The Year of Connected Identity: Bringing it all Back Home

Thanks for sticking around for, for my slot. I know I'm between you and coffee and ccan, so I'll, I'll make it as you know, effective as I can. So my topic is, I called it your connected identity. I wanna talk to you about connecting identities, about unifying an approach to identity and seeing what we can do with that, what benefits we can get.

Now guys, I am aware, cause I was sitting in the audience myself, that Erv and, you know, Anil spoke about this topic, so I consider that they laid the groundwork for me. So you're convinced it's a great idea. There's cool things we can do from e there's lots of problems from Anil.

Well, I'm gonna show you some concrete steps that you could actually take to achieve some of these unified identity use cases that we're talking about. I deliberately wanted to make it somewhat concrete, so, you know, I hope that's okay.

But, but we'll see how it goes. Now the title is chosen somewhat wisely. We've seen probably like a lot of the analysts over the last couple years, customers coming to us and wanting to talk about identity as a thing, you know, in itself, right? So not just coming and saying, you know, what's this MFA thing? Or what's provisioning, what's privilege? They're actually coming to us saying, we think identity is a thing we could get behind. We think it could help us with, you know, some of our digitalization initiatives with some of our security initiatives. How's that gonna work? Right?

So, so organiza now it's, in terms of the graph, it's down here, right? It's not up here, but it's definitely a trend. So I'm not saying we're all gonna fix this problem this year, but it's definitely a topic that's, that's of the moment. Okay? So now I'm going to don't run screaming, but here's a little bit of a shocking image, right? This I think is a kind of a fair enough representation of, or kind of image of how we're dealing with identity today. How we're struggling to deal with d you know, different identities that we have to cope with. It's a lot of different technologies, right?

Different strands. You see the image, a lot of different teams, and they're not necessarily all working together. There's very little coherence in the policies, very little consistency. There's a lot of complexity as you can see in, in the mess. And there's almost certainly poor security and very poor user experience in terms of, you know, how users interact with it, security process.

Now, I won't, so I'm an a d guy, do this work, right? So there's no rec, we're all friends here, right? We're all doing our best to help organizations. How did we come to this kind of mess, right?

Well, we know the answer to this, and I won't dwell on these because Evan and Anil have, you know, spoken a lot about this. But I will just underline some of the points here. We are being asked as identity folks to deal with a lot more situations in a very short period of time.

Hey, you need now to secure remote identities. Oh, okay. Okay.

Let, lemme get on that. Oh, and by the way, a significant portion of them are remote administrative privileged identities.

Oh, okay, well, I better put something. So you see, you're already pulled in different directions.

Hey, what about all our, you know, externals? No problem. I'll make a page for externals to self-register. And then all of a sudden, your guys from the I density team have been dragged right into the middle of the whole topic of securing the supply chain, right? And by the way, we buy a lot from China, right? So there's some cycles that you're gonna burn, right? People are turning into things with a great example of, there's several, a couple of organizations, not everybody, where they're actually onboarding their digital workers, right?

So Dan, the agenda chatbot and Julie, the, you know, HR chatbot, they're actually onboarding them through HR systems and injecting it into downstream processes. So now you're the identity guy. What the hell is this? Who's Dan? Right?

Well, he's a virtual worker. Welcome to 21st century in the world of applications, of course we've got, you know, a lot of SASS applications and so on, and that would probably be easy enough to deal with even if they're distributed. But some of those are actually cloud infrastructure environments, right? So now you're into the world of what, what's this IP address doing in my identity system?

Well, you have to govern access to it, okay? Cause that's keen, right? The cloud entitlement management stuff, okay? So it's not that in this new world, there aren't technologies, you know, emerging to help us with these problems. Passwordless, yeah, but what does that even really mean?

You know, not all our workers have smartphones, okay? Decentralized identity, a lot of promise for consumers and citizens, consent and privacy, all that stuff. We go take a look at the standards. It's kind of a lot of blank, you know, page deliberately left blank. So what are you gonna do? Now there are well established, you know, architectural references and pillars of identity. We can turn to, you know, governance. I don't have to, you know, the access management, the PAM stuff, securing the directories, right? The foundational directories.

We, we do have these things, but they tend to operate in a fragmented way. Okay? We're not getting the best value from them. And if there were only four things to work with for identity, it'd probably be okay. But the reality is, and this is from a survey we did last year, it companies typically have about 25 discrete systems of, you know, siloed identity data. How are you gonna get handle on that? And this is why we need to come back right?

