
Identity & Access Management - Securing Data in a Borderless World

BSides Charlotte · 2015 · 55:00 · 106 views · Published 2015-06
Category: Technical
Style: Talk
About this talk
"Identity & Access Management - Securing Data in a Borderless World" by Lance Peterman @lpeterman A more general discussion of trends in identity & access management: cloud, mobile, 2FA, OAuth, etc.
Transcript [en]

Just to kind of dovetail on that a little bit: I just came back from a national conference where, for the first time ever, I got to speak at the national level, and besides being scared witless, one of the things that the host of the conference said at the very end, in a similar vein, is a lot of people have a story to tell, and if you think you want to tell a story, don't be afraid to. If you're looking to people to encourage you to submit a proposal and do those things, do it. This community in particular has been super supportive of me doing it, and I will

certainly offer my willingness to encourage anybody who thinks they have something to say and wants to get up on the stage and do it, because everybody has great ideas. Just the conversation that took place towards the end of the last presentation was indicative of that, so a lot of people have some great ideas. So I would say, if you're thinking about it, jump in; you never know what will happen, and usually you'll walk away with a pretty great experience. So we're going to talk about identity and access management, and I'll very briefly kind of give you my safe harbor slide. Background: I've been in and around identity management for about the last 22 years; of course we didn't call

it that back then. That's really kind of a modern creation of about the last 10 years. Currently I work in IAM for a pharma company; I wear a lot of different hats. I'm also a volunteer high school speech and debate coach. That does not come with any warranty or guarantees as to my performance today. Hopefully my students might see this video and go, "Oh hey, the old man actually knows what he's talking about," but we'll see how that goes. But most importantly, the opinions expressed here, even though I do work for Merck, are my own. So in case it's not obvious from the previous picture, I have two passions in life. One, obviously, is digital identity;

that's why I'm up here talking to you guys. The other is my horses, and it's pretty rare that those worlds intersect, but within the last month I had what can only be best described as a self-inflicted teachable moment related to my horses that I think is particularly instructive for today's discussion. My wife and I live in Charlotte and we are blessed to have a very small horse farm, and periodically we let our horses graze on our very small pastures. We can't let them out there full time because they would overgraze it quickly, so when we do that, the horses have to pass through a series of gates in order, very much

like in the enterprise, in order to access their data, I mean grass, and in that process obviously we're doing so to make sure that they don't wind up in places they aren't supposed to be. So one day last month I did not securely lock one of the gates, and the littlest one there got out, and like most breaches, I was not the one to find this out; my neighbors were, and that was followed by a phone call to my wife, followed by a phone call to me, and let me tell you, that is not a conversation I would wish on anybody. The good news is we were able to get Pony back; she's safe and sound.

Yes, her name is actually Pony; however, I have nicknamed her Dropbox now, because DLP is kind of a little weird. But so what does all this have to do with digital identity management? Well, connecting the dots a little bit, in particular with identity management, but it's in some respects true of security in general: identity is only as good as the people, processes, and the tooling that you use in order to secure your enterprise, and if any one of those legs fails, in my case locking the gate, you can have a breach, or a horse running around. And so what we'll talk about in the identity management world is, you know, trying to engage in these programs is usually very complex, so I'm going to

try and unpack it a little bit. This is going to be a little bit of a general talk, but I'm going to go through a lot of the different areas or disciplines within identity management, and I deliberately have crafted this to allow for deviations or deeper dives, so if there are particular areas that you're interested in, by all means please speak up. So what we'll do initially is kind of unpack what identity management is, and then we'll talk a little bit about some of the most recent breaches, but it's going to be done specifically with respect to the identity layer, and then we'll also talk about the types of identity management programs you can engage in.

We'll talk about some of the latest developments in identity; there is help on the way. And then finally we'll talk about some of the adoption approaches you can take, what are those keys to success, and then I'll finally talk about a note on security versus opportunity. So why identity? Hopefully most people recognize this, because it's the classic identity confrontation: you're getting challenged by three questions before you can cross this bridge. The reason why identity, and part of this was alluded to in the previous talk, although not directly, and that's one of the reasons why I enjoyed the previous presentation so much: as you're looking at where your threats are, the business doesn't always understand what

those threats are, and one of the areas of threat, without question, is identity, and I'll talk specifically about that with respect to the breaches. Does this look familiar? And I don't mean that specific site; this was actually at a conference that I attended. I've invented an acronym for this, I have no idea if it's unique, but it's YALR, and it's "yet another login or registration," and that's one of the things that is probably our biggest challenge in the identity world, and you guys all feel this. How many of you, just curious, use password managers? Probably a good share of hands. I checked my 1Password account the other day and I'm

