Event Recording

André Durand - No Security without Identity


The holy grail of security is to ensure the right people have access to the right things, always, anywhere, everywhere and all the time. Is it simply coincidence or a premonition of fate that the mission of the Identerati is to enable the same thing? With identity becoming the control point, the backplane and the new perimeter in a world with shifting borders, it's time to rethink our overall approach to information security. Identity defined security is moving to center stage and this session will explore the patterns and architectures of this new approach to security.

So it's my pleasure to introduce the last speaker before the award ceremony. And it's an old friend of the ESE, Andre, welcome.
Well, good evening. And it's great to be in sunny Munich. I've been here three times over the years, and this is the first time I've seen a blue sky. Of course I came in and it was raining. I figured, oh, another rainy Munich, but it is gorgeous here. So I just wanted to share, I know it's later in the evening, a couple of, you know, I'll just say big ideas, high level ideas, and bring it down to what is my vision for identity going forward from 2015. I've been at this since 2002. Identity management wasn't really a term back in 2002. Federation wasn't real. We've come a long way as an industry. All right. So just to kind of start off: it's hard to see the grass grow sometimes, and things move really quick, yet they move really slow.
I'll just highlight the three macro trends that I've seen that have led to the world we live in, and why the imperative is to change the way we think about security and identity. So just start with this simple notion of an enterprise. A few short years ago, security and identity were relatively simple. It was never simple, but it was relatively simple compared to what we deal with today. And the reason being is we put all the stuff that we cared about, that we wanted to protect, in one place. We put our users, our data, our apps, and our network in one place, and we put a firewall around it. We put the things that were presumed good and/or known on the inside. The things that were presumed malicious were the unidentified on the outside. Around 2008, some of our applications started to fly the coop, and commercial SaaS was essentially born. Today,
about 20% of enterprise applications are consumed as commercial SaaS. In 2010, we as users followed our smartphone off the network, off the corporate-issued device, and now into the world of AT&T and Verizon and our own personal devices. So that was the second major shift, I would say. The third one is upon us. And from an enterprise perspective, this one's really, really big. So the third one is how do we collapse the data centers, the mandate to collapse data centers. We have customers with dozens of worldwide data centers. They're looking at those saying, how do we collapse it to something manageable, half a dozen? How do we take advantage of public and private cloud infrastructure? How do we move our thousands of applications to this infrastructure or platform as a service? And you look at this world and you say, okay, things have now changed: the assets that we're looking to protect
and the people that we're looking to get to those assets have all moved. And where is the new perimeter, and how do we define it? And so it was out of this view of the world that a friend of a friend of mine, Dan Hedrick at GE, said identity is becoming the new perimeter. And truer words have not been spoken. My whole mission in life is to enable a world where identity is that new perimeter. So the mandate to secure the enterprise, and how we think about security and the relationship to identity, they're kind of converging. And I'm gonna talk a little bit about that. So cloud and mobile are clearly the big drivers in the constellation that we're dealing with. And they've, you know, expanded our universe of things that we need to protect kind of exponentially, both in size and in complexity. How we're consuming services and where we're consuming services has fundamentally changed.
And so our systems are driven, you know, we need to think about our systems a little bit differently. And of course, whenever there's massive change, in the cracks of that change you get a lot of chaos, a lot of breach and a lot of fraud. And we see that daily. So as a manifestation of the change, we know that we haven't yet caught up to it as long as these are the headlines. So the question is, how do we defend what we don't control? And so much of the infrastructure we don't control. You don't pick the firewall vendor anymore of your platform provider in the cloud or your SaaS provider in the cloud. I heard a great quote. They said the essence of business strategy is to figure out what you do when what you do today to make money is free. Think about that, apply that to security. What are you gonna do when the way in which you think about security doesn't work, fundamentally doesn't work? Then what? And so the whole notion that it's safer to assume you've been breached and figure out what you need to do, or what architecture you need to support in that world, than to just count the days and wait for your headline moment to come, because your headline moment will come.
So on the one end, it's kind of interesting. And I don't know that this is a perfectly true statement, but I'm a big fan of wave theory and yin and yang. And so on the one end we have, sorry about the words up there, the font got kind of compressed, on the one side we always have like kinda this massive consolidation of compute in the cloud; multi-tenant gives us that. And on the other hand, we have this massive decentralization of compute with all the power in our hands, on our mobile phones. So these two worlds are really two halves of the same coin. They really couldn't live without one another, not at scale. And I see identity as the steel thread to actually bring those together. So the whole notion that we will redefine the security perimeter around an identity infrastructure is really the central theme.
It's the central theme of this show. It's been a mission of Ping for many, many years. How do we maintain the security yet enable the convenience? And so all of that's very abstract. So let me just kind of bring it down. And I am now one of these individuals who at times will say, I'm not gonna work in the office, I'll go work in a coffee shop. The fact that I can is pretty interesting. The fact that I can even work in my hotel room, you know, it's different. It's just better today than it was. The good and the bad of it is that we're always now working, but this term "coffee shop IT", it's another term that Patrick Harding, our CTO, came up with. And this is real. This is very real. Now it might be different for very large companies or established companies, but certainly if you're a company born in the last five or six years, you're kind of in the cloud and you're on your device and you do expect to access everything.
