EPISODE 131
How Identity Really Works on the Internet Today



About this episode

May 9, 2023

What does identity on the Internet mean? What does the failure of identity cost us? Do we need to make any changes to the way we do digital identity? Let’s find out with our guest, Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA). Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

https://www.idsalliance.org/
https://www.linkedin.com/in/jreich/


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 131 of the Cyber Risk Management Podcast?

Kip Boyle: Jake, we have an amazing guest with us today, and what we're going to learn is how identity really works on the internet now and in the near future. This is going to be a great conversation. Our guest is Jeff Reich. Now he's the executive director of the Identity, is it the Identity Defined Security Alliance? IDSA. Now, IDSA is a not-for-profit organization, and when I was talking with Jeff earlier about IDSA, 'cause I had not really understood what it was.

But I kind of came away from the conversation feeling like it was a mashup of the Internet Engineering Task Force, which a lot of people know is the IETF, and the Cloud Security Alliance because of just sort of the way that they work. And anyway, I'm just so glad to have Jeff here. Welcome to our podcast, Jeff, and thanks for being our guest.

Jeff Reich: Thank you very much. It's my pleasure to be here. I want to say hello to everyone by the way. I'm Jeff Reich. As Kip mentioned, I'm the executive director of IDSA. Prior to that, I actually had been with Cloud Security Alliance, worked with a few startups before that, and I've been in the security field for close to 50 years. Started security and risk management at a few companies you may have heard of and we may talk about that later on.

Jake Bernstein: Wow, Kip. I think he's got you there.

Kip Boyle: We don't often have a guest that actually has more time in service than me, but this is fantastic because maybe I can learn a whole bunch from you now and I'd love that.

Jake Bernstein: So Jeff, everyone seems to be talking about identity management with a certain intensity that I haven't heard before. And I guess I'm wondering two things. Why is this? And then is this going to be a three or four hour episode? Is that what we're thinking here?

Jeff Reich: Oh, if you want it that short, we can trim some things down.

Jake Bernstein: Okay. So maybe six, seven hours is what we need to get?

Jeff Reich: I think that's what we could do or just make a series just about this.

Kip Boyle: Welcome back to Jeff part six.

Jeff Reich: Exactly.

Jake Bernstein: We're joking, but we're also not joking. Identity online is so important and I'm just going to, as I often do, ad lib for just a second, Jeff, before we jump into your points. Which is, it's the I in IAAA that people talk about, right? It undergirds so much and if you don't have identity, then you can't get to authentication, authorization or accountability. And this is just a fundamental problem. It comes up in my work with my clients all the time, anywhere from, "We're trying to comply with the Children's Online Privacy Protection Act. How do we know that the person clicking yes is the parent or the child?" These are all identity questions in a way. And so let's jump right in.

Kip Boyle: How do we know it's not a bot?

Jake Bernstein: I don't even know how we're going to know if it's not a bot given how sophisticated the bots are becoming.

Kip Boyle: So tell us, Jeff, why is everybody talking about identity management? Why is it such a thing right now?

Jeff Reich: Well, the two of you just gave great examples of why it's such a thing right now. Going back to basics, even if you ignore internet and go back in time, 50 years, 100 years. Think of yourself at a military installation and there's a sentry at the gate, what's the first question they ask?

Jake Bernstein: "Who are you?"

Jeff Reich: "Who goes there?"

Kip Boyle: "Who goes there?"

Jake Bernstein: "Who goes there?" That's right. That's really ancient. I mean, that's centuries old.

Jeff Reich: Oh, hey, I'm ancient. I've been doing this for years. So you start with who goes there? And everything's grown since then. Now identity really affects everyone and in some ways not very positive. The most vivid example that many people are aware of right now is ransomware. Ransomware seems to be everywhere, and it is because it's easy for the bad guys to be able to pull it off through either social engineering or good technical skills. Add that to data breaches that occur.

And regardless of when you're listening to this broadcast, I can promise if you Google latest data breach, there will be one this week. There will probably be one today. So that's happening all the time. And every data breach usually involves the taking of someone's identity information. So almost everyone's been affected, even if it's as simple as a stolen credit card, which is happening less frequently now, but still that's part of your identity.