up to about 254 logins. Some of those are work, a good chunk of those are work, but not all of them, and that's probably not even all-inclusive, but that gives you an idea of the scope of what we're dealing with: simplifying this world is a huge challenge. One of the arguments that has come up, I would say in the past three years, it was actually invented by a gentleman from General Electric named Dan Hedrick, who at the time, it was a very good idea, it was a concept that, with the expansion of where everything is moving, not just in the enterprise but in the world, identity is really your new perimeter

for controlling access to things, and there is some soundness to that, but my argument is you can't talk about things anymore in terms of perimeters. The perimeter is gone. The idea of the old days, where you have the castle and the moat and you have that solid perimeter of detection, you can control who gets in and who doesn't get in, is gone. You've got users that are accessing or demanding access to data from any device, at any time, in any place, using a variety of means, so the picture on the right is a little closer to that. The good news is there is a control out there that can assist you in that effort, and obviously

the reason I'm up here is I think identity is one of them. So now we're going to talk about a few breaches, and I actually updated this yesterday because of some recent news that came out, actually on Friday, that just made my blood boil. This was not the one, but I'm going to start with the IRS breach. Everybody's pretty much familiar with what happened there for the most part: the IRS decided to launch a user-friendly service that would allow you to get your tax records. Concept-wise, it's a great idea. The problem was they were using knowledge-based authentication in order to initially enroll the user, and unfortunately they were using information that was pretty easy to

social engineer or even just simply search for on Google in order to find. A person could set up a trial account on ancestry.com and probably find out a lot of the things you need to do. What that resulted in was roughly about a hundred thousand taxpayers had their, not their identities compromised, but really it set the stage for identity compromise. I just refinanced my house, so I paid particular attention to this, but looking at the full detail of my 1040, you have a lot of information that can be used to steal someone's identity, and that's ultimately what these guys are facing, and some of the other breaches they're facing are even worse. Ironically, when this

feature came out, I was one of the first people, I, being an identity geek, am wanting to go kick the tires and see what the IRS is doing, or more importantly not doing, right, and so I created an account. That was ironically the easiest way to protect yourself, because you already had the identity created, so the hackers couldn't come in and create that identity. Now, could they compromise my identity? Sure, but that process is a little trickier than just simply using some basic knowledge. So obviously that's a huge challenge for the hundred thousand people that were impacted by this, and I would argue that that number is even higher, because those are the filings, which oftentimes are

joint returns if you happen to be married, so it's more than 100,000 taxpayers. And obviously Anthem has already been mentioned, but I want to lay this one out with the identity context as well. Actually, I want to back up just one second with respect to the knowledge-based authentication. I don't know how many of you have experience with that, but oftentimes when you're applying for credit or you're applying for particularly sensitive credentials, they will try and use knowledge-based authentication. It's stuff that you should know. An easy example of that is they may send you a list of addresses and they'll say, "Which one of these did you live on?" and they may not even have a valid address in there, and of course the

answer is "none of the above." That's the type of thing that they can do. That is an inherently brittle way of authenticating users. Unfortunately it has to be used sometimes in the digital world, because you don't know who that person is at registration time, and that was the challenge that the IRS faced: we want to roll out this great service to allow your average taxpayer to get their return and be able to print out those records, especially when they get audited, right? And unfortunately they failed because of the brittle nature of that, so they had to pull the service offline. So when you are looking at using knowledge-based authentication, especially within your enterprise, pay

attention to how those services implement that. We use a service that I won't name, because I don't try and focus on vendors in this space, but their KBA questions are terrible. I mean, any of the ones that are canned, pre-canned KBA questions, are often terrible. They're things you don't want to answer, like "Where were you born?" That's not hard to find out from somebody if you're trying to hack their account. So if you can avoid KBA, please do, but if you're forced to do it, allow the user to create their own questions, because oftentimes they can come up with that. The challenge with that is the user has to remember even the answer to those

questions, and I actually had a colleague, true story, just joined the company and my job was to train him, and one of the first things I told him, I said, "Go to our password management site," because what's the number one reason for people calling the help desk? Password reset or password changes or "my account's locked out," whatever it is: passwords. So I said, "First thing you do, go to the site, do your thing." Two days go by, I have another session with him, and I say, "Well, did you set up your profile?" He says no. He says, "I can never remember the answers to those questions, so I just didn't bother to fill it out." If an information security

guy won't fill out that program, how are you going to expect regular users to do it? That's the challenge we run into. So now let's talk about Anthem. It's now being called officially the largest PII breach in history, not just US history but history: 78 million users, or insured records. Put the math to that: one in four Americans, insured adult Americans I should say. That's a staggering number, and the good news was the actual medical records, I don't believe, were part of that breach, the medical history, at least according to Anthem's official "what happened" statement; they didn't get the actual medical history on the users, which is particularly sensitive data, but it's still obviously staggering in terms

