Redefining CyberSecurity

The State of Identity Management and Its Role in Modern Security Strategies, and the IDSA’s 2023 Research | A Conversation with Jeff Reich | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity, host Sean Martin connects with Jeff Reich to explore the complexities of digital identities and the importance of securing them in today's evolving digital landscape.

Episode Notes

Guest: Jeff Reich, Executive Director of Identity Defined Security Alliance [@idsalliance]

On Linkedin | https://www.linkedin.com/in/jreich/

On Twitter | https://twitter.com/JeffReichCSO

On YouTube | https://www.youtube.com/channel/UC8yfa2vRYDjS7TUWKAHIrwg

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of Redefining CyberSecurity, host Sean Martin connects with Jeff Reich to dive deep into the world of digital identities and identity management. Through their lively and thought-provoking conversation, they explore various aspects of identities, from multiple personas in apps to the challenges and risks associated with identity sharing.

They discuss the impact of cloud adoption and remote work on identity security, emphasizing the need for organizations to prioritize securing digital identities. They also touch on the role of artificial identities in smart devices and cars, and how AI and machine learning can be utilized in identity use cases.

Throughout the episode, Sean and Jeff bring a philosophical and science fiction perspective to the topic, using metaphors and engaging storytelling techniques to captivate listeners. They highlight the importance of policy and control in identity management, and the need for organizations to take proactive measures in securing digital identities. They also provide valuable insights from a research survey, revealing that identity security is a top priority for a significant percentage of organizations.

They emphasize the complexities of identity management and the evolving nature of identities in today's digital landscape. Overall, this episode offers a captivating and informative discussion on digital identities, leaving listeners with valuable takeaways and a deeper understanding of the importance of identity security in the modern world.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

Resources

IDSA: https://www.idsalliance.org/

2023 Trends In Securing Digital Identities (White Paper): https://www.idsalliance.org/white-paper/2023-trends-in-securing-digital-identities/

2023 Trends In Securing Digital Identities (Infographic): https://www.idsalliance.org/wp-content/uploads/2023/08/IDSA-2023Trends-Infographic.pdf

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello everybody. This is Sean Martin, your host, and you're very welcome to a new episode of Redefining Cybersecurity here on ITSP Magazine, where I have the pleasure of talking to a super smart people, much smarter than I, than myself, uh, looking at all different types of topics for how we can better support the business, uh, to deliver their services and products in a more secure fashion and protect the revenue that they generate when they do that. And one of the areas that I've seen over the decades that I've been involved in, in this space, kind of come and go in importance and in scope and awareness and attention is identities and identity management more specifically.
 

And of course, when you start talking to identities, you have to look at the access and authentication part of it too. So, um, Clearly, uh, there's a need to control access and manage identities properly. And, and who knows if what I'm saying, identity is what identity was 30 years ago. It's probably very different now. 
 

Um, I can immediately think of things like machine as an identity or an API as an identity, perhaps. Um, so I think we're going to get into all of that and because I don't know all the answers. I do have a lot of questions. I have Jeff Reich on from IDSA. Jeff, how are you?

[00:01:26] Jeff Reich: I'm doing very well. Thanks, Sean. 
 

How are you doing today?  
 

[00:01:29] Sean Martin: I'm fantastic. I feel like myself today.  
 

[00:01:33] Jeff Reich: Good. So you, you have control of your identity. I  
 

[00:01:36] Sean Martin: have, I know my identity and I have control over it. Yes. I'll  
 

[00:01:39] Jeff Reich: ask, I'll ask you that question at the end as well. Let's see how we go. Yeah, exactly.  
 

[00:01:45] Sean Martin: That's a good point. That's a good point. Um, and, and speaking, I've had identities, hopefully, hopefully folks, uh, have a view of what I. 
 

What I stand for when I try to accomplish here on the show, but I'd like folks to learn a little more about you, Reich, uh, Jeff Reich, um, to kind of set the stage for how you got involved with IDSA and this research that we're going to talk about and, uh, maybe even some of your journey leading up to this point

[00:02:14] Jeff Reich: in time. 
 

I'm happy to thanks the, I'm going to start with a journey real quickly. Now I've been doing this almost 50 years, so I'm not going to go through all the details because. You're going to run out of, out of bandwidth. So, exactly. But I'll briefly say, you know, my backgrounds in physics, I taught, um, for astronomy and physics for a bit. 
 

