Ditch Siloed IAM: Convergence, a Must For Identity Threat Detection & Response

A very good afternoon, Berlin. It's always, always a pleasure to be here. And our congratulations, Martin and the entire Kago team for, you know, the European Identity and Cloud conference has actually become a ritual. It's been successful year on year. And thank you for inviting all of us here. What I'm gonna talk to you about today is likely to be spoken a lot. Identities, I'm sure you know, you've been here since morning is likely to be spoken a lot for the next five or 10 years, especially because of various topics.

One could be attraction identities attract each other, distraction, privacy, and, and, and security. And the topic that I have today for you is the way that we look at identity today. And nothing wrong with us, it's how the world has evolved. The way that we look at identity is, you know, very siloed approach because the world strongly believed that security tools are likely to be good when they're point in time solutions. I repeat the world strongly believed that the security tools are likely to be good when they're just point in time and point for function or technologies.

And, and that is why we've always looked at it from a siloed approach. But if you were to take a step back and think through identities for the next five years and have a vision for identity, I think you may have to for sure dish the siloed approach. And if you were to go any closer to identity threat detection and response, then convergence is a must, right? And I think all the speakers who, who kind of came before me since morning have more or less hinted or are spoken in the same direction. What I'm likely to talk to you about is not about a product.

It's strongly a message saying that, hey, you know what? It is time for us to visualize convergence in a way that it practically works and reduces the friction, whether it is a workforce identity or whether it is consumer identity. And today what you look at is access is a people process and a technology mesh, which is also a mess, right? Why is that so? Because after the pandemic, you have no idea where people are coming from. You have no idea who is actually coming, who's, who's behind that device that you have, right?

And all of them are wanting to come into your infrastructure, whether it is hybrid cloud or improvise and wanting to access every piece of information which could have different meaning for different people, right? And that's how you start having a mess. And then this infrastructure itself is likely to be just about anywhere in the world. Can you imagine? How do we even solve a problem which doesn't even look solvable to all of us? So let's try and see what, what did we do in the last five years?

Well, we heard a knee jerk reaction to every problem that we have. Most of the time humans are tuned to have a knee-jerk reaction to the problem. Why? Because your board wants something. Why? Because your CIO wants something. Why? Because your security guy wants something. And about all because the auditors are asking for something which is ous, right? And you just wanna give a 0.9 solution. So you had, you had an active directory, you had MSS Azure, you have ldap, you have authentication. And of course in today's world, you have something which is called zero trust.

Honestly, I have no idea what zero trust means, because even vendors who have nothing to do with zero trust talk about zero trust. It's become more of a fashion nowadays, right? But so be it. It's an interesting topic. And you have all of these technologies today and then everybody wants an mfa. Everybody wants a single sign on. Everybody wants an identity and access magnet solution. Even though it might take you 10 years to implement the identity and access manual solution, then you want the iga. Then of course now you have the machine identities and the API credentials.

Have you ever even thought about managing the life cycle for APIs? I don't know. Do APIs? Are APIs important? APIs are just about everywhere. We do not even know. We do not even have an inventory half the time. How many APIs are running and talking to whom? Of course all of us would have an API gateway, right? And then of course you have the CM now, which is a very interesting terminology. And then we have the PAM solution. So some are business driven, some are technology driven. And you know what we started by wanting to protect our digital assets, which is on the right.

Our use case was that we had some digital assets and we wanted to protect the access and govern the access. And you know what? We landed up creating more digital assets, trying to protect some sort of digital assets. And today you have devices, you have authentication sources, and you know what? You take all the time in the world to try and manage the authentication sources. Half the time, the management of the authentication sources itself is a big problem. Why? Because we love to have as many entitlements as possible, right? We love to give somebody just one piece of access. Why?

Because the auditors are asking for it. Literally, if you have a company of 10,000 employees, you may have 10,000 into end number of times the entitlements that you have in a company, right? And that gets it even more complex.

And, and, and sometimes I keep repeating the word horrendous. And then you have the VPN and the vdi. Fantastic technologies. You need an army of people to manage, an army of technologies to be able to protect your digital assets where you actually started off from. Right?

Well, well thank you so much. I think security products are fantastic point in time, point in function, but I think it is time for us. I'm not saying right or wrong, there is nothing like right or wrong. I think it is time for us to be able to visualize is there a different way of trying to do what we are trying to do? And that is what is likely to keep us ahead of time, right? And of course you had the adaptive authentication today, which serve the purpose because user IDs and passwords are no longer interesting. But you know what? Eventually everybody is out for data and data is everywhere.

In improvise, in BPOs, in KPOs. Does anybody hold?

You know, you invest in stocks and mutual funds. Do you even keep those I inventories in your home any longer? They're with some BPO and KPO companies or they're with some companies who happen to just keep your demoralized accounts all across the world. Just imagine what happens if they go wrong, right? We've lost all the possible wealth in the world, correct? So security is not the wall, security is behind the wall. And you know what, this is very, very interesting and I will impress upon you to look at this carefully. Governance was supposed to mitigate risk. Am I right?