of the impact, and that's why so many people are able to raise their hand; somebody even commented that they got a letter from Anthem. How did they get in? And then this is where we start talking about identity. First of all, they phished in through the front door, real simple. They tricked somebody using, and this was particularly clever, they used a dupe of the Wellstone.com website: instead of the two L's in Wellstone, they put numbers, so even if the user was trying to be somewhat prudent and looking at the URL going to that website, if you're not paying super close attention, or if you have my eyes, you

might miss the fact that that's going to a site with two ones in the name instead of two L's. Anyway, it asked them to provide their credentials in order to get into the site, so that's how they kind of got in the front door. Once they got in, and I'll talk about this a little bit more later, but classic kill chain methodology, they're looking to escalate privilege, because there's a good chance the insured that they just got in with, or the user they just got in with, that system may not necessarily have the type of access that they want in order to execute the breach. They're looking for something

to elevate access. Compromise of credentials is the number one way in which that happens. The good news in this scenario, and I don't think it gets enough attention in response to this particular breach, and I think part of it was because of the size of it: Anthem started sharing their threat intelligence with other healthcare companies, and this is something that for a long time companies have been unwilling to do, and I'll be honest, it's true even in the pharmaceutical sector as well, because we're all rivals. We may be collaborating on different types of drugs and whatnot, but we tightly control what they get access to, and so even the threat intelligence

might be information that might cause one guy to get breached and not the other guy, and you think, "Oh well, that's a competitive advantage." Well, we've finally gotten past that stage and said, look, we're all in this together. So the groups HITRUST and NH-ISAC, which are both healthcare-related security organizations, have worked with the various members of those organizations to start pooling and sharing the threat intelligence, and to me that's an important milestone, because that begins to, it's not going to level the playing field, but it at least gives companies a good heads up on what's coming. And this was the big update to my slide deck from yesterday. I'm sure some of you guys are

familiar with what happened with the Office of Personnel Management, but as a US taxpayer, and I suspect all of you in this room are probably taxpayers in some form, this was just staggering. Now, I'll be the first one to admit this is not full, in terms of we don't have the forensics yet to understand how much of an identity layer there is on top of this, but I do want to talk about a couple of pieces related to that. The first one is their HR department, or the Office of Personnel Management, which is basically the HR department for the largest employer in the United States: they were not encrypting Social Security numbers at rest. I don't know what other

PII wasn't being encrypted at rest, but that's a basic principle of security. Now, to be fair, encryption does not completely protect you; they can decrypt that data potentially, but at least make it a little harder. The piece that came out yesterday that just really blew my mind was the SF-86 database was breached for the second time, and what that database is, is if you're a federal employee and you are required to have a security clearance, there is a 127-page form that you have to fill out where you're pretty much pouring out your entire life. If somebody wanted to compromise you, that is the key to your castle, because

they're going to find out your tax returns, they're going to find out what financial institutions you work with, they're going to find out what foreign nationals you communicate with on a regular basis, they're going to find out your drug history, your financial history in terms of, like, if you've had bankruptcies. It's a Bible on your life, effectively, and that database was breached, as I said, for the second time; it actually happened previously last year. The first layer of impact, in terms of the four million current and former employees, that's devastating by itself; that's 4.1 million people who just got pantsed in the public sector in terms of their ability to interact and do transactions, but the SF-86 breach really

put a lot of people at risk, and frankly put our country at risk, because part of the commentary that's been coming out of this is, if China was in fact the country that did this, and the evidence appears to be strong, but again, the government's saying what they're saying, do you trust them or do you not, but if in fact it was the Chinese government, you now have a large amount of data to manipulate an individual to do things that ordinarily they wouldn't want to do, and so the ability to turn people into spies, and that sounds very Tom Clancy-esque, but that's the reality of what happened. Now, the one good

news was most CIA personnel weren't part of this database; it's actually a separate entity, but it's still federal government employees that have a high security clearance. Oh, by the way, that includes NSA employees; there's something to bear in mind. One of the things that I thought was particularly interesting was the Office of Personnel Management did not have a security department until 2013, which really, is that the era that we live in? And the other thing I thought was staggering as well is, in order to externally access their network, they did not have to provide any second factor of authentication, so any device anywhere could get into that network with a single compromised credential, so you

can probably guess what the forensics report's going to look like when they come back and they say how did they get in: pretty straightforward. As I've noted here, and it's going to be linked on the slides, and one thing I did was say I will make the slides available on SlideShare after this talk tonight, the Wired article that I linked in there is a must-read on the breach. There's going to be much better journalism that takes place, but the Wired article at least frames a lot of this, some of which I frankly borrow a little bit in terms of the talk, but it's just a good primer on it and it's a