It worked in law enforcement, and then a little over 45 years ago, I got involved in information security, computer security, data security, it's gone through cyber, it's gone through a number of names. Um, much of it still, the core is the same. I started security programs at Arco Oil's company, I started a security program at Dell, at Rackspace, and a few other financial services firms as well, so this is what I do. 
 

I spent about 10 years working in some startups, and I had the opportunity earlier this year, in February, actually January, to take a look at IDSA because the founding executive director was retiring, was looking for someone else with maybe a little more expertise on what's going on, so it was, we thought, a good fit. 
 

Been enjoying it since then. It's still a journey, it's an exploration. Um, you know, identity itself is not new. As you said, identity hasn't changed. Yeah, your personal identity, and that's one of the types I want to talk about, really hasn't changed over the years. Everything else has. All the other rules are off. 
 

So I think we could spend time talking about this. IDSA every year, uh, conducts a, uh, research survey. cohort of organizations with a thousand or more employees, not restricted to technology, but that, that ends up where the center of gravity is. And we ask a series of questions, many of which are repeated year to year to say, what sort of trends are we seeing? 
 

And for those at home playing buzzword bingo, We do end up talking about AI and zero trust. So, so there's two of them out of the way right away. Yes, but, uh, but I'm not here really to talk about that. Although at some point we're going to say how identity really drives those and without managing identity correctly, you'll have neither effectively. 
 

[00:04:30] Sean Martin: Yeah. So, so many questions, uh, we can get. Technical, philosophical, operational, all the above. We'll see where things go here. Um, I, I want to ask quickly, how important is it to, cause you said the only constant is, is our identity. And, um, and as I say that I might question, well, have, has our identity changed? 
 

I'm thinking in terms of behavior. Um, cause what I was leading up to is the question is how important is it to look back at history? And how things have changed to better prepare ourselves for. where we are and what's coming.  
 

[00:05:11] Jeff Reich: So it's vitally important. Yeah. It's vitally important to look at history because without it, we will repeat every single mistake that was made. 
 

Because they're out there, it's human nature to go through either the easy answer, the quickest route, or whatever else may seem appropriate at the time. So if you look back at history, Um, you know, let's, uh, let's then maybe go back to Roman times. Let's go back to World War II, all right? World War I, even. 
 

Um, you're at a military base, or you're approaching a military base, and as you approach the gate, what three words do you think you're gonna hear? Open, says me. No, that's what you're gonna try to say, but there's three words that you're gonna hear. You tell me, Jeff. Who goes there? Yeah, go to any old war movie and you'll find who goes there as a sentry says that on guard.

And so that's, that's an identity challenge right there. And even if you say I'm Sean Martin, are you? We have identity and then we need a way maybe with an ID badge as time has come along, we have better ways of authenticating because in the past it was I'm Sean Martin and you know my friend Jeff and Jeff can vouch for me and someone can come to Jeff and say, is this Sean Martin? 
 

I'd say yes. And then they'd say, yeah, I accept this. You are Sean Martin. It was difficult without something like that. So now with the issue of picture ID cards. And, and unique, um, devices that are issued to an individual, it's easier to say, are you really who you say you are? So looking back in the past though, we can never forget who goes there because simply putting up an ID badge to open a door doesn't mean that you are properly identified. 
 

It simply means you have a card that's going to open the door. Yeah. So always go back.  
 

[00:07:09] Sean Martin: I love it. And so are we, are we learning from? History. Or if we continue to make some of the same, same mistakes, do you  
 

[00:07:20] Jeff Reich: think? You know, the, well, humans will always try to find a way. How can I make something easier? And, and actually I'm in favor of that. 
 

Let's remove as much friction as possible. You mentioned behavior earlier. I don't think your behavior, and we could, we could have a philosophical discussion about this. Does your behavior truly affect your identity? Uh, you know, depending on how you behave, you're still, I'd like to believe, you're still Sean Martin. 
 

Whether you're on a podcast, or robbing a bank, or flying an airplane, you're still Sean Martin. So, from that perspective, I think your identity really doesn't change. It's what I call your carbon based identity, right? It's, cause it's you. It should last your lifetime. Now, um, behavior definitely changes. As an example, if you go back, um, to the 1950s, and if you were to ask someone, what's your social security number, they would probably not think twice and give it to you. 
 

But they say, yeah, that's kind of how I do, that's who I am. And social security was new, it was 10 years old by the mid 50s. So, or maybe, uh, 15 or 20 years old, but still, it was relatively new. And then we reached a point where social security number was used to determine can you get into your bank account, can you do other things, and people started saying, no, I'm not going to share my social security number with you because that may give you access to something I don't want you to get to. 
 

