From Identity Theft to Identity Threat to Identity Security

Women in Identity Panel, or I should say the topic which is discussed by women from Women in identity. And I hope we have also, yeah, Melissa is there. Hi. Hi Melissa. So we have also Melissa online and two other women in identity on site. And I welcome everyone to this panel on an interesting identity topic of course. And this is identity from identity theft to identity, threat to identity security. And first of all, I would like to have you get to know the people who are sitting there or I'm standing, but I will sit down very quickly.

My name Iska, I'm for a very, very long time in security and identity, Jo, and I just recognized that we are, I would say 18 with ours of this. And so, and my current role is the CTO for identity and access management in the Center of Competence in IBM security services, emea. And I am with women in identity from, from the very beginning in 2018. And we think in our organization, and you have heard perhaps yesterday morning this presentation from Emma and also Melissa on what Women in Identity does. So we work to make identity for everyone.

And here on the panel is then also with me is Melissa again. Melissa, could you please introduce yourself?

Yes, thank you. So my name is Melissa Carvello. I am based out of Toronto, Canada. I am the Vice president for Identity and Access Management at Royal Bank of Canada. And I'm also a board member for Women and Identity. Thank you Melissa and son besides me? K. K. Thank you. Hi everyone. I'm K Chopard actually for the French speakers in the room. And I am also on the global board of directors with Melissa. I serve with her and I've been one of the early folks to volunteer with women in identity.

In my day job, I am the executive director of the CANTARA Initiative, which is a nonprofit organization and we are very focused on standards and we do certifications against digital identity standards in the US as well as the uk. And I've been talking with folks about perhaps moving that also to the eu. And everyone at this conference, not surprisingly, has said, I think you should start in Germany.

So anyway, that, that is what I, I, I do for my job, but I'm actually a lawyer by training and I've said to to Angelica that I will, you know, be able to talk about legal policy far more than some of the technical things. But I appreciate the opportunity to be with this really terrific group of folks and it's been a pleasure to work with all of them. So thanks. Thanks. Okay. And Yeah, my name is Yaba CDOs. Today I'm a freelancer doing consulting only on the strategic level when I think an assignment is interesting enough.

But before, I was running identity for the past 20 years in four global banks. The last one was European Investment Bank in Luxembourg, which manages all the EU funds. And I was the head of, I am there. So I've seen everything from the financial sector and they're quite, yeah, precise and regulated, heavily regulated, but by education, I'm not a lawyer, but I'm a linguist, Latin and Greek. So I like smoke apps. So my hobby too is looking at all the compliance parts and reading all these laws which I've done like G D P R for 20 years and following everything. And I love to do that.

So that's my sort of, yeah, occupation. Great. You see here, and we had discussed that in the get together of Women in Identity, which had been upstairs before that session also, where, what is the education background on? Many of us haven't started in identity or security or even computer science or something like that.

Yeah, Well I did my reeducation to get focus, Yeah, at some point in time. I think we all need to do that. Reeducate us on computer science. I'm also by education, a mathematician, but not an applied mathematics in theoretical mathematics so far beyond computer science. This was my education. But anyway, so you see here, this is the, these are the panelists and, but let's get a little bit deeper into that topic. Identities and threats. You all know, you all know.

Now, I would say that we don't have only human identities. We have also a lot of non-human identities. I've put some here together. It's devices, it's robots, it's things and it's applications, APIs, some pieces of software, something like that. And you are also aware of that, but you also have organizations with identities. Companies have identities. You as a lawyer would say, yes, a company has an identity and you have also governments with an identity.

And this really contributes to the, these variety contributes also to the threats or in the sense of the threats also attack or you have attacks to this variety of identities. And it had started, I would say long time ago with identity thefts in the physical world. Like for example, thefts, stealing credit cards, credentials, passport, if you want to have, if you want to read a fiction book about it, there is a really, really nice one from TC Boyle, which is named Talk Talk. And this is really a good, really a good friction on what happens if someone steals your identity.

It's a relatively old one, but I think it's still worth reading. And then this of course has advanced as all technology has advanced, which we see here also in identity to not only in the physical world, but also fishing, buying credentials from people, but also taking over identities, non-human identities because you gain, you often with non-human identities, you gain much more insight into various and valuable assets.

And this gets now, so what we see in the last years, I would say also into a tax of identity infrastructure, whether that be a directory in a company or what we also see in in countries what we are calling identities, eids in countries that we see a tax on these really the infrastructure itself. So we have really a variety of threats on a variety of identities. And this doesn't make that very easy. And this topic we want to explore from various angles in this panel. And I would say if you have a question or something like that, jump in.

