Growth. Transformation. Can You Achieve Either Without Identity?
Video Transcript
Mike Engle:
Let's actually start off with something really not on the topic of the webinar, but yet it is, while we're waiting for people to come on in their back-to-back meetings here. This came out a couple of days ago. I figured it's a good icebreaker. A PSA from the FBI. See how many acronyms we can use on this webinar. Yeah, these bad guys in North Korea are sneaking into our country a whole bunch of different ways. The FBI put out this warning a little less than a week ago, a little over, yeah, about a week ago actually. I don't think this is anything new, Sam, you've seen this type of attack before, right?

Sam Tang:
Yeah. We're actually going to touch on this later in a little bit. It's what I call cross boundary access in defending against, or the geopolitical landscape that we're in with which this applies as well. We'll touch on how to actually address this.

Mike Engle:
Yeah. I know. There's a bunch of terms that we've, some of, we've coined one or two, but the industry uses proxy interviewing and contractor jacking. We'll touch on some of that as well. I'm seeing this make the LinkedIn circuits today. It's getting a lot of heat and I know the FS-ISAC has been warning about this to the financial services community for many years.

Sam Tang:
Yep.

Mike Engle:
Different day, new alert.

Sam Tang:
Yeah. I sent this to my cross boundary team and said, "Get ready."

Mike Engle:
Yeah, the phone's going to ring.

Sam Tang:
Yes.

Mike Engle:
Cool. Well, let's jump in and get going here. Quick intros. I'm Mike Engle, Co-Founder at 1Kosmos, live in Jersey. I've got three Labradoodles, five kids, two grandkids, all that stuff. A lot going on here, but really super excited to talk with an amazing giant in the industry and longtime friend Sam Tang. You want to say hi and just say something about yourself?

Sam Tang:
Mike, thanks again. Always the pleasure of spending time with you and you can give me the time and I'm hopeful that the audience finds this session insightful. It's really close to my heart, this topic, and hope everybody's ready for the long weekend. I'm not sure if everyone heard, but I'm not going to do anything this weekend.

Mike Engle:
Very nice. Love it. I'll aspire. Yeah, let's go a little bit Debbie Downer here to start. It's a new Verizon data breach investigations report. Nothing new. Every year this report comes out. It's like 200 pages of really detailed customer surveys, breach analysis, and surprise, surprise, the main attack vector is credentials, is humans. The old ways of getting into infrastructure, like hacking into the web server, is a minority of the attacks these days. We're here to talk about these top two or top four green buckets. I don't think we need to fearmonger our clients, Sam. I think they do.

Sam Tang:
I think we're going to cover this in a little bit anyway.

Mike Engle:
Let's start with kind of how things have changed, Sam. I think you told me this sometime in the last year or two, what you're seeing at the CIO level. I think the way you put it was we used to be able to buy tools to solve problems. The problem could be, "I need to be more secure." Kind of vague, but that's not really the state of the state today, is it?

Sam Tang:
No. In fact, this is a very good question and actually a very subjective one, because what I've found doing this for 30 years, seeing a lot of companies, is that no organization is exactly like another; no one's alike. Most importantly, they have differing priorities as well. There are some common things that I'm seeing. The common thing is this: misalignment of priorities between the C-Suite and the board, and what I would call the cyber security organization. When I say cyber security organization, it's not just about cyber and digital identity, it's IT and IAM, InfoSec, cloud security, digital identity, because a lot of the things that we do in security are starting to become merged as cyber security.

One, cyber security practitioners don't know what measurements to provide leadership to justify the spend. Two, leadership and C-Suites and the board can't really describe the measurements that they're expecting from cyber security. When you take those two things and combine them, it is very difficult to prioritize. Another common trend that I do see is that even the C-Suites and the board themselves can't agree on what value means to the business and how cyber security offers that value to the business. This could be in the form of operational efficiency, risk reduction, audit and compliance, end user experience and business adoption, but more importantly, cost.