If you're an enterprise looking to enable this world, this whole notion that we've been talking about, anywhere, anytime, any network, any device, well look, congratulations. It's here. Now what? So we created the dream and simultaneously created our nightmare. Yeah. So break down this notion of coffee shop IT. In the new world, the internet is not something that you escape to from the enterprise. You need to flip it on its head. The enterprise is now a node on the network. Your users start in the cloud and end up at your enterprise. And the question is, how do you make that experience not a VPN connect into the network and into the network apps? They need to be natively exposed to the internet. We need to have a construct that makes that seamless, where you don't feel the boundaries. The boundaries will actually still exist, but the way in which we move between the boundaries needs to be fluid. And identity is one of the rare security technologies where, if you do it right, the user convenience goes up at the same time
you're increasing security. In most security technologies, the user experience declines with the amount of security that you're providing. So I think that's just a very unique opportunity for us. So there's this notion of cloud rail. It's just a term. It's just the notion that we have an identity infrastructure that allows coffee shop IT, you know, to exist. We can still secure the things that we need to secure and enable convenient access for end users, but they can do it from anywhere on any device. And there's things that you need here as a backbone. It's more than just identity. So I don't pretend that it's all identity. There's DLP. We now need to manage devices. We're on the cusp of IoT. The smartphones are only the tip of the iceberg in terms of what's coming behind that; we're gonna have a relationship with the devices in the end.
You think about it. We're only trying to connect everything to everything, and we need to define the relationships. Everything will have an identity, and we will have systems that define the relationships between us and our devices, between our devices and services, between our devices and applications. That is the mandate of the next generation identity infrastructure that collectively we all need to build. Viewing identity as the steel thread, again, is the central message here. So this has been kind of a meme of mine for some time. I drew this picture differently five years ago: identity was this little pimple on the ass of security. And if you look at the spend right now, about 7 billion is spent on identity and access management, about 70 billion is spent locking things down and blocking us from doing our job while we're protecting ourselves from the bad guys.
And what's wrong with that picture? So if I have one vision or one mission in life, it's to make identity the center of security. And so I'm gonna enroll all of you now to help me do that. And we're gonna do it by hijacking terms, if you will. These markets have been separate markets; they are not separate markets. The goal is the same. How do you let the right people into the right stuff? And by inference, block the wrong people from getting into the right stuff. The goal is the same; the way in which we go about it is extremely different. It couldn't be more opposite, but it's time for us to bring those together. So I'd like to introduce the term identity defined security, identity defined security, or IDsec for short. This is about redefining security with an identity core, if you will. It's about making identity central.
It's about designing security, not reacting to threats and things that happen to us. It is about playing offense, not defense. So identity defined security: ensuring the right people get access to the right stuff. It's plain English. It's not complicated in theory. It is extremely complicated in practicality. It's our job as an industry to make it real and to make it simple. Okay, we need to bring an end to silos. We live in a connected world, get over it. I mean, it's the world we live in. IT is always chasing the disruption that's happening at the edge. There's a new device that we need to secure or lock down or identify, or a new service out in the cloud. Well, guess what, IT's been doing that forever and will continue to do it. Things will be moving as technology spreads further and further out to the edge.
And we're always coming back around behind the scenes and trying to figure out how to control and manage it and secure it. Okay. This is just the latest manifestation. It just so happens that this manifestation is massive. I mean, truly, truly massive. So we need to embrace the inevitable here. As I said before, this is about playing offense, not defense. Now I'll admit I'm not a good defense player. In my mind, I don't think about threats. I don't stay up at night waiting for my pager. I've only rarely been exposed to being attacked. I will say this about being attacked: there is an adrenaline rush with it. I can see how it's kind of addicting. It's like, where's the next attack coming from? And then everyone jumps on it. And it's interesting. Like I said, it hasn't happened to me much. It's only happened to me a couple of times, and I've gone, wow, I get the appeal. I can live in a world where I'm just constantly reacting to threats. Well, that's not the world I frankly wanna live in. I want to design the future. I wanna design a future that enables us to go anywhere we want to go and invisibly and automatically be recognized, where IT and the appropriate people have control over what's going on. Okay.
So it's time to redefine security. It's time to do it around identity. The perimeter becomes flexible when we do that. It's going to enable the business. That's really, really key. It's going to enable the business, the agility that we get, if we architect this right: it's loosely coupled, based upon standards. I'll talk about that a little bit more. It's really, really important. Okay. So the vision for identity defined security, this is kind of my take on it. It's probably the last two years' worth of work at Ping, where we started in federation and single sign-on, and we started to apply those principles, or those constructs if you will, to the broader life cycle of identity in an inherently connected and federated world. So here's what it boils down to. We have kind of six principles, if you will; we call 'em the pillars.