We have some time today and, but we will start with some of the questions I would like to ask my core panelists on how do you experience these threats and how do you deal with these? And I would like to start with you, Melissa, on that one. Maybe you can give it a start.

What, so, so I know that you are working in the bank and when I'm thinking of a bank, yako has also worked in banks. It's a highly regulated industry. But on the other hand, you have of course a lot of privileged accounts and privileged accounts means these are accounts where you usually circumvent business processes and have success to data, which you wouldn't have if you, because wouldn't have from a business perspective. And I think this is a category of identities which are very, very, I would say heavily targeted. So what's your experience with that, Melissa?

Well, so, so I've got a lot of experience with privileged accounts. Privileged accounts can be on non-personal IDs. So things like service accounts. Application accounts can also be on personal IDs. And so a number of things that we're seeing, RVC is a global bank. So we have not only people across the globe and systems across the globe, we've also been on an acquisition spree. So we've also bought organizations.

So my job is a little bit tougher because not only do I have to worry about privileged IDs and rbc, but I have to worry about privileged IDs and all the companies that we've acquired. And you know, when I, when I think about this and I think about privileged IDs, think about a number of things. I think about the fact that many application owners don't really remember or have inherited their application so they don't understand the privileged IDs and how they work and how they operate. And so that makes it really difficult for us.

One topic that I think about is the great resignation that we experienced over the last couple of years when people left our organization, they took a lot of mindshare with them on these privileged accounts. We know that bad actors like to exploit vulnerabilities we don't understand and inventory our privileged accounts. We have a lot of problems around that. So that's one topic or area that I'm seeing as a trend. Many application owners don't understand the privilege accounts they have, which makes it really hard to apply security to it.

The second topic or trend we're noticing is cuz we're a global organization and people are accessing systems from home more often, we now have to think about time and location based access. So while they might be working during their normal hours and can access a privilege id, we shouldn't be able to do it outside of normal business hours. It's not something that we typically had to apply policies for and now we have to apply policies for it. Privilege again is a vast space, but those are some of the key areas that we are now starting to explore or look into. Two.

This is exactly what I was just thinking when you talked about the policy. So this leads me to uk, haha, policy, organizational thing, standards. Would it help in this area or what do you think? Actually, I think that it is very helpful and, and and, and unfortunately I think a lot of times we haven't thought about the kinds of policies that need to be in place. And one of the things about the organization where I work now, my day job is that it is one thing to say we have standards for how we maybe, you know, handle these kinds of things.

It's another thing to say, so what does it mean to meet that standard? Because typically it's about how do you implement it, how do you execute that? And a standard is often written very much like a goal of we want to make sure that we protect X, but then how exactly do we do that? What are the processes we put in place? What are the policies that we thought about? And I think that Melissa has given some very good examples and unfortunately what often happens is we learn by, by experience, right?

We learn by mistakes and we discover that, for example, when she talked about, you know, someone that leaves and we didn't appreciate what their privileged identity was and allowed them to do and now we've either left it open and haven't actually made the correct changes or processed it properly. Or for some, I've been in organizations where we didn't even think we had to do anything right? And suddenly we've left ourselves open for an attack.

So I think that the standards are really important, but by the same token, I think that any organization needs to think about, so how am I going to implement that? How am I going to make that actually work in a way that's practical but make sure that I'm really tackling the issue in the way that I should This?

Yeah, yeah, this makes sense for me. So if you are saying supporting that, are there any guidelines from your perspective, not only the standards and the policy, but more like how to into that one? Do you see anything there? There? Yes. Am I allowed to talk about?

Okay, Well I, I would just say that yes, and I think it's, I think that there are guidelines that are a little different in different countries, right? So I'm based in Washington DC and the CANTARA initiative for example, has taken the standards that are out there and actually put together the criteria. Or you might, you know, sometimes it's schema that says, okay, if you're gonna meet these, this it, you have to have done X, Y, and Z kind of a thing and really broken it down.

I don't know if any of you, this is an example from my previous life for me, but I used to do a lot of strategic planning and I did a lot of strategic planning with a variety of organizations. And in many ways what the standards were like, were like the goals, right? They were the big goals, there are things we wanted to achieve in there, but to get to that we had to have objectives that sort of broke that down. And to meet those objectives we had to break it down even further. So it's a little more granular about what are the tasks that go into this, what are the activities?

That's what we do as an organization where we take the standards, and it might be in the US as I just described, we also do certifications in the UK and we're working with other governments about trying to help with some of their, their things. And it's the same thing. So the standards typically just at face value doesn't tell you what you have to do. And there are guidelines available in many places and, and some of them are done privately, you know, Cantara, like I said, has done essentially those types of things in the us.