Cost is the one thing that is common across the board. It's really the cost of doing something and the ROI that's expected to be returned, or the value that's expected to be returned. Secondly, it's the cost of doing nothing, because there is a chance, there is an opportunity, to fix some audit findings if you could. But if you don't do anything, there may be a chance for audit findings. It's really about being able to actually understand what to prioritize, and to gain alignment across the board as to what is expected from cybersecurity.

Mike Engle:
Yeah, no, well said. I know we're going to get into some details on some of those various components here in just a second. Actually, in the spirit of that, one thing that I've learned from the EY cybersecurity identity practice is the four Rs. Again, we've called these different things over the years, but I really like the way you've framed these up to really drive into a couple areas that we need to focus on. These do look familiar to you, right, Sam?

Sam Tang:
Thank you. Thanks for the plug, Mike. Again, this is very close to my heart because after doing this for 30 years, what I did was over the past couple of years, I took a step back and I said, "All the things that we do in cyber and digital identity especially, is there a pattern of things or how we can group these things to measure?" I'm going to be using the word measurement a lot today. The measurement here is really about gauging where the company is from a maturity standpoint with the cybersecurity program, compare it against the peers as well.

I can say the four main components, as you can see here, are: realization, do you know everything that you need to know in order for you to satisfy management of access to things? Including things like, I think what you brought up earlier about the Korea situation is, have you classified your assets in order for you to prevent and be able to defend against those types of attacks? Not just data, it's infrastructure, cloud, devices, network, application, data, most importantly people.

Readiness. How ready are you for unforeseen changes, unforeseen multinational, geopolitical situations like what you just mentioned about Korea, and being able to actually understand how we get ready from a digital identity and cybersecurity standpoint? It's going to go a long way to really be able to not worry about things that you don't know.

Resilience. This is one thing where a lot of people think micro segmentation and hardening the network is all you need to do, but actually, no. People hear about zero trust, and that's a buzzword that's coming down, but least privilege is still here. This is really asking: are you applying least privilege to everything that we do for authentication and authorization?

The remediation is, if something does happen, how quickly can you respond and recover with the most minimal impact possible? I do want to go back to the realization before we move on. I'm going to quote one of my heroes growing up, and I hope the audience will get my reference here: "Knowing is half the battle." There's a lot of wisdom that comes with that statement, because without knowing, you can't really execute on the remaining things that you need to actually address. Without knowing and having visibility into what we're really managing, that means that you really can't be ready to tackle anything, and everything will be tactical. Resilience: you don't know what to lock down unless you know what the risks are. Recover: you don't know how to recover and remediate unless you know what is ahead of you and what could be breached. Again, the four Rs is really a technique that I'm using to really put everything that we do in cyber security into these buckets so that we can actually measure for the C-Suite and the board.

Mike Engle:
Now a question that I think we need to explain is, who is the hero from the eighties, right?

Sam Tang:
Yeah. It begins with G, and I'm going to leave the middle word out.

Mike Engle:
I thought it ended with Joe, but I'm not sure. That's great. We'll let the young whippersnappers go Google that one and figure it out.

Sam Tang:
Knowing is half the battle, there's a lot of wisdom to it.

Mike Engle:
It really is, yeah. Let's dive into that. Realization, how well do you know your environment? I ask my prospective clients and even myself when I was doing this stuff at Lehman back in the day, "How many types of identities do we have? What are the authoritative sources for each?" Just starting there, when you talk to your clients today and they're like, "Oh my god, a regulator knocked on my door and they asked this scary question," or whatever it is, what is it that you ask them first and try to figure out in this category here?

Sam Tang:
Yeah, and really the personas that we're talking about, the types of identities that we're talking about, are not just human identities or even machine identities. To me, everything within the ecosystem that needs security is an identity, including assets, including devices, including even things like forklifts for manufacturing companies. It's really about the identities that we're talking about being a prompt word. Anything that touches authentication or authorization, to me, is considered an asset of identities.

Mike Engle:
Yeah. Yeah. We have a question in Q&A that we typically will save for the end, but the question is, it's a fair question is, "How do you know what you don't know?" I think you start at least going back to an IPv4 layer, you know your networks, at least you'd better, and if you don't know that every port on every switch is occupied, you have a really long way ahead of you. I think we'll touch on a little bit of that some more as well. Robert will answer that here in script in a second.