good thing to be educated on. The other thing I thought was interesting, and you guys obviously already read it by now: they didn't find this out by one of their administrators or the Secret Service knocking on their door; they were getting a demo from a vendor that found this breach taking place. Of course the vendor, at this point I can't even remember their name at the moment, it's actually mentioned in the Wired article, they've got to be going ka-ching, you know, you can't get better advertising than that, and that's obviously bittersweet, because there are millions of people that are going to be impacted by this, and that's the thing that just makes my blood boil

about it, is we should be expecting better OPSEC from our government on that. Obviously, as Snowden proved, we don't have very good OPSEC to begin with, but you should expect, being a public employee, that they're going to protect your data better, and as a taxpayer we should be expecting that as well, because as the IRS just proved, they're not doing such a good job either. So what does all of this tell us? Well, the first is the threat landscape obviously is changing daily. That's one of the reasons why I picked those breach examples: they've all happened in the last six months. As I mentioned early on, the elevation or compromise of privileged access is a

key stage in one hundred percent of all attacks, and that may be coming out a little bit dark, but it's a hundred percent; that's from the CyberSheath report. This is basically the critical attack vector out there. This is why identity: basically, the recent Verizon Data Breach Investigations Report basically said that one hundred percent of the data breaches involve the use of compromised credentials, whether it's getting that privilege escalation or getting in the front door through a phishing attack. So before we start talking about identity management as a whole and drilling into some of the programs, it probably helps to kind of lay the groundwork as to what identity management is, and I'm borrowing a

Gartner definition that is adequate, but obviously we'll overlay some context to kind of broaden the definition a little bit, and it's "a set of business processes and supporting infrastructure for the creation, maintenance, and use of digital identities," and I promise that will be the last slide that I actually read off of. But one of the things I like about the definition is the first word that comes out is processes, and that's a piece that in security we don't talk enough about. As with the gate with my pony, as with the gates within your company, how people get access to systems and the gates that they go through are often the weakest links in that equation,

and part of it's because you've got human beings doing the work with them. You can put all the IDSs and IPSs and firewalls out there in the world, but if you don't have people operating those gates appropriately, or approving access to those gates appropriately, you're at risk. Ultimately, identity management is about user, time, device, and location, and that list is not meant to be exhaustive, but what it creates is a context, and the good news is that's actually helping us in the war in securing identities: our knowledge of what a user is doing and, more importantly, what they should be doing, or what should be normal, is improving dramatically, and I think that's going to

help us long term, and I'll talk a little bit about that when we talk a note about authentication. So these are the four programs, plus a note at the bottom, that are typically mentioned when we talk about reducing risk within an identity and access management program. The first one's user management, provisioning, then entitlement management, privileged access management, which was actually the talk that I gave last year, and I would suppose we'll spend a little bit of time on that, federation, both in terms of provisioning and single sign-on, and then finally I'll talk a little bit about authentication. Provisioning is what most people think identity management is. It's the process of getting a user, you know, a new

employee walks into your company, you get them their network ID, you get them access to particular systems, and it's the processes that go on behind that too, CRUD: create, update, delete that user's access. Oftentimes you'll get attributes or authoritative sources from many different places; HRIS systems are typically the most common one, but when you're dealing with partners they may be coming from other sources as well. Ultimately, within that piece, the processes, as I mentioned, are what drive the events around an employee entering the organization, or you may have a new contract with a partner. In the case of Merck, we may have a new contract with a clinical research

organization that's going to conduct a trial for us, testing a particular pharmaceutical's effectiveness. Those processes will vary based on the types of users in your organization. Key protocols and standards that are related to this: obviously LDAP is a very common one; SPML I won't spend a lot of time on, because frankly it's old and a lot of people avoid using it, and that's frankly for good reason; SCIM is an emerging standard and I'll talk a little bit more about that later; and then there's also the WS-* spectrum of protocols that are used for that as well. Entitlement management is sometimes referred to as access control or access management, and what it is, is it's kind of another tier on

provisioning. It's, okay, I have an ID; now what can I get access to? And sometimes it can be as mundane as just adding a user to an Active Directory security group, or it could be policy-based, where you're evaluating an attribute of a user within their organization to determine if they have access to something. Oftentimes this is kind of described as the next phase of maturity for companies that are getting into the identity management space, because now, okay, they have easy access to things, they're able to get in and do their job; now what do they have access to, and how can we manage and control that? And key protocols within this area:

SAML is one of them, with respect to what we call the just-in-time provisioning profile, and I'll talk a little bit more about SAML on the federation side; SPML's mentioned again; also WS-*; XACML, which stands for the eXtensible Access Control Markup Language, which is a mouthful, is also key here; I would also include OAuth in here, but I'm going to talk a little bit more about that later; and then obviously LDAP as well. Privileged access management is kind of that next tier of maturity of your identity management program. Obviously the name is kind of self-intuitive: it's really focusing on those identities in your enterprise that have, you know, the proverbial keys to the castle.