So there's a behavior change. It's an artificial identity. The social security number is. That's the second type of identity. I talked about carbon based, now artificial. That's one type of artificial identity. And the reason it's an artificial identity is if it breaks for whatever reason or it's truly compromised, you can get a new one. 
 

It may not be fun or easy, but you can get a new one. You can't get a new carbon based identity. There's that artificial identity, which many people started to believe, I need to put a little more protection around this. And even then, you go into a doctor's office, and I still get it today, where they say, can we have your social security number? 
 

And my answer is always no, or sometimes if I'm nice, I'll say why. But, but still, no, there's no need to have that. So there's an example of an artificial identity that's been created. That originally people just thought of as a number and now people recognize is a form of identity, artificial identity, that they have to have some level of protection, so there's a behavior change. 
 

Um, I think a more significant behavior change is. If you go back to the 50s, 60s, 70s, because you talked about going back in history, so I'm staying with that theme. So if you don't like it, it's your fault. You took me here.  
 

[00:10:02] Sean Martin: We're back in time. Go for  
 

[00:10:03] Jeff Reich: it. Yeah. Um, if you go back, then people would love to say, Hey, I'm taking a trip and I'm going to Europe and I'm leaving in a month. 
 

Even then, the only people that really knew were your immediate friends, because you didn't necessarily rent a billboard and say, I'm taking a trip to Europe, right? A vacation to Europe. Your immediate friends knew it. And then along came social media, which more and more says, if you want to use a lot of these functions, you need to give me more and more information. Facebook.

Saying, I'm looking forward to my vacation in Europe next year. And all of a sudden, thousands of people could see it immediately instead of your three or five closest friends. That you know weren't necessarily going to disclose it. You've now given information about yourself, not necessarily identity based, but now you've put yourself at a higher risk because if they know your whole family's going, there's a good chance that someone wants to do something, your house is probably going to be empty. 
 

Just as an example. So, being comfortable giving up more and more personal information, entering your birth date into social media platforms, Which, by the way, isn't there simply for verification. It's also shared with, um, the people that sponsor, uh, social media apps and, and, um, and, and advertisements within it so that you can have more targeted marketing towards you so it's specialized towards you. 
 

Do you always want to give away your birth date? I don't know. Is that, it's often used as a form of authentication. Now, if you call the doctor's office, that's actually the first question I ask you is what's your date of birth. That's how they index your records. So an associated artificial identity, although you really can't change a date, I get that, that we're willing to compromise for the sake of, I want social media, I want access to this. 
 

And then at other times feel, no, I don't necessarily want to share that. So we haven't learned the lesson about what that really means. Can we be consistent? We're not there yet from a personal perspective. Now, from an enterprise perspective, things become much more complex.  
 

[00:12:13] Sean Martin: Oh boy. I always think the, uh, the, uh, the consumer world and general societal aspects are more complex, but maybe business, because we want more control and there's more risk for a business. 
 

It becomes more of a class. I'm going to, I'm going to dig into that in a minute. I think there's a, another identity type though we haven't touched on yet.  
 

[00:12:35] Jeff Reich: Yeah, there's a third. There's the carbon base, there's the artificial base, and there's a silicon based identity. And that's going to be associated with either embedded on a chip or a number of chips that are associated in a device. 
 

If you, um, see when I do it, this is my phone. This has a silicon based identity in it, or actually more than one. And I use an artificial identity to associate my carbon based identity with the silicon based identity. Now, that  
 

[00:13:08] Sean Martin: affects connection. That's either, what's that connection? I can presume it's, it's a password or fingerprint if it's a bio. 
 

[00:13:20] Jeff Reich: It may be a facial image. It could be any biometric, yeah, it could be a password, it could be one of these USB devices that's used to say, if I have this, I can identify myself. There's a number of ways that you can validate that the artificial identity is the correct one to use to link both the carbon based to the silicon based. 
 

Now, um, consumers are certainly involved in that. I, I, I'm an identity geek now. Right? I'm not yet recovering, but I'll have to be before long, and I have, I've trimmed the number of identities and accounts that I have, and I call number of, I call them personas that I have, either whether it's doing something on the dark web, which I'm not endorsing anyone does, unless you're really, really dumb or a high risk taker, or you plan it out and do things that, um, I have an email address associated with IDSA. 
 