For the longest time, that was the most common way to do it. Now it's more common for individuals to receive a note. It's usually a paper in the mail or sometimes an email saying, "We discovered on this date that we had a security exposure and your information was exposed. Here's what was exposed, and we're going to give you three years of free credit monitoring. Thank you very much for your business." That's very common. That once again, no one hasn't heard that yet. So it's time for all of us to get on board and all of us, in addition to consumers, all of us to get on board and say, "How do we control this and how do we secure it?"

Because there's my identity there's your identity. Right now three of us have an identity associated with this podcast. How do we control that? So thought,-

Jake Bernstein: I don't know.

Jeff Reich: ... what question do I raise there? And that's why I'm here, right?

Kip Boyle: No, there's so much popping right now in my head as I was just listening to you and I was thinking about things. Even with ransomware, the way that it happens is at some point along the line, the criminals impersonate someone or something like a privileged service account or something like that, right? They pretend there's somebody or something else.

Jake Bernstein: It really does. And the thing is it gets complicated because we all, we probably all have many identities. And if you've been on the internet long enough, if you've been on anything from the original dial-in bulletin board systems to, which I have too, me too. I was a kid, but I was still on them. It counts. To just being on different logins for different internet sites and forums. We all have different sub identities. And I think even answering the question of what is identity is tough. So I guess, where do we even start? Well, Kip, where do we even start?

Kip Boyle: I think we should start by asking Jeff to tell us how does identity work on the internet today? Because as you said, Jake, there's a long history of identity. And Jeff as you pointed out, right, even before we chatted with each other over electronic signals, there was this sense of identity going back to pre-history. So as the executive director of IDSA, how do you describe how identity works on the internet today?

Jeff Reich: Well, I'm going to do that in a couple different segments. I want to start with a little bit about IDSA because our main focus, our members are security and identity vendors and corporate consumers of that. Companies that use identity and security tools that eventually feeds down to consumers. And that's why you can't ignore them in a discussion no matter what tool you talk about, no matter what company you talk about.

Kip Boyle: Okay. So whether it's an Apple ID or Okta or whatever.

Jeff Reich: Exactly. So each of you mentioned, who am I or what am I? And that's a primary fundamental question. So let's start there, all right. Who am I? Is pretty basic. You have a carbon-based identity and that's you. It begins, I'm not going to say when it begins because that ends up being controversial, but certainly as long as you're alive, you have a carbon-based identity. And to a degree, it may even persist a bit after. But for the most part, let's assume that for your lifetime, your you is your carbon-based identity. Let's lock that in. That's an easy one.

And that's actually difficult to steal, right? Now, let's get to what I call silicon-based identities. There are some different names for this, digital IDs, artificial IDs. I'm going to explain how I look at them from the perspective of IDSA. A silicon-based identity is an identity of some sort that's associated with a silicon chip. So the most common one most people use right now are smartphones. Smartphones have, if you didn't know hundreds of chips inside them. Each chip has an identifier that says this is the chip. And you would be able to tell when was it made, where was it made and where was it installed.

So there's all those silicon-based identities that are out there, and you have your carbon-based identity. So the key on the internet is associating your carbon-based identity with all the different silicon-based identities you have. I mentioned phone. Your computer has a number of silicon-based identities. A lot of people don't think about, but if you stop, you will. Your car, if it's less than five years old and probably less than 10 years old, it has silicon-based identities as well.

And if you didn't know that there's computer chips that give you warnings on your dashboard or send a signal back to a dealership saying, "It's time for service or it's time to recall." Depending on what kind of car you have, you may even get an over the air update to some of your silicon-based identity functions. So all of that's there and it works well except that you want to be able to have a modicum of control over those silicon-based identities.

So you associate your carbon-based identity with those silicon-based identities through what I call the artificial identity.

Kip Boyle: Okay. So just pause for a second because I want to make sure I'm following you. So in all the examples that you gave me, I made up in my mind, a specific example, right? So if I'm on the internet, my MAC address of the computer that I'm using is part of my identity. So is my IP address, which happens at a higher level in the networking stack, but that's also part of my identity, right?

Jake Bernstein: And I don't think we've gotten there yet, if I'm understanding correctly. We're really at a fundamental level still. I think what you just said was artificial identities is when you start to build onto these things. That's where you get to the IP address where it becomes much more complicated. And I don't think I realize though, I should have that each individual piece of silicon in every device it must have its own little identifier. And I'm not even sure, a MAC address is an address of a conglomerate of silicon identities. Isn't that what it would be under this?