In other countries it's actually been a different body or sometimes it's, and a government agency, I mean Australia for example has really taken and they have written all of that so that you know what that looks like and what has to be done. But it still has to start with what's the standard up here, what is it we're we're trying to accomplish? And then I think there are several resources to get that figured out about how do we go about doing that.

Yeah, understand. And you said talked about government piece and jacoba, you know, for me you are always, if I have to learn about electronic identities, eids, you are always a person I go to because I know that, you know, and can tell me what's important in that area. If you are have talked about, Melissa has talked about in an, I would say in a company, in organization and privileged, you have talked about the standards and the guidelines and what else with eids, what, Well, if you mean by eids, national eids, yes. State issued if you want to, well of course we have the ADAS legislation.

I'm not drilling into that, I'm coming back to legislation. And it also goes for policies. Policies are a generic standard. They need to be generic because they need to be applicable in all cases. So they cannot be precise. But that has to trickle down to an operational level because you need to know what to do. And there is a gap by nature, you can't, the same is with legislation. You can't write legislation that writes exactly that. This password should be 12 characters and you should have, you can't go into technicalities, but you need to know the technicalities when you want to implement.

And this is exactly where there's a big gap for interpretation. And I see the struggle and an example is the EI IDAs legislation, which is coming from the start in the, the historic whatever, previous versions of that. And they were talking about assurance levels, levels of assurance. How do I prescribe in a legislation or in a policy, a level of assurance. I can measure my dykes in centimeters. I'm from Holland, I know that the water was this high last year, the highest it ever was was here. So if I have a dike three meters, I can measure and it will be right.

That's very precise level of assurance. And I know the water is there and the land is here. The wind can be a bit like that. I can calculate, I don't even have to guess the risk, but I can precisely calculate my measure, my level of assurance that I can defend myself. But security I, so I cannot, I can measure the water level, I cannot measure the security level. I can estimate a risk level or I, and that today, if I measure it today, tomorrow it will be different. There will be new attackers, new vulnerabilities, I don't know, it's volatile.

But now I'm making a law that has to prescribe a level of assurance, which cannot be technical because it should be generic. Now, and this is the problem with anything about legislation, prescriptions, of course you can say that this process should be in place. You can do some mitigations or some measures, but you can never measure the security of those because they will change the minute you write them down or be outdated. And another thing too, there is some saying, I have no source for that, but at the CISO office, one of those banks, we used to say this as a budget underpinning reason.

If you want to have the same level of security, you need to be each year 10% more expensive or do more work or invest more in security all the time more because it's rising. So these are a lot of parameters that are volatile and you cannot prescribe that well and let's alone the ownership who, who has to do it in a company.

Okay, I was just gonna, I I, I totally agree with the ABO saying, and when I talked about some of the guidelines that we've put together, they're really, they can't be solution specific, right? Because then everyone would have to do the very same thing and that would really stifle innovation. And I think that innovation in the marketplace is really, really important because that's really how we keep moving forward and how we, we keep actually making progress and, and better able to do things.

And yet we have to find that balance because as you say, in legislation, in the standards that we see, it can never be specific enough. But yet what we try to do is, is find a way to be able to say, you need to be able to accomplish this, whatever it is, without prescribing to do that you have to do it with a certain, you know, type of solution or a type of technology. And we try to be very neutral about that. But because, because what's wonder, you know, I don't know, do you have this saying here, there's more than one way to skin a cat?

So that, just saying that, right? I mean that's what, what is the beauty? I think of identity solutions. There's more than one way to do it. And the nice thing about that is then that means purchasers have options. But I think ultimately we still want to know that we have mitigated the risk to the extent we can, that we've identified that we need to take those measures and then each company will say, here is how we're able to do that.

And I, I guess I I Maybe some basic fundamental level. Of course you Sure, But you example from the Netherlands with water, this brought me to a picture that this is very volatile with climate change. You also can only touch the risk. Yeah. But that will be by centimeters not right, you have your meters, you're sure. Okay. One point I have regarding the time making, because I see it's still 59 minutes and 59 seconds, which I don't believe is true. So the time is not counting. If someone can help me and tell me if there's only 10 minutes left, 30, 38 minutes, I believe.

Sorry, 38 minutes. 38, fine. This is fine.

Okay, no problem. Good. Then this was just in between, but you are talking about, okay, applicable also. And then I would like to ask, Melissa, you are in an organization which has to comply to some of these things and you'd get some nice guidelines, but maybe you would say, Hmm, guidelines and, but I don't really directly know what to do with that, how to deal with that, to put that into practice. This would be my question.