I have a personal, um, a personal email address. I have an email address I use for banking. I have an email address I use for non IDSA professional work. As I said, I'm an IDSA, I'm an identity geek. I'm down to 12 email addresses right now. But the number of identities and personas I have in a credential management tool I have is 896. 
 

I actually removed one this morning. So, um, that's higher than most. But anyone that says, Oh, I don't have more than three or five hasn't looked because you have a bunch.  
 

[00:14:57] Sean Martin: Yeah, the personas thing I want to touch on quickly because I remember years ago, even for a single app, um, a buddy of mine mentioned that his daughter had multiple logins. 
 

AKA multiple personas to act and, and be part of that environment as different. So I don't know if that's, that plays into what we're talking about here today. I think I certainly from a consumer working with a brand, um, businesses recognizing that that happens, I would imagine. I don't know. Do we see that in, in, in employees and. 
 

Partners logging into businesses as well. That might scare me a little more. Uh, well, I  
 

[00:15:48] Jeff Reich: think I, I do see some of it. It's not as prevalent because with it, and it's actually more and more, um, apps are beginning to take steps to limit that, um, with consumers because they know of the risk involved. Plus, you know, is it cost effective for them? 
 

Is it, are they just churning more cost and not enough revenue? Um, but yeah, that does happen. Um, to either take advantage of different free trials or two different competing, um, players in a game, you know, each one of those is an artificial identity, um, in the, in the enterprise, in the commercial environment, you're seeing less of it, but you still see some, especially with partners, as an example, um, if I were to say to you, um, we're, we're partners now, you know, you, we have a partnership, uh, with ITP, uh, ITSP magazine and, Um, IDSA. 
 

We're going to give you an, an account to use to log in. And if there's three of you that do work and you don't say anything, chances are the three of you are going to share that account. However, so when I see something happen from that account that I may have even called Sean, I don't really know it's you. 
 

So some things that, um, companies are doing more so to limit that is say, I'm going to implement a form of two factor authentication. Now, I know, I, I believe you have your CISSP. And I have, I have, I am, uh, next year's 30 years for me, uh, with mine. So yeah, um, I'm old.  
 

[00:17:24] Sean Martin: Much lower number  
 

[00:17:25] Jeff Reich: than me. Yeah, I'm at a four digit. 
 

So, um, but you, one of the principles, um, you learn in, in that, in, you know, we, I heard you talk about identification, authentication, and authorization. You know, that's clearly one of the principles that's beyond CISSP, that's security in general. And, and going back to how do you, um, confirm that Sean is Sean, there are three, and now many consider four ways of having authentication. 
 

There's something you know that's a password. Something you have, which could be this token or could be a card key or something else. Something you are, which is a thumbprint, fingerprint, facial scan. And now a lot of people consider the fourth. To be where you are in it and where you are has to work in conjunction with one of the at least one of the other three you get any two or more though if you have multifactor authentication and that's a way that more and more organization is saying i'm issuing an account to sean and you have to register another device with me. 
 

And every time you log in, I'm going to put a challenge to that device to ensure it's you. I've just found a way to say, the artificial identity I assigned to you is now staying with Sean as opposed to being shared. Or at least I'm reducing the chances. You could also share the device, but you know, you could take this to the extreme at some point. 
 

So, I just talked about multi factor authentication, there's another buzzword. Bingo. MFA. I may fill the card.  
 

[00:18:53] Sean Martin: Yeah, you got it right in front of you. Now, but I want to, um, I want to get your thoughts on this, because I touched on it. Uh, at the beginning, is it possible to have digital identity without a carbon identity? 
 

I'm thinking, I'm thinking things that act on our behalf without us actually being present. So systems and IOT devices and, and, uh, automation driven by AI or whatever it is, it's doing something for us, even if we're not there.  
 

[00:19:30] Jeff Reich: Absolutely. Um, if you have a smart home device, a smart speaker, and you use, um, IFTTT, um, which is an easy, I wouldn't even call it a program, that you can just say when this occurs, every day at sunset, turn on this light, you know, you could, you could program it to do that.

That's happening without you there, without any other intervention on your, on your part. However, for you to program that, for you to set it up, for you to say, hey, when it's sunset, turn on this light. At some point, you had to do some form of identification authentication. Otherwise, anyone could just say, Hey, go turn on Sean's light every 15 minutes. 
 

And you wouldn't be able to control that. So, there's a digital identity or artificial identity associated with that, but there's still a form of control in that case going back to carbon based. Now, let's take that on the other side and say that, um, your car, for instance. And if your car is less than 10 years old, chances are you have an artificial identity with your car as well. 
 

