity and then you can use that over and over again with proof that you are who you are. Of course, we all know what SAML and OAuth and OIDC are. These are protocols that let you use your identity across different systems. So they're under the hood allowing all this stuff to function, FIDO as well.

There's a combination of cryptography here, public-private key stuff that we've been doing for 20 years, going back to the Diffie-Hellman days, and biometrics that come together now. And so there's a couple of ways to do this. You don't have to have all of your customers or employees scan a driver's license to prove who they are. You already trust and know who they are today. Imagine, Mark, if you didn't really trust your, however many tens of thousands of employees BAH has, getting in today. You trust the current authentication system, but we can transition it to a way that uses better cryptography and biometrics. And so we call this establishing an identity chain of custody. So what we'll do is we will link your existing account. I have an account at mybank.com and you have them authenticate the same way they do today.

Username, password, 2FA, MFA, whatever it is, and exchange that for a modern authentication combination of a public-private key pair, and then enroll their biometrics. However, for new employees, new customers with high-valued accounts, we will ask them to prove who they are. They have to do it anyway. So instead of taking a picture of a driver's license and mailing it to HR, or having to go into an office, you can do that digitally now. Follow the principles of NIST 800-63-3, get to that high level of assurance and then give them the credential. So it's a matter of your risk tolerance. If you think that somebody might be a bad actor with an existing account, then proof them; otherwise, inherit. These two functions, proofing and authorization, can feed into existing systems. So you see on the right, these are kind of big buckets of all of our IAM systems that we have today.

And what's missing from most IAM systems is the I, the identity. So let's use real biometrics and proof of identity and feed it into our IGA, our Identity Governance Access Systems, which then goes out and creates your 100 accounts across the system. So, Mark, I'm sure these buckets on the right are something that you see all the time. And there's a lot of spaghetti holding these things together. A lot of organizations that I've worked at in the past, and I'm sure this is a focus point for a lot of things that you do in Zero Trust. Would that be a fair statement?

Mark Gamis:
It is. Right now we see a lot of the clients while they understand the principles of Zero Trust, they realize you can't buy your way out of it with one product. They're still focusing in on a pillar by pillar journey to get to a minimum level, to get to create really what the new baseline needs. But I think we need to have those architects and engineers thinking out months or a couple years ahead, of how do we integrate the pillars so we really do get to Zero Trust.

And we can very quickly catch the scenario that we just talked about, where I send you my PIN as soon as it goes to my phone, and we catch them before they even hit any of the applications or the data. But one of the things that you said that made me think about this is, how is this in addition to what we already do when an organization gives their employees digital certificates? To me, this is just another proof point in terms of not what you have but who you are, in the form of a digital certificate, so to speak.

Mike Engle:
Yeah. I'm glad you mentioned the word certificate. Let's double-click on that here. A certificate is a cryptographic proof. And so if you have cryptographic proof of identity, I look you in the face, I say, "You're you, here's a certificate." That is definitely a step in the right direction. And so with that cryptographic proof, you can have a digital signature, it can be written to a distributed ledger, so you have an immutable audit trail, and then every time that identity is used, let's get cryptographic proof that it's the same person that enrolled. So these two things coming together, if you can answer with authority, am I 100% sure that Mark Gamis is the one that accessed that system because of that cryptographic proof matched with that biometric? Then we're heading in the direction of user-based or identity-based access with Zero Trust. So nice segue, Mark.

Now, one of the ways that this can be linked with today's authentication system is a combination of FIDO authentication. If anybody wants to see a FIDO authentication today, you can go right to the 1KOSMOS developer website, click on our developer portal and you can just click and try FIDO authentication. It's pretty neat. You could also log into eBay or TurboTax and experience a FIDO authentication. Once you log in, it'll pop up and say, would you like to go passwordless? We're seeing more and more of this out in the wild. But when you marry that experience with a public key written to the server, then every time that you're authenticating with a biometric, this is a key point. There's a couple of questions that have come out here in the last couple minutes in the Q and A. Now, well, what if I give my face ID to somebody else?

Jay on our solutions team pointed that out, that you have to verify the identity. It is the only way to prove. Imagine you get pulled over by that state trooper and you hand him a YubiKey. Trust me, I'm Mike Engle, here's a YubiKey. And the state trooper goes, "Okay, it's a YubiKey. You got it. That's it. Here you go." There's a $75 ticket and you pay it. So let me show you one example of enrolling a biometric and establishing a private key. What I'm going to do here is I'm going to launch an authenticator app. As that's done behind the scenes, a key is installed in the trusted element of this phone, the TPM. We'll set up a pin, that's just one way to protect the wallet, very rarely used. And then we'll do device biometrics, touch ID, face ID, same stuff we all use.