Melissa, are you still there? I am back now. I've been in the lobby for a little bit, but I am back and I missed the question. Can you just repeat the question?

Sorry, my question would have been, so we have the guidelines, we have this some sort of legislation which has to be on an abstract level, but you have to deal with this abstract level and how do you do deal with your experience with this level to put that into practice that it really works that Yeah, it's, it's not a simple thing to do. It's something that we do with a lot of collaboration with our lines of business and then with the industry.

And, and the reason we have to do it in collaboration with a number of people is because sometimes the standards and the policies just don't work in the way they're documented or they're intended. And so it's a little bit of trial and error. Maybe if I can think of an example, one of the standards we have is around testing and reviewing access. And so our auditors take that literally and they think every application and every single access needs to be attested to or reviewed.

And what ends up happening when you do something like that is managers and others get inundated with a whole bunch of line items and things they need to attest to and it doesn't necessarily make sense to them. So we work very closely with the, the team that works on our standards. We work closely with our regulators to make sure that things make sense and are meaningful. And then we work closely with individuals like Kay for example, to make the policies and standards that are being put out there, be practical in nature. Makes sense for me.

And what I also see from my experience now is in the last years, of course with the, I would say common adaption of cloud, many things have become technically more difficult. But on the other hand, I see also that some basics are not there, which would help, I wouldn't say it would solve the world, but some basics. You have mentioned it, Melissa, is the coordination with the stakeholders, with all the stakeholders, bring everyone in the boat, but also simple things where I thought we had discussed that more than 10 years ago.

Also, like in identity governance, having valid lever process there. So one that is working, for example, where I was thinking, I have talked about that 2009, 2010. So how do you see that from your perspective? On the one hand, the technology is going into really disrupting everything, but on the other hand, some of the basics are not there.

Yeah, I think when we, we talked during this conference yesterday and today about very modern ways of wallet, self-sovereign identity, policy-based convergence. But many corporates and also some banks I know of and really, really big corporates don't even have role-based access control, which we all consider as a very old-fashioned stuff and it's still not there or they don't even know how to spell the word i a m that exists. And those are not small companies with no budget, but just there is no guiding, the whole topic is not known as such.

There is cybersecurity, there's a C, but it's not a separate discipline scene as a different, and that's where it start, I think. So one, having the right person owning the topic and dying to do it right, that helps. And of course, if you can't stand your boss and they don't listen and you don't get your budget, go to the auditors, talk to them, ask them to make a lot of red crosses in the report and talk to your boss and help you to defend yourself.

I mean, and or in their worst case, let it go wrong. Yeah. And that's not the case you want, but often it helps a lot. And I think adhering to the policies and to the the work proceed procedures and yeah, it has it, it takes maintenance. If you don't look tomorrow, it's already old maintenance, maintenance, maintenance. This is what you mentioned with every year, 10% more budget for security.

No, that's just because the risk is increasing. That should be your average running budget, which should be there. Okay? It's not just implementing technology and and having stuff right tomorrow. It's already all date our data and you have to go back and back and back and keep developing. But not every company is able to, from a staffing perspective or something like that to have an, I would say a knowledgeable person for everything. So you have to address that.

Melissa, what's your report? I was Actually, I was actually gonna add to this because during the pandemic we saw a lot of this happen. Retail companies, stores, restaurants had to digitize, governments had to digitize and transform and they didn't have the luxury of finding cyber specialists, identity specialists. And so they started to implement very basic identity things like just passwords or the personally verifiable questions that they put out there. But they didn't have good cyber programs and they didn't think the policy or the standard applied to them.

And when they realized it applied to them as well, they didn't know how to implement it. And so that created a lot of vulnerabilities that were exploited if, if you think of it in, in that way, we, we saw a whole series of things, things like lack of global registration programs, you know, people who are marginalized today being even further marginalized. I think that there's a whole realm out there of topics and vulnerabilities that you have two extremes. You have the individuals who understand identity and cyber in organizations and they implemented and you have the ones that don't.

And we're only as strong as our weakest link. Yeah, this really confirms what I also see and what I also recognize here on the conference, I was this morning in the identity fabric session with Martin Kuppinger and he was showing this capabilities matrix, I would call it. And of course there are different capabilities matrix on the ma matrixes on the markets, but in the end they drill down to some topics, what I would call critical capabilities, these basics.

And, and what we see is that you might have another technology to address these capabilities. You might have also another technology for what you were saying in the pandemic. Everybody is working remote, so working together or underlying infrastructure technology, but nevertheless the critical capabilities are always coming back, boiling down to the same piece. So your experience on that?

