Identiverse (formerly the Cloud Identity Summit) will be in Boston, MA, June 24-27 and promises to be the biggest identity event of the year! Subjects ranging across the identity security spectrum will be covered in detail in the in-depth presentations, sessions, and fascinating keynotes.
But what is the current state of identity security? What are the problems facing identity and access management controls? To get a perspective on these issues, we spoke with Richard Bird. Richard is the Client Director of Optiv, Inc., and is a former CISO and CIO. He’s an expert in risk management and insider threats.
The following is the partial transcript of our conversation, edited for readability and length. You can read part 2 here:
Ben Canner: Today we’re talking about identity security, and how it relates to Identiverse (formerly the Cloud Identity Summit). My question to start off with is: where do you see identity and security going in the future? And how is that going to be reflected in Identiverse’s content—the sessions, the keynotes, etc.?
Richard Bird: There is starting to finally be a realization that if you don’t get identity right, you’re wasting all your money on your other cybersecurity. Every breach and exploit has shown that, but you still see companies neglect their identity controls and access administration.
As a brief example: when I took my first identity job, my CIO said “Congratulations! You have the easiest job in the world!”
I asked him what he meant. He said, “Well, it’s just giving people access. How hard can that be?”
We’re starting to see some changes there. The keynotes we’ll see this year at Identiverse will really bring focus back to the basics of foundational identity control; the idea that if people are failing to enact basic controls, it doesn’t matter how many flashy cybersecurity solutions you buy.
One of the things I’ll be speaking about concerns bad actors beating us. Corporations are spending more and more on cybersecurity solutions. But hackers are not hacking us with more expensive tools. They’re hacking us on social engineering, they’re hacking us on people. They’re not spending any extra money. We are. And they’re still beating us.
And it has to come back to the realization that we’re not giving identity the attention due.
Ben Canner: How are we not getting identity right? You mentioned the corporate culture issue at play here. Is that the core of it? Or is there something else preventing us from recognizing how important identity is in security?
Richard Bird: There are so many different layers to this problem.
First off, there’s the history of access. For a very long time—going back to the 60s and 70s—access was an administration function because it operated in isolation. Mainframes were not connected. There were no direct paths. Servers operated in isolation. Then the internet and e-commerce arrived, but that wasn’t the real gamechanger. Instead, it was exponential technology that sprang from it that basically invalidated all other security measures.
During a conversation I had the other day, someone said to me, “we’re spending hundreds and hundreds and hundreds still on firewall technology. Where does the firewall work now? What is the perimeter?” Well, now there is no perimeter. You’re gauging the activities of people that are in secondary, tertiary, IT supplier positions all at once. And that’s fostering all these complications, but we haven’t changed access administration. Instead, we keep going “hey, give them access.”
There’s one undeniable fact about business in general—and there are varying degrees of this based upon their culture, history, construction across the countries, etc.—but still to this day the vast majority of companies’ business leaders look at their situation and say “Well you know what? My employees do their jobs. Why would I install security controls? I trust them.” That last part is the killer.
I have this conversation a lot. Trust and hope do not affect security situation. They just don’t.
The hackers will go immediately to age-obsolete integrated credentials that are sitting on all kinds of corporate systems and they aggregate them to do of their bidding. “Joe” working in such-and-such an area for the past 20 years is given all this access because he’s a great guy. We trust him so we didn’t delete all of his accounts. 5 years later, the hackers are able to acquire those accounts.
We need to be open to other models of secure authorization. Companies try to buy security and everyone screams at them about overhead, client impact, customer impact, employees, etc. In no other place do we make this kind of argument except the digital realm.
When the cop pulls us over for speeding we don’t say: “you know, I really have somewhere to be for work. And even though I’ve paid attention that sign for the past ten years, it was really inconvenient this time.” It just doesn’t work that way in the analog world. We don’t have the same kind of efficiency expectations anywhere but in the digital realm.
Ben Canner: Is there a compromise for those needs? You mentioned the analogy of the speeding ticket but is there another way we can go about identity to bring the two values of productivity and identity security together? Or is that question reflecting the same culture—of productivity trumping identity security—that is part of the problem you highlighted?
Richard Bird: I’m thankful that in my 20 plus years, I didn’t spend all of them in cybersecurity. I came in from project management. I made my way through the IT ranks through that. My focus was really operation of IT and transactional technology.
I used to tell people all the time the reason I was a great CISO and a great security practitioner is because I’m a reformed reprobate. I was the lawbreaker. I was the worst lawbreaker of identity back when I dealt with the production side. The work had to get done. I used to make the same arguments.
It’s a really interesting problem because when you look at cybersecurity solutions providers today, you’re looking at companies that are making what they believe customers need…without any research into what customers want.
Think about the overhead created either by a security solutions’ processes that require X amount of additional steps for a job. The security solution providers say, “I’m going to give you what you need to secure your environment.” And the buyer says, “that’s great! But I need you to get me what I want: just a solution that provides this level of security and does not impact my business processes, my customers, or my employees.”
The problem is a huge number of solution providers, frankly, have never sat in an operations seat before a day in their life. One of my favorite statements is “don’t tell me you’re going to come in here and solve all my problems because you’re a mercenary.” Applied here, this means that there is a disconnect between the implementation and management of an identity security.
Companies’ personnel have to run the solution, have to manage it, and in reality not enough security providers—almost none—have ever sat in the seat of having to see all the outcomes and impacts that would cause them to modify their solutions and create better compromises to solve business problems
They look at security problems. They aren’t solving business problems. That’s the gap.
Thanks again to Richard Bird of Optiv for his time and expertise! You can read part 2 of our interview on identity security here.
You can use our promotional code REGISTERNOW18 when you register to save $250. Get ahead of the identity game! You should register here today!