Where those keys are, though, I would encourage you to have a holistic perspective. A good example of that, one of the breaches that I used to talk about, was at Saudi Aramco: an insider found out he was about to get laid off, and he happened to have the insider knowledge that every single one of their PCs was controlled by the same local admin password, so he executed a script to wipe 30,000 hard drives of all of their PCs. So most people don't think of that as a privileged account, because it's not a critical system account in the server, you know, client-server sense, but it also manages what your client can do, and when you get into the malware

space, if they don't have the ability to execute malware, oftentimes you prevent that malware from even taking a foothold in the workstation, so it's one of the things to think about within privileged access management, or PAM. The focus really is on auditing and compliance and what controls you have in place: who has access to the system, how did they get that access, who approved it, what did they do while they have it? If they have root access to a Linux system, what commands are they executing? And that's where you get into the key use cases within this space: password vaulting and session management and recording. That list is by no means exhaustive, but you

know, that's the traditional one: so you go to your privileged access management system, you check out that password, you log into the system, do what you need to do, you check that account back in. As I stated at the bottom, this is a critical area for modern enterprises. As we've already talked about with respect to the breach, this is where privilege escalation can happen. It's not the only method of achieving it; obviously a SQL injection can sometimes achieve the same benefit, but the easiest way is to compromise a privileged identity, and if you have a mature privileged access management program, it's not going to prevent somebody from getting onto your network, but it might slow them down or

discourage them in terms of what they do, and they might eventually give up, we hope. One note on this with respect to cloud: vendors are still struggling with this a little bit. There's a couple that are targeting cloud systems in particular, for example Amazon. So if you have infrastructure-as-a-service, if I took a poll in here I suspect there'd be a majority of people saying that our company has some instances on Amazon or other cloud service providers. One of the challenges with the enterprise privileged access management systems is their ability to talk to those identities and, for example, change their passwords when their sessions are complete is not quite there yet. I think

APIs are going to be the key to that, and the vendors are recognizing that, but they're not quite there yet. You do have some specialists in that space, but oftentimes what you wind up doing, for larger enterprises, is you wind up buying an enterprise PAM tool and then you buy the cloud tool to supplement it. Hopefully those guys are going to converge at some point. The one thing I will comment on this, and this was a theme in my talk from last year, is don't think in terms of just tooling, in that, especially if you're a small or medium business, "Well, I can't afford to do this." Don't think of it just in

terms of tooling. You can adopt processes, again getting back to that P-word, you can adopt processes to manage your privileged identities that will continue to protect you better. It doesn't make it foolproof, but don't think just in terms of the tooling; think of the processes that you can put behind that. Federation is a broad term. I'm not referring to Star Trek. Basically it involves the creation, it's a reflection of the contracts that you have with outside vendors, and most of you, if you work in an average company today, probably have at least one federation connection. And what it's designed to do, and it's a good thing, is to prevent you having to memorize another credential to access an

external or SaaS service, they're basically going to take my existence as Lance Peterman at Merck, and when I go to SuccessFactors I'm still Lance Peterman at Merck. Instead of me having to insecurely enter a username and password, it's now going to pass a token to them in a much more secure format to reflect that trust relationship, and they're going to say, OK, I trust that this is Lance Peterman. Simple use cases: single sign-on is probably the one that people can relate to. When I talk to people about identity management, that's usually what they sink their teeth into initially, but provisioning is also a part of this, and it's probably the trickiest aspect, because it's the idea that, let's take for example Office 365. How many people use Office 365 or Google Apps? One of the challenges for the enterprise in that space is, well, how do I securely give my user access to that without either having to create a Microsoft Azure AD account or a Google account and have them memorize yet another credential? But more importantly, even if I am federating, allowing them to log in using their base company credential, how do I create that account in a timely fashion that gives them the access that they need when they need it? That's what federation provisioning is attempting to do.

Oftentimes this is occurring, and I think there's a vendor here today that has some libraries that allow you to do this, a lot of times through data synchronization, which is terrible. What you really want to shoot for is what they call JIT, or just-in-time provisioning. So if I'm a new employee and I'm going to Office 365 for the first time, it goes, oh, you're a Merck employee, I'll go ahead and create your account, and then on the back end have somebody provision the access for that user. With respect to access or entitlement management, this is where it can get a little tricky. That's one of the things that you want to think about if you're working with identity management and you're working with SaaS vendors: how do I manage the lifecycle of that user and their access to that system? The good news, if you're enabling federation, is if you disable the base account, the front door is closed for them to get access. That's the good news. The problem is, if you're paying per user, you're still paying for that license until you remove it, and that can sometimes be a considerable cost savings or cost inhibitor depending upon the number of users that you're talking about. As I mentioned, cloud is making this a little bit tougher. When I talk through the help-is-on-the-way part, we

will get into that a little bit. The older provisioning standards for this, whether it's SPML, whether it's the WS-Fed piece, they're brutal to implement, and vendors just simply haven't adopted them. So one of the things within the identity management industry is they're trying to come up with better ways of doing this. They think they've achieved this with SCIM, and I'll talk about SCIM a little bit in a second.