It's assumed that we live in a connected or distributed or federated world, pick your term. It doesn't matter. Okay? It's all distributed. We need to build our systems on standards so that we can connect to everything. The entire life cycle of identity needs to be defined in standards. Now it turns out there's not one standard, there's several, and that's making this a little bit difficult, but think about it this way: we're building the TCP/IP stack for identity. That's the way to think about it. Why? So that we can route identity wherever we need it. It can originate where it needs to, and it can go where it needs to, and everything can be controlled and managed in between. It's gotta be accommodating of web, mobile and API. There was a time when it was just web, a time when we had different infrastructures to control how we secured APIs and who had access, and then who had access on their web browser, on their mobile phone, totally different infrastructures.
Why is that the case? It shouldn't be. We need to accommodate all identity types. It's not just about the use case of workforce getting access to apps, or customers coming into our customer portal wanting a seamless customer experience, or partners where we don't wanna manage their credentials, we want to outsource that to them. All of these are valid use cases, and we're on the cusp of defining identities for devices and the relationship of us to our devices. So it's about internet scale. It's gotta be very flexible in the enterprise space. It's naive to say it would be all in the cloud or all on prem. If you're a large enterprise, you deal with entropy. It's just our reality.
And so here's what it boils down to: three steps, I think, to build what I call the real-time identity infrastructure. This is the holy grail of identity. In my view, it's the holy grail, I think, of security. In many respects, we could drastically reduce the attack surface if everything were identified and only authenticated traffic moved through our networks and you didn't really worry about the unauthenticated traffic. It's not gonna stop the breach. The identity infrastructure will be attacked the way it's attacked today. 73% of network intrusions happen through lost or stolen passwords, not bothering with the firewall. There's social engineering; the attacks on identity will become the norm. We can make that a lot harder. So here's step number one on that equation. We have a very antiquated notion of authentication today. It's antiquated given the fact that we are now walking around with one of the most powerful platforms we've ever had as a modern society, the smartphone. The mobile phone is an incredible platform to achieve what I call the vision of continuous authentication.
It's not two-factor, it's not multi-factor. This notion of trust lives between the amount of risk that we're willing to take and the convenience that we demand. And we just say, it's trust. Let me authenticate with a password and have a 10 minute session timeout. I'm just gonna trust, 'cause it's either too inconvenient or too expensive for me to do anything more than that. We can do way better than that as an industry today. We can do way better than that. So continuous authentication collapses trust. It's a subscription and lasts for a second, as long as it's economically viable. And I'm here to say it is absolutely economically viable. The devices around us can recognize us and do a much better job than we're doing today. That's step number one. Once we authenticate to the network, and I use that in the broadest terms, we gotta move.
We gotta move that session, if you will, everywhere around the network. And that's where federated sign-on comes into play. But lastly, and this is the reason we do identity, we need to get to a smarter, more dynamic notion of access control. It's not about having an account and appropriate access and doing remediation a month later. Okay. This is about knowing whether or not André's behavior, which is continuously authenticated, is the appropriate behavior, or is considered risky against the policy that a company has, mapping those two together. Underpinning this, we need to have an intelligence layer that is smart, that is looking at the authenticated traffic and looking at good behavior and bad behavior, and at the very least flagging bad behavior or asking for an authorization if something risky is occurring, in real time. I can tell you, I technically have access to a lot more than I actually access on a daily basis. And if I ever did access those things, it should be a red flag. An identity system that's smart is going to do that. So real time, smart, as automated as we can get it. It's gonna enable convenience. It's gonna enable this more agile future. It's not rocket science to look at the mission of identity and say these are the cornerstones of it, but getting here is tough. And so with that, I'm out of time. I see my handlers here. So I wanna thank everyone for staying late in the day. And thank you.
Thank you very much.
I like that story of the identity-centric security very much. This is something we've been educating about for years, right? Yeah. So, but the main question I see is the distinction that you made between the people that are enabling business by getting people to do what they can do, and restricting access, is somewhat also the distinction between IT departments on one side, trying to secure their environment, and business-oriented security departments. How do you see this evolving in the future? Who are you going to sell your solutions to? That's maybe a different way of, well...
Redefine the CIO as the chief identity officer, for starters. And like I said, I think there's new titles that are being created. It's almost like the importance of the CISO in the last year or so, with all these breaches, is just taking on a different level of importance in organizations. We're seeing them report higher. They're now reporting to boards and the CEOs, because they really wanna understand, A, they wanna stay outta the headlines and these massive cyber breaches, and they recognize that they're all exposed. I think that there is an identity role. You know, today they are identity and access management architects, but I think there is a more significant role, both for the CIOs O and frankly, I think the CIOs will care more. So I do see those converge. Typically when you need oversight in a large organization, you start to create these lofty roles that are focused on that oversight. Personally, I see an identity role in these orgs; I'd like to see that happen.
Okay. Very good. Okay. Thank you very much. Thank you.
Yeah, it's fantastic.