Kip Boyle: Well, it's actually burnt into the network interface card that you're using, right?

Jake Bernstein: That's right. So it's specific to-

Kip Boyle: A NIC. Every NIC has its own unique-

Jake Bernstein: ... Oh, I haven't heard that word in a long time.

Kip Boyle: ... I know, right? But that's what you get here on the Cyber Risk Management podcast. You dredge up all the stuff that's important-

Jake Bernstein: Throwbacks.

Kip Boyle: ... And the reason I went from MAC address to IP address is because a lot of people get in trouble with the law because law enforcement is able to connect an IP address to your carbon-based identity, right?-

Jake Bernstein: Well,-

Kip Boyle: ... So that's kind of where I was going.

Jake Bernstein: ... And I've done that. It's not simple and it's not obvious, and it's really, there's just a lot of assumptions and suppositions that are made when you try to connect that. And I think, proof is a funny thing. I mean, I don't want to derail us even though I'm prone to do that. But even just human memory of who was there, who said what, that is incredibly challenging.

Kip Boyle: "My Cousin Vinny," right? That movie is all about identity.

Jake Bernstein: I mean, I identity is... Okay, so artificial identities, let's-

Kip Boyle: Okay, let's keep going, Jeff.

Jake Bernstein: ... let's build from there, Jeff.

Kip Boyle: So we've got carbon-based, silicon-based and now the third one I think is an artificial, right?

Jeff Reich: That's what I'm calling it, yes. And by the way, whenever I'm about to derail conversation, I always preface it with, I don't want to derail us.

Jake Bernstein: Totally.

Jeff Reich: The artificial identity is what you use to associate your single carbon-based identity with each of the different silicon-based identities you have and it's not one to one. In fact, it shouldn't be. It could be dangerous to have one association of your carbon-based with all of your silicon-based identities. You should really focus almost on each of them or at least grouping them. And let me give you a reason why.

So an artificial identity may be a user ID. And Jake, you already talked about authentication. Let's kind of tab that for a minute and get back to it. But you have a user ID to get into a given system where a silicon-based chip, with the silicon-based identity is going to perform functions for you or with you on your behalf. Should that artificial identity that you create to associate you with that silicon-based identity, should that happen to become compromised, you do not want to put yourself in a situation where you use the same exact identification authentication to every single silicon-based identity you have, because then it acts like what I call an identity virus.

I'm going to coin a whole bunch of phrases here and we'll see if any of them have legs. I think the identity virus, it says what affected one system now spreads to the other because there's no immunity to it.

Jake Bernstein: Well, and that's the classic way that people get in big trouble with password breaches is that historically people who have oftentimes used the same passwords, oftentimes the same user ID, which is often our emails, which is an interesting choice. And man, this is already my favorite episode in a long time, Kip, and I think we're going to have to have a follow up or two because this is so fundamental and is so fascinating.

Kip Boyle: I love unpacking this and kind of getting down to the primitives and how you can build up to things that we use every day, but don't think too much about. This is fantastic. Okay, so Jeff, the last part that you talked about was a little abstract. I wonder if you could give us, Jake was starting to give us an example, but I wonder if you could flesh out what you're talking about with an example.

Jeff Reich: So let's say that you have a social media account. We won't have to say where.

Kip Boyle: Okay.

Jeff Reich: And my ID is Jeff and my password is Jeff's password, okay? I do not recommend using a password like that, but for the sake of this example, let's do that, all right? I use that to access my social media, which some people may consider important, some people may consider trivial. Now I am going to use online banking with all my finances. All my money is contained in a bank. I'm creating an ID, should I create an ID of Jeff with a password, Jeff's password?

And the reason that it may seem easy and convenient, but the reason you shouldn't do that, and this is very fundamental, is that should your social media account be compromised, then the bad guys that do that will probably try to see, "Where is this guy banking? Where does he live? What banks are there?" And try to log in with that information. And you may have just given them the key to all of your finances, all of your money.

Jake Bernstein: Right. That's interesting.

Kip Boyle: So it's... So it's great-

Jake Bernstein: No, it's my turn.

Kip Boyle: ... Okay, fine. Go for it.

Jake Bernstein: You go ahead. Fighting, this is going to happen the whole time. Okay, fine. I will take it briefly just because you reminded me. This really sheds a different light on the whole sign in with X, where X is some social media company that really took the internet by storm over the-

Kip Boyle: Well, I hate that. I never do it.