Governance was supposed to mitigate risk. Governance is becoming a risk factor itself.

You know, we had this interesting company in India a month back, which is one of the largest enterprises valued at 250 billion just because there was a report from somebody who managed to write one in the United States saying governance of that organization may be a challenge, a perceived challenge. This company lost 150 billion, I repeat 150 billion in two months. So what governance itself, the entire function is becoming a larger risk. If there was no governance, probably they wouldn't have lost 150. They would've probably lost 10 billion. You lose 150 billion mfa. Interesting.

Everybody loves an O T P, you know, in the South Asian or the Asian countries, the telephone numbers or the mobile numbers go through your rotation, which means the same number is recycled, right? So you had the number six months back, I have your number. Now what happens to MFAs and OTPs, right? So MFAs itself are likely to become a risk factor in how do you manage them. And the one that I love to talk about is the entitlements.

You know, you have so many of them and everybody loves to have entitlements, you know, I think sometimes less is more and I'm gonna talk to you about that. But what I'm trying to tell you is the compliance itself is becoming a risk because the regulator is smarter than you are today. They have invested a lot in technology. The reports are becoming a risk. Why? Because if something is wrongly reported, the CEO has to come on the stage and Alize to people and say that, Hey look, you know what? I'm sorry we made this mistake this was never heard of before.

And this keeps becoming more and more complex today, especially the entitlements because you have number of solutions available in the market, thousands of SaaS products and thousands of more entitlements coming up. Hey, you know what? We still could not overcome this challenge. Forget about the SaaS.

Are you, are you even able to overcome this challenge? All of this. And then you have new versions coming out every month, right? And we could still not get it right? In spite of the fact that we have the largest possible stack of technologies available in the world, we still cannot create a user ID on a Linux box through a technology. 80% of us here would actually go on the Linux box and create a user id.

Right or wrong, right or wrong, my experience in the last several years after even 20 years of talking about identity and governance, you still have to go to the firewall to create a user id. You still go to the storage devices and create a user id. You still go to UX boxes, you still go to databases. 80% of us still happen to do that, right? And we've still not solved the basics, right?

You know, unfortunately, even if you've got it solved, you know, we still can't get the definition right? Definition of what is a privileged identity are root accounts. The only accounts which are privileged identities are any identity which is on our Unix or Windows or any technology or digital assets is a privileged identity. I believe that if it is IT infrastructure, anything that you have on the platform is essentially a privileged identity. Why? Because if I get access to one of your Linux accounts, I have a higher probability of trying to crack and get into your Linux boxes.

Every, every single identity. What is not a privileged identity is the one that you have on your applications and you access your applications because you've got your rights, you've got your entitlements. Anything behind the scene is a privileged identity. For example, again, there is nothing like right or wrong, but have you ever thought about bots accessing those devices? Do you even do session monitoring of ports? We are not even sure whether we can do session monitoring for route accounts, right?

So how do you look at APIs and how do you manage hardcoded entitlements after having spent 10 or 15 years, right? The hardcoded passwords still trouble us and most of our applications continue to have all of them put together. And then, but all of us have invested in an IM solution. All of F has probably invested in a pam, probably invested in I G A. You know what? After having put millions of dollars, it's becoming very difficult for you to triage all of this and, and, and get to the right answer of who's got access to what.

Hi there, how much minutes? How many minutes do I have? A few.

Okay, I thought I had 20. But anyway, having said that, I'm saying all of this is becoming a very interesting and a complex subject because you need to keep buying tools to even figure out who's got access to what. I would urge you to reimagine identities for a couple of minutes with me since I have a couple of minutes more. And I think we need to probably try and rearrange them right in the order of whether, in the order of whether we can create a converse identity platform for us. Just remember, you just need to remember three things.

Digital identities, digital assets, and sorry, human identities, digital assets and digital identities. That's it. Nothing more than that. And anything and everything that you have, applications, infrastructure, they're all digital assets and anything that you have on them is a digital identity. Today I walked in and I went in behind to get myself micd up. And you know what, the Mikey guy put up a box here for me and he said, you're number eight, which means my digital identity today for their purposes is number eight. Because you know, my mic is number eight, for example.

I'm saying these are two important messages. Create ownership for every digital identity. And you have, you have hundreds and hundreds of them and make sure that you reduce the noise on entitlements. Less is actually more. And if you were able to construct it, you would be able to go and take a step back and construct it in an order that you can have a conversed identity platform. I know everything may not work in this platform, but if you do not have this, and if you do not have a single vision, you have literally wasted millions of dollars. Why?

Because you still can't get into your CEO's cabin and answer in five minutes who's got access to what, right? And I think it's also important to now take a step back and think of what is a digital identity. It is actually mirroring you. Digital identity is nothing but the other you, your thoughts, your likes, your dislikes, what you do, whether you work, you're a professional. All of that put together, that's a digital identity. And I'm trying to tell you this, why?