To, to the unified vision for this thing. Well, what are we gonna do? And he's kind of following my image here. We're gonna take those different strands, we're gonna weave them together, right into something meaningful.

Now, you'll notice or deliberately not claim to replace it with one strand. No, that's never going to happen. But we're gonna be sensible about how we do this.

And guys, I'm well aware that there's, you know, organizational and business aspects to this. We're not just bringing technology together. We're bringing teams. We'll have to have some vision from our, you know, IT security leadership guys, you know, refrains from, you know, sarcastic comment about management, okay? They will help us. But what I want to do here is to talk about some of the concrete use cases that we can work on. Okay? What can we achieve, right? Because this is kind of pragmatic. Okay?

So let's take those four pillars and I'll invite you as you're sitting there, maybe you can, if you've got any neuron time, computational time left, you can engage them. What could we actually do if we have these systems talk to each other? What could we do?

Well, I'll give you three examples. If we connect the directory security workflows more deeply into our PAM systems, okay then at the time that the PAM system releases the privileged account, we can decorate it. And I think the previous speaker, I was watching him inside, he was speaking about just in time. And that's the kind of stuff we can do with just in time privilege. Okay?

But like, I, I think it was yourself, they were speaking about cracking open those risk silos, right? And we really have to crack those systems open. You won't do this without going a little bit under the surface to, to get this, this integration. Let me give you another example. If we connect access management to identity governance, what can we do?

Well, yes, you'd be able to access review on application access. You'd be able to do end user request provision access to applications. But what I want to call attention to is the fundamental difference between governance and access management, which is that identity governance knows what you should have whilst access management knows what you're actually doing on the ground. One's a policy definition point and one is an enforcement point.

And what that means is that by informing governance with what's actually happening in reality, what systems are being used, what are the signals of risk with respect to the user behavior, then we can achieve what I call, well what we call a behavior driven governance. And it's not just a use it or lose it use case, it's also the propagation of risk signals. And we can do some very interesting things with that. Okay? Then the last example is, if we connect governance privilege, okay, I've taken care of privilege, like I've got a box there, all the secrets are in the box, okay?

Everything's fine. Okay? Who's got access to the box? Who's got the ability to elevate permissions? It's the guys with the, you know, the USB keys around the neck. It's all the network network guys. That's not good enough, right? Because elevating their privilege is exactly what a malicious, you know, hacker or even a malicious insider will try to do. Now we need to govern exactly who has the permission to get into the box. We need to govern it very closely. And that's what you could call, you know, privileged access governance. Okay? So there are three examples. Do the Matthias, right?

Pair wise, choosing two from three to six. So, you know, exercise for the reader, you can think about the other cases. What could we do with it?

Okay, well, I'm gonna just show you one example of mitigate, well, not mitigating actually reducing risk with some of these capabilities. I, I guess you've probably, a lot of you have seen this approach to risk. So along the bottom it's likelihood and up this way it's it's impact. Okay? So the game is things that can happen to you. Like for example, being attacked by a shark.

You, you put it somewhere on the grid, right? So where I live, it's very low likelihood, you know, I'll get attacked by a shark, but if it did happen, it would be pretty bad, right? So you do it. So you position all the things that can happen, you know, around and, and you decide if it's acceptable or unacceptable.

Now, if there are in the audience, you know, actual people actually know about risk, I know this is a simplistic thing, but I think it's actually pretty useful, right? So what we're gonna do is we're gonna play what I call risk snooker. Okay? Risk snooker is we'll take that little red ball, right? And we wanna move it down into the green pocket, okay? How are we gonna do it?

Well, the tools we have at our disposal are the capabilities we've been talking about. If we vault the credentials, it's gonna reduce the likelihood that, you know, something bad will happen to be compromised. Why? Because it's in that secure box. That's good. If we record the session, it's gonna reduce impact. Why? It's gonna reduce impact, it's recorded session, it's gonna accelerate our incident response time. We know which database was exfiltrated, okay? We know the privileged commands that were executed, we can unwind that more effectively.

Now let's bring in some of our connected identity scenarios. Just in time with just in time. We reduce the time window. So that statistical risk that it can be compromised, it just doesn't exist, you know, very much just in time. And then with privileged access governance, we again can drive the impact down. Why? Because we have very tight control over, you know how somebody can move later laterally or get access to resources?