Jake Bernstein: ... I don't do it, I mean, so well, actually, I take it back. Sometimes I do because it's convenient. And it depends on the site. It may not matter to me, but what that does is it encourages the merging of these artificial identities over many different places.

Jeff Reich: Now the convenience is a good factor. Security shouldn't have to be hard, but there is a point of diminishing return. I group my identities into different categories from low risk, which may be social media, potentially, up to high risk, which is healthcare and finance for me, for instance. And I have four different strata in there. And I may combine things in what's called federated identity within one low risk group. I will never do it at a high risk group.

Kip Boyle: That makes sense. That makes sense. Because it doesn't matter if somebody gets into your not valuable social media account, and then at the same time they use those credentials to get into a website that you use to monitor the weather, right? I mean, it's not going to hurt you.

Jake Bernstein: Right. And you just used a buzzword that I think is worth briefly unpacking is what does federated identity mean? I hear this all the time. I have an idea, but from the identity professional's viewpoint, what is federated identity?

Jeff Reich: Using federated identity makes it, pardon me, easy for a consumer to say, rather than create a new ID and a new password for this site I'm logging into, it's giving me the option of saying, "Let's use my social," I'm purposely avoiding names. "Let's use this social media account. You can just click here. Once you've authenticated to that, I'll use that to log you into this new site that you're accessing." That's using federated identity and I'm using the social media account as the federated account. And I can use that to log into a number of different places.

Now your primary email server may do the same thing, probably a bit more secure. I'm going to say this, probably, a bit more secure than some social media. And I know don't at me please, that you can use for some sites but still, where is it in that risk profile? And I want to say real briefly, because we've talked about now consumers and merchants and vendors and identity providers, and I'm going to mention, again, I promise only because it's so important. The Identity Defined Security Alliance thinks this is so important we have created on the second Tuesday of every April of every year Identity Management Day.

And for those of you listening to this, the 2023 event has already occurred. But you can go to our website, idsalliance.org, still register for it, see recordings, and we'll make that available for you. And the reason I bring that up is that can help answer a lot of these questions. I'm not trying to defer them, I just want to make sure people know they can get some answers there.

Kip Boyle: Right. Well, we have limited time to answer questions here, but I would imagine a person could spend a lot more time diving deeply into the different sessions that they're going to be able to get access to from Identity Day. And when I think of federation, I think something we should definitely mention is that as a person who signs in using a federated function, what I'm not seeing is there's a whole bunch of behind the scenes where my social media ID is being shunted over to this other website that I want to visit without having to authenticate separately. And the federation is between those two websites because they're agreeing to trust each other. Is that right, Jeff?

Jeff Reich: Yes. I think that's a very accurate way of describing it. And it's convenient, it's good, and I encourage it at the appropriate risk level. Keep in mind, when your social media account is compromised, that means access to whatever else you're using it for is going to be compromised as well.

Jake Bernstein: And Kip, you just used the T word. And one of the other buzzwords going around right now is zero trust. But yet what I'm-

Kip Boyle: I didn't say T. I am drinking tea, but I didn't say T.

Jake Bernstein: ... You said, sorry, the T word being trust. You said trust a minute ago,-

Kip Boyle: All right, fine.

Jake Bernstein: ... they trust each other. What I'm saying, what I'm making, the point is that there's another buzzword called zero trust, but yet I think the reality is that there is so much trusting going on, particularly in the identity space. It's almost no wonder that breaches and violations happen all the time because there's just so many attack points. And I think I'm curious, Jeff, is there something, what's out there that... In a federated system, you've got different parties trusting. It's kind of a, well, it's a federated system. That's the point hence the name. But what about, in litigation world we talk a lot about data custodians, is there an identity custodian concept out there?

Kip Boyle: Ooh, nice segue.

Jeff Reich: Yes. Thank you very much. Yes. It's yet another phrase I'm attempting to coin, because every organization that asks you to identify yourself to them now becomes a data, pardon me, an identity custodian of your identity or part of your identity. It could just be your email address and a password. It could be, and in the US, even though it's not supposed to happen, it still does. It could be your social security number. There are still some healthcare providers that are looking for that as an example. It could be your driver's license number or your passport number or the federated system that you're using to log in. It could be everything associated with that.