Yeah, I think so when we look at privileged access management, like in the beginning, non-personal accounts, people who maintain servers and whatever infrastructure, then it's outsourced. The employees follow the outsourcing outsourced company and then all at once the whole governance and who owns what and who is having to do what is unclear. And can we audit at the venue of our service provider?

Yes, no, who does that? What happens to the report? And it's a big fuss, not the IGA itself, but who owns the iga, who owns the cyber arc? Is it going to the vendor or do we keep it on premise? I have seen a lot of problems coming from there, even in a, in a very large bank. And then that was crazy. The C I O had found that with penetration testing they could enter the active directory, which is pretty bad. And then he ordered, and I was the new head of I a since one week.

And what happened there was mail going around that by next Monday, 1000 servers owned by the bank should have new password policies, not new passwords, new password policies. They should be 40 characters instead of six or 12. And it had to be done before Monday, but we had no documentation what server or what NPA is talking to, which, which server application and whatever. So you would have, so I told them, well that's the project. We have to find out what every account is doing, every NPA or server service account.

And then one by one we could probe them and see if nothing is dropping then we can do the next. But then there was a meal going round or whether this new head of IAM couldn't shut up and just do her job.

So, and this was a bank with 3 billion of money, outgoing money approved per week on a European level. So I'm not saying anymore, but when, when the CIO is this doing these things, we have a different problem I think.

But yeah, ownership and accountability, but also knowledge at the top I think is very important. Sorry to interrupt. We have 27 minutes left and there's a question online for Kai. So the question is, how can organizations like the entire initiative adapt to the changing cybersecurity threat landscape?

Well, I think that, I actually think that some of the things that people have talked about here, the way that we adapt is that we look to ha to be to use a collaborative process, which Melissa talked about, which Elica talked about, to where we always end up with better guidelines, we end up with better products.

And I think that that is one of the things I have loved about the Women in identity organization is a recognition that when we have diversity and those who help us not only develop, you know, whatever guidelines or criteria or whatever we wanna call it schema, that we're constantly looking at that to make sure that it's better. That we are looking at what's the experience when those things get used in the field. Because the, because the iden, the digital identity industry is not monolithic, right? There's all of these different things.

So we need to learn from experience, we need to bring in multiple people to talk, just like Melissa is bringing in various parts of her organization, we need to do that, which often means stakeholders. And by stakeholders I don't just mean people who are doing different kinds of solutions. I mean people who are purchasing these solutions and to the extent possible people who are using these solutions. And I think that's one of the beauties of women in identity is they've really been able to take a look at and do a deep dive into does it make a difference when we're more collaborative?

And I think the answer is yes, absolutely. And we end up in a better place and we're in a better, we are better able to continue like that continuous improvement cycle, right? We're always able to make it better. And I think to do that kind of collaboration in some ways you have to let go of ego. You have to let go of who gets the glory and you have to say, you know what, are we better today than we were yesterday because we came together and recognized what it needed to be done and did it. So that's what I think groups like Kenar can do. Thank You.

I think this is a good point, this collaboration piece because it's always very helpful and I've also learn, learned a lot with these women in identity discussions, which we have regularly in our dark group. So we also talk about content and how we solve problems and fortunately this competitive view is not there in these calls. Maybe this is something what women in identity also provides for us learning from each other and what the others are doing. And I think we are sitting here to do that then.

Yeah, we have now talked about couple of areas, but I would like to get a little bit back to the threats and you have addressed that with an attack to an active directory, for example. I think for me this is very frightening, to be honest. It Was a pen test, but nevertheless, Nevertheless, nevertheless for me it is very frightening what we are seeing in the last, I would say really that it is so massive in the last two years, three years maybe really with the pandemic that it had forced this one, that really identity infrastructure is targeted.

And this is for me so frightening because with, if you, if someone gets hold of identity infrastructure of what we have seen with Labus, for example, getting into really the system, setting up new machines and all these things that really attacks can take over not only your infrastructure but also your complete business. And this is, I think this is frightening for me. And what would it from your perspective be as we want to get to identity security, besides talking to the stakeholders, but, and and talking to each other, what do you think would be really helpful in these cases?

Well, let me say it that way. I, I think we can't prevent everything. What can we do in these cases?

So where, where our identity infrastructure is attacked and even in the governance they have the same issues. So what can be done, it starts With governance.

So you, you are able to execute whatever you want to execute. I think that's the main first step. So if you are on that point, then you can start making strategic plans. And what I've seen is there is the preventative thing, keeping the door closed, preventing bad actors to come in. That's one way of doing it and skinning the cat. But at the same time, it's a wise thing to also make sure that the detective and the repair controls are well into place. And I would say maybe a more holistic view, being very well aware about your situation.

