Event Recording

Geoff Webb - The Identity of Everything

Keynote at the European Identity & Cloud Conference 2014

May 13-16, 2014 at Munich, Germany

So Jeff Webb is up next. Jeff, are you here? I haven't actually seen you. Oh, Jeff. Great. Fabulous. So I'd like to introduce you to Jeff Webb from net IQ and please welcome Jeff.
Great. Thank you. Thank you. So, and am I on, oh, there you go. So yeah. Thank you so much for the introduction and thank you for inviting me to speak, as it says, I'm Jeff Webb, senior director of solution strategy for net IQ. And let me start with a, a quote from somebody from this part of the world, this at least roughly this part of the world, Sigma Freud said that anatomy is destiny. And it's understandable why you would say something like that. It's anatomy defines a lot of us. It is probable that I am never going to be a, a ballerina or a professional basketball player or any number of other things because anatomy defines much of what we can do, even if it's not something that we can't overcome. It, it certainly presents some challenges, but our identity is much more malleable, much more changeable than our anatomy and our identities are changing.
In fact, I would go further and say that the role of identity, the way that we think about and use identity is changing very rapidly. Indeed. The whole concept of what we mean by identity. Just the very idea of identity is undergoing a very significant change right now. And what I'm gonna talk about for the next 20 minutes or so is what that change means, what that change looks like. What is driving this change in the way that we think about and use this idea of identity. And then also what that will mean when we move into a world in which we are surrounded by devices that are monitoring and watching us and communicating with each other and exchanging information as we build this internet of things, this internet of everything. So we know that for organizations that the landscape in which they are operating is becoming very complex and changing.
And those changes are driven by things like, you know, mobility and cloud and big data and bring your own device, bring your own cloud, bring your own application. Social identity is driving change. And so all of these things are making the business information technology world change very rapidly and very significantly. And what this means is that it becomes very difficult for organizations to meet this, this core challenge that they face, especially when you think about things like privacy and security. And that challenge is to somehow balance two very opposing forces. On the one hand, this requirement from the, the business, get me access to everything. I want everybody to have access to all of the services and all of the information and all of the devices all of the time, wherever they are whenever they need it. However they want it. On the other hand, you've got this requirement that says, no, you must keep things safe and secure and private and control it.
And these two, these two different drivers are very much in, in direct contention with each other. And so businesses have to think about how do I, how do I meet that balance? How do I balance between these two opposing forces? It's very, very difficult. In fact, in many organizations, they really struggle a great deal. It often feels like there's almost no way to be successful. If, if you are, if you're too open, then of course we know there's a risk. That information will be accessed by people. It shouldn't be that information will be shared or stolen or exposed that you have an ugly breach or a problem with a compliance driver that you have to meet yet at the same time. If you make it too restricted, if you put too many controls in place, if you make it too hard for people to get access to the information they want, then what happens.
They, they go around you. They, the, the business user needs access to information to do their job, and they will go around the security and it organization they'll work very hard to circumvent your controls. And then what happens? You have a breach and information gets exposed again. And so this, this balancing act is extraordinarily difficult to maintain. And even for those organizations that kind of get it right and are okay for a while, what happens? Something comes along, sweeps away the game, reshuffles the cards, and they have to start all over again. And we see that driven by what we call the three CS, right? Change consumerization and complexity. These things keep reshuffling the game for organizations that even get close to being able to meet those two different drivers. And so you think about those things, right? Think about change. Obviously we all know if we work in the it industry change is something that we have to deal with all the time.
It is a constant. And yet I would argue that more things are changing now faster and in more ways than we have ever seen before more is changing in more different ways. And that makes it extremely difficult to meet the requirements that you have to meet. Then on top of that, you have consumerization this desire to bring consumer technology into the business, whether it's a consumer cloud service or a, you know, a mobile device or some application that somebody uses or a service somewhere. And actually, I would say that even more significant than the actual technology is the mindset that it brings with it. The expectation, the consumerization of expectation is a huge challenge because people assu let me, people assume that everything is as easy to use as this, right? This smartphone. It has one button, therefore everything should be just like this. Why isn't technology like this all the time.
Isn't there an app for that? That's that expectation accelerates the rate that businesses have to change the way they do things. And then on top of that, of course, all of these pieces come together to increase the complexity of the business problems you have to solve. And the complexity of the interactions of the technology. And as we know, you know, complexity is never the friend of security. So complexity increases for the information we have to deal with with the landscape, with expectation, with risk and threat and penalty and the legislative landscape that we must deal with. So all of these things together make it extremely difficult to maintain the balance between give me access to what I need to do my job and keep my information secure and private to prevent a reach from occurring. So, so what do we do? How do you tie together the pieces?