So any organization that says, "I want you to identify yourself, create a login and identify yourself," they are now an identity custodian of your information. And this, by the way, is where a lot of the exposure, Jake, that you just mentioned about all the different data breaches can happen for two reasons. One, some of those identity custodians don't really know the reach of everything they have access to. And two, when someone wants to disassociate themselves from that site, they have to find a way to undo the spaghetti of connections to say, "Disassociate me from there, but keep me everywhere else."

Kip Boyle: Right.

Jeff Reich: Take that to the next level. When you sell your phone or give it to your nephew or whatever else you're going to do with it, you need to ensure you can disassociate your carbon-based identity from your silicon-based identity within that device otherwise your identity travels with it. And that's certainly not what you want.

Kip Boyle: Cars are a great example of that, right? Whether I'm renting a car or selling a car that I've affiliated my smartphone with because I wanted to listen through Bluetooth, and then my contacts get dumped into the onboard memory of the car. And if I don't clear that out before I sell the car or turn it back in from renting it, and I've just disassociated with geography, but that stuff's still in there.

Jake Bernstein: You know what's interesting? I just realized it's not even just silicon-based necessarily. Someone used to write down the VIN number of cars. I just did a bad thing, a VIN, not a VIN number. There's records of VINs to names and ownership. And I mean, that is also a form of identity.

Kip Boyle: And we do it too, Jake, because nobody really knows this unless you've become a customer of Cyber Risk Opportunities. But whenever we collect sensitive information about a customer, we never put their name on it. We always put an ID on it, a license plate we call it. And so if you tipped us over and stole all the sensitive data, you wouldn't be able to identify the sensitive, the secrets with their owners, because we've disassociated that in our little treasure box of secrets.

Jake Bernstein: Well, and just to make it clear, I mean, I've been spending a whole lot of time using the phrase de-identified recently working with clients dealing with HIPAA requirements. And then in the GDPR world, we'll call it pseudonymous or the best would be anonymous, where there's truly no identity. And I only bring that up not to derail us, but just to make it clear that there is almost nothing, this concept and this discussion doesn't touch in the modern world.

Kip Boyle: So it's air. I mean, we breathe-

Jake Bernstein: It really is.

Kip Boyle: ... without it.

Jeff Reich: And it's the oxygen in air that we use, because without that, we're not going to be able to function. The nitrogen is just there to make us feel happy but the oxygen is what we burn to actually get stuff done. See, you didn't know you were going to get a science geek here too.

Kip Boyle: Yes. Well, it turns out Jake-

Jeff Reich: I was going to derail us.

Kip Boyle: ... He's an attorney, but he's also a science geek, right, Jake?

Jeff Reich: No, that's true.

Kip Boyle: You started experiments on small animals or something, right?

Jake Bernstein: Mice and [inaudible], yes.

Kip Boyle: You were in the lab.

Jake Bernstein: I was in a lab. I mean, gosh, there's so much to unpack here. Jeff, how do we begin to make sense of this and ensure that we, along with all of these identity custodians, that honestly, we may not even know all of them out there.

Jeff Reich: Okay.

Jake Bernstein: How do we manage these associations as well as disassociations when no longer needed? And I'm going to just toss out a word. Identity sovereignty or data sovereignty is a big deal these days, and I have some friends that I would love to bring into a discussion with all of us who work in that space, but it's intimately tied to identity. So tell us what you think.

Jeff Reich: So there is a lot there. Let's briefly touch on sovereignty. The classic definition, and I'm not going to argue with an attorney about it, but the classic definition of sovereignty is that it belongs within a certain jurisdiction or domain, which is often defined by geographical boundary. Now, the challenge with that is the internet is not defined by geographical boundaries and as hard as you want, even there are very large countries in Asia that make it a point to say, "This is our internet." Even they with all of their power and everything else, cannot completely control the internet from staying within or outside a geographical boundary.

But the reason we look at sovereignty here is this, and we'll use GDPR as an example, is any identity information belonging to a resident of the European Union, the EU. By GDPR, the General Data Protection Regulation states that that information belongs to the individual, not to the organization. That is what I call the identity custodian. So anything that's going to be done with that, or anytime that's going to be reported outside of the EU's jurisdiction, you must first of all need the owner's permission and you have to abide by whatever treaty you're going to have.