Where am I real tr treasures that I really have to protect? And someone today told me very nice, I don't remember who it was, but about Estonia where they have complete replica of their governance government, it digital existence in a country in the European Union, a completely different site which could be acting as a hot standby in case something wrong happens with back act, bad actors. We all know which one we are, meaning that is a sort of be prepared for the worst. And I think, yeah, when you hear about zero trusts, that's actually what you're doing, being prepared for the worst.

And so detecting and preventing and repair controls all making them even stronger because there is a limit to what you can do in keeping them out. They will get, they will get in at some point.

True, true. Melissa, anything you want to add to that one?

Oh, Melissa, I think Melissa has an issue with her line. Maybe we can open the floor for some questions from the audience.

Yes, of course. Or okay. Did you want to add something to what was No, I guess I would just add one thing and then we'll go to definitely questions from the floor. Even probably, this is maybe really more basic, but partly because I, I've only, I'm a, I'm a fairly recent identity person, right? And what has been amazing to me is that I think identities permeate almost all of society, all government services e every type of business really. And that was really made so evident during the pandemic because as I think Melissa talked about, people had to quickly digitize.

But I think that what I find, and because I, I practice law and I worked in the courts and all of that, you know, I, I'll often talk to my colleagues and they'll be like, well what is this identity and access management, what is that stuff? And that just doesn't apply to us. Oh my gosh. And I have a heart failure, right? You courts records all kinds of things that absolutely should be dependent on digital identity and identity and authentication and it's appalling.

And so I guess I just think that when we're here in this group and we all understand the significance and the importance and the emphasis, and yet I think there's so many places where even after they've been through the pandemic, they're like, identity, why is that a big deal? When in fact it's a very big deal. And so even the person who's got the boss who doesn't understand, I think we have to keep educating and educating and in some ways we have to educate in our own personal lives because people need to understand better.

Because otherwise, if they're not aware, they just make it easier for the bad actors, right? They just make it, we saw that in the pandemic, you know who, who reaped a lot of rewards from that. At least many of the folks that I work with organized crime. It wasn't just some hacker somewhere organized crime, saw the vulnerability and went right after it and managed to make millions and billions of dollars.

So anyway, I just, I think that education more broadly and all of us came to identity from someplace else for the most part. And what we see is we had that epiphany and we want everyone to have that epiphany, I think, sorry, Yeah, maybe we should have a cyber driving license in schools. Like they learned how to manage the danger in traffic. Good idea.

Yes, it should be teach in school. But getting back to questions, any questions from the audience now? Anything you ever want to ask?

If not, there's a question online. So referring to threats and challenges coming from non-human identities, would you say that AI, like Chad BT has an identity? I wouldn't say that Chad g p d has a general concept, has a digital identity, but I would say each instance of Chad g p d has a digital identity. This would be my, there, there Was a scandal in my country where it was, or in some that it was looking like it was a person, it was acting as if it was a person and some users thought it was a person, but it wasn't. Yeah. Yeah.

But the question is does it have, does it need in the sense of I am a digital identity, does it need that? And I think chat G P T is for me to prod to have it is not specific enough to have a digital identity. I have one digital identity, this is my personal belief. You can say I have many digital identities, but I think I have one where several things come together.

But, but chat G P T, what does that mean? An instance, it's a program, but there are various instance To make it more generic, you could say that every robots would have an identity. Yes. Or service, just a running process transition, yes. Has an identity.

And if, if we look at chat G p T one process or transaction acting, it would indeed have some session or some process Id, This would be my opinion on that one. So The question maybe is going a bit beyond the ID kind of more technical thing. If an AI like chati PT would have an identity, it would mean legally, for example, it could own something, it could be a legal entity, you could, you could bring it to court, these kinds of things. So it's your opinion that those ais sooner or later would be dealt in a way as if they had such an identity?

I think that that is, would be a little harder to make that kind of a stretch. Cuz I'm not sure every identity is not necessarily per se a legal entity, right? A legal entity I think is something very different. It could be, but I'm not sure that that type of an AI entity could do that. Now that said, you see identity theft in which people go out and pretend to be someone else and buy houses and do all kinds of things.

So they have the appearance of being a legal entity perhaps, but I'm not sure that in the same way we, you would be able to, I, this feels like a legal discussion about now what is, what does that mean and how do we define the terms? And, but I just don't think you can make that leap right away. But I think I would like to make that easier and Jacoba has addressed that before a chat G p t instance, let's call it an instance or something like that. I think also this could have an identity, but it is a non-personal identity.

