Digital Identity, Passwordless Authentication and the Path to a Frictionless Zero Trust Architecture

Video Transcript
Mike Engle:
Thanks everybody for joining. My name is Mike Engle with 1Kosmos, and I am joined today by Sam Tang from Ernst & Young, and Sean Ryan from Forrester. Sam, would you mind saying hello to the crowd, let them know what you do for a living.

Sam Tang:
Hello. Thanks, Mike. Thanks for everyone for joining today. Very excited for the topic, it's actually dear to my heart. I'm a managing director for EY and I'm digital identity leader for the cyber practice here at EY. Hope everybody's [inaudible 00:00:38]. Thank you, Mike.

Mike Engle:
Awesome. Sean?

Sean Ryan:
Hi. Yeah, Sean Ryan. So senior analysts at Forrester Research. And look, I'm part of the cybersecurity team and I look at identity and access management technologies, specifically for the workforce. So really looking at things around authentication, around privileged identity management, identity management governance, and the like.

Mike Engle:
Awesome. Yeah, and we're going to talk quite a bit today about Zero Trust and specifically how identity ties into it. We'll have a bit of a bias there, but Sam and Sean will keep us a little more pure in the Zero Trust categories that there are in there as well. Just a little bit of housekeeping. There's some technologies that you're all welcome to try. This is right on our website, just go to the homepage, click experience it, and you can download an app and play around with a couple different types of ways to use what we refer to as identity based authentication, to engage with a remote system. And we'll be talking a lot about that today, what does it really mean to prove who you are remotely.

Mike Engle:
And also we've got a couple giveaways today. So we have something in our product offering called a passwordless identity package. It is a quick way to embrace passwordless technologies. So companies will typically target the remote access, their operating systems or sitting in front of their SSO gateways. And we're going to randomly pick a winner from the attendees today, we'll reach out to you after the webinar's over. If you like the package, you can accept it, otherwise we would go on to the next person. And also I have a pair of these AirPods, I will be personally putting into a manila envelope and sending to somebody, that'll be another randomly selected person from the list of attendees today. So stay tuned, more to follow there.

Mike Engle:
So let's jump in. Sam and Sean, we're inundated with statements about the problems in the identity world, and you're hearing just day after day of breaches and different types of attacks. We're going to focus today on credentials, of course, because they are the way to really protect everything we have, all of our data and our assets. So I know this is some Forrester sourced material here, if you wouldn't mind just double clicking on this a little bit.

Sean Ryan:
Yeah, absolutely. So this is part of annual research we do, where we're polling security and risk professionals and really trying to understand what they're seeing out there in the wild. And so this is, I think, close to 1800 security and risk professionals globally that we polled here. Key point is how much they go after authentication credentials. A lot of key things on this list that attackers would want to grab, personally identifiable information, health records, intellectual property. Those are all the expected things that you think would bubble to the top here. But authentication credentials are, it's such a means to an end, if they can capture more authentication credentials, move laterally, get to your privileged users, it really just gives them access to even more things. So it's a means to an end, but they are continually pounding after this.

Sean Ryan:
Part of the reason too, it's low hanging fruit. If you've got people with really poor password hygiene, you've got just really basic, easy to bypass, two factor authentication, you can get in much more easily than trying to exploit vulnerabilities. It's really a way to go in undetected and masquerade as legitimate users. So that's really a key point of this slide, Mike, and something to drive home to folks out there.

Mike Engle:
Sure. Once you're in the door, all of these other things are at your fingertips, so it's the one attack to rule them all. So I'm amazed at how many organizations are just implementing 2FA now. Every time I sign up for another service, your hotel login or some FinTech, it's, hey, we're going to send you a six digit code to your email. And six digit codes are over 20 years old in concept, SecurIDs and one time generators. And on top of that, the bad guys are really good at stealing those now, too. So as the sophistication of these attacks increases, we're going to see 2FA have to evolve, if I can get your SIM and swap your SIM or whatever, or get access to your email. The bank that I use today, I have a YubiKey, but it still has this button down there that says YubiKey not working, go get a code from your email. So it defeats the purpose.

Mike Engle:
And Sam, I'm sure your clients are very much, this is top of mind for them, not just because of Biden's executive order, but just in general, right?

Sam Tang:
Yeah. I mean, this definitely still is a hot topic when I speak to our clients, even in the industry. I still get questions like, what factor should I be considering, what are the strongest, what should I be adopting? And I keep on telling my clients it's really a balance and you need to understand, it really depends on the service that you're trying to protect. And the real question is, are you really ready to adopt risk based measures, adaptive based measures in your authentication, in your authorization events, and the trick is without having to impact end user experience and security, of course. And take a step back and take a look at your use cases that are associated to B2E, B2B and B2C, because that will translate into a different set of factors as well. And should they be different, should it be harmonized? So it's really, are you ready? So that's my conversation with my clients.