Oh my god, I'm sorry, that they shouldn't have access to. Alright, so what's the net effect? We've driven down the risk, but guys, here's I, and I suppose this is my central slide cuz I know there's gonna be a stampede for coffee. The point here is you can reduce risk to some extent with siloed or point-wise security solutions. But if you want to squeeze that residual risk out of your environment, you really have to start having those systems talk to each other. And partially, or perhaps arguably entirely, that's where the whole identity threat detection response stuff goes. Okay?

Now there are other examples which I don't have time to dwell on, but you can play this game with, well, if it wasn't a privileged account, but maybe it was a guest account in Azure. So that's the example on the bottom right there. What would that look like?

Well, I'll give you a hint. Throw in some mfa, throw in some behavior driven governance. Is the thing being used, is it being used in a strange way? You can drive the risk down.

Okay, so what we've done sort of paying, I suppose I hope not too much of a sycophantic nod to the cooping or terminology, right? The fabric. What we've done is we've woven the strands together because it's not in an arbitrary way, it's a very deliberate way to expose capabilities that bring us value, okay? That unlock value and make us more secure. Now the the one question is for me is why are more people not doing this right?

And, and trust me, you know, at our user conferences and so on, I talk to customers, I ask, why are you not doing it right? And the analogy here is it's not that the teams, cuz we're all identity teams, it's not that we can't see the value, right? But it's that now we've got a scientist here, it's the activation energy, right? To get to unlock that is too high.

It's just, it's too much effort. Okay? So when we talk about a fabric, you know, this is the analogy, we don't, I want the fabric. Like I want, if I, I want the silk dress, well I don't want a silk dress, maybe I want a silk blazer. But if you're lady, maybe you want a silk dress. I don't want you to deliver me a sheep, right? And I have to share it and then weave and clean it and weave it and all of that.

We, it's been too hard, right? So it's all our responsibilities as vendors, right? As consultants working here to reduce that activation energy and just make this easier. Just make it easier. That's perhaps the most important thing I hear from our customers.

So, you know, I think we're all try trying to get there. So, and this can be the final slide guys. When I draw those identity pillars in this way overlapping, okay? You should understand hopefully at this point that I don't just do it to make it look like a nice picture actually means something by this, right? I mean that we've integrated them, you know, quite deeply, quite intimately together directory Pam can talk to each other, they share a data model. That's the language that, you know, it uses that. So systems can communicate.

We've integrated the native workflows in those systems together to unlock value like just in time, okay? And when we do that, we can get the advantages we talked about, we can get advantage of reducing risk, right? Remember the risk snooker, that's an easy thing to remember. But think about this, and this is super important.

We, we can get what I call true compliance, right? Versus rubber stamping compliance. You've probably all run access reviews. What does it do for your secure?

Nothing, right? Everybody approves everything all the time, right? It's quite embarrassing. But if you have behavior driven governance, you can go to those line managers and say, dude, why are you approving that stuff? Half your team's not even using it.

Oh, I didn't know that. Okay. So we need to surface that information and make that easy, make those recommendations for, you know, line managers. And that's such an easy thing to understand. Use it or lose it. Why are we not more of us doing it? I don't know.

Anyway, those are the things you can do when you bring a dentist in all its different forms and you bring it back home and that is it, apart from come and see us and say hello, we don't bite. So we've together and we have one anonymous question. Should we be prepared to have detection and prevention measures when identity and access control is so complex with all the silos to work better together? So the preventative controls IAM and the detective controls. Yeah. Yeah.

Yes, absolutely. I agree with that.

And, and I, of course there are things in the identity world that I don't show in my picture. There's the four pillars, but there's all the policy server stuff out there as well. And then the sea and soc and then there's the emerging area of identity, threat detection, right? Where they scan all that stuff and they surface those information, you know, to us at an identity level. And those things need.

But I'll, I'd say one thing about that topic. If you can deal with the threat detection within the identity ecosystem itself, you don't have to send it to the SOC and wait for the guy getting off his 12 hour shift to kind of go, I wonder what that log means now let's keep it in the family, let's deal with it at an identity level. Cuz we are the guys who know what these things mean, right?

Of course, we'll take help from our idt, our friends and our SOC friends if they ever actually, you know, deliver messages to us. But there's a lot we can do within the identity ecosystem itself that we're not exploiting today. And that's, that's really the message though. So Make a good mix and weave it properly together. Thank you Robert. Thank you Robert. Thanks.