And what we say as a, as a law for identities is every non non-human identity must have a human owner. And this would be one you are the legal, the lawyer, and I'm not, but I think the owner of that, this would be one who would be then punished for, so It would be a transacting process acting on behalf of a human user or Or an organiz legal organization. Yeah. Or legal organization. But I always say it must drill down to really one person. I think it's a legal organ, it is an organization like a company.

Yes you can sue a company, but in the end these are some persons who had put that as a topic on the plate. Right. Sometimes that's the hard part though. Yes. Is trying to get down to that person. But you know, that's why organizations have insurance for their directors and everybody else.

Yeah, right. Because it, you never know exactly how that will come, will come out. But I think that's true that you, and you know, I'm sure you all heard trying to pierce the corporate veil, right? Trying to get beyond just who the company is to try to hold someone individually or someone once could be more than one Yes. Accountable. That's not always easy to do even in the legal system.

But, but I think you're exactly right. It it, you know, someone owns or has responsibility or something. Accountability. I would Accountability, yes. That's Fortunately there are different words in English that you don't have the same different words in German. This makes it so difficult in term to decide or to distinguish between accountability and responsibility.

Yeah, so, so I always talk, I have a lot of discussion currently with a customer on that one. Accountability is the one who will be sued and responsible are the ones who are doing something on that one. And of course have some sort of responsibility. But the owners are the accountables and I think this is really where English was better than German. Probably one of the few times, The few times. I know that there are German expressions on that one, but it is very difficult to understand, to be honest. Does this answer your question?

So you would sue the, the person behind or the legal entity behind but not chat G P T I would say partly because I still think that those ais they provide a bit more than we are used to. They kind of become entities that act on themselves. Doing things like very, could become much more difficult to find somebody who would be accountable. So you're just embarking on new legal territory there. And I mean truly, I don't mean to be really facetious, I think that's true. I don't think we have had enough experience and the courts, the law has not had enough experience with AI like that.

But I think if it, if it becomes that way, will they, I don't know. Can that happen? Will they be sort of self acting? Will they be doing things that are beyond whoever the original or maybe may organizations Are now in certain cases prohibiting the use of AI for certain reasons so they can be sure they're not sued as the person behind or the organization behind stuff. But I think this is not the solution to, this is not the solution to say you are not allowed to use it. This is fun.

Yeah, and and what you are saying your identity and they are acting on their own. Yes, I think so because this would mean for us that we cannot really trace everything and how they had come to their decisions or their output. Let it call it that way. Yes. But I was just thinking of nevertheless, there is maybe someone else, a person, a human behind it who is accountable. I was thinking of children and parents. Children are also acting on their own. You know that. I know that we know that.

But you have the parents at least to some age, and maybe as you said, maybe we see a development at some point in time where we say, okay, Chad, g p d is acting for itself or something like that. But we are not that far.

Melissa, oh Melissa, you are there again. Back again Uhoh. There's some questions here from the audience. Can I add to that or can you hear me or no?

Yeah, you can hear me right? Yes, yes, yes. Hear you now. Perfect. The only thing I was gonna add to that was you're seeing more and more stories of a likeness. So an image of a person, the voice of a person, and it's being manipulated. So you know, the elderly are getting called to their grandkids and they think it's their grandkid saying that they're being held hostage or something. And so the, the elderly individual feels obligated to pay.

So whether, you know, you can say this AI has an identity or not, there needs to be cyber controls around it because you know, our vulnerable are getting manipulated by some of these things. And so we really need to think about security as layered and ensure that these type of things don't happen.

Yeah, true. Okay, thank you. I have one question maybe a little bit back. From the very high level to the operational level, I thinks the same way our children would use church b d to cheat at school and to, to let them do their homework.

It's, it's natural that ki is very, very good to, let's say build a role model for a IM or for IgE and to do a lot of things, which is very hard to do today for a lot of customers. But nobody looks into the algorithms or nobody really understands how the AI will come up with a result, even if it works perfectly. Yeah. So a question is do we have concepts to use AI to automate IM processes and be sure that what they produce is not inherently endangering the results? I think so. I think so. At least this is how I approach that.

Maybe TEI PT is not that far as many think, but of course you are right, you are right. Truly AI piece is something where it is not easily derived how it came to a conclusion. And this is true to the fact that any AI usually works on an amount of data which one person is not easily able to work on. And and this is something where we say, okay, this is like, it is, this is why we have AI for it, otherwise it wouldn't be there. But of course there need to be some sort of controls into it if it makes sense. If you build a, you were saying a role model.