And if you don't believe me, Just see if your insurance company has said you can get a reduced rate if you just take this device and plug it into the slot underneath your dashboard. Those are silicon chips with identities on them. That's an artificial, identity that creates an artificial identity for you. 
 

So they can uniquely say, you know, how, how good or bad a driver are you? Um, I, I told you at the end, I was going to ask you, how many do you have and how do you feel about it? So we're, we're kind of getting there. We're chipping away at that one. We are, we're working  
 

[00:21:07] Sean Martin: our way down. I want to bring it. Bring it inside the business now, I think we've had a pretty good, pretty good wrap session on kind of what it is and how it looks from the individual's perspective. 
 

And I think some of the use cases we talked about were societal or, uh, commercially driven, uh, B2B, or I'm sorry, B2C type stuff. We can talk about government interactions as well, but let's, let's look at kind of the employee and the partner and from inside the B2C, uh, experience with identities. Cause I know, and this might be a good time to start to dig into some of the research as well. 
 

Um, cause I want to understand. What organizations may or may not think about with respect to identity. What assumptions are they making? What, what gaps are they leaving? Where are they overdoing things perhaps? So I'm, I'm assuming some of that's in this research. Maybe you can kind of set the stage for us with what the research is, the, the, the scope of, uh, of the survey, and, uh, and then maybe also maybe, maybe the top finding that you think folks would really care  
 

[00:22:22] Jeff Reich: about. 
 

I'm happy to do so, and, and just, I'm going to put in a plug, it's free, so I'm not trying to sell anything, but anyone can read, can download the report from this research survey, any of the past four years, actually, at IDSAlliance.org. All you have to do is put in your name and email address. We do capture that, so we capture some of your artificial identity, yeah.

Um, but all we, and then you could say, I don't want you to get anything else, I just want this, this report, and that's fine, that's all you get. But, um, you know, I, I encourage people to take a look, especially if you're associated in any way with application development, identity, um, administration, or IAM, or security, because all three are affected by this. 
 

And to answer your first question, you know, what's the top thing that, that, Um, if I had to go away with one takeaway, and it, it's good to see, and we ask this every year, and it's improved a lot, really, in the past two years, but I'm looking at the percentages, we, we interviewed, as I said, organizations of a thousand or more, a little over 500 respondents on this, more than two fifth of them, if you would, or 44%, Say it's in their top three priority dealing with securing digital identity. 
 

It's in the top three of things are doing regardless of their vertical space, whatever business they're in, you know, another 25 percent say it's in the top five. Now 17 percent say it's their number one priority. So I didn't expect that to be much higher. But if you add just those, the, you know, those up well over half of the organizations we surveyed have said, Top five. 
 

We know we have to address digital identity security. So that's good news. I'll take that as a really good takeaway. Um, another question we asked is what factors are driving an increase if you're having an increase and every almost everyone said they are. Um, the 2 percent said they don't. Um, I'm driving that increase far and away right now. 
 

It's the adoption of more cloud applications. Many people may think that we're completely in cloud and everything's working that way. This will be available in the cloud. This podcast will be. But not everyone's there yet. And there's nothing wrong with that, but every day more and more organizations are migrating either partially or fully to the cloud. 
 

That increases the number of identities people have to have. And organizations feel that they're losing some semblance of control over it. Whether that's true or not remains to be seen, but they feel that way. So 52 percent say, yeah, getting more cloud stuff is top. And, uh, what didn't exist two years ago wasn't even on the radar. 
 

Last year, 50 percent of the people said we have to focus on this because of remote work. You know, so that's brand new. Um, and I, I can get into what some of the issues are and, and some, what I believe are some conflicting answers I see later on as well. But I, I, I see you have a question. Yeah. So, well,  
 

[00:25:21] Sean Martin: it it's that third, that third uh, pie chart there. 
 

And I know we weren't gonna talk too much about AI, but I want to talk about, I'll just, I'll just state it. 63% believe they can benefit from AI or ML for, uh, identity use cases. And to me. Or just forget how you arrive there. Um, the idea that you have use cases that then presumably define policy that then hopefully define controls or the actual rules that, that, uh, ensure you abide by the policy.

And then of course we can always talk about the, while we're monitoring to see, are we following it? And if not, who, who, when, how, why are we not following it? Um, so that's a mouthful there. Feel free to comment on it specifically around AI and ML, if you, if you have some specific points there, but to me, it's a sign that at least people are thinking about the policies, if they're looking to maybe, maybe something they didn't get to before, because it's so hard now, maybe AI and ML helps. 
 

