CyberWire Daily

The current state of IAM: A Rick-the-toolman episode.

Rick Howard, The CSO, Chief Analyst, and Senior Fellow at N2K CyberWire, discusses the current state of Identity and Access Management (IAM) with CyberWire Hash Table guests Ted Wagner, SAP National Security Services, and Cassio Sampaio Chief Product Officer for Customer Identity, at Okta.

References:
John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Palo Alto Networks.
Kim Key, 2024. Passkeys: What They Are and Why You Need Them ASAP [Explainer]. PCMag.
Lance Whitney, 2023. No More Passwords: How to Set Up Apple's Passkeys for Easy Sign-ins [Explainer]. PCMag.
Rick Howard, 2022. Two-factor authentication: A Rick the Toolman episode [Podcast]. CSO Perspectives Podcast - The CyberWire.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
Rick Howard, 2023. Cybersecurity First Principles Appendix [Book Page]. N2K CyberWire.
Rick Howard, 2023. passkey (noun) [Podcast]. Word Notes Podcast - The CyberWire.
Staff, 2023. 2023 Gartner Magic Quadrant for Access Management [Report]. Okta.

Duration: 16m
Broadcast on: 01 Jul 2024
Audio Format: mp3

[MUSIC]

>> You're listening to the CyberWire Network, powered by N2K.

[MUSIC]

>> Quick question. Do your end users always work on company-owned devices and IT-approved apps? If the answer is no, then my next question is, how do you keep company data safe on all those unmanaged apps and devices?

>> 1Password has an answer to this question: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problem traditional IAM and MDM can't touch. Check it out at 1password.com/xam. That's 1password.com/xam.

[MUSIC]

>> In June of this year, I attended the Rocky Mountain Information Security Conference. I was there to present the Cybersecurity Canon Hall of Fame Awards to the two 2024 inductees. The first was one of our cybersecurity founding fathers, Dr. Eugene Spafford, for his book Myths and Misconceptions: 40 years of cybersecurity wit and wisdom contained in one easy-to-read book, chock full of hard-won knowledge over the course of an amazing career. People wonder why I read books. Well, let me tell you: because in just a few short hours, I can be exposed to an entire career of knowledge, Dr. Spafford's, for instance, without having to go through the pain he did to get it. I'm reminded of the quote from the great philosopher Socrates: "Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have labored hard for." Or, more to the point, from Otto von Bismarck, the man who masterminded the unification of Germany in 1871: any fool can learn from experience. It's better to learn from the experience of others. But I digress. The other winning author at the ceremony was Andy Greenberg, the fantastic Wired magazine journalist, for his Tracers in the Dark, the best cybercrime book I've read in over a decade. After the ceremony, I was loitering around the book signing table. Greenberg and Spafford were signing their books for anybody that wanted one. And who did I run into? Well, my old friend and colleague, John Kindervag, the originator of the Zero Trust idea back in 2010 for his paper, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," which got me to thinking about the current state of Zero Trust. You all know that we published our first principles book last year. In it, we included a one over the world diagram that captures all the strategies and tactics we covered in the book. And just so you know, to get ready for our presentation at RSA this year, the N2K art director, Brigitte Weil, gave that diagram a complete makeover, and I have to tell you, it is gorgeous. You can check it out at the book's website, N2K.com/CyberSecurityFirstPrinciplesBook, all one word. Scroll to the bottom, find the Zero Trust strategy blue balloon, bottom left corner, and then follow the blue line up to the possible tactics that you might deploy in order to pursue the Zero Trust strategy, like vulnerability management and SBOMs, just to name two. But what is not obvious from looking at the diagram is the importance of the Identity and Access Management tactic. You can execute all the other tactics completely, like single sign-on and software-defined perimeter, but unless you absolutely nail Identity and Access Management, your Zero Trust journey will be stuck at the starting line, not making much progress. Ted Wagner is an old Army buddy of mine. We've been friends forever, and he and I worked together in two different organizations, not to mention that he was one of the first people I called to be a regular guest at the CyberWire Hash Table. He's been the CISO at SAP National Security Services for over eight years. Here's what he had to say about the importance of Identity and Access Management.

>> Every time I think about Identity and Access Management, it always makes the hair stand up on the back of my neck, because it's so foundational to everything that we do. I feel my pulse quicken, because I know it's so central to the things that we do in security, and so critical in securing our environment and our workloads and our networks.

>> That's exactly right. So with all that said, I thought it was time to take another look at Identity and Access Management, and see if we can determine the current state. So, hold on to your butts.

>> Hold on to your butts.

>> Butts.

>> This is going to be fun.

[MUSIC]

>> My name is Rick Howard, and I'm broadcasting from N2K CyberWire's Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good ol' U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

[MUSIC]

Cassio Sampaio is the Chief Product Officer for Customer Identity at Okta, an Identity and Access Management (IAM) platform that provides secure authentication and authorization services like single sign-on, user authentication, access management, and user provisioning. I ran into Cassio at the annual RSA Conference in San Francisco, and asked him to write the Twitter line, 280 characters only, that explains the current state of IAM today.