Mike Engle:
Yeah, no, nice segue. So the principles of Zero Trust, Forrester didn't necessarily invent the term, but they certainly made it very popular and commercialized it and increased the awareness of it. So Sean, love to hear some thoughts on these three aspects of it.

Sean Ryan:
Yeah, yeah, it does go way back at Forrester, John Kindervag coined the term and really drove this concept forward, and it really is powerful and it's a set of principles and it's a way to apply security across all of the disciplines. So identity and access management, the lens that I look at it through, but also your endpoints, your networks, really any attack vector, and especially focused on protecting that data at the center. So when I'm looking at this from the identity, protecting the digital identity standpoint, protecting access, there's three principles that really align to Zero Trust that I talk about. So first one being that verify explicitly, let's really make sure we know that this employee, this partner, this contingent worker, this customer is who they say they are when they're setting up their account.

Sean Ryan:
So you're verifying them initially, but then as they log in over and over again, you're authenticating them in a way that you can feel very confident that you've really vetted that person every time, and ideally on a continual basis, you're making sure that session is secure all the way through. And that's where what Mike and team does really, really fits very well into that, trying to bring that up to a fully bulletproofed approach, and at the same time, you want to make sure that user experience is still reasonable. You don't want people trying to bypass this thing, you don't want customers defecting, you don't want employees trying to find workarounds. So really important to do that right and think about that balance of user experience, but being as secure as possible. The one in the middle, this is, I think, a pretty well understood thing that I talk about quite a bit as well, getting down to least privilege access.

Sean Ryan:
This is like breach containment, you want to make sure if somebody does get in, this is things around your authorization, things around how you set up your governance model so that you don't have over provisioned users with too many permissions. So if an attacker does get access to their account, it's not instantly they've got keys to the kingdom and can get to domain level access very easily. You want to avoid that. And then the last component is that assuming a breach, that's just monitoring ongoing, making sure you're paying attention to that.

Mike Engle:
Yeah, and I found this graphic I thought was pretty interesting, that if you can imagine everybody either uses a system or manages one on this call today, you use all kinds of systems, imagine if your data was as accessible as this is here. And that's what, I think, Zero Trust tries to get people to think about, assume that somebody can reach in there and go grab something and you have to protect it, either by asking them are you who you say you are, or micro segmentation or whatever, and you have to let all kinds of users in there for different reasons. So this is in line with what you were just saying as well, Sean. And lastly, once they're inside, Google's Beyond Corp has really done a lot for socializing this as well and setting a framework.

Mike Engle:
So Sam, there's a term we spoke recently that you mentioned, that I thought was really interesting, and we'll bring up this slide as we talk about it. And I mentioned it in an email to you this morning, would you mind double clicking on that as well?

Sam Tang:
Yeah, really, let me start by describing Zero Trust, there's a factor, there's an influence that typically people don't talk about, that it's really the cultural changes. And the cultural changes are actually external and also internal to the environment as well. So every step of the way, what we want to double click on is the importance of the ability for you to verify based on the culture changes, external and internal environment. How fast can you adapt to something that you can verify at run time, at authorization time? So even when you take a look at this picture right here, even if you take a look at apply the 860 [inaudible 00:11:54] spec, the NIST spec, on top of this here you're looking at, really that specifies what needs to be assured, the assurance levels that we always talk about.

Sam Tang:
But what if you're able to actually apply the assurance level concept to also include the people, the culture, and most importantly, the authentication mechanism that was used as part of gaining access. So the trust of the people, the trust of the context as to what you want the session for, the trust in the legal entity that you're working for, and so on and so forth. Trust, that's what we're talking about.

Mike Engle:
That's right. Trust, but verify, right?

Sam Tang:
Yeah.

Sean Ryan:
Yeah, exactly. I mean Zero Trust, it's a nice, good catchy term, and it does capture that. Obviously you have to let people in, entrust them to some degree, but you are verifying first, and then you're checking in as you go. So we want people to do their job, we want people to be productive, but you have to have the security mechanisms along that entire value chain. I like to think of IAM as a full value chain where it is that right as you come in, you authenticate and then it's not like, okay, good, great, now go do whatever you want. It's okay, we still need to authorize you, we still need to keep track of what you're doing. We don't want to inhibit your productivity, but we want to take a risk based approach, we want to flag this stuff.

Sean Ryan:
You're doing something very strange, or you are accessing some really sensitive data, boom, let's re authenticate you with another factor. Let's really, make sure that we're verifying. Maybe based on some of the signals, let's say you're logging in from a completely different IP address, that could be a signal that flags that, hey, we should add another layer of analysis on here, real time, automate it as much as you can, and if it's maybe a certain level of risk, you want to flag a live person in the SOC, your security operation center, to take a look into this immediately.