[00:26:39] Jeff Reich: Yeah, no, I think there is some of that. You know, um, this is identity and identity management. It's not a technology issue. There's, there's nothing technology can fix. You have to figure out what you intend to do, what you need to do, come up with a plan and then do that and then go find the right tools, whether it's AI based or not, to get that done effectively. 
 

So we need to keep that in mind. It goes back to what you said. It's a policy issue. It's not a technology issue. So, um, anytime someone says, I'm going to go buy this tool and this will make identity management better for me, maybe, um, you know, would you go buy an 18 wheeler if you need to bring groceries home? 
 

No, even if it was a nice, shiny 18 wheeler, it doesn't make sense. So figure out what you, maybe an EV. Yeah, there you go. But boy, plugging that in, that's gonna, your whole neighborhood's gonna brown out when you do that. Plug into the  
 

[00:27:39] Sean Martin: neighbor's house on that one. Yeah.  
 

[00:27:42] Jeff Reich: Um, so you still have to figure out what you're going to do. 
 

But one thing that has been found, and it was the number one response, the 63 percent you talked about, is organizations want to use AI to find all of their outlying behavior, outlier behavior, as in who, um, is constantly failing passwords, who is always trying to get to something they shouldn't be getting to. 
 

Here's a real big one and, um, we ended up having a number that, um, we won't dive real deep into this from the report that how long do accounts go when someone leaves your organization before you do something to turn them off or delete them? Almost half say immediately. That's great. Yeah, and that is, that's exactly what should happen, and going back to, um, CISSP, ISC2 says you should delete it immediately, that never happens, but you should be able to disable it immediately, and then find time to delete it after you make sure you don't have any loose ends, but we work our way down, and there's more than 5 percent that say, we don't really know if we ever take care of it, so now you have, and there's some that say, oh, three months, six months, once or twice a year we go through inventory and clean things out.

So you have a large number of accounts now, artificial identities, that no longer are linked to a carbon based identity. They're left hanging and they're ignored. And anytime you have an abandoned, ignored account, It's going to be compromised. I promise. It's simply a matter of time. It's not if. So there's a big, so a lot of organization want to use AI to start finding all that because to tell someone go find this. 
 

You need a combination of two things, a willingness to say, okay, maybe I'm new to the industry. I have to pay my dues. I'm willing to do this sort of looking line by line work and knowing what the ramifications are. And that mix doesn't exist. If you really know what the ramifications are, you no longer want to do that work. 
 

So it is difficult to get that done. That's an excellent task for AI and machine learning to start not only finding what's there, but start predicting when it's going to happen. And that's the number one, that, that 63%, those, that outlier. Um, the second one, which, and that, this is the only other one I'll talk about. 
 

is evaluating alert severity in the SOC or the Security Operations Center. This is another job that is often considered if you're, if you're a level one SOC analyst, you're probably new to the industry, um, you're, you may or may not have just gotten out of school, um, and, uh, it's essentially kind of paying your dues and learning a bit, and you see what happens when you have a problem that you have to escalate. 
 

I haven't met anyone that really likes that job, um, really, so, I, I personally, that job should be eliminated, and AI should be able to do that, I think we can do a better job of bringing people into the industry, and having, doing something they, they, they feel has more purpose, and, and the reason I think it can be eliminated is, 80 to 85% of every alert that comes into a SOC is gonna have a routine response. 
 

It's expected and, and should just be handled that way. You know, another five to, um, 7% are going to be something that requires a bit of thought, but may still apply to, um, a, a, a given script or a response. And then you're gonna have five to 10% that need to be escalated to a higher level of, of expertise and experience. 
 

AI can do that, that not the escalation, but the sorting out and dealing with, this is a rote response, we know how to deal with it, I can even report on it, AI should be able to do that and really make the SOC a fun place to work that is engaging and where people learn as opposed to I have my torture of paying my dues before I can get the job I want. 
 

[00:31:41] Sean Martin: Yep. And, uh, yeah, we, we, we love the SOC analysts and we want them to be happy and healthy and. Perhaps it's a redefining level one, uh, to, to up, up level them and to do more, more important things. Absolutely.  
 

[00:31:58] Jeff Reich: Exactly. I'm not trying to eliminate jobs. I don't want to have people laid off. I think there's a better job for them though. 
 