>> Yeah, I think a Twitter line will be a little bit... maybe I should call it an "X" line. The way we see the Identity and Access Management market is that it's now pretty well-defined in between two classes of problems. You have a workforce or employee identity problem, where everything is about policy. The company defines a policy, employees follow those policies. And you have a customer identity problem, which is very different, where it's about user choice. It's about creating the right incentives for users to adopt the different security intent, like those brands like one, in order for users to get what they want from their consumer experience, but still in a very secure and compliant way.

>> I like the way you divide that into the two buckets, because on the consumer side, it's not just one identity, I imagine. I might be managing 100 different, whatever that is. I'm Rick Howard, podcaster for the CyberWire, but I'm also Daisy Mae, the seventh-level elf in my Dungeons and Dragons group, right? So, I need a way to establish identities for both of those identities, and make sure they don't mix. Somebody can't figure out that the podcaster and the Dungeons and Dragons person is the same guy if I don't want that, right? So, that makes the problem exponentially more complex. Am I exaggerating that?

>> No, I think it's a very interesting point of view that you just brought up, Rick, where if you think from the point of view of any consumer brand, you really want that single point of view of each one of your consumers. That allows you to provide better personalization, like tailored offerings, like provide the right user experience. Not every user or consumer is expected to behave in the same way. But you also need to respect the fact that users may not want that same relationship back. So, which is why when we think of customer identity, we always think of giving users or consumers absolute control of their profile, absolute control of their settings. Everything should be opt-in, both because that's where compliance is moving. The best way to adopt compliance is to just self-regulate yourself, just adopt, do the right thing first. Don't wait for regulation to come down your way. So, give users control of that and let users decide what's best for them.

>> We've had quite a history of trying to figure out who that person is on the digital line. It goes all the way back to the early 1960s with the invention of the user ID and password. And it's amazing to me that still, after 60 years, it's still the dominant way to log into places. I'm reminded of the old 1982 Star Trek movie, "The Wrath of Khan." I'm a bit of a Star Trek nerd, as you all might know, and I say that "The Wrath of Khan" is the best movie in the 13-film franchise. And I'm prepared to die on that particular nerd hill for anybody that wants to challenge me. In the movie, Captain Kirk, played by the indomitable William Shatner, breaks into another starship, the Reliant, by guessing its five-digit password. Not five characters, five digits.

[MOVIE CLIP] Reliant's prefix number is 16309. I can't understand. If you learn why things work on a starship, each ship has its own combination code. To prevent an enemy from doing what we're attempting. Using our console, to order Reliant to lower his shield. Assuming he hasn't changed the combination, he's quite intelligent. 15 seconds, sir. No? Khan, how do we know you'll keep your word? Well, I've given you no word, key and find. In my judgment, you simply have no alternatives here. I see your point. Stand by to receive our transmission. Sulu, lock the phasers on target and await my command. Phasers locked. Time's up, happy. Here it comes. Now let's just... Sir, our shields are dropping. Raise them! I can't! Where's the override? The override! Fire! Fire!

>> Five-digit passwords for starships notwithstanding, we really have come a long way in terms of having confidence in identifying who that person is on the network. We have other choices these days. In the first principles book, I organized those choices on the road to cybersecurity nirvana, with the least effective at the beginning of the journey to the most effective at the end. In sequence from least effective to most effective, they are: email verification; SMS verification; authenticator soft tokens, like the Google Authenticator app; push authentication, like from Google, Apple, and others; passkey; and finally, FIDO2 hard token universal two-factor authentication systems. Actually, we published the book before passkey was really a thing, so it's not in the diagram. But if I was doing the diagram today, I would have passkey right before the hard tokens. So, like I said, we have options. But as a profession, we haven't quite made the turn. We haven't eliminated passwords yet, but you can see that we will eventually make that happen somewhere down the line on the road to cybersecurity nirvana. Here's Cassio.

>> Let's think aspiration. I mean, eradicate passwords, because we all know passwords are insecure. In the case of our fellow, like Captain Kirk, being able to exploit that in the ship, but it happens all the time, increasingly, and particularly in consumer and other customer identity apps. But we believe, I believe, the technology is here now to solve this. You have a myriad of options. And it's not only about...

>> And that's our show. Well, part of it. There's actually a whole lot more, and it's all pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to thecyberwire.com/pro and sign up for an account. That's thecyberwire, all one word, .com/pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff, like ad-free podcasts, exclusive content, newsletters, and personal level-up resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@n2k.com and we'll figure something out. I'd love to see you here at N2K Pro.

>> Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and the show sound good. And I think it's only appropriate that you know who they are.

>> I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.

>> I'm Trey Hester, Audio Editor and Sound Engineer.

>> I'm Elliott Peltzman, Executive Director of Sound and Vision.

>> I'm Jennifer Eiben, Executive Producer.

>> I'm Brandon Karpf, Executive Editor.

>> I'm Simone Petrella, the President of N2K.

>> I'm Peter Kilpe, the CEO and Publisher at N2K.

>> And I'm Rick Howard. Thanks for your support, everybody. And thanks for listening.

>> Identity architects and engineers: simplify your identity management with Strata. Securely integrate non-standard apps with any IDP, apply modern MFA, and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit strata.io/cyberwire, share your identity challenge, and get a free set of AirPods Pro. Revolutionize your identity infrastructure now. Visit strata.io/cyberwire.

>> And our thanks to Strata for being a longtime friend and supporter of this podcast.