Mike Engle:
Is it time for us to talk about McLovin?

Sean Ryan:
I think so. I think so.

Mike Engle:
Yeah. So Sam, you mentioned something, 863-3, which is near and dear to my heart. I didn't know a whole lot about this when I started this effort back in 2018, and the standard was just made in 2017, but it establishes how you remotely proof who somebody is. You take two strong forms of identity, matched to their live biometrics, and all this coordination and triangulation needs to happen. So what if you could know beyond a shadow of a doubt that the person logging into your domain controller is the person that holds this driver's license? That's kind of the spirit of what this stuff allows you to answer now, that you can't do with 2FA or what people call all different forms of MFA. Just because I have a YubiKey or SecurID token doesn't prove my identity, but these types of sources of truth do.

Mike Engle:
So if you can onboard somebody, and every contractor or employee has to be onboarded, even your consumers, customers have to be onboarded for certain types of accounts, cryptocurrency, financial services. So at the time they're onboarding, if you apply the latest concepts of cryptography and biometrics, you can create something that's reusable over and over and highly trusted. So I'm sure both of you are seeing and hearing about this more. We refer to this as identity based authentication, but the spirit of strong identity proofing, I'm seeing a real uptick, not only in what Forrester's saying, but what the industry is doing. Sam, are you seeing this with your clients, where they're starting to embrace real identity, not just handing them bandaids on top of passwords?

Sam Tang:
There's that word, that bad word, password, again. Yeah. So no, Mike, absolutely, identity proofing to me, when I speak to my clients, has got to be a big part of the verification strategy. And the identity proofing I talk of is not just about identification or authentication, but across the board for transactions and most importantly authorization as well. So the active identity proofing can't be a one time event either, it has to be a continuous event to really allow you to have flexibility to detect at transaction time, whether it be an identification transaction, authentication, authorization, or a business transaction. And the business transactions, I think I heard you say you use the word blockchain, but more importantly, what I'm starting to see is applying this technique and the technologies that you bring, with identity proofing and authentication and identification combined, those techniques, and really using that technique to catch business transaction fraud as well. So there's an emergence of using these techniques continuously, not just for authentication or authorization, but also to be used for business transactions.

Mike Engle:
Yeah, yeah. And Sean, what are your thoughts on should you even let somebody name McLovin into your infrastructure?

Sean Ryan:
I know, yeah. I love this slide, it's from a great movie too. I think the whole point of this is people can create fake IDs, and now that we live in a very digital world, the ability to do identity thefts from anywhere, the ability to falsify accounts, falsify information on that authentication and sorry, carrying that into authentication, there's really a lot of room for fraud out there if you don't have the proper controls in place. So it's critical to have something that can leverage what's already out there for credit reporting agencies, from telecom, from all sorts of other sources of information, to be able to verify this, to be able to do it in a secure way. And ideally in a way that puts that end user in control of their own identity and gives them the tools to keep this in a wallet, a digital wallet, really manage their own digital identity.

Sean Ryan:
So that's the goal, that's where we're headed. And it very much applies to the B2C world, to making sure your customers are who they say they are, and you're protecting their identities for them. But increasingly, business partners, they're not going to be in your HR system, you have to have some level of working relationship with your business partners to verify that. But having the tools in place to help you verify with software and do that in a really programmatic and structured way, is really important too.

Mike Engle:
Yeah. Yeah. We touched on the word blockchain, blockchain is a means to an end. The cryptography behind blockchain is undeniable, the immutable ledger and the ability to prove the history of transactions. So when you apply that to identity, it allows you to set up something that we're referring to as your identity chain of custody, how do you know that the person authenticating is the same person that you gave the credential to? So there's a term that I've heard recently in the FS-ISAC world, contractor jacking. You hire person X, but person Y sits in that seat on day two, because they're subbing the seat out for 20 bucks less an hour or whatever. That's if it's a friendly handoff of a credential, but of course the bad guys can get them as well.

Mike Engle:
So today, everybody trusts a credential to some level. Corporations are letting people in, username, password, 2FA, token, whatever it is, push message. The way that we think about this is your existing users will come in the way they do today, and you'll exchange that process for a cryptographic public, private key pair. And that's really the principle behind FIDO authentication, that we'll touch on if we have time. So you issue them a key, a private key that they keep with them and only they can have that. What makes that key really strong then is the addition of real biometrics. So everybody on this call today uses biometrics in some way, usually it's your Touch ID or your Face ID on the phone. Those aren't real biometrics, they don't prove your identity, but we're seeing wider adoption of a real selfie or your real voice print, or if hardware permits, you can do palm and vein and all these other things.