[00:32:03] Sean Martin: Exactly. Exactly. So I want to. Maybe talk a bit about what identity is used for. I mean, there's the authentication and, and granting access to stuff. I don't know if it's changed, but it used to be we let you in and whatever GPO you had, you had full rein and you can do whatever. And if, if you think we, one of the points we want to talk about is identity sprawl, but access sprawl as well, right? 
 

If you searched roles, um. You, you, uh, switch partner. I don't know what the point is. You, you move around, things change, roles and responsibilities shrink and grow. Uh, identities don't always follow that. So that's one point. And then the other is, um, even if things were static, um, using identity and, and the activities. 
 

To better manage access and control and what you can do. So let's go with the first one or you,  
 

[00:33:19] Jeff Reich: whatever you want. Yeah, one's going to lead to the next. Cause if you talk about identity sprawl or access sprawl, you know, I'll give a real quick story and you got to caution me. I do stories about everything, but I've been doing it long enough, but, um. 
 

I did consulting for a while, and whenever I was brought in for a consulting gig, there were three questions I always asked. And the first one was always, when did it happen? And often I'll get a blank stare, like, if it didn't happen, you wouldn't have hired me. So let's talk about what it was, let's get out of the way. 
 

So that's one. The next question is, And I know the answer. Can you identify all of your assets, what their value is, and how you're protecting them? Once again, if they could do that, they wouldn't have called me. They would have it under control. So the answer to that is no. And I'm not trying to beat them up, just saying here's, I'm letting you know what their risk profile here looks like. 
 

The third question I ask is, would you please introduce me to the person that's worked here the longest? 
 

And people never know why I ask that. And it's because of identity sprawl and access sprawl. Because chances are, not every time, but chances are, that individual, if they've been there 18 years... they have access to everything, because they've done five different jobs, and every time they got the access for that new job, then they went to the next job and got the access for that job, and then went to the third and got all the access, and, and often, the prior access was never taken away, well, they've been here 15 years, of course we trust them, what's the big deal, it's really pretty much a spaghetti mess, so I don't want to have to go untangle it, so there's identity sprawl, where they may have multiple accounts, and access sprawl, where they have access to everything. 
 

The reason I want to talk to them is not just for that reason, it's that you are the, you are target one. If someone wants to break in, you're the person they're looking for, because once they can compromise anything you have, they have access to almost everything. So Identity Fraud and Access Fraud are there. 
 

You know, there's a number of ways to do it using AI tools to start finding out where those outliers are, where is it needed, if it hasn't been used. If access hasn't been used in three months, should you cut it off? Should you disable it? Um, and I am gonna, I'm gonna go to another buzzword, which is not really covered in the, in the research survey, but, but it's important only because when I talk about, um, how to really get down to that zero trust helps you get there. 
 

I am not an advocate of zero trust solves everything and you should use it everywhere, but for your most valuable assets. You should be able to say every time you're going to do anything, I'm going to assume I don't know you, and you have to start from the beginning to identify yourself, authenticate yourself, and confirm access every single time you take an action for these valuable assets. 
 

And, and I think that that's a good tool where I, without identity, that could not happen. Um, the, the thing I want to close on really, because I think we're getting pretty close to there, is another term that you've heard me talk about, and that's identity as a perimeter. I, I, I've been involved with computing for a long time, back when it was just a computer. 
 

In an air conditioned room and that was the walls of the computer and the cable that had the terminal attached to it that was everything that was a perimeter all the data was contained in there then became a data center in those four walls became the perimeter then it became the network in a company. 
 

And now all the locations in the company on the network became the perimeter. And then it became the internet. And the internet became the perimeter, which essentially becomes infinite. So now we've lost that perimeter, but the perimeter has refound, refined itself within identity because that is now the first line of defense and your first point of entry to get anything done. 
 

So truly, identity is the perimeter. So, um, things like zero trust can't happen with it. Things like being able to protect appropriately and make sure that when someone should lose access, do they? Doesn't happen with identity. And without those artificial identities and decoupling them appropriately when you're done, when you sell your phone, you should be wiping it clear so your identity goes away from it, because you don't want someone picking up your identity through that. 
 

All of that's important and all of that's focused on identity.  
 

[00:37:34] Sean Martin: Yep, I love it. And you're right, we are, we are getting close here. Um... I want to give you a final moment to maybe, I don't know if it's in the report, or in your mind, or in, in, in history. Something organizations should probably take a look at with respect to their identity. 
 

Something that, that may stand out to you that says, in general, organizations are probably missing the mark here. They're not seeing something or they're overdoing it or they're reliant on something too much. What are your thoughts  
 

[00:38:10] Jeff Reich: on that? Um, this is something you'll find in the report that, um, there are some organizations that had over 40 identity management tools. 
 

