EIC Speaker Spotlight: Eric Newcomer


Well, a long time ago, I did an application for Salomon ski for their warehouses and subsidiaries around the world. And for that application, because there was no solution, I had to create my own identity management service. So I got to know quite well what it takes to do that. And I would never do it again, of course, now that there are such good offerings on the market; I would just buy them. And it's much more efficient to have a single solution across the company than to have each application develop its own, but it gave me great insight into exactly what's needed, what's there, what you have to do, how hard it is to maintain administratively, the overheads of this kind of thing. So I had that basic experience of having coded one of these things a long time ago. And then when I joined Citi, about 10 years ago now, we had a very strong identity management function there, which had to do more with identity cards and payment cards than anything else.
But we did go into a sponsored partnership with Microsoft, where we worked with Kim Cameron, who is well known in the industry for his identity thought leadership. And we were working on things around how to decorate or enhance the social login credentials from Facebook and Google and things like that to make them strong enough for banking, which I thought was a very interesting approach to things. And on top of that, at Citi, we had done identity cards for the Department of Defense. This was one of our big contracts, and we were trying to think how we could enhance those cards to have payment information, which gets you into a whole other level of identity management, again, strong enough for banking. And then there was another aspect to this. We tried to morph that into, for the payment systems of social security in Italy, a proof-of-life identity.
It's another interesting challenge in that area; we worked with Microsoft on it a bit. Unfortunately, none of these things ever really came to fruition, but it was a great time, a great background, a great education for me on identity management, and a great chance to work with one of the leading figures in the field as well. And last but not least, I should just add my most recent role at Citi, which was head of security architecture and strategy for the consumer bank. And there, I got involved in the Google project where we were federating the identity of Google users with Citi users in order to enable the Google Pay application to do banking services. And that was, you know, very interesting, not the least of which was the culture difference between what it means to have an identity in the Google world and what it means to have an identity in the banking world, and managing those together. And that project should come to fruition sometime.
Yes, it's kind of a catchphrase, I guess you might say, but if you look at the world, you see code becoming a greater and greater part of our lives, with all these smart devices and smartphones and homes and cities and cars. You know, Tesla basically reinvented the car as a mobile on wheels that happens to be drivable, and you have the Internet of Things. You have Alexa in your home, you have all of these devices at the edge; you know, the Xbox game statistics doing an amazing job of adding computing at the network edge. So computers and code are just becoming everywhere and becoming a part of our daily life. So for "everything is code", I think in the context of security, it becomes also a mentality or a kind of culture change, where we start thinking about how we can do as much in code as possible, since the world is moving to code, and we'll need to have security code as part of all of these devices and all of these smart things. They need to be secure more than ever, given the proliferation of, and the lack of attention to security aspects in,
Well, I think there are two main aspects here. One of them is the cloud influence. When you bring an application to the cloud, to Amazon, GCP, Azure, you don't have an operations department anymore to stand up your infrastructure; you use APIs. And this is becoming, you know, a more and more popular trend, because it's also very efficient and creates an ability to automate deployments and automate the provisioning of infrastructure that you otherwise would have had to do manually, or ask somebody to do, or put in a ticket to change something, and so on. So there's this whole aspect of how we can automate the whole provisioning, management and administration process. That's kind of going on not only in the cloud but also moving to on-prem, as applications become more and more automated, security testing becomes more and more automated, and standing up of infrastructure and management of infrastructure become more and more automated.
So you've got that aspect. You want to make sure security is a key part of that. It works well with all of those trends, because security needs to be baked in right from the beginning in any of these efforts of moving apps to the cloud, creating digital solutions, creating IoT solutions, all of these things. As much as those things are being automated, security needs to be automated as well, and the infrastructure and the administration of it. The other aspect is on the coding part: the code that you need to implement security policies and processes also needs to be made available as external libraries that developers can download and integrate into their projects as seamlessly as possible. Because a lot of developers don't have a lot of security skills and have trouble, of course, keeping up with all the rapid advancement in the security area, where things are evolving almost daily between, you know, new techniques for authentication and authorization, new attack surfaces, new ways to protect APIs, new attacks on APIs.
It's very hard for developers to keep up with all of that and still deliver the business functionality they're meant to deliver. And this creates, in some cases, and we saw this at Citi fairly clearly when I was running the security architecture team, a situation where developers sometimes would not want to pay much attention to security until it was too late. It's a very common thing. And we would have to review projects and say, no, you haven't done your encryption correctly, you don't have your authentication done to Citi standards, you cannot go to production, and they would get very angry with us. Of course, they wanted to please their business sponsors, go to production, meet their deadlines. We just wanted them to think about security from the beginning, so we wouldn't end up in this kind of position. And some of the people would, but having the security libraries, the security capabilities, available as code makes it easier and helps break down some of these traditional barriers between the security teams and the application development teams.
So that you can say to them: here, just take these pre-built libraries, these policy definitions, and implement the company standards. Please include them in your development process as early as possible. Make sure you have the automated testing, so you can test those APIs for the correct authentication and authorization capabilities and policies, check all the vulnerabilities, put in the code scanning, put in the container scanning, everything in the pipeline. So there's this whole process of getting into the coding process, the modern coding automation processes, with pre-built security code and security tools, getting that shift left, as one of the terms goes, as far as possible to help. We want,
Well, as I was previously saying, the security as code trend provides a lot of code that's available in library form for handling things such as identity and access management. And that in particular is a specialization of the security as code trend, where it's becoming more available, from different vendors, from industry sources, from open source libraries, that a lot of the code that you need to include in your applications, mobile apps, web apps, Internet of Things apps, is available as a downloadable library. So what you want to do is make sure, when you're doing your development, that you identify the libraries specific to identity and access management functionality and the policies that you need to include in your code chain as you're building it out and as you're testing it. Another important aspect of this is to make sure you have automated tests, especially for the identity APIs, for example, which can be a real vulnerability if not tested well.
I'm really looking forward to EIC. I'll talk about the topics we mentioned today and go into more detail about how exactly it can be done so that we can improve time to market, which is a critical thing. You know, sometimes you have this problem where security's not baked in; you can't really put it in very well at the end. How do we avoid that problem? How can we shift left? How can we include the code in our pipelines? How can we ensure we have the right levels of testing? In other words, kind of the bits and bytes of the mechanics of doing this kind of thing, as well as covering the concepts in a bit more detail. What does it mean to think about security as code, in particular for the IAM space? And so we've got the conceptual: how do you think about it, how do you do it? And with a particular focus on being productive and getting that code to market with as few hurdles as possible, avoiding those security guys saying no, getting the time to market and productivity for those APIs and for those digital transformation projects as well.
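Editor's note: the last three answers describe a concrete practice, keeping authorization policy as reviewable code next to the application and running authentication and authorization checks against the identity-protected APIs in the pipeline, so that "you cannot go to production" is a failed test rather than a late review. The block below is an added illustration of that practice, not code from the interview, from Citi or from KuppingerCole. Everything in it is constructed: the toy HMAC-signed token format stands in for whatever token the real IAM library issues (an OIDC/JWT library would replace `mint_token`/`verify_token`), the routes and scopes in `POLICY` are hypothetical, and the signing key is a placeholder.

```python
"""Pipeline-style authn/authz checks against a policy-as-code API gate (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Placeholder key for the constructed token format; a real deployment takes key
# material and token format from its IAM library, not from a constant in code.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Policy as code: the scopes each operation requires. Kept as data so it can be
# reviewed, versioned and tested like the rest of the service. Routes are hypothetical.
POLICY = {
    ("GET", "/accounts"): {"accounts:read"},
    ("POST", "/payments"): {"payments:write"},
    ("GET", "/health"): set(),  # explicitly unauthenticated
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, scopes, ttl=300, key=SIGNING_KEY, now=None):
    """Constructed bearer token: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, key=SIGNING_KEY, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):  # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def handle(method, path, headers, now=None):
    """Route one request through authentication, then authorization. Returns an HTTP status."""
    required = POLICY.get((method, path))
    if required is None:
        return 404  # deliberate choice: unknown routes are visible; some gateways return 401 instead
    if not required:
        return 200
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401  # bad signature or expired: never fall through to authorization
    if not required.issubset(claims["scope"]):
        return 403  # authenticated, but policy denies this operation
    return 200


def run_access_checks(now=None):
    """The checks a CI stage would run before promotion; each maps to True when the gate behaves."""
    now = time.time() if now is None else now
    good = mint_token("alice", {"accounts:read"}, now=now)
    stale = mint_token("bob", {"payments:write"}, ttl=-1, now=now)
    body, sig = good.split(".")
    forged = body + "." + ("A" if sig[0] != "A" else "B") + sig[1:]  # tampered signature
    cases = {
        "health_no_token": (("GET", "/health", {}), 200),
        "missing_token": (("GET", "/accounts", {}), 401),
        "forged_signature": (("GET", "/accounts", {"Authorization": f"Bearer {forged}"}), 401),
        "expired_token": (("POST", "/payments", {"Authorization": f"Bearer {stale}"}), 401),
        "wrong_scope": (("POST", "/payments", {"Authorization": f"Bearer {good}"}), 403),
        "right_scope": (("GET", "/accounts", {"Authorization": f"Bearer {good}"}), 200),
        "unknown_route": (("DELETE", "/accounts", {}), 404),
    }
    return {name: handle(*req, now=now) == want for name, (req, want) in cases.items()}


if __name__ == "__main__":
    results = run_access_checks()
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    raise SystemExit(0 if all(results.values()) else 1)
```

The point of the shape is that `POLICY` and the `run_access_checks` table live in the repository with the service: a pull request that loosens a scope or adds an unprotected route changes a reviewable diff and, if it breaks the negative cases (missing, forged, expired, under-scoped tokens), fails the pipeline long before a security review would see it.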