Mike Engle:
So you exchange the legacy mechanism for the new combination of cryptography and a biometric, that's identity based authentication. And then in a true digital transformation concept, you can do that with your new onboarding personnel as well. So proof them, you have to do it anyway, because they're joining your company, they have to get their tax paying documents and whatever. So rather than emailing and faxing them, do it the right way, digitally onboard them, and at the same time, issue them a credential. I think a real enabler for this was of course COVID, we're all remote and we have to figure out how to do these things. And I'm seeing phenomenal adoption because I live and breathe this stuff in my little world of 1Kosmos. But Sean, maybe start with you, Sam actually, what do you think about the concepts?

Sam Tang:
Yeah. Sean, you want to get started, I'll chime in.

Sean Ryan:
Yeah, yeah, yeah, for sure. I mean again, I'm glad you've got NIST on here too, I completely agree with you, it's a wonderful standard and a great way to build a foundation on how you're going to set up your authenticators and how you're going to set up identity proofing and really all through that value chain of managing digital identities. It's again, like you said, I mean, we've become very, very digital, no in person interaction, this isn't like even if you're working for a company as a remote employee, in the past, you might fly out, meet them, physically hand them documents, that's not always happening anymore. In fact, that's probably really rare these days.

Sean Ryan:
So having that trust be fully digital, really much better to have this fully encapsulated approach to doing it rather than a cobbled together, do this through an email and send us this over here and records, you've got really critical, sensitive information that you're sharing and trusting that through email and through various other approaches, rather than a self-contained, know your employee and onboarding, or know your customer type of approach. Just much better to have that, much better to have a complete system that works together.

Sam Tang:
Yeah. And something to add, Mike and Sean, is the identity chain, I think the word chain is very important because I think Mike, you spoke about ledgers and the blockchain, but what if you're able to actually treat that ledger as a form of your digital assets that you have control over? So what you're seeing in front of you right now on this slide here, really, truly enables what the industry is right now is calling decentralized identity or self sovereign identity. Without this here, it's really difficult to achieve what we consider as an industry, decentralized identity that you can apply to your B2C and your B2B, and also now [inaudible 00:24:24].

Mike Engle:
Yeah. And the concept, decentralized identity's been around now for a few years, it's a W3C standard. And you're seeing adoption by the big tech giants and the payment rails companies, your Visas and Mastercards are all getting behind the standard. It allows your identity to be portable and move across industry. And I don't know if you guys have noticed, ever since the NFT explosion over the past month, you're seeing Web 3.0 everywhere. Web 3.0 is a form of decentralized concepts applied to the web. So this is in line with that, it is the future of identity. The time for companies to adopt it is really starting to happen, and so you're seeing the uptick happen now, and it's not a matter of if, in my opinion, it's a matter of when.

Mike Engle:
And so if you were to take this and apply it to an IAM infrastructure, this stuff doesn't exist in 90 X percent of IAM infrastructures today, but it will. And so I took a shot at thinking about how this stuff will fit into your existing, all the IT functions on the right, with these new components in the middle. So there's two things if you apply Zero Trust to identities, do I know who it is, and can I prove it? And yes, you can with cryptographics and biometrics. And then on the back end, as all these systems are writing event logs, and it's all going up into Splunk or whatever, is being able to say, all right, here's an entry in my Zscaler logs, can I prove that the person in that log file came in with identity?

Mike Engle:
Well, if you're adopting the right technologies, the answer is yes. You can digitally verify that this hash came in, it was onboarded eight months ago, and you have the chain of custody of that. So we saw what happened with SolarWinds, and a bad guy was caught because somebody happened to look into log files and that broke open the whole Pandora's box. So this is just one way to think about it. Sam, are you seeing some of these forward thinking IT functions get dropped into IAM, maybe either in RFPs or in real practice today where it's not just necessarily this, but some Zero Trust principles that can sit on top of your IT infrastructure to give you that assurance?

Sam Tang:
I am, and the ego in me, after being in this space for 25 plus years, I always keep on telling my colleagues and my clients, identity is in the core of security, you can't bypass it. It could be in the form of cloud, hybrid cloud, on prem, even mainframe, mainframe's still around. So at the core of what we do with these IT functions, you can't deny, or you can't avoid having conversations around identities. So the effort that I'm speaking to my clients about right now is not about if identity is the core of these IT functions, but how to gain alignment across these IT functions, and that's the effort. And again, I keep on coming back to the B2E, the B2C and B2B, the more siloed you are with your consumer based IAM and your enterprise IAM and your third party IAM, is the further along that you are with really seeing the alignment across these IT functions, across the B2E, B2B and B2C.

Mike Engle:
Yeah. Yeah. And Sean, I guess, are you seeing a consolidation of any of the legacy ways to authenticate into some newer stuff, either in your research or as you work with your clients?