What is the common thread that pulls all of that together? How do you meet those different goals and the answer and surprisingly given I'm speaking here is, is identity. Identity allows us to get to the root of the problem that you're trying to deal with, which is who is this person? And should they have access to that information now on that device, from that location for this use? Is it okay that they do that? Do I understand enough about them to make a decision to enable somebody to get the access they need? Or do I understand enough about what I see going on inside my organization or externally to make a decision that says, wait, this isn't somebody I want accessing my information. I don't know who that is. Or maybe it looks like somebody, but it's not really them. It's a, an external attacker masquerading as an internal person. If I understand identity sufficiently broadly and in depth, and I can bring it as a tool to tie together those challenges and address, what are the root causes of the reality. Most of the significant breaches we see, which is a failure to understand the identity of the people involved when they're accessing sensitive information.
What we also see therefore, is that identity now is seen more and more as a tool to provide context to other decisions that I have to make. It's especially important. When we think about the security organization, they need to make decisions very quickly. Am I seeing something that is okay? Am I seeing something that is not so identity becomes part of their context, the environment in which they must make those decisions? So identity on the one hand is context for better business decisions is a good idea. Is this a bad idea, better security decisions? Am I at risk? Am I not? But also identity itself is increasingly composed of more and more pieces of context.
It used to be, you know, when, when you join a company, you're kind of handed an identity, right? The it organization does stuff and things grind away in the background. And there's your identity, right? I am. I'm Jeff dot web@netiq.com. That's kind of one piece of my identity, but more and more, there is a lot of context to that identity that my business cares about it. Isn't just that I am that email address, that domain login, I'm also, I'm a, I'm a LinkedIn handle. I'm a Twitter handle. I'm a Facebook account. I'm a I'm, I'm that smartphone. This is something that my business cares about. I'm using this to access business resources all the time, email files. How do I use this? Where am I using it from, what am I doing right now? These are parts of the context of the identity. That is me, that my business cares about.
So the concept of what makes up my identity expands very rapidly to become much more of an aggregate composed of many, many different pieces. Now there's a lot of pieces that are my identity. Some of them belong to the business that employs me, right? Some of them are net IQ. Some of them belong to me, my LinkedIn account, my Twitter handle. These are parts of my identity that I control. Some of them belong to third parties over, which I have no control whatsoever. Businesses that I buy from places that I register government agencies that may or may not be interested in what I'm doing or where I'm going. These are all parts of the identity. That is me, that some people care about some of the time that some pieces that I own, that some pieces that are their own, but there is an aggregate identity that is me that exists out there.
And at some point somebody's gonna have to deal with pretty much all of those pieces at some point in the future for some tasks. So this concept of identity expanding outwards is very, very important, which is good because as bad as things were, things are going to get a whole lot worse. We are facing a, an enormous explosion in the level of complexity of the challenge that we're facing. And the reason is not just that there's gonna be a whole bunch more people around. There's certainly lots of people, but the number of people in the world is, is not gonna be your problem. The, the challenge is there's going to be an explosion in the number of devices and things around us that are again, watching us interacting with us, monitoring us, talking to us, listening to us, trying to sell us things, keeping us alive, moving us from place to place this geometric explosion in the complexity of things around us that are exchanging information is coming it's happening right now.
It's accelerating. And it is going to drive a huge explosion in the complexity of the environment that we have to deal with. When you look at the numbers, depending on who you ask opinions always vary about the future. There's anywhere between 25 billion and a trillion items will become active and live and doing things and monitored and interacting over the internet. By the end of the decade, it's, it's a huge, huge explosion. It's a hundred fold explosion in the number of things we're going to have to deal with. So the internet of things or the internet of everything, or depending on whose marketing you like to deal with, the internet of things is going to be a huge driver. And these devices are going to be everywhere. They will exist, obviously in the places that we work, but they will exist in, in our homes, smart TVs, smart refrigerators, washing machines, even items of, of food packaging that you buy from the, the, the store that you bring home.
They will exist in the cars that we drive, whether it's communications devices or self-driving cars or whatever else you can think of, they will exist. Obviously in places that we, you know, are clothing. Things that we walk around in Google glass is a, is a simple first example, but things like smart fabrics, for example, which have embedded processing and capabilities and in our bodies, increasingly medical devices, either things that monitor what we do, whether it's something that monitors, how far you run in the day and walk, or even something that's physically inside, you keeping you alive. These devices are for convenience and information and all kinds of good reasons, becoming smarter and aware and communicating with everybody else. So what we're gonna have is a hugely complex environment in which lots of things are talking. And if we want to have the ability to maintain some degree of security over that information, and some semblance of whatever we now define as privacy, then we better start thinking about ways to monitor what those devices are doing, because they're already under attack.