Then getting deeper into the weeds, so you have all these accounts and these authoritative sources, how many different ways do you have to authenticate today? I know that if I'm just looking at my 1Password account, oh geez, I just did a little OPSEC. I told everybody what my password manager is, but it's the only one out there. I have over 1200 passwords, and when I type AUTH on my iPhone to look at my authenticator options, there's six different apps. In large enterprises, I think it's even worse. Again, Sam, your thoughts on experience with authentication and what can be done here.

Sam Tang:
Yeah. The first part, quick answer: way too many. This is not just about my authentication for the laptop that I use for EY, this is also about the laptops I get from clients and also my personal things. Even during the digital identity forum, I'm not sure if you remember the story I told, if you take a step back to the day you were born, you begin having identities and need to worry about who's got access to buying information, who's authenticating information about me. You say 120, but if you compound that as a persona of an enterprise user, and if you compound that with a B2B user, a B2C user, personally, you're looking at something like 500 and above, so way too many.

Mike Engle:
Yeah.

Sam Tang:
Really the second thing here is really about, shouldn't we from day one know everything that we need to worry about from an authentication standpoint? The answer is yes, but at the end of the day, like I said earlier, realization's key.

Mike Engle:
Yeah. The third category here is, how many of your systems still rely on weak credentials? Frankly, in my opinion, every credential that is using a password is weak because it can be intercepted, coerced, caches can be cracked, et cetera. This is really important. Not only do you inventory, but you have to measure the efficacy of them, how strong they are, et cetera. If you can't measure it, right, that's part of the challenge as well.

Sam Tang:
It's difficult, right?

Mike Engle:
Yeah.

Sam Tang:
I'm not saying that it's easy to measure things like this, but it's difficult.

Mike Engle:
Yeah.

Sam Tang:
I can say this though, and my previous comments about measurement and prioritization: if you can't accurately measure it, maybe it's time to think about how you are prioritizing it. Maybe you should revisit it and take a look at it closely. Measurement is very key.

Mike Engle:
Yeah, I have this chart that we've made for one of our clients. We had to pull teeth to get this out of the CISO and head of identity security engineering layer. These are basics. I have an SSO system, I've got operating systems, I've got 2FAs and MFAs and KBAs and RBAs and all these other things. Starting here at least lets you know what you can go out and try to fix. I'm going to just dive into the next R, which is resilience. You are ready, you've cleaned everything up, something bad happens, right? Let's talk about identity resilience, Sam. First, how resilient are your credentials? If you start with a password, like I mentioned before, you're behind the eight-ball.

Sam Tang:
Yeah.

Mike Engle:
Tell me what you think about the identity attack surface.

Sam Tang:
Yeah, again, I'm going to go back to what I said earlier: the attack surface we're talking about, a lot of people think passwords are associated to human identities. Don't think of the word password, think of the words tokens and credentials. It's not just about passwords. What we're really talking about here are things that you don't normally think of having to worry about passwords or credentials or PKI for, things like assets, like devices, infrastructure, physical tokens, the management of those physical tokens, servers, synthetic identities, both interactive and non-interactive synthetic identities. Being really just focused on passwords, it's not viable. Unfortunately, password authentication is here. It's reality. Mike, five years ago when passwordless authentication was just emerging, people thought, "Oh, that's not going to be adopted." If you look across the landscape now, passwordless authentication is an expectation, it's no longer, "Is it real or not?"

Mike Engle:
Yeah.

Sam Tang:
One more point. This will only be stronger as time goes on because identity verification needs to be a part of the process of gaining trust and understanding what the trust is in your environment.