A note about authentication: as long as passwords exist and they're the most convenient way of authenticating a user, our systems are at risk. You guys know this; it's the most brutal aspect of system security. So I would encourage you within your enterprise, even if this isn't going to be your focus, when you're engaging with vendors, ask what other methods of authentication they are capable of supporting. Biometrics is becoming huge, sometimes just through the interaction with mobile device management. I'll pick on Apple initially, with Touch ID. What other things can I do to identify a user than simply a password? Where are they logging in from? What device are they logging in from? Is their mobile device nearby, can you detect that proximity? It's what we call contextual or continuous authentication. Over time... I'll admit these aren't a hundred percent here yet. There's a lot of vendors that will argue with me on that, because they'll say we have a product we can sell you, and they might work, but in the enterprise the ability to scale them, and scale, is the challenge; they're not quite there yet. But I think this is going to be one of the key pieces to securing the enterprise better, or securing users better.

Just on a personal note, if you go to a service and they have multi-factor authentication available to you, use it, take advantage of it. Hopefully they've done it well, where you could use something like Authy or Google Authenticator or other common ones. Obviously you don't want 15 different apps on your iPhone for doing multi-factor authentication, but if they have it available to you, take advantage of it, because the ability for a user to compromise your account is greatly diminished. It's not eliminated, but it is greatly diminished when you have multi-factor authentication.

The good news is help is on the way, eventually. I say that just because there are some standards that are emerging. Some of them haven't even been ratified yet, but they're coming, and I want you guys to be able to walk away with these standards, put them in your data dictionary, so when you are talking with vendors or you're evaluating a product, ask what their ability is to support this. Even if they can't support it today, can they put it on their roadmap, or is it on their roadmap? Because that will give you a sense in terms of where the vendors are at in terms of thinking about security. We had a great conversation towards the end of the last talk about what developers can do to better secure their applications, what things they can think about. The number one answer I would give them in that space is: don't create yet another login and registration for the user. Don't create another account if you can avoid it. Sometimes it's unavoidable, but put a price on that, because if you do, it makes it less likely for you to do it. It's going to make your app, first of all,

easier to use, and second of all, more secure. So the first one we'll talk about is OAuth, more specifically OAuth 2. This standard has been around for a few years now. It was around previously in a different version, but OAuth 2, I think, was ratified about four years ago. The "auth" in it stands for authorization, not authentication. A lot of people confuse that, because there is an authentication transaction that takes place within an OAuth flow, and if this were a longer talk I would go through what that flow looks like, but it's important to distinguish that, particularly when I talk about OpenID Connect. It gained a lot of maturity with the second release, but I will say it's more of a framework than a protocol. A protocol has a lot more maturity and control around it. You have a lot of flexibility with OAuth in terms of how you implement it, and as a result you have a lot of flexibility with how securely you implement it, and that's part of the challenge. This really is becoming the vector for leveraging API security, so this is an area where, if you are a developer, knowing OAuth will certainly be to your advantage. One of the things I do like about it is there are several RFCs that are tied to it. One of them is dedicated to itself as its own threat model, so this is the one that you can have developers take a look at and understand what the typical threat patterns within this model are to code against, and it kind of provides you a not-so-brief on best practices. Excuse me. There's still a lot of great development going on within this standard, and I included the link there at the bottom.

I've already mentioned SCIM a few times. It has an unfortunate name for that acronym. It used to be a lot easier; it was Simple Cloud Identity Management, which is much nicer to say. System for Cross-domain Identity Management is obviously a little tougher, but they did that for a reason, and really it's designed to be for everything within the enterprise, not just simply managing identities in the cloud. This is basically the answer to the giant, the ginormous albatross that SPML was. It's much lighter, it's much more friendly, it's based on JSON instead of XML, and it's got a lot of promise. I call it an emerging standard because it is. Right now the most mature spec is the 1.1, which has some gaps in it from an enterprise context, but the key challenge here is the low adoption rate. So this is again where I make the appeal to you guys: with the companies that you work for or work with, if you're a software vendor, please take this appeal, get SCIM

do in the 2.0 spec. The 2.0 spec is in the process of being ratified; I think it's literally weeks away from being official. But the good news is most of the visionary IAM vendors out there (I'm not going to throw their names out here; if you want to know, talk to me later) already know this, and they're already in compliance with the 2.0 specification, because it's pretty much been locked, they just haven't ratified it yet.