This stuff is being built and the bad guys know it, and they're not waiting to be invited. They're already coming in. There's a story probably I think three or four months ago of smart fridges, the fridge that it sits there. It knows when it's run out of one kind of drink and it goes, and it orders that kind of drink so that somebody will deliver it. So it's always ready to sell stuff. Well, these things are smart and they're connected and the bad guys knew it. And now they were under attack and they're hosting botnets so that they can send out spam because the thing sits there idle for most of the time. So, Hey, why not use it? There was a report published the end of last year, showed that a significant number of smart devices in us, hospitals, things like x-ray machines and MRI machines and sort of expensive smart devices were already compromised with malware things already.
They're already malware installed on them waiting to be used to further expand the footprint of attackers in the hospital systems because that information is valuable. So use those devices to get in. You only have to look at the, the target breach in the us when you see how do the attackers get in. They get in through the air conditioning systems, right? These, the devices around us, the devices that are embedded in the businesses and in our homes and in our bodies are intelligent and available to be attacked. The bad guys know it, they will attack them. So what do you do? How do you deal with this? Well, we already talked about a world in which there was a lot of complexity in a lot of pieces. What was the answer? You focus on identity. You have to be able to ask the question, well, who are you and what you're doing and is this normal?
And do I want you to do that? The difference is that before I was asking an employee, a contractor, even a customer, who are you? What are you doing? Should you be doing that? Am I okay with you doing that? Is it reasonable? Increasingly what I will have to do is ask the devices around me, who are you? What are you doing? Am I okay with that identity becomes the lever. And we must therefore adopt an identity centric worldview. If we're gonna have any chance of building out this, this internet of things in such a way that we can keep it under control. So if there is an internet of everything, there must be an identity of everything. We will have to understand what the identity of all these parts are, manage it, monitor it, control it, own it, and use it for businesses. The driver's enormous.
If I understand the things around you, I understand who you are. I can market and sell to you more directly than ever before. The opportunity to embed myself as a business provider in your life and in your home is unprecedented and will redefine the way that organizations look at these markets. The businesses that get it will thrive. The businesses that do not will cease to exist. It will be that simple identity is going to be the key to survival and growth in this new world. That's why people like Google are out there buying this kind of technology. They wanna be everywhere from your car to your home, to your, the things you wear, right? This is important for them. They're smart. They understand that knowing you lets them be successful. So a couple quick conclusions, okay. First of all, the internet of things, the internet of everything is going to change the way we think about identity, because everything will need an identity and you'll have to use identity in a much more complete way in order to be effective in that world, that identity itself is going to be much more of an aggregate quality made up of many different pieces, and that we're going to have to lay the groundwork to understand it and monitor it and manage it and secure it now because the bad guys are already moving in to this new world that we're building.
So finally, just some quick things to think about. You already have identity information. You already have identity stores in your business. Start to think about them as a strategic resource to build where you need to be in the future. Understand that identity information, build identity into the context of what you do, and then build an extensible way of approaching identity, such that you can be successful in the future. And that I think is that,
That's my phone. That's not your, my phone. Right?
Very topical area. I, I gotta say one of the things that's always troubled me a bit about the way that we think about identity though, is saying that I'm the aggregate of all my stuff. Cuz I've got a car today and I may not have it next week. Right. And if I, if the sweater I'm wearing happens to be part of my identity and it now gets trashed, it's it seems to me that maybe there's a separation here between who I am and the things that you know about me. Yeah. And, and I didn't sort of hear that come up in the way you talked about this.
Well, I think the, the interesting things that will happen there is first of all, there's a requirement to maintain the interactions of all of those pieces, because really they don't, I'm sure you have a lovely car and a lovely sweater, but the reality is that most people don't care about the identity of those devices, those things that you're wearing, the stuff you're driving and what they care about is your identity. So what they want to understand, therefore is, okay, what are the, what are the interactions that I need to watch? What are the things that are going on that tell me, oh, it's you that's wearing that sweater, not somebody you just gave it to it's you that's driving the car, not somebody else. And of course, what will drive that is that collection of all of the other pieces around you that will enable me to build a picture of what you're up to. So I think what will happen is yes, individual elements of that aggregate identity will come and go. But the businesses that are smart enough to understand that's changed, but I don't care anymore. The rest of it is still you. They're the ones that can reach you most directly.
Okay. Thanks. My, I, I sort of might push back on that a little bit. I think there's distinct between signals and the things I use and interact with exactly. What's to call me. I have trouble with, it's just everything that's known about me. Thank you. It's a great presentation. All right.
Thank you.