That's not real identity yet. That's two factors, private key and face ID. Now we're going to enroll what we call live ID. This is a real biometric. That's me. Now that biometric, when used properly, can prove my identity going forward. You see here in the top part, under the identification documents, I could also enroll a driver's license, which would be matched to that face, or a corporate photo or any other form of identity to link me to a real world identity, if you will. And I have the cryptographic proof that I'm the one that enrolled it. Now, to show you how that identity could be linked to a source of truth, let me show you how you could, for example, take a picture of a driver's license in about two seconds.

This would be for a new high valued account, domain admin? Why not? So now my real biometric is enrolled. It's matched to a government photo, and I can ask for that every time that I need to use it. It takes two or three seconds. There are 600 fraud checks that are done against that government document, and the biometrics have been certified. It's got decisioning bias protection in it, false acceptance rates and all that stuff. So there's a lot of nuance, devil in the details, but we're seeing this get pushed out into both workforce and customer solutions quite a way. Now you're like, "Oh, that's great, Mike. I took a picture and I scanned my face. What do I do with it?" So here's where the rubber meets the road. This is me authenticating into a Windows workstation with my real biometrics. This is identity based authentication.

Instead of username password here, I'm going to invoke our authenticator, launch the app, engage with the system, do my real biometrics, and I'm staring at my desktop. Now that I've done that, I'm in. I've proven my authentication, my identity, the same way that a user would if you got pulled over by a state trooper. Now, you don't have to do that every time. There's a lot more friction there than just hitting enter on a password, or it's actually less friction than going and fetching a 2FA code, but it's still some friction and your users will probably revolt a little bit. So you use face ID sometimes depending on the risk tolerance of the system you're accessing and you use live ID, real biometrics, voice and face, when it's warranted. Maybe for the first login of the day, or if you suspect that a different IP address has popped up.

But now that I'm in this workstation, why not just let me then authenticate a second time by just knocking on the same device? So in this example, I lock my workstation and now I need to unlock it 15 minutes later, and you'll see I'm lining up my camera on my watch. So I go to unlock it, my watch vibrates, I touch, yes, that's me and my machine is unlocked. So that's no friction. As little friction as you can get. So we went through a high level of proof with real identity and then my second knock, 15 minutes later, it's linked to the same device. I think you mentioned 15 minutes earlier, Mark. And let them continue to use the system, you don't have to ask for that every time. So pretty neat experience. Just curious about your thoughts on that, Mark.

Mark Gamis:
Yeah. You know what I'm thinking about is, all of us have smart cards. The CAC card is still predominantly used in the DOD land. So I think as we look at the greater, as we see attacks growing more sophisticated, I don't know that we would get rid of our smart cards. I think we would add this to our smart cards in the way that we use those. So I've seen a couple discussions talking about, does this eliminate anything? I think this is going to be additive to give us a greater level of confidence, as well as another insurance policy to guard against the high cost of having an event, an incident, or a breach and exfiltration.

Mike Engle:
Yeah. That's right. This is a tool that is now put into a tool belt, and it's not the only tool. To a carpenter, everything looks like a nail with a hammer, right? But it's a big, hairy infrastructure out there. It's going to take us time to migrate. You have to have passwordless and password side by side coexisting for quite a while. So it's just a step on that journey to a Zero Trust infrastructure. We're about 40 minutes into the hour here. We're not going to consume the full hour, give everybody 10 or 15 minutes to get some of their day back, bio breaks and all that.

We just had a couple closing thoughts that I wanted to discuss with you, Mark. The move towards SSO, Single Sign-On, has really made the user experience easier. So think about the hundred applications that are behind that one gateway. And we know these systems out there, [inaudible 00:41:48], Azure AD, etcetera. But most of those systems, I think, are moving us in a direction away from Zero Trust. We saw the attack on this with the SolarWinds episodes that happened pretty recently. So your thoughts on putting the keys to the kingdom behind one machine, Mark, or one system, just curious what your thoughts are on that.

Mark Gamis:
You know, working with people who are on the front lines managing this day to day, I think we're going to be able to watch what's going on from the second floor if we've got Single Sign-On, if we have a single integrated system. I'm seeing clients with, let's just say, over 100 different business applications, all with a different sign-on. So we're making it harder to guard the kingdom, even though we're assuming breach.

As well as, I think it opens up the risk because there's a higher likelihood that someone is going to be phished or their credentials are going to be snatched if we've got 100 different pieces of credential that we're looking for on each person and we've got thousands of people in the organization. So I think it's a good step. I don't think it's the destination, but consolidation of identities is definitely going to be something that the organization can get its arms around, more so than where we are at today.