Mike Engle:
Yeah, we'll talk about verified identities here in a second as well. Something that's near and dear to my heart, because very few players in the industry do it well, especially as well as we do, is account recovery. Oh my god, if you set all this awesome authentication up and it's got certificates and 4FA, and then you have to start from scratch because you lost your phone, I got a new machine, what's the fallback? It's username, password, phone calls, jumping through hoops. It's really painful. We'll talk about that in a little more detail. Here's a little bit of a litmus test, Sam, that I'm sure you work with your clients on. If you can give a credential to somebody else, including this YubiKey that you tap, or my smart card, or a username, password and 2FA token, I can give that to anybody. Can you trust it?

Sam Tang:
I think you just mentioned it, right? The problem with physical tokens is that there's no guarantee that the person holding the token is actually the person they say they are. As a by-product, you still have the management aspect of this, where you have to deal with lost tokens, forgotten tokens, and renewals. There's a lot of maintenance involved when it comes to physical things that you have to manage.

Mike Engle:
Yeah, yeah. Part of resiliency is making it simple, easy, repeatable, and secure at the same time. Whatever the protected asset is, the first goal should be to get rid of the legacy credential. What do you replace it with? Well, we've talked a little bit about the concept of certificates or FIDO authentication and biometrics. Those are the only options. If you know it and can share it or guess it, it is not a thing anymore. This stuff on the left has to go. We talked a little bit about resilience on accounts and verification.

This is a little bit off script, Sam, so you might be seeing this for the first time. In the spirit of that FBI warning and the North Korea alert, just drilling deeper into identity resiliency, right? Did you know that you can verify somebody remotely with a pretty darn high level of assurance? Of course, us industry Identiverse types, we'll know that this is a thing, but these points of entry into a firm, new hires or, "I'm in and now I need to hit my PAM," or I'm a remote caller saying, "Hey, I'm Sam Tang, I lost my phone." These can be solved with identity verification, reusable identity, and it can be implemented literally in a day, a week max. This is not a heavy lift. Now of course there's wood to chop to tie it into your 4,000 applications or whatever, but just knowing who the remote caller is, is possible today. You can do this at any point of presence within an organization, tie it into your Microsoft conditional access in Entra, et cetera. A little segue there, but the bad guys don't know how to bypass passwords and MFA, right?

Sam Tang:
Yep. Let me add something to this, and Mike, this is not scripted, like you said, but I can say this: let's turn it on its head. What if we were able to convince companies, I know this is nirvana, again, what Mike said earlier is that these are our insights. This is not what we believe is the thing that you need to do or should do. What if you had the opportunity to convince the board and C-Suite that we can? Now it's time to flip it on its head, where no access is granted unless things are classified and verified. If you're able to classify your assets, which I spoke about earlier, the network, infrastructure, cloud, blah, blah, blah, blah, and you're able to classify, and you're able to actually say that every step of the way you're able to verify access at runtime using these privileged principles, that means that you shouldn't have anything to worry about, at least knowing what is classified and what should gain access and what should not gain access. Therefore, you can use technology like AI to detect anomalies better at one time.

Mike Engle:
Yeah, exactly. No, well said. I picture a day when every time we do a business transaction, there's a green check mark next to that little Sam Tang in the corner. Then I don't have to even worry about deepfakes if we do that right. Moving on into two Rs that we're going to combine together here, because they really work hand in hand, is readiness and remediation. This happens to many organizations. Bad guy gets in through some Citrix server or whatever it is, help desk, and their internal directories are compromised. All 50,000 of my AD accounts cannot be trusted now. What the hell do you do? How would you advise a client who calls you up at two in the morning, Sam, and says, "What do I do now?"

Sam Tang:
Yeah. Let me use an example, a recent example, where a CISO asked me, based on their audit findings, how can they address least privilege within three months? Okay. Least privilege is not a super tool. It's not a technology. It's not just process. It's not about data. It's about everything that we do in cybersecurity. It's about behavior and it is about hygiene. Truly, least privilege, there's a strategy for it, but the most important thing is to really understand what you're granting access to and remove the unnecessary elevated access first. Remove unnecessary access that's not associated to what a person's job should be. We've been talking about RBAC and ABAC for a long time, but no one really does it. What if we treated anything outside of the norm, which is not a part of your job, so that it's not a persistent entitlement or access that you have, but it's got to be continuously approved and monitored and verified?