OpenID Connect: you know how I mentioned that OAuth doesn't have an identity layer, or technically doesn't? This is what OpenID Connect is designed to do. It provides a transaction layer specific to identity, specific to authentication, that allows you to create what they call an ID token for the user. Within the OAuth pattern, you can present a token and it just says "I'm Tom"; it doesn't say how I established that I'm Tom. The relying party is actually just trusting that that transaction took place. This is ultimately kind of viewed... there is some interoperability with SAML, so it could still be part of this profile, but ultimately it's designed to replace SAML. If you don't know what SAML is, it stands for Security Assertion Markup Language. It's part of the federation protocol stack; it's easily the most mature way that your companies federate, but this is the next generation of it. It is fully ratified. It has a lot better mobile use cases in it, even though that's still completing a little bit. One of the things that I really like about OpenID Connect, especially because it's a profile of OAuth 2: one of the challenges with OAuth 2 is you don't really have a good cookbook that says this is the best way to implement this framework from a security perspective. There is now a certification model that was created by the OpenID Foundation for OpenID Connect that will allow your security vendors, if they're leveraging OpenID Connect, to certify themselves against that standard. So again, that's one of those conversations that you can have when the vendor says "yes, we support OpenID Connect": are you certified, or is the vendor that you're using to achieve that certified? It's a great way to measure them against. I would highly recommend getting this on your internal development roadmap, especially if you're using other methods of authenticating users today from a federation standpoint. You'll find that these libraries are very easy to use, and I'll put a little star on that: nothing, when you're coding users, is ever completely easy to use, but "much easier" I guess would be a better way to put it. And then finally there's the URL at the bottom of it. This is a slight plug for an

organization that I am a part of. Is anybody in this room familiar with the National Strategy for Trusted Identities in Cyberspace? Nobody raised their hand, just in case you were wondering, and it saddens me a little bit, but I'm not blaming anybody, because it's one of the most poorly publicized achievements, in my opinion. Whatever your opinion of the Obama administration is, in 2011 President Obama signed this executive order, and the name is pretty evident. It's a very well written document around creating a framework for allowing users, not just in the US but really globally, to have more secure transactions online. One of the groups that's an offshoot of this, that was funded by the NSTIC initiative, is the Identity Ecosystem Steering Group, and that's the group that I'm a volunteer member of. I admit I'm more of a lurker than a contributor because of my day job, but I would encourage anybody, even if you don't have the bandwidth to contribute, if you want to better understand what they're doing here, you can sit in; the plenary sessions are open to anybody, and there's some pretty fascinating stuff going on here. The one thing I will say: this is not a national ID program, because that's one of the most common misunderstandings with respect to NSTIC and IDESG. It's really a public-private partnership. It's looking at the big identity players out there today, or maybe an emerging identity player or identity provider, and saying how can we create a trust framework that's not just isolated to single contract relationships, and how can we make it more global, to where I could literally use... I'm not going to say we're going to go to the identity utopia of "I'll have a single username and password that I can use wherever I go," but if we can reduce 254 to maybe five, that'd be a huge help, I think, and I hope everybody agrees with me on that.

They have some really amazing pilots going on. The one that I want to mention is actually taking place in North Carolina with respect to the Supplemental Nutrition Assistance Program. If you're not familiar with that, that's the renaming of food stamps. One of the challenges that the food stamps program has, and it's not unique to North Carolina, is getting people to enroll. They have to go into these regional offices in order to sign up, and especially in the rural areas of North Carolina that can be cumbersome. So what they're doing in this pilot: most people have a driver's license. One of the problems is we can't take that driver's license into the digital world and have it be an identity. But what they've done, and I think this is pretty clever, is they have their own app for enrollment. The irony is not lost on me, the idea that somebody who's enrolling for food stamps also happens to have a smartphone, but they're becoming that ubiquitous in our country. So for those that do, they can go to the website on their mobile device, and as part of the enrollment process they will allow the user to take a selfie, and it's done in real time to avoid fraud. They'll allow the user to take a selfie, and then what they do is they compare, using facial recognition, that face versus the face on their driver's license. You'll be amazed with facial recognition technology how close they're getting to really identifying people. It's one of those Minority Report level, both fascinating and creepy at the same time, pieces. But for these people who are having to enroll in this, it's a huge convenience to them. Now that I've officially enrolled, you go back to the IRS breach: how did I identify that person? I relied on some public knowledge to do that. But if I'm able to take their driver's license and use a real-time photo of that person, the odds of a fraudulent transaction taking place there are greatly reduced. They're not eliminated; this is all about risk reduction, not risk elimination. So I think that's a pretty neat program. That's just one of the pilots that has been funded out of this initiative; they're taking place all over the country. But again, as security professionals, I think this is an area that I hope will pique some interest for you, and even if you're not going to the plenary sessions, pay attention to what's happening in that space. They actually hired a PR firm, finally, to broadcast the message a little bit better. We know in the security world we do a terrible job of telling our success stories; usually the stories that show up are the failures, the Sonys, the Anthems, the Targets of the world. And the

link at the bottom is there.