Because every business, and I spoke about it last time when I was here in Berlin, every business model that you could look at in the future is actually only this four. And I'm not saying this, the World Economic Forum is saying this outcome based model. Outcome means, you know, Tesla is not valued at a trillion dollars because they have invented batteries. They have valued at a trillion dollars because the car engages with you. The car engages with the identity, the car understands you hyperpersonalization.

You want to buy your shoes, walk in and you can create a shoes which is blue or a pink in color because you may not like white at the same time. That's hyper-personalization. And access versus ownership is nothing but interesting is cloud. People don't want to own assets today. People don't want to own it. Our sons and daughters today, they don't wanna stay in the same house for more than a year or two years. I have lived in the same house for for 40 years, right? So what's happening is identities are at the forefront of every business.

And identities are likely to drive business models such that consumers are becoming producers. I repeat, all of us are becoming producers and that is so interesting. Telecommunication company is not about technology of speaking. Telecommunication company is a content creation company today. Why? Because they have already paid for the pipe. So if you look at balance sheet of any large telecommunication company, they're actually content creators. At and t would probably blend a buying Netflix or Netflix would probably become an at and t of the future. Banks are API driven.

That means you interact with the core banking system, which you never used to interact before, right? Power is likely to be generated by you again in identity, which means identities are likely to have a very different discussion. I'm sure I think Eve before me spoke about it a little bit, but I think if you look at the internet fraud battlefield, everything yellow you'll see is to do with identities again. So just wanted to try and close this by saying that maybe in the next 10 years you may not even see a workforce and a consumer identity solution. They would also likely to get merged.

They have to because you know what? You already are K Y C person. Why go and create the same identity when you join a different company? So this is likely to happen if this were likely to happen. I think it's important for us first to maybe try and figure out if we can converge at least the workforce of it, because it is definitely a little more complex. And if you have to, then you need to have a platform which is able to onboard a machine identity for you, which is able to onboard a interactive non interactive business identity. Or a privileged identity. A privileged identity is only a tag.

Why? Because the entitlement of the user is more than the entitlement of somebody else put together there, right? So you need a platform to be able to service all of this, which could be on the zero trust, which could have remote access and which would have a strong identity governance. Is that too difficult today? I think it is not so difficult. If you were to just take a step back and figure out if you would want to have a tightly constructed solution and not maybe getting four of them together, you would probably buy, or you would probably find them in the market today.

Why do you want to do this? That's the last two slides. Why do you want to do this? The world is likely, well, I see a two, two minutes, 43 seconds here.

So I'm, I'm indulging myself in here thinking that, you know, maybe this is right. But the last two slides that I would want to talk to you about is that the world is moving towards identity centric security and contextual data model security. I repeat identity centric and contextual data model. This two things are likely to become very, very important. And if you look at Analyst report, including maybe Gartner last year in 2022, these are the two things which are coming out.

Identity, threat detection and response and digital supply chain security. And if you were to want to implement an identity threat detection and response for the future, which I'm sure all of you would would want to look at it, then these are the elements of an identity threat detection response, mfa, a single authoritative source, identity proofing mechanism, deception, identity breadcrumbs, a single sign on solution, account takeover, privilege, access management, and an identity governance below that, literally.

And this would help you to create an identity centric security framework within your organization. And if you want to do this, there is no way that you can achieve by having different sets of tools and technologies across the world. Why? Because they would always, always fall in the crack. So I would encourage you, right? Well since I'm here from my organization, I work for a company called Arcon, we believe strongly in this, in this vision. And if you think that, you know, we are on the same page, would love to have an engagement with you down.

But I strongly believe the world, whether we do it or somebody else does it, I think the world would have to move out of this to create value proposition. 25% of all identity and access management programs in 2025 are likely to be converge identity programs. You know what? Why pay for the same identity 10 times over? So you'll literally pay 25% of what you're paying, not because it's cheaper and you get 10 times the value because you don't have that value today. So thank you so much. I really love this Netflix.

I believe it's low friction, high security and that's what you need from an identity solution coming to that. Right? Thank you.

Okay, we Have some sun left one. We do have one question in the app. That's all cause Of you. And I'm asking you all The claps because you know you were here, right? So thank you so much for being with me. Thank you. But there is one question in the app. Sure. And we have to keep it short. So your answer will be yes or no. And the question is No, first. Yeah. We have siloed identities, siloed tooling, landscape, siloed detection, siloed responses. Could it help to defend the data and assets from looking at the data towards the outside world?

Like a cell in a body is defending itself starting that Is no right or wrong answer in in, in ID security. Yes or no?

So, so I'm gonna say no eventually because they definitely do fall in the crack. Unless you really have a system where you're able to have more rigor, the people in the process, part of it has to be slightly better than the technology part of it.

So, so you know, if you were able to do that then sure. Otherwise, no. So Thank you. Yes and no. Yeah. Thank you. Thank you. I don't have all that. Thank you. Thank.