Mike Engle:
Yeah. Yeah, we have a question popping up that we'll get to that's right on topic with what you're saying there, Sam. Let's move on and get to that one in a second because it's relevant. Verified identity, right? I think you said that you don't even like using the term IAM anymore, or account management; that's what we did in the nineties. Proofing, we've been talking about it, Gartner's now got it as like one of their top five things. Should organizations be proofing their users today?

Sam Tang:
Absolutely. Especially, Mike, if you even take a look at the NIST 800-63 spec, it talks about assurance levels for identification, authentication, and authorization. Those assurance levels are really a way for you to see how you can best gauge the trust of a certain transaction, the trust, the risk, the assurance, the tolerance level that you have. This applies to B2B, B2C, and B2C, especially on the B2B side, because in addition to the verification of the identity of the person, how trustworthy they are in the ecosystem, how about the legal entity the person works for? What if the legal entity themselves also should be a part of the equation, to see if the legal entity is trustworthy or not? The transactions that you were talking about earlier, Mike, business transactions, especially on payment fraud detection, it is emerging as a requirement because it's a cost plan. You really can't do payment fraud detection unless you're able to do verification services.

Mike Engle:
Yeah. Yeah, let's dive into some of those levers that we can pull on now, that we can actually measure, manage, save a ton of money, and reduce risk at the same time. We're going to just kind of quickly run through each one of these here, because these are real metrics that you can apply to your identity infrastructure that'll have real value, that you'll actually get high-fives for not only from your users but the C-Suite, right? Starting off with how many SSO systems do you have? We're all running around trying to get rid of some of the legacy systems, but obviously there's newer big players and you implement a new one. Do you get rid of the old one? What are some examples of multiple SSOs that you've seen at your clients? What are some of the problems there?

Sam Tang:
Yeah. Mike, we're seeing a lot of efforts, transformative efforts, from a lot of people realizing that there's a lot of benefit to consolidating the IDPs. Obviously cost, management, overhead, operations and so on and so forth, but people think they're going towards one, but actually it's always more than one. I'm still seeing legacy platforms like SiteMinder in the picture as well. There's a lot of effort in migrating and merging these technologies. Even once it's merged though, there's a misconception that once you merge, you end up with one platform, you're going to be one platform only. It's not the case, because cloud providers are still an IDP.

Even when you merge into a single IDP platform, it's not a guarantee that moving forward, because of M&A and divestiture and business transactions like that, you don't end up with multiple products again. That's why there's a lot of, Mike, you hear me say this word all the time, it's got to be how can you best coexist, knowing that there may be one or more products? How can you orchestrate across these multiple IDPs so that the experience is seamless?

Mike Engle:
Yeah. At the end of the day, your 2000 business applications typically still have 2000 unique identifiers inside of them. You do need them all to tie back to a single source of truth. It's really not about the number of directories, but about how you tie them together and mitigate the underlying risk on them. Touching on one of your favorite subjects, PAM, you already said the words zero trust once. We can't say that too many times or Beetlejuice will appear. What do you think about the entry points that PAM uses today, and can we do better there?

Sam Tang:
Yeah, and going back to what you asked about how many IDPs we have, my question is how many PAM products do you have? What's the coverage that you're using the PAM tool for? A lot of people combine PAM and things that we do in DevSecOps as a single thing, but I personally think PAM should be treated as doing some good things and continue doing those. It's not going to handle the entry points of machine-to-machine and device-to-device. However, I'm not sure if the audience has monitored the most recent announcement of a PAM vendor acquiring an MFA and PKI vendor. What that is really leaning towards is that actually they're realizing that their coverage needs to be expanded to cover device-to-device and machine-to-machine.

Mike Engle:
Yeah, yeah, exactly. We are seeing a lot of traction for verified identity before you can get into PAM. You don't have that certificate that says, "I know you're Sam Tang," just take 60 seconds and go prove it, right?

Sam Tang:
Yeah.