Um, that's too many. I don't care how large you are. That's way too many. Now, one may not always do it, um, I think identity vendors need to start doing a better job, and that's mainly our, a lot of our members. Uh, we're working with them to say, what can we do to ensure that you can integrate with each other? 
 

You don't have to support each other. You don't have to be the same, but you need to be able to talk to each other. So that from an identity vendor side, I think that needs to happen. From the enterprise side, what needs to occur is, um, the organization needs to recognize that identity needs to become, here's another buzzword, bingo, become a frictionless process. 
 

Or at least as close as you can get to it because every time you create a new barrier for someone to get in, they're going to find a way around it. So why cause that and why put them in that situation? That means come up with a common way of identifying, say, employees across the enterprise. Come up with your process first and what you want it to look like, and I'll bet you can go find a tool that can help you do it once you do that. 
 

It's what most organizations are missing. Many are buying tools and finding a way to shove it into what they have and saying, this doesn't work. And that's actually worse, because then they say, I'm not doing this, it's too expensive and it doesn't work. So, define your process, come up with what identity means to you, whether it's a number, a person, biometrics. 
 

Come up with that commonality, find tools to support that, and wherever possible have access to everything based on that. And when you find your outliers, start pushing your vendors to say it's 2023, or when you're listening, it may even be 2024. Get with the program. We can no longer have a standalone, I need an ID only for your system. 
 

Give  
 

[00:40:03] Sean Martin: it the program. Give it the program. And uh, when Mark goes on with me, my co-founder, we often joke that I always have one more question. I'm not going to do that today. I'm going to give you one final, final word though. Um, IDSA. What, uh, how can people get involved both on the identity management side and then also on the operational side? 
 

What, what, what do you offer them and how can they connect with you?  
 

[00:40:34] Jeff Reich: Thank you. And there was a question in there, so you can tell him you did have a question. But thank you. Thank you for that. IDSA, Identity Defined Security Alliance. It's a member-based nonprofit organization. Almost everything we do is available for free. 
 

We're a nonprofit, like that research report, for instance. However, when you become a member, a business member, you get access to all the data that supports that report, including things we didn't put in it. Plus, you get access, if you're a vendor, to I have webinars as a corporate member. You can request and get some member round tables that either may or may not have vendors in them so that we can say how do we get together to solve problems. 
 

I recommend go to IDSAlliance.org. Take a look into membership. Membership ranges from being an identity vendor to being an identity partner, a consulting group usually, a corporate member, like any standard organization, a large organization that doesn't sell security or identity, and you could also be contributing, an individual contributing member, and that one's our lowest one. 
 

That costs 250 for a year. You get access to the resource, you get involved in some of the working groups we work on. Uh, cause we have working groups that, that develop, uh, white papers, blogs, um, best practices. So all of that's in there. I'm, I, in case you couldn't tell, really enthused about being here. I'm glad I had this opportunity to come this year and looking forward to, to build it even more and encourage everyone to come take a look at what we have. 
 

Um, take a look at what's free and kick the tires and let us know when you want to get more involved.  
 

[00:42:05] Sean Martin: Perfect. Jeff, I really appreciate it. And, uh, I'm looking forward to report number five. I'll join you next year. You're, you're welcome back. We can, uh, we can talk about the next one and see how things have changed. 
 

This is number four,  
 

[00:42:19] Jeff Reich: right? I'm not, I didn't, uh, yeah, we are number four. Number five is coming up next year. That's correct.  
 

[00:42:23] Sean Martin: So I'm ready for number five when you are. And, uh, I think the final takeaway for me is what you said. Give it the program. So let's, uh, let's do this. Um, thank you, Jeff, for sharing the research with me, and, uh, for joining me for this conversation. 
 

Hopefully we get people to think differently about, uh, identity management and what identities are and how it affects them. In business, of course, but, uh, but ultimately as, as individuals. So really appreciate  
 

[00:42:51] Jeff Reich: it. John, thank you very much. It's my pleasure to be here.  
 

[00:42:54] Sean Martin: And thank you everybody for listening or watching. 
 

And, uh, I'll link to that report. There's also an infographic, which, uh, is very helpful as well. And of course to, uh, to connect with Jeff and the rest of the IISDA team, the IDSA team, I should say, and, uh, be sure to share, subscribe and all that fun stuff and we'll catch you on the next one. Thanks everybody.