The US has a privacy shield treaty with EU to say this organization is going to follow at least all of the security precautions that are required within the EU. So sovereignty becomes a really big question. I think it's going to become even more so as people become more mobile and can cross borders more easily. I think you just talked about another whole episode-

Jake Bernstein: Oh, that is.

Jeff Reich: ... about sovereignty. And I just want to make it a point that we haven't even yet talked about how you prove who you are. All we talk about is who you are.

Kip Boyle: But in the real world, we deal with that all the time. We're planning, my family's planning to go overseas, and I've got three young daughters, fourth grade and second grade, and we needed to get them passports. And so we actually had to present ourselves in person. There was no other way to do it. With them and with certified copies of birth certificates and so on and so forth. So we really had to put a lot of effort into establishing their identity for the purposes of getting a passport. And it had been a long time since I've had to do something like that to bind an identity in an official way, and I couldn't think of a more burdensome association.

Jake Bernstein: What's funny though is that really at the end of the day, even that identity is just a bunch of records. It's not, there's no-

Kip Boyle: You didn't take fingerprints, right?

Jake Bernstein: ... No, but I think it's a problem that we haven't, I mean, if you go back, way-way back, identity is, does somebody know you? And you could probably make it a math equation. Does my optical regions of my brain identify the shape of your face with the person who I believe you to be? But you don't really-

Kip Boyle: My [inaudible] does that to me every day. Multiple times.

Jake Bernstein: ... It does. And that's very math heavy. But I think to the point that identity is a construct is something that's worth just understanding. That we accept this construct. We use it, we have to use it, but it is a construct and it doesn't-

Kip Boyle: It's hard to scale.

Jake Bernstein: ... It is hard to scale.

Kip Boyle: I mean, isn't that really part of what's going on here, right, is that in most of human history, I could be Kip, the village idiot, but I was only in one village, right?

Jake Bernstein: And everyone knew you.

Kip Boyle: And I didn't need a last name, right? Because the geography was so small that they just knew me based on seeing my face and the way I talked and walked around and that sort of thing. And then we needed last names all of a sudden because the world, people got more mobile. And now we're trying to scale identity, not just for carbon-based units, as Jeff said, but now through SSL certificates, servers have identities. So now we're giving identities to things that don't even breathe oxygen. And that's I think, where a lot of this craziness comes from, is this attempt to scale in a digital world. I don't know, Jeff, what do you think? Does that make sense?

Jeff Reich: Oh no, you're spot on. Let's just look at the internet of things, all right? I would challenge everyone listening to this, yes, everyone listening to this after this is over, please finish listening to it 'cause I know we have more great stuff coming up. But think about, go around your house and count how many silicon-based identities exist in your house. This is your smart doorbell, your garage door opener, every webcam in your house, maybe a sprinkler system for your house, your router, your computers, your TV.-

Kip Boyle: Refrigerator.

Jeff Reich: ... That list is going to be very long.

Jake Bernstein: Every smart speaker, every watch, every, I mean, every smart watch, every tablet.

Kip Boyle: Right? Smartphone.

Jake Bernstein: I've even got, I've even got sprinkler timers that are smart devices.

Jeff Reich: Yes, I do as well. I've created a separate network for it, but still I have that, but I'm a geek, right? And I'm a security guy, so I have to be paranoid. I'm not suggesting everyone needs to be there, but everything we're talking about, the reason you shouldn't be scared is you need to find a good way to authenticate who you are. And most people know that as a password, right? Everyone has passwords for something. Passwords have been around a long time. They're kind of dusty. It's time maybe to be using at least something else, if not something to replace it, at least something to adjunct to it.

Kip Boyle: Well, there's another episode, right? Passwordless, right? Because that seems to be the next thing. Oh, look at Jake. I can read it on his face.

Jake Bernstein: Oh, no, no. I just wanted to say just what was the, I'm thinking of the clickers. I believe in World War II, the paratroopers carried the little clickers. That it was if you got challenged and you didn't respond with the clicker sound-

Kip Boyle: The pattern.

Jake Bernstein: ... then you would get shot. But that's a password. I mean, passwords don't have to be, this goes well beyond the internet and computers. Passwords have been around for a very long time. I want to come into this building, what's the password? It ain't please, I'll tell you that.

Jeff Reich: He wanted to say speakeasy, but he didn't.