Mike Engle:
Yeah. And implementing the type of authentication, identity and proofing in front of your SSO gives you a much stronger tool then to get into those 100 downstream systems. I just want to point out one question that Andrew asked about SCIFs. We do talk to the intelligence community about these types of applications. And this same concept that works on a mobile phone does work on a local machine, a network machine in a SCIF where you can't have wireless. So today's Windows and Mac devices, you could have an external card reader on there. You could use the biometrics on that device. There's a lot of flexibility in today's platform. So good question and there is an answer for that. It comes down again to flexibility. You can't make everything work with just a hammer. Second point here, will users and companies trust these real biometrics?

So we saw a huge backlash in the industry a couple months ago, where one of the federal civilian agencies attempted to implement real biometrics and driver's license scanning. And they weren't super clear about where the faces were being used, how they're being used, where they were going, all that stuff. And that actually set the industry back a bit. Now everybody's like, "Whoa, wait a minute. Government's going to scan my face." I think it's going to take some time for the adoption to pick up, just like it took time with face ID. Wondering what you're hearing on the biometric front in your circles, Mark.

Mark Gamis:
It's slow. Yeah. And I'm familiar with the news story that you're talking about. I think where we see the federal government trying to create a higher customer experience, is the place that they're going. So the intent is right. I think what I see is we need the policy to be there before we put the solution in place, after policy follows standards and procedures and the things that go like that. I think where it can be centralized under the watchful eye of an organization, like CISA as an example or OMB who can create one standard out for everything, is probably where we need to go. I like the idea, it is coming. I think there just need to be a few steps that we take before releasing the solution to get there, to give everybody peace of mind.

Mike Engle:
Right. Absolutely. And then finally, Mark, how would somebody get started with Zero Trust that hasn't done it?

Mark Gamis:
Just select a model. At the end of the day there has to be accountability. It's going to fall on the CIO and CSO to get this put in place. You've already got the capabilities, make it a formal program, make it a part of the strategy for the CIO and the security organization, put an executive in charge and make it a multi-year journey. It's difficult from the security architecture and engineering in getting organized, but every organization has the pieces in place to start.

There are enough models out there that people can have a destination. There's enough information out there where people can set a minimum baseline. Then they just need to tailor that based on their security appetite, as well as, how it marries up with other initiatives currently going on in the organization. But the bottom line is just start and there's a lot of good frameworks out there to choose from.

Mike Engle:
Oh, awesome. Well, that is it for our slides. We have a couple questions that came in, feel free to throw them in chat if you have any more. I'll answer Debbie's question that just came in, about the audit capabilities noted on the prior slide. This other private company and the federal agency they were working with got in trouble because, as I mentioned, the faces were being put into a place where they could be accessed potentially without people really knowing what was going on. Their goal was potentially innocent. It was to match faces against known fraudsters, but your one, what was the, snowed in event away for lack of a better term, from somebody also using that face to go find you when you don't pay your taxes, or just to use it for nefarious purposes.

So a couple things is the biometrics need to be encrypted in a way where the central authority cannot get them without user consent. And second is every time it's used, it needs to be audited, periodically reviewed. We leverage user private key encryption for the face, and then it can only be presented with permission. And then it's up to the policy of the consuming organization as to how they treat it after that. So very clear policies, and then regular audits by an independent body to make sure that it's being used.

Vincent. Yes, we can share the slides after the meeting and this webinar will be posted online for people to review afterwards, as well. I don't know if there were any other questions that haven't been answered in the chat. I think we are about good. Did you see anything else come in, Mark?

Mark Gamis:
No, I think that's all of it.

Mike Engle:
Awesome.

Mark Gamis:
Oh, there's one that just came in.

Mike Engle:
That was an answer. Yes.

Mark Gamis:
Okay.

Mike Engle:
I think we're good. So listen, 10 minutes left on the hour. I think we've done it. Mark, thanks so much for being here. It was super fun talking to you here today, and I really look forward to working with you and all of you on the call here in the near future.

Mark Gamis:
Thanks a lot. Have a great day.

Mike Engle:
Thank you. Take care.
Mike Engle, CSO, 1Kosmos
Mark Gamis, Senior VP, Booz Allen Hamilton

By watching you will learn:

  • The difference between biometric and identity based authentication
  • How to go beyond MFA, modernize the user experience and close security gaps
  • How to gain control and rapidly implement authentication flow in a diverse IT environment

Account takeover and insider threats pose two of the most serious security risks to any organization. The consequences of not stopping attackers after they have penetrated defenses can be devastating.

Some peg passwords or a lack of security training as the problem. Others want to add MFA and move toward Zero Trust, but where to start? What is the right architecture to support Zero Trust across a complex environment consisting of Microsoft, Mac, Linux, Unix and more?

During this session, Mike Engle, CSO at 1Kosmos, and Mark Gamis, SVP at Booz Allen Hamilton, looked at how passwordless multi-factor authentication based on the new FIDO2 standard supports continuous authentication that improves both security and the user login experience.