Sean Ryan:
Yeah. Yeah. I am. We've done a recent survey looking into passwordless adoption, so we're still early days there, but it's encouraging to see how many companies are at least getting to the point where they're doing proof of concept and early pilots and starting to finally, I think everyone's known that trained who have a password centric approach to authentication, just is not going to get it done. But people have really been anchored to this unfortunately, it's partly just legacy architecture, which was built around passwords, and so you have to do some workarounds to get past those. It's partly just inertia, just people being used to that, even though I think they're like me, they hate passwords and would love to find a better way, but again, it's that inertia, a lot of people, it's just what they're used to, it's the devil they know.

Sean Ryan:
But like I said, I am encouraged that we're seeing people move in this direction and the technology enablers are there. Many people have smartphones in their hands that have either fingerprint or facial recognition right at the ready there. You've got this on laptops and desktops now. So there's more of an ability to do biometrics. And the underlying technology behind the scenes is getting more mature as well. And I thought you made a great point earlier talking about true biometrics as opposed to biometrics that's just on the endpoint device, that, while is good, does allow the user to authenticate, and it doesn't prove that on the back end. So if you're storing a mathematical representation of those biometrics so that they're safe, they're protected, they're encrypted, where they're stored by the organization that is managing that access and that authentication, that gives you a much stronger approach.

Sean Ryan:
And again, at the end of the day, I think we get to the point where we can move passwords to the backseat, we can deprecate them and we can move to these methods that are inherently stronger and they are a better user experience once folks get used to them.

Mike Engle:
Yeah. Yeah. I'm going to give a little McLovin demo here in a minute, I can't resist. When we say real biometrics, it is real, and one of the big barriers to adoption is just people getting comfortable with it. When you saw Apple release Face ID, people were like, whoa, whoa, whoa, whoa, you're scanning my face. What are you doing with it? Where's it going? When you use CLEAR and go through the airport, they're scanning your biometrics and storing them somewhere. So you have to take this stuff, you have to be really careful with it, you have to make sure that everything's certified and you know exactly how it's encrypted and stored. In true Web 3.0 capacity, you can make sure that the user is the only person that can decrypt, enroll and decrypt and use the biometric. So if you'll tolerate a short demo, I'm going to show you how the launching of an app creates a private key behind the scenes.

Mike Engle:
Press of a button, and there it is, you have a PIN which is a fallback mechanism in case you have a problem, very rarely used. But now inside the phone, you have two factors already. You have your private key and a PIN, and then let's add device biometrics. So this is the device, the biometrics that we all use today. Now you can see this is the first time launching this, there's no proof of me in this, somebody's face on this phone was just enrolled. And this is one of the common misconceptions about device biometrics, is this doesn't prove, this isn't Zero Trust, because my kid's face could have been the one that just enrolled. However, when you take it to the next level and you capture a real biometric, so this is my identity wallet, and we're going to enroll a live selfie. And you're seeing this become more and more adopted, especially in fintechs and some of the more forward thinking organizations. On top of that, you can then enroll government credentials as well.

Mike Engle:
And the beauty of that, this gets into, for those not familiar with NIST 863-3, it says, take your live selfie, enroll two strong forms of government credentials. So if I just fast forward and show you then now the onboarding of some trusted form of identity. So let's ask the user to, sorry, I think the same video's playing again, let's ask the user to enroll their government credential, in this case, it's my driver's license. So this one here. And this is done simply by using the camera's capabilities to onboard the document information, matching the face to the face on the document with the one I just captured. And then, if available, depending on what country you're in, you can actually check the validity of the document with the issuing authorities.

Mike Engle:
So a whole lot happened there and you can see it takes a couple seconds, but now inside the user's possession, almost like in your real wallet, a credential matched to your face, when you get pulled over by the state trooper, or you go through a TSA checkpoint, they're comparing your face to a document, now we can do that in a digital fashion. And so this is really the future of it. From here, now you just have to onboard the user. And that's where in the slide with the two flows, send them a magic link, let them click on it and let them type in their existing AD username, password, and marry it to this now strong biometric and private key, and you're pretty much on your way. So Sam, I know you [inaudible 00:34:32].

Sam Tang:
Yeah. Mike, I just want to make sure that we emphasize that the words that you were using, enrollment and onboarding, those are key words here. What if you're able to actually apply this technique here to your onboarding of your workforce, to your contingent workers, to your employees, as well as what if you're able to actually use this as the technique to onboard your B2B, your third party, your business partners, allowing this as a mechanism for you to continue to simplify the onboarding and the enrollment and to continued vetting of the users in your environment, either it be a customer, a business partner, or even your workforce.

Mike Engle:
Yeah. It's like you read my mind, so I threw the slide up for you. Yeah, it's exactly right. Send them a link to get bound, they can authenticate any one of a number of ways, last time that they'd have to use that legacy credential, and now they're linked with a cryptographic secret and a biometric. So the actual implementation of this would be similar to this flow. So in this idea here, this is how now once that user has clicked that link, they basically have onboarded this credential into that same wallet that you saw a minute ago and only they have the possession of the key to be able to use this, and you have a couple options for authentication. So instead of your traditional username or password, you can engage with the system via QR code, via push, and then with simple device biometrics, let them into the workstation.

