Event Recording

All Other Identities - The Risk That Is Hiding in Plain Sight


For the last 30 years virtually every company, agency and organization has been forced to accept the risks associated with identity management and control for third parties and all the other identities that are not directly addressed by today's workforce or customer access management solutions. The universe of "all other identities" is enormous, numbering in the billions and maybe even the trillions of distinct and unique identities. In the absence of solutions and processes to actively manage and control the identities of contractors, service providers, agencies, franchisees and all the possible variations of people, devices and entities that your organization interacts with, accepting risk but not being able to mitigate it has been the normal course of business. It is past time that these risks are acknowledged, addressed, and mitigated. Richard Bird explains the current state of third and n-th party identity risk, how to recognize it and what to do about it in this presentation on a new frontier in security and risk.

Well, I'm really excited to be here. You can tell that I'm not from town, I'm from the other side of the Atlantic, but we'll dive right in. I want to introduce myself because I've been doing identity things for quite some time, but I did them in corporate environments. I raised my hand in 2009 to be the new head of identity when we were taking identity out of Microsoft administrator hands in infrastructure and IT and moving it into information security. Now think about that timeline: 2009. That's a very early time in identity history for identity to be associated with information security, so early that it wasn't called cybersecurity back then. And I always tell people I'm not an expert. I simply accumulated more scars and more beatings in identity long before everybody else did. So hopefully I'll share some information with you that's new on how to think about identity, because the last six years I've worked on the solution side of the equation.
I've been a strategic advisor. I spent three years with Ping Identity as a chief customer information officer. I travel around the world when we're not restricted from travel. I work with governments, organizations, agencies all over the world. If there's anything that I can lay claim to, I've seen identity functioning probably in more companies than maybe only a handful of people on earth. And I've really enjoyed this phase of my career, but I've also been a CIO. I was in IT operations in banking, CSO, global head of identity, as I mentioned. And for some reason they keep quoting me in the media, which is really strange for me, because they ask if I've got an opinion about something, I send a quote in: Wall Street Journal, Financial Times, all that stuff. All that's to say, you know, hopefully there's some credibility in my background that justifies the things that I'm about to share with you.
But when we look at this, I'm always conscious of where I'm speaking. So I have no idea if the Ryan Reynolds movie Free Guy was a hit in Europe at all. There's some nodding heads, but the whole premise of the movie is this notion of non-player characters. This is a question for you: how many non-player characters of you are there? Most studies suggest on the consumer side of the equation, you have anywhere between 150 and 175 consumer accounts that are digital and allow you to transact with those different companies. But when we come into these types of settings, it's important to ask a question of everybody that's here: who here has more than just their employee credentials and access for identity in the business setting, sandboxes, dev environments, working with other companies, partner accounts? Who's got those? So I'm not going to ask how many you have, but I can tell you that whoever you have those types of credentials and those types of relationships with, they don't know how many of them they have either, because this falls into this category of all other identities. But I need to talk about identity briefly.
I do a lot of research in identity, and actually there's very little that we've done about researching the history of identity. And I think it's fascinating to do that, because in 1961 there was an argument about where the genesis of the account and password structure came from. And there's been a debate about who caused it for a long time. It was said it was IBM. And then it was said it was the graduate students at MIT. Turns out what happened was IBM installed a mainframe system for advanced computing classes at MIT in 1961. They developed the account and password construct in order to be able to share time on the CPU on the mainframe to get their coursework done. And the really fascinating thing about this story, if you think about the origins of our history, identity people in the room: the origins of our history start with that MIT student figuring out how to hack that account structure in 11 hours.
And the reason that they hacked the account structure was so that they could sell each other their compute time for studying during coursework. So we literally have built the foundation, the history of our practice, off of something that we knew was flawed and could be hacked in 11 hours, decades ago, right? And account and password is obviously still the construct in place. So this is kind of where identity has been for the last several years. Now, I want to be really, really conscious of the fact that we have all been working hard in identity to make things better. And I have to, you know, share something that's probably difficult to hear in the workforce space. And remember, I ran workforce identities and I came from Ping in the workforce space. The thing that's difficult to hear is that workforce is solved. Why is workforce solved? First of all, these are people that you know; these are people that have a life cycle.
They are linear in nature. It is solved for. And if you do have problems with identity in your organizations, typically it's because you haven't federated the entire universe of your applications to your identity stack. There's reasons why, right: low-risk applications, and we don't want to burden the system more, more usual, we don't want to pay more for subscriptions. But the truth is that the workforce space is solved. And if we really, really focus our attention on the rest of the universe of identities, it becomes very, very clear. We've spent 30 years working on the easiest use case, 30 years working on the easiest use case, and companies still get it wrong, right? I'm not saying it's solved universally and it works everywhere. What I'm saying is the tools, techniques, process, and technology exist to solve workforce identity in any company on the planet today.
But that was the easiest use case. So what is an identity? I always like to level set here. There's a lot of confusion out in the marketplace. You all know this because you're practitioners. When we think about what an identity is, too often it's still related to an account and a password, which means that it's also linked to or associated with strong authentication. People believe that your MFA call is an identity, and it is not. An MFA call is simply an entry point into transactions in session. The identity is actually an actor or an agent that is the who or the you for every single digital transaction in process. I'm an old IT operations guy. None of us in this room really worry about identity when somebody's not in session, right? So best security ever: if you're not logged in, you are not a risk, right?
But in truth, we allow people to log in, and we don't just allow them to log in. We allow them to stay there for very long amounts of time. And it's that persistent access that creates these massive problems and risks within our organization. But these are actors that act on your behalf. So what is an actor? Okay. This is difficult for people to hear as well. There are no human identities in the digital world. Every identity in the digital world is a proxy or a representative of the physical you, or some other thing. Every identity in the digital world is non-human, which is really important to understand, because this is why it is so easy to take somebody's credentials and turn that into a breach or exploit: because we are represented by an avatar, for lack of a better term. So when we look at all identities being non-human, they are digital proxies for the analog you in the human interface case, right? I want to be very, very clear, because there are lots of other identities. So when we think about all other identities, I like to use AOID, because I learned a very important lesson from the guy who created Zero Trust, who's a friend of mine, John Kindervag. I asked him one day, does every time somebody mentions Zero Trust, you get a royalty? And John said, no, all that work product was done under Forrester. And I said, well, I'm thinking about this thing called AOID. And he said, trademark.
So this notion of a shorthand for all other identities is this differentiation between what we know in the easy use case, workforce and customer. The characteristic that is bonding between those identities is that they are linear. They have life cycles, they have onboarding entry points. They have, you know, an identity should be associated to how long you work for a company and then goes away after you leave the company. That's a very linear progression. Non-linear: B2B, great example. I was just talking about it earlier. Suppliers. Companies change suppliers all the time. There's no natural linear life cycle for a supplier. There's no natural linear life cycle for 20,000 volunteers at an Olympic Games, right? They're very non-linear. They are ad hoc. They occur spontaneously. They need to be provisioned spontaneously. The data owner doesn't completely dictate the identity definition. This is why I say workforce is easy.
You dictate the identity definition. You set the rules. But when we look at all the other identities in the world, they are not owned by you. You are not the boss of them, which means that you do not own substantial amounts of information that allow you to gain identity assurance or surety in your environments. Contractors. It's interesting. Contractors are actually, and I always hate to say this because it sounds crude, contractors are not human beings. Contractors are financial instruments. Contractors are financial instruments that are represented by a human being, right? And because they are contracts, they don't fit into identity solution systems. I would guarantee you, all around the room, you've come up with tons of different ways to try and accommodate for contractors. Companies will try to put them into HR systems; that creates problems because they are not human resources, and in some countries, or states in the United States,
there have been lawsuits that suggest if contractors are in HR systems, they are now fully employed and they need all the benefits and all of that associated with them. There are all kinds of factors that contribute to these different identities not being in your control. I used an example: I was a CISO for a company in Switzerland called Mettler Toledo. And with Mettler I had a problem where I had 16,000 device calibrators who were able to access core information around weights and balances. And none of them worked for me. And the only way that I could manage them was an AD on the other side of the DMZ, right? And while that sounds antiquated and quaint, I know lots of companies that still manage their account access for their business-to-business partners through Active Directories on the other side of the DMZ. Many companies, right?
So AOID is the single largest unmanaged risk in every company's environment. How do we know this? Well, we kind of take a look at all the different variations. We've got supply chains, both physical and digital. We've got agents working in telephone centers, possibly as contracting agencies, totally different nations, totally different, you know, telecommunications networks, but they're representing you, right? And we've got, I've asked multiple times for this to be changed since they're all non-human, but this is what marketing built for me. These, you know, these non-human outdoors, bots, service accounts, all these different component pieces are all running around in your organization. Now we can make the argument a service account is not an identity, except that argument falls apart when we start to think about the reality that a service account is an actor inside of your system. If it is an actor inside of your system, it is not a logical leap to consider it to be an identity, because it is doing things, right?
And in fact, service accounts have been one of the biggest pieces of the attack surface, because nobody owns them. Nobody manages them. There's no entitlements or attributes associated to them. It's just simply vaulting and warehousing of these types of things. So this universe of all other identities is enormous. So I had mentioned Zero Trust. I'm actually a senior fellow with the Zero Trust Institute. I'm the identity person that gets to talk with all of the non-identity people in that organization. And there's a very interesting question that is asked by John Kindervag. He says, how much unknown traffic do you have on your network? Right? And everybody always shudders in the room, because they know they have lots of unknown traffic on their networks. Same question applies when we're thinking about identity and all these other identities: how many unknown identities do you engage with digitally on a daily, hourly, by-the-minute basis within your company's organizations and agencies?
It is a massive number that we don't go count because it's scary, right? We actually can know these identities, but we choose not to. Right. We absolutely choose not to know these identities. And this is important, because these identities are unknown, unmanaged and unmitigated. The last four years of significant compromise, catastrophic compromise, have all been executed by external third-party actors, right? If you think about, I love the Paige Thompson example for AWS and Capital One: a contractor no longer on contract still has aged VPN credentials, uses VPN credentials to then use functional accounts and machine accounts inside of the AWS stack to make a production copy of an S3 bucket and move it out of monitoring and exfiltrate something like 3.1 terabytes of data, right? Think about that for a second. Think about how, if you had managed all the other identities in that chain, you could have prevented what happened with AWS and Capital One.
Edward Snowden obviously is a glaring example. In fact, I always like the Edward Snowden story. Like I said, I do a lot of research about identity. Edward Snowden intentionally lobbied for a different position as a contractor that paid less money because he knew it had greater access at the data layer. Think about that for a second, right? If you think about the weaknesses that you have currently within your organizations with all other identities, a bad guy like Edward Snowden knew that it existed and capitalized on it. It's really astounding. I would really highly recommend that you look at blackheight.com. It's really the only source for the aggregation of mandatory reported third-party breaches and accesses. I don't know anybody at Black Height, but I use this as a resource tool. So, you know, I want to make sure I leave a bit of time for questions, but what next, right?
Call to action. It's always important if you're a speaker to have a call to action. So get curious about all those other identities, right? Think about how all of these other identities are associated to you, right, and where they're at, who's managing them, how they're being managed, and then evaluate and analyze the unmitigated risks associated with those. This is critically important as we look at this world of AOID, or all other identities, because it's the largest unmitigated risk in every company on the planet. If you even get started to work on it, you begin to cut down on inherent risk. You can actually make great strides in reducing the risk in your organization by just even thinking about these identities, let alone starting to aggregate them, count them, manage them, understand them. You know, finally, like I said, do something, anything, to reduce these risks; it can't be emphasized enough. Ransomware is successful because it's riding on these unknown identities, right? Everything is associated with what you don't know, but we study all of the things that we do know to quantify our risk. And it's the things that we don't know that actually get us. So get after the unknown identities and all other identities within your organization. That being said, I think I have a couple minutes left for questions.
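The talk's call to action (aggregate, count and manage the "all other identities") and its Capital One example (an off-contract contractor whose credentials stayed live) lend themselves to a small inventory audit. The following is an added illustration, not code from the speaker or from KuppingerCole; the inventory fields, the constructed sample records and the 90-day dormancy window are assumptions.

```python
"""Added example: audit a constructed identity inventory for the three
non-linear-lifecycle risks the talk describes: a contractor whose
contract has ended but whose account is still enabled, a service account
with no accountable owner, and a third-party account nobody has used."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Identity:
    name: str
    kind: str                       # workforce | contractor | partner | service
    enabled: bool
    owner: Optional[str] = None     # accountable person (service accounts)
    contract_end: Optional[date] = None  # contractors only
    last_login: Optional[date] = None    # None = never signed in

def count_by_kind(inventory):
    """Step one of the call to action: actually count what is out there."""
    counts = {}
    for ident in inventory:
        counts[ident.kind] = counts.get(ident.kind, 0) + 1
    return counts

def audit(inventory, today, dormant_days=90):
    """Return (name, finding) pairs for enabled non-workforce identities."""
    findings = []
    for i in inventory:
        if not i.enabled:
            continue                # disabled accounts are out of scope here
        if i.kind == "contractor" and i.contract_end and i.contract_end < today:
            findings.append((i.name, "contract ended but account still enabled"))
        if i.kind == "service" and not i.owner:
            findings.append((i.name, "service account has no accountable owner"))
        if i.kind in ("contractor", "partner", "service"):
            idle = i.last_login is None or today - i.last_login > timedelta(days=dormant_days)
            if idle:
                findings.append((i.name, f"no sign-in in {dormant_days} days"))
    return findings

# Constructed sample inventory (not real data).
TODAY = date(2024, 5, 2)
SAMPLE = [
    Identity("alice", "workforce", True, last_login=date(2024, 5, 1)),
    Identity("bob-ctr", "contractor", True, contract_end=date(2024, 1, 31),
             last_login=date(2024, 4, 20)),          # off contract, still in
    Identity("svc-backup", "service", True, last_login=date(2024, 5, 1)),
    Identity("svc-etl", "service", True, owner="data-platform",
             last_login=date(2023, 12, 1)),           # dormant
    Identity("supplier-acme", "partner", True),       # never signed in
    Identity("carol-ctr", "contractor", False, contract_end=date(2023, 6, 30)),
]

def run_audit():
    return audit(SAMPLE, TODAY)

if __name__ == "__main__":
    print(count_by_kind(SAMPLE))
    for name, finding in run_audit():
        print(f"{name}: {finding}")
```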