Mike Engle:
Another lever that is getting a lot of traction is logon times. Getting your employees, or even more important, customers, to enjoy using the system. Why is Amazon amazing? I can't remember the last time I've had to put my Amazon password in. It just works, and I touch a button and 60 seconds later there's a box on the front porch. Imagine if we could do that. I'm so spoiled. Imagine what it was like when we had to go down to Sears.

Now if you can log in, these are real numbers here from one of our clients. We deployed passwordless authentication into our remote access system in less than four weeks for 40,000 users, and they demonstrated $4 million, they did, not us, in the first year. We've kind of rounded this out. It depends on the industry, but you can save about $1,000,000 in efficiency for every 10,000 employees. It's not hard. Just get up a little Excel sheet and type in 15 seconds times 20 logins a day times 200 business days a year, and all of a sudden you're like, "Wow, this is real time and money that we're talking about." How many times per day do you log in, Sam, or your clients, are they worried about this type of metric?

Sam Tang:
I don't want to embarrass myself, but I do have to log in at least 20 times a day, not because we don't have the technology to do otherwise, it's because I walk away, I come back, I have to re-authenticate myself, and the 20 times is just really how many times I have to step away from my laptop.

Mike Engle:
Right, and $4,000 an hour at your billing rate, I mean, geez, they're talking about real money there.

Sam Tang:
Yeah.

Mike Engle:
Yeah. Moving on to the fourth one here, it's reducing help desk costs at the same time. What do you think the number one call into the help desk is, Sam? Any guess?

Sam Tang:
I'm not even trying to guess.

Mike Engle:
It's password resets, right? Account lockouts and password resets. The Gartner, Forrester stat is about $50 per call. Even if you take $20 and go add up 100,000 calls times $20, right? Let's cut that in half and save some real money here.

Sam Tang:
Yeah, let me give another product a plug here, and let me remind people where the space started from an IDP standpoint. There's a giant IDP that you're probably using or maybe considering using that starts with O. Even them, if you look back about 10 years, 15 years, they started out as a password reset tool for AD only, and see where they've expanded the services to cover more. To show you where this space is today versus 15 years ago, we're quite further ahead, but still the starting point is about password resets.

Mike Engle:
Yeah. We have a couple of pretty cool password reset options; if you just type "1Kosmos password reset," you'll see we can do it from an app, we can do it by verifying a call remotely. We might have time to show a quick demo of that here. Definitely the art of the possible is here today, it is possible. Then in line with the FBI alert as well, those terms I mentioned before, proxy interviewing, contractor jacking.

There was an interesting question that came into the chat. It was anonymous. I say to the anonymous asker, they ask the question, "I still seem to have to verify my identity over and over again." I think what they're saying is they're asked to go maybe fetch a 2FA code. For example, if you go to B of A or Chase and set up a new wire or Zelle destination, oh my God, verify your identity to log in, verify the new Zelle, I send you another code, I put $600 in, verify yourself again, and they're always within 60 seconds of each other. That's not identity, that is broken systems that just don't know how to take the session and trust it. What we're talking about is a verified identity, call it a wallet or whatever it is, but it's the digital version of the driver's license in your pocket or a passport. If you start your hiring process, talent acquisition, with a verified Sam Tang identity, because you need to know that you're interviewing Sam.

Sam Tang:
Yeah.

Mike Engle:
Start way back there, give them a credential that belongs to them, and you shouldn't have to ask for it again because you've got a biometric with every call. Is there an opportunity here, Sam?

Sam Tang:
Yeah, before I get into the question about opportunities, let me follow your thinking right now. The question was why are there still multiple verifications; that is because actually that's probably intentional. Maybe it was because you are traveling overseas, it sees that your location may be different from your usual behavior, or maybe you're switching devices, you get a new phone, or maybe your laptop is new, or your laptop just did an update on your OS and it lost some of the tokens it was looking for. The re-verification should be simple. The re-verification process itself should be very simple. It's actually doing you a favor when somebody's asking you for re-verification, because it's thinking that there may be an anomaly.