Mike Engle:
Or you're staring at your desktop, now think about the user experience on that, that is a passwordless exchange, and it's not just passwordless, but it's linked back to the binding that we did, and so with a click of a button, this user that was onboarded wouldn't even know their Windows password. And there's a lot of support that has to go around that. What happens if they do need a password, you have to give them a break glass way to do it, and you can do that by clicking on the app and typing in a username and password. So Sean, in the passwordless experiences that you've seen in your clients, I mean, have you had any of your clients do user customer satisfaction? It's something that we encourage, take a before and then after, ask them, do you like logging into Windows now, do you like it after? I'm wondering if you're seeing the user experience be a big driver, not just the security?

Sean Ryan:
Yeah. So I mean, that is the promise of the benefit of going passwordless, is an improved user experience. I mean, you think about the ... one is the login experience and getting that down to seconds and very, very seamless, pick the phone up, hold it to your face, or scan a QR code, as opposed to retyping in a password, maybe having a one time password code sent via SMS to your phone, having to go retype that in. You just get into this multi-step thing that's not a big deal if you do it once, but if you're doing this multiple times, day after day, after day, it adds up. There's also thinking through the ability to reset this too. I mean, you think about all of the headaches that people face and how expensive it is for help desks when people need to reset their passwords. And put on top of that, the fact that there's a quarterly typically scheduled password reset for companies and people reset their passwords, they forget them, this just happens again and again, and you're doing that and it's not secure because you're reusing similar passwords across other sites.

Sean Ryan:
We're still seeing credential stuffing attacks, we're still seeing brute force attacks. So it just goes to show you that there's both the security and the user aspects to think about for sure. And I think it is important to have different authenticator options, different methods. You mentioned YubiKeys earlier, because not everybody is going to have a capable smartphone or it may not be the best approach for their particular environment. So having those different options for folks and really just getting them used to the process, as you said, I think it starts with people inside organizations who really want to try something new, then they can help share that knowledge and spread that through the organization, and you start to get to a point where people realize the advantages of the user experience from the new methods that we've got.

Mike Engle:
Yep. Yeah. We have just one more, either brave or foolish live demo that I'm going to do here. So this is the experience that's on our website. And what I wanted to show that I didn't have in the PowerPoint, is how you can apply that onboarding for new hires. So the idea here is onboard your identity documents, so here inside of my wallet, I've enrolled my driver's license and passport. And this is my real phone, by the way. And so you can instruct your, as you go through talent acquisition, they accepted their offer, follow these instructions and onboard yourself. It's verified by the backend system and then transmit the credentials directly into Workday. So I'll do this here, I'm going to actually move my phone off the screen because it shows me my passport and driver's license data. So I'm just going to sneak this off to the side for a minute.

Mike Engle:
Scan the QR code, and now it's asking me to prove my identity. This is different than Touch ID or Face ID. So now I have to prove that I'm the same person that enrolled my credentials last week or whatever it was. And there, boom, there's my location, my government documents are uploaded, because HR needs them anyway, they have to file them in the US for USCIS purposes, for example. And now with the press of a button, that credential can go directly from Workday into your IGA system, your SailPoints, your Saviynts or whatever, a link gets sent to the user encrypted with their public key so that only they can open it, and they've onboarded their Active Directory credential in two seconds. And so then literally on minute one, the user's coming into their Windows workstation, and I know I showed this a second ago, but now I asked our engineers to turn this on for live ID.

Mike Engle:
And again, live demo, we'll see how this goes. And I'm scanning a QR code, doing real biometrics before I get into this critical Windows workstation, and I am staring at my desktop. Murphy's law said that should have broken, but there we go, it worked. So there you go, the reason I wanted to finish up with that before we get into Q&A, is because that to me is real Zero Trust access into a system, nobody else could have compared that face to mine, except for Tom Cruise, when he 3D prints my face, puts it over his head, but even that, we've got a good story because we went through beta certification and they tried some of that stuff. So I think that's the future of identity based authentication.

Sean Ryan:
And Mike, just another important point, I think having the combination of that with a possession factor, so you verified the endpoint devices that you're using. So that's really important to make sure that we're not just relying on biometrics here, biometrics is not a silver bullet, it is great and it's first period of passwords, but these things alone, they do have their flaws and they're going to be attacked. But if you're using those in combination and you're making it pretty seamless and easy, very difficult for an attacker to overcome that. And even with that, I mean, you showed how fast you did it, so I think the user experience speaks for itself.