If you build a role model for a company, I think there are a lot of tools which have, I wouldn't really call it ai, I wouldn't call machine learning something like that on that one to give you patterns, indications for roles. And this is perfectly fine as long as someone who knows the organization very well looks into it on that top. And it can be very helpful for everyone. Yeah. I have an example from the banking world in one of the banks where dated quite well. They were using identity information from the IAM systems as is from the east situation, how it was.

And they combined it with the fraud detection information and then they took out all the, the app use cases and they found out that a lot of the unseen hacks or breaches were actually not the user itself was typing the password, but someone else, they found that usually these attacks or these fishing stuff were coming from computers with really high resolution screens. And they set that as a parameter for the fraud detector and they caught them all because that was obviously some people who are doing this, they have money to have beautiful, nice screens and my grandma doesn't.

So that would be our risk parameter, which they wouldn't have thought of. But pattern recognition found a lot of things that could stop attacks. So this is not ai, but I can imagine that you could scale up or yeah, make it more intelligent in certain ways, especially if you have a more holistic view. And as a human I would never have thought of that, but maybe pattern recognition, which is, or even rule-based stuff could, could help here automated.

Yeah, I think prescriptive response and control is, is going to be game changer. AWS and others invest here heavily in this.

So, so the only point I want to make is that tr bt already today is used not only to find the pattern, but also to implement code. Yeah, yeah. So they are coding what before was done by developers in the team and And self repairing vulnerabilities. Yeah.

And, and they're, they're there. I see some challenges because in the end, in the enterprise it's about time and money and as more control you add as more money you spend. And this is a dangerous field, I would say True. But we are learning, as you had said, and and we are learning on that one. And I just now thought how is Cantera dealing with AI in that sense? You said you are learning, you are adapting, but I think this is a topic which you also have to take into account. It It is actually, I mean, and we've been talking a lot about this, so I, I I hope I can digress just a little.

So at Qatar, we are very collaborative. We are, and we have like a whole section of work groups, right? And we have been saying just, just in the last few months, we really need to, we need to put together a work group to tackle the AI issues, all the things that you're raising, the things that we're talking about here. So I would just like to solicit volunteers from this group. If anyone is interested, see me later, contact me through the app because we would like to tackle this.

And then I need people who are asking the right questions and seeing the right kinds of scenarios so we can try to, you know, not play catch up and, and try to get ahead of this. I, I think your points are excellent and I invite you it would be terrific.

Okay, I think we have three minutes left. Yeah, so maybe one more question, one more question and then I can Yeah, yeah, no, I just very quick comment because I just asked Chad GDP if it has an identity and I got a long paragraph which sums up no. Okay. But as you said, there are different ways to do identity and I think it has, but not only the instance, not church, g p t as a concept, but only the instance, but several ways we learn with each other. So I would like to sum up this interesting discussion with my last slide and with all of you.

So we had a very lively discussion on various topics, but you see this is how broad identity is, how broad identity threats are, how broad identity security must be, tackle all these topics. But now my question to you is what is the one piece of advice you would like to give the audience a takeaway?

Melissa, do you want to start? Yeah, I think it's collaboration is key. Not only to eliminate bias so that we, we open our vision but to also save some of our budget because we're not, at least my organization, we're not necessarily able to increase by 10% a year. So I rely on my collaboration to think outside of the box to help me out. Thank you. Okay. Well I've been trying to think about what my best piece of advice is and, and this discussion, gosh, we've really gotten into some great topics.

Can, can I just share a little tiny story? Maybe you know this story. Do you know the story of the two wood cutters? So there were two wood cutters and they were both cutting down wood in the forest and they were making a stack right of wood to take back. And one of the wood cutters kept leaving throughout the day. He'd work for a while and then he'd leave and go away. Then he'd come back and then cut some more wood and then he'd leave and go away. And at the end of the day, the wood cutter who kept leaving had a bigger pile of wood and the other wood cutter said, how is this possible?

I stayed here all day, I didn't take any breaks, I did nothing but cut. And what did the one who kept going away say, I went away and I sharpened my ax. That's what we are doing when we come to conferences like this. To me that's the advice. Keep sharpening your ax, keep being focused on learning and, and, and facing the challenges. But I think that's what helps us get through. Thank you. Okay.

My Advice would be fall in love with I am and you'll never fail because you have will make small steps, have a long persistent breathing and keep spreading the important, how important this is anywhere, anytime you can. Thank you very much and I can only agree with all of you. So I am in this topic for many, many, many years and it is never boring. It is always exciting and it is always hard work, but I think together collaboration, we are able to do that. So I would like to thank you all, Melissa, especially for you. It's early morning. Thank you very much.

Thank you Yaba and Kay for your participation and I hope you enjoyed the session. Thank you.