From your question about opportunity, I don't think it's only an opportunity, it's going to be a requirement. You saw the opening Korean situation that we're in. Injecting the verification process upfront in the recruiting and the talent acquisition stage actually helps a lot with the JML process. It allows you to really simplify, when you get to the point where it's actually onboarded as a new employee, what to provision. It's going to help with all that as well, because it's going to tell you what persona the person is as well: employee, worker, or frontline worker. Let the upfront enrollment and registration process and the hiring process do some of the heavy lifting for you. Before it even gets to the environment, you know exactly what you're dealing with.

Mike Engle:
I'll pop up a quick demo here. People ask, "What does it mean to verify identity?" Well, most of us today, if we've gone for a driver's license, you have to prove documents. Now when you go to open up a crypto account, you have to scan a driver's license. Let's assume I've done that. I've scanned in my phone a driver's license and it's now here. This is how simple it is to transmit that to Workday or whatever your PeopleSoft hiring system is, with the press of a button. Now me proving that I'm still the holder, that's it, I'm done. That data flows into the target system. It could be CyberArk, it could be anything, or your talent acquisition or HR hiring system. It really is that easy and I can reuse that over and over. I know what you're going to say, Sam. "Mike, what if I can't use an app?" It was right on the tip of your tongue. "I won't use an app, can't use an app, don't have it. Whatever. I'm still on a flip phone."

Sam Tang:
And the camera is not available to you.

Mike Engle:
Yeah, you're in an environment where you can't use a camera. You can actually do it with just a biometric; of course you have to trust it. Here's something we call our LiveID. I actually recorded this at your offices, Sam, for that event, the digital identity event. That's it. I approve my identity, liveness detection, and boom, right here, this is just showing my profile, my account. You can see under the hood, all of my credentials are available to me there and only available to me. Now with the press of a button, I can go send them to any target system. It's a combination of an amazing user experience and technology that's protecting not only the user but the organization. Just the last one that we had on the tile of six, I know this one's near and dear to your heart because you advise a lot on risk and governance and regulatory audits. Comment a little bit about what some of this posture can do for an organization on this front.

Sam Tang:
Yeah. Digital identity, there's a realization that digital identity is not just about human actors or identities. It is going to address a lot of your OT and IT set of use cases in manufacturing, insurance, retail, where there are actually physical locations that you need to worry about as well. In those physical locations, there are actually areas and assets that may be harmful to the people themselves who are working in that environment.

What we're seeing now is, we need to be able to apply the digital identity principles, apply them to how we manage applications and logical access, and apply them to physical assets as well, so that you can actually handle the situations where you can protect hazardous environments, whether a person's harmful or not. If the person is working in food manufacturing and we detect that the person is actually at 104 degrees, they should not be touching food at all. One more thing is, imagine you can apply this to every business transaction, like what Mike was mentioning. What if you're able to actually prevent fraudulent transactions, either via a consumer or even as a B2B transaction? What if you just take 5% of those, be able to detect 5%? That's a lot of money for those transactions.

Mike Engle:
Yeah, it is. Making it easy is key. We know how much we hate friction. I don't know if you remember when we finally put chips in our credit cards. I don't know, was it eight years ago? We were 20 years behind the rest of the world. I can feel my blood pressure going up a smidgen, because sliding that thing in took about four seconds when they first did it. I was like, "Oh my god, four seconds, this is terrible." Right now, you tap it. Of course they fixed that experience, and it's a thousand times more secure than magstripe or the cards.

Sam Tang:
It's kind of funny. We said tolerance level of risk earlier. I live in New York City, I still subway quite a bit.

Mike Engle:
Right.

Sam Tang:
Even though all of the locations support the use of a credit card, and they also tell you that you actually get money off as well when you do that, I still see people getting MetroCards.

Mike Engle:
Yeah, exactly. It's like the people throwing cash into the E-ZPass lanes on the turnpike, like, oh my god, I guess they don't want the man following them, so they're afraid of being tracked or something. I don't know.

Sam Tang:
Yeah.