Sam Tang:
And Sean and Mike, before we get into Q&A, I just want to add one more dimension to what the audience saw today. That is, if you take a look at the risk and controls, using what you witnessed today, the audience witnessed today, if you take a look at the NIST, the ISO, the CIS set of controls, I was surprised in working with our risk controls practice here at EY, what the percentage of controls that were associated to credentials, passwords, and accounts and so on. If you look at that, if you put that lens on it, this here what you saw today is not just say a security and user experience, but also the implications of the impact it has with audit and controls, audit, and compliance, and risk and controls, it's a tremendous impact. So just want to ...

Mike Engle:
Yeah, there's an audit component of blockchain, which is one of its strongest places of adoption in enterprise is the immutable ledger. So imagine when SolarWinds happens next time, and you actually had cryptographic proof of how that person got to where they are, it can really ... because they can't modify the logs, blockchain doesn't allow that. And it's a private blockchain, and of course what you said, Sean, is there is no silver bullet, this is a tool in your tool bag of 20 things. You still need username, password and 2FA, the mainframe is not going to be using live ID anytime soon. I've seen plug-ins for RACF and nobody wants to develop to them. So probably all the young whippersnappers don't even know what a RACF is, right?

Sean Ryan:
Yeah, and I mean, we're going to live in this hybrid world, especially large companies that have been around for many years, it's not just turn the switch off on your mainframes and your legacy client custom applications, but you can reduce those. You can get those so it's a manageable thing that you're doing in a more legacy way. You can spend more time monitoring, focusing, auditing that stuff, and then the rest of your things, you can get to this higher confidence level of security, better user experience, and just really have to spend less time on really monitoring that, you get that in a more automated fashion, and you can use your limited time as an IT security pro wisely, right?

Mike Engle:
That's right. Yeah, that's right. Time is of the essence. So yeah, there's a couple questions that came in. And one of them, which we get asked all the time as we're talking to clients, is what happens if you lose your phone? And that is the age old question, and really, the answer is you figure it out. And as silly as that sounds, it depends on the company, the risk profile of how they want to allow a new phone to get onboarded. And I'll explain what I mean. There are ways to back up a private key, just like there is in the crypto world, you can save a file, which is your digital certificate, but you can also prevent people from doing that. And in a workforce scenario, you might not want them to be able to back up that key and put it onto an Android phone that doesn't have an MDM or whatever. So it depends on the profile.

Mike Engle:
That private key can be stored in Apple iCloud, all kinds of options. Of course, the private key is the key, so the more loose you are with it. What most clients will do is they want their employees to go through some hurdles to prove they are who they are before they're re-onboarded a second time, because the bad guys will leverage that exception process to try to get in, red teams, tiger team type stuff, right?

Sean Ryan:
Yeah, that's one I think about a lot, Mike. I think you know when I talk to you or other providers, that's always one of my key questions because it is a potential weak point. And if I were an attacker, I would go after that exception, that reset, I'm going to try and social engineer my way into getting that credential, bypass all of these wonderful controls that are in place by really just simply tricking someone into that. So part of this is beyond technology, it is your processes and the organization, making sure you're working with your providers to come up with the best approach, and that you've thought through these scenarios. It could be, some companies may do backup YubiKeys for critical employees so that they can very quickly switch over.

Sean Ryan:
But if you do get asked for a reset, you're verifying, you're still trying to ping that device, is this you, let's confirm through that, through email, through phone. You're doing multiple channels to really, really verify that that reset has to happen. And then it's a magic link or something, you do something temporary till you can ship them a new device or verify a BYOD device that you're going to reauthenticate. But just can't emphasize enough how much you want to really focus on that and do that part right.

Mike Engle:
Yep. Yeah, and then the other-

Sam Tang:
And Mike, let me add something to what Sean was just saying. I think I mentioned it earlier, this is a cultural shift in people's thinking, and you must treat it as such. The cultural aspect of this technology, these techniques, and Zero Trust itself, it's a major shift and it has to be a shift in the way that we think, and adoption is associated to that cultural change.

Mike Engle:
Yeah, maybe we can mint an NFT of this episode and go sell it after the show. Wouldn't that be awesome? In the spirit of that decentralized world, there's been a bunch of questions in chat, I'm just looking over here in the corner, that our engineering team has been answering. But we talk about wallets and decentralized identity, and we've been talking about this stuff for a few years and it seems like everybody's like, yeah, is it ever really going to happen? And the way I see it is yes, soon. Soon is relative, in dog years, it could be a hundred years. But you have now the mechanism standardized and agreed upon of a decentralized identifier that can go maybe between MasterCard and Visa and the bank and the telco or the government, they have to form that agreement, but the pipes and plumbing is there, you've got these universal resolvers.