Kip Boyle: Jake, you're beyond your years. Multifactor authentication, zero trust. In fact, Jeff, this is an aside, but isn't zero trust really predicated on identity? If you can't do good identity, you really can't do zero trust, can you? I mean, I don't know if this is an area of specialization for you.

Jeff Reich: Well, it's certainly something I'm very interested in. I'd like to say I specialize in everything, but that doesn't always work. But no, zero trust. You're right. Zero trust cannot exist, will not exist, will never exist without not only good identity, solid reliable identity. Because the way zero trust works, I'm going to give a definition of zero trust, which with the three of us, we could have at least three, I'm sure. But zero trust from my perspective means whatever it is you're going to do next, identify yourself, authenticate yourself, and then I'm going to check to see if you have authorization to do that.

That's great. That ended, now you're going to be doing something else. And it could just be the next step.

Kip Boyle: And depending on where you come from and which device you use, the rigor of the identification and the authentication could go higher and higher and higher dynamically. And there may be a bar over which you cannot climb because you're trying to come in from Kazakhstan, and that just doesn't compute for the resources you're trying to get to.

Jake Bernstein: And the zero trust, I think is one of those phrases that is not as complicated as people think it is. And I think just a good metaphor is, I want to go into the White House. Okay, so I'm going to get challenged at the gate, right? "Who are you? Why are you here?" And they say, "Okay, you can go through." Well, now, just because I got through the first gate doesn't mean I'm going to get to walk into the Oval Office. I'm going to be challenged repeatedly throughout the White House. I assume. I've never been there.

And that there are different places that are going to have higher levels of requirement where it's not enough to show my ID. I'm going to have to give a reason that I need to go in there. Some other special authorization. So zero trust is just really the idea that just because I trusted you five minutes ago doesn't mean I trust you one minute from now.

Kip Boyle: Or just because I trusted you to give you access to that resource doesn't mean I'm automatically going to give you a transitive trust to let you get to the other resource. And transitive trust, Jake, transitive-

Jake Bernstein: The transitive property. I mean, the reason we even need to talk about zero trust is that at some point in the past, we made a decision to trust all the time, which is interesting in and of itself.

Kip Boyle: Just being on the LAN made you trust it. If you could get on the LAN, you were trusted, right, and that's why perimeter networks are old and busted to borrow your phraseology there.

Jeff Reich: I would offer a zero trust. Though keep in mind it's not just because I trusted you before, can I trust you now. I don't care if I trusted you before, I don't trust you now.

Kip Boyle: By definition.

Jake Bernstein: That's true. That's an even better way. It's a good, yes, I adopt that definition.

Kip Boyle: Okay, so Jeff, is IDSA trying to work with identity custodians, this new construct that you're telling us about? And if so, what is it you're trying to encourage them to do?

Jeff Reich: So we are going to be doing that this year. We're starting with the identity providers because an identity custodian's only going to be as effective as the tools they use. Because they can develop all the processes they want but if they add too much latency to the whole system, then no one's going to use it. So they need good tools. So we start with the identity vendors that provide tools for a good, secure, federated identity. Or for ensuring that you can have all your passwords securely stored in one place and use them to access and all the different things around that.

Once we have, I think, and there is a very good suite of tools out there for identity custodians to choose from, we want to start in a more unified way educating all the identity custodians to say, "We're not saying this is a best or this is a best." What we are saying, here is the entire menu and we're going to give you thought leadership on, here's the sort of things you need to be able to combine to give yourself the right suite of tools because there is no silver bullet. There is another cliche I'm bringing in there, but it does exist. There is give me this one tool and I have identity solved. It's called a SCIF.

Where you're going to have a lead lined room with no transmissions going in or out, and anything you do happens in that room. Beyond that, which is not achievable for the vast majority of us, we need a suite of tools to say when I can use these in combination, I can manage the identities of my customers and my members.

Jake Bernstein: Quick question, just because I want to make sure I ask it. SSO, another buzzword, single sign-on. Is that really just a tool that's related to this? Is that just another way to say federated identity? People say, "Oh, you got to have SSO." What does that mean in this context of identity?