Mike Engle:
Yeah, I'll show an example of an amazing user experience. I'll have you compare this to your existing authentication to get into Microsoft products. Imagine if it's just your username and your face. This is the future of consumer and employee convenience and security. With this same LiveID that you saw here, I have to slow it down because it happens so fast, it's that amazing. That's it. You're staring at your Outlook or whatever it is. This is the future, along with a verified identity under the hood. I can't just have a face; you have to have been verified with some type of root of trust, and you're in. That's what we're aspiring to get out to the world here.

Sam Tang:
Mike, let me throw something off script to you now.

Mike Engle:
Please.

Sam Tang:
What's your answer in your technology as to how you actually are able to handle people holding a photo up to the camera? How have you addressed it?

Mike Engle:
Yeah, so there are a couple of technologies now. This is my old expired Global Entry card, but you can bypass really weak systems just by holding up a picture on a phone, which you go get off somebody's Facebook. There are several compensating controls there. You can detect that the image is not a real person; that's what we call liveness detection. There are a number of really deep technologies that do that. You can tell that I'm moving a certain way. You can tell the depth of my face. You can detect that it's a screen; we call that a replay attack. For a video call like this, there are tools like Swap Face where in two seconds I could become Sam. I should have had it ready for this.

Now you have to detect injections into the webcam itself. There are methods to do that injection attack as well. It is a cat and mouse game. When you think something may not be right, you may have to take another step. To your point on my Zelle wires, there could be something funky in there where you're like, "You know what? Let's just do one more knock on the door before we let this go through." It's a risk.

Sam Tang:
It's a risk, trust, tolerance, assurance.

Mike Engle:
Right. Exactly. Is this person coming in from where they did before? All right, that's a great signal. They're not somewhere in North Korea. In summary, just wrapping this up, we can verify, we can modernize, we can get more efficient. These are the things that will be game changers inside of the organization and I think we've done it, Sam.

Sam Tang:
All right.

Mike Engle:
I know we had a couple of questions that were answered already by the guys on the team here.

Sam Tang:
Great.

Mike Engle:
Tell me where can people learn more about what you're doing day to day, following you on the TikTok or how does that work?

Sam Tang:
I sparingly use social media. I have enough gadgets and things that I have to worry about. They can reach out to me on LinkedIn, they can find me on LinkedIn and they should have my email address. Maybe we should provide my email address. Please feel free to reach out, even if it's a casual conversation. It doesn't always have to be about doing business together.

Mike Engle:
Yeah, we could talk about the Rolling Stones or doing nothing. That would be fun, right?

Sam Tang:
Yeah.

Mike Engle:
That'd be awesome. Well, listen, Sam, thank you so much for joining. It's always fantastic chatting with you about this and life stuff in general.

Sam Tang:
Yeah.

Mike Engle:
Hopefully we can do it again soon. Thanks everybody for attending in the lead-up to this holiday weekend here in the US.

Sam Tang:
All right.

Mike Engle:
Enjoy the rest of your time.

Sam Tang:
Take care. Bye-bye.

Mike Engle:
Bye-bye.

Mike Engle
CSO
1Kosmos

Sam Tang
Partner/Principal
Ernst & Young

When it comes to managing worker and customer authentication, most organizations struggle with a cobbled-together infrastructure: generations of IAM, IGA, SSO, PAM, and IDaaS running on as many operating systems, all wrestling over access control and user data and slowing digital transformations.

As a result, IT and security teams are strapped and users dissatisfied. Progress can't come fast enough or stop the threats that keep evolving. This has the enterprise architecture for identity shifting toward decentralization. This shift will bring stronger privacy controls and portable credentials, promising an improved and more secure user experience and ensuring an identity is present at every transaction. But how can IT and security teams adjust on the fly?

In this webinar, 1Kosmos CSO Mike Engle and Ernst & Young Partner/Principal Sam Tang presented an ROI-driven strategy to modernize digital identity across the enterprise.

By watching, you will learn:

  • The four Rs of Digital Identity: Readiness, Resilience, Response, Realization
  • An enterprise roadmap to fraud prevention and customer growth
  • A strategy focused on simplification, trust, and operational efficiency to accelerate adoption of digital services
  • How to account for edge use cases like third-party access and helpdesks when planning for digital transformations.