Mike Engle:
What is really messy though, is when you go up a layer into the Trust over IP stack. So you have the network layer, then the wallet layer, and then the application layer, that's where it's still a bit nebulous. And so what we showed today, what I showed here is our adoption of that to be used by an organization to solve real world security problems. When bank A wants to share an employee credential with organization broker B, we're ready to do it, but the agreements and the standards are still working out up there at those upper levels. So no silver bullet there either, to use Sean's silver bullet terminology, but everybody's trying really hard, I mean, I'm sure both of you are seeing a lot of exposure on the verifiable credentials front and the decentralized identity front. I know Sam, you're pretty plugged into those environments.

Sam Tang:
And when we talk about decentralized identities, also sovereign, passwordless, the way that I describe it to our clients, and the way I speak to the industry experts is that there's four Rs as to what we do, realization, readiness, resiliency, and remediation. And at a minimum, what I tell my clients is that you have to be focused on the first two Rs, which is realization, which is understanding what you're really dealing with and what you're managing from access standpoint, and be ready when it's here. So realization and readiness are the two main Rs to really focus on.

Mike Engle:
Cool.

Sean Ryan:
Yeah, that's important, and same with passwordless, we're still early days on this stuff, and you don't want to just dive in blindly and then figure out after the fact, I didn't think about all these considerations. But this is the time to be testing, doing some pilots, working with your user groups. A lot of companies will start with their IT folks, hey, you're savvy, let's try this out on you, you can help us bulletproof this thing, we can go through some of these scenarios, like you got to do a reset, you lost your device, it was stolen. Let's see how we work through that and what are some of the issues? And let's try and think about it when we get to less sophisticated users in our user population and what they might encounter.

Sean Ryan:
So really important. And Mike, earlier on, you were bringing up things like the SolarWinds attack and passwords being involved in that, and then there was Golden SAML attacks. So even how you link up your single sign on, your [inaudible 00:52:05] provider, for example, to multifactor authentication. And you need to think through that process to make sure that not just on the front end multifactor authentication, but also on storing the SAML certificates, that those can't be attacked. So there's many things to think about with this, but now is the time to start. I think you don't want to be the last company jumping into passwordless, because the attackers are still going to go after the passwords because it's easier, it's much easier. And the next level is SMS two factor authentication. As you showed all those news articles, I've seen plenty myself of more social engineering, more SMS based credential attacks and SIM swapping types of attacks, those are going to continue to happen more. You can get over to this area, much, much more difficult to crack this stuff, but you still want to think through all those links of the chain.

Mike Engle:
Yeah. Pushes the problem more out to the edge than centralized, right?

Sean Ryan:
Yeah, there you go.

Mike Engle:
Yeah. Well, I think we've about done it guys. We're getting to the top of the hour. We'll give people a few minutes back, so they have time to get a bio break between their next back to back meeting. I wanted to thank you guys for coming on board. You just want to maybe let people know how they get ahold of you, do you like Twitter or LinkedIn, Sean, what's your mechanism, email?

Sean Ryan:
Yeah, I've got Twitter, LinkedIn, probably prefer LinkedIn or directly Forrester obviously, best way to reach me.

Mike Engle:
And Sam, personal cell number?

Sam Tang:
LinkedIn is good, or my email, sam.tang@ey.com.

Mike Engle:
Awesome.

Sam Tang:
I'm reachable.

Mike Engle:
Yeah, exactly. All right. Well, thanks again for hopping on and thanks to all the webinar attendees that hopped on. And for all these, there's probably about 80 questions floating around that have been going back and forth in chat, very interactive discussion. So thanks everybody, this webinar will be put online on our website and we'll be announcing the winners of these guys here and the passwordless identity package, shortly after the webinar. So thanks again and we'll see you guys online.

Sam Tang:
Thank you. Wish you a good safe. Bye-bye.

Mike Engle:
Bye-bye.

Sean Ryan:
Bye.

Speakers:

Mike Engle, CSO, 1Kosmos
Sam Tang, Managing Director of Cybersecurity, Ernst & Young
Sean Ryan, Senior Analyst, Forrester

This on-demand webinar will cover:

  • The key components of a Zero Trust Architecture
  • The inherent vulnerabilities and risks introduced from implied trust
  • The role of digital identity in delivering users a frictionless IAM experience

During the webinar, guest speaker Forrester Senior Analyst Sean Ryan, 1Kosmos Chief Strategy Officer Mike Engle, and Ernst & Young Managing Director of Cybersecurity Sam Tang discussed the role of Digital Identity in a frictionless Zero Trust framework.

Following the May 2021 Executive Order on Improving the Nation's Cybersecurity, many organizations are evaluating multi-factor authentication (MFA) and moving toward a zero trust architecture. But disparity in the way IT systems handle MFA, and a proliferation of one time codes, push notifications and other authentication protocols, are slowing deployment and complicating user adoption. Some have turned to passwordless authentication, but it still can't help security administrators identify compromised accounts, leaving them unable to answer the nagging question "Who is logging into my network?"