Jeff Reich: So I would offer that single sign-on is a cousin of federated identity. Maybe even a sibling. But they may share that much DNA, but they're not the same because federated identity has the security of the initial federated source only, and then there's a level of trust with each identity custodian uses it. With single sign-on you're saying, "I'm establishing a trusted enclave by signing into it, and I can use that to access anything within that trusted enclave, but it's not going to branch out and go to something that I'm not aware of that simply wants to use me as a federated identity provider." Did that make sense?

Jake Bernstein: It does. And it makes me wonder if those terms aren't necessarily always used precisely. I feel I have seen situations where people say SSO, but maybe they actually mean federated identity or-

Kip Boyle: They use it as a synonym.

Jake Bernstein: ... I think there is some confusion out there.

Kip Boyle: Well, I mean from a user's point of view, it feels very similar.

Jake Bernstein: It does.

Kip Boyle: It really is only behind the scenes, which I think, Jeff, your definition really puts spotlight on the fact that really, it's the machinations behind the experience that tell you whether it's one or the other. And so we-

Jeff Reich: And ideally,

Kip Boyle: ... Go ahead.

Jeff Reich: ideally, the consumer shouldn't really have to know that much about it. All they need to be able to say is, "Demonstrate to me that I should trust you with my identity information."

Kip Boyle: But for me, I have to know what's going on in order to create trust. That's just the way I work, right?

Jake Bernstein: You're not a normal consumer, Kip.

Kip Boyle: No.

Jake Bernstein: None of us are.

Kip Boyle: That's absolutely the case. I am not a normal consumer, that's for sure. No, but well, listen, so we're coming to the end of our episode, which is really sad because we weren't kidding when we said this one could go on for hours and hours and hours. But Jeff, I guess as we wrap up, how are you going to get the vendors, the merchants and the users together and get these best practices and common tools defined? How's that going to work?

Jeff Reich: So you just defined my job. So what IDSA is doing, the mission is to say, let's see how many identity vendors we can get together, and we have quite a few already, and we're getting more, to join to become members of IDSA. And within that we also have technical working committees and subcommittees that say, "For a given function or for this new process, let's come up with a best practice." Or, "Let's just write a blog about what it means or write a white paper as an example." So that's a start.

Next we want to bring in and that you're going to start seeing more of that this year, the identity custodians. The merchants you use, the online podcast system that you're using, that you logged into who are going to be consumers of identity management tools, right? That's the next layer that we want to get involved to say, "Here's what's important. Here's what you need to be able to accomplish. Here's tools to do that." Because right now everyone's just running fast and hoping it worked-

Kip Boyle: Right.

Jeff Reich: ... and boom, ransomware and data breaches. So we do that through our site idsalliance.org, and you can see some webinars we've had, see some other artifacts we've created. I can't emphasize enough, the second Tuesday of every April should you want to engage in a live way, so you have plenty of time to plan for next year is Identity Management Day. You can also look at the recordings that have happened this year. I've talked about technical working groups. I've talked about webinars. There are speaker bureaus that we have.

All of these are tools that we want to use to get the information to help standardize the identity vendors, get the right tools in place for the identity custodians. And then ultimately educate the identity consumers who actually are the identity owners so that they can be doing the right things.

Kip Boyle: It's a brave new world. Any last words, Jake?

Jake Bernstein: Oh we haven't even-

Kip Boyle: Last words? Not you opening new conversations.

Jake Bernstein: ... Okay. I'll just say you mentioned GDPR, and I just wanted to say that this entire conversation also has amazing implications, not just implications, fundamental connections to the entire concept of privacy. So maybe we'll talk about that in a future episode.

Jeff Reich: I'd love to.

Kip Boyle: That would be cool. Well, Jeff, thank you so much for being on our show. You talked a little bit about where people could go to learn more. Did you want to share any other place that you'd like for people to connect with you?

Jeff Reich: Sure. I'll talk about two things. idsalliance.org. That's our website. Again, identitymanagementday.org is there as well. You could find the Identity Defined Security Alliance on Twitter and on LinkedIn and you could find me there as well. I'm on Twitter, Jeff Reich, J-E-F-F R-E-I-C-H C-S-O at Twitter. So all those are out there. You can go to our website, click contact us, and then we'll connect with you and we'll go from there.

Kip Boyle: Awesome, Jeff, thank you. This wraps up this episode of the Cyber Risk Management podcast. Today we learned how identity really works on the internet right now, and we did that with our guest, Jeff Reich. And he's the executive director of the Identity Defined Security Alliance, the IDSA. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.