So what are some keys to success with any identity management program? The first and most obvious one is, if you're going to do this, have support from your senior leadership, because of some of these pieces, not all of them. The good news with identity management is oftentimes you're making lives easier. When you're doing single sign-on and you're telling a user, you know what, I already know who you are, so I'm going to let you into this website, I'm not even going to make you use your username and password, they love that. That's the happy story with identity management. The pain in the butt is with PAM oftentimes, and other controls that you put in place. But if you have that senior leadership support, and it is driven by policy, and I can't stress this enough: if you don't have policies around the use of identities in your enterprise, if you can at all, please get them adopted. As I've mentioned countless times, focus on the people and process first; the tooling will come. The upside of focusing on people and processes first is that's going to drive a lot of your requirements, and then you can figure out if you're getting the right tool for those. Be creative with identity management. One size does not fit all; enterprises come in big, small, medium, tiny, and you can use some of these tools at all of those levels. When you are looking at a vendor, look very closely at what their cloud capabilities are, because obviously everything is moving outward. I'd be picky in that. The other piece: don't be afraid to eat your own dog food first. Figure out what your user interface looks like for these tools if they are user-facing, and make sure that you're using them in the way that your users would use them and that it's an experience that's pleasant for them. In the past, I'll be honest, identity tools have been terrible at UX, and so it's a painful experience. Even the password managers that are out there, with the security questions, just the interfaces alone are brutal. They're finally getting better. And then finally, don't think you're too small for this. Even if you're a small business, look at where your risk is within the organization. That was a great thing that came out of the Shades of Red talk: even if you don't have the funding to engage a red team to figure out how you're going to brutalize your enterprise, think about risk in your organization, think about your business model and where your risk is at, and even if you can only tackle those small things to help mitigate that risk, you've done a tremendous service to your company. As security professionals, that's ultimately what we're doing, whether this is within your discipline or not.

And finally, a note on security versus opportunity, and really what this is meant to mean is the value proposition on identity and access management has changed. In the past it's always been about two things: either single sign-on, which users love, or putting those processes in place behind the scenes that the users really don't pay attention to, those "pay no attention to the man behind the curtain" activities. That's really more classic security. People love that; you might have an intrusion detection system in your company, or you have great interfaces with your HR system to make

sure that we revoke access in a timely fashion, but the only time they pay attention to it is when things go wrong or things break. Protection and risk management are obviously still the primary drivers, but as I mentioned with the OpenID Connect and the SCIM and the OAuth pieces, identity can now be a little disruptive, especially for your external relationships. How many of you, and if you don't know this it's okay, but when you have an interaction with an external customer, how many of you create an identity for that customer, that you know of? Got a handful. That's the common model. That's what we do at Merck, and we're trying to, quote, get out of the identity business. We're partnering with a vendor that's becoming our main IdP so that they can manage that relationship, they can manage that proofing, because that's one of the big challenges with the users if you're trying to do more secure transactions. But that can be disruptive, because, for example, with the strategic relationship we have at Merck, and that's probably the closest I'll give you to the inside baseball at Merck, one of the things we're trying to do is work with that vendor so that if they have that identity and they do business with Merck, there's a good chance that organization, or that partner, or that doctor, or that clinical trial participant has a relationship with other members within the healthcare sector. Being able to use that same identity to go to each and every one of those vendors is a huge value add for the user, because one of the biggest pain points, and frankly we've lost business at times in terms of companies wanting to work with us, is they may have to memorize up to five different credentials in order to access our various systems. A lot of that goes on the vendor, because they don't have federation enabled for their products, and as mature as SAML is, SAML is a 15-year-old standard and some of these vendors still haven't adopted it. That's where this can be disruptive, because the user now has a single credential, with some support, to access any of the systems that they need to get to within my company, whether it's hosted at my company or it's hosted in a provider. That's where the opportunity is for you as security professionals, because when we reduce the number of credentials that the user has to use, yes, the attack surface is reduced, but now we can also make how those credentials are used much stronger. You can't do that when you've got five different credentials you have to secure, and with continuous and contextual authentication we can now make that experience one where it is much harder for a hacker to easily obtain a credential like they do with phishing attacks nowadays.

Any questions? Yes, sir. Oh, that's a great question. If you're referring to the company that I think of, Code Spaces was the company that went out of business because of the breach. This is a great cautionary tale, and I almost feel bad that I didn't use it in my talk. This was a company, Code Spaces, that had all of their infrastructure on Amazon, and somebody took the root Amazon credential and used that to delete every instance of servers for that company, and if you're familiar at all with using Amazon Web Services, that does not take long to do at all. Now, were there backups? Sure. But what the company did in response to that was they took a look at what it was going to take to recover all of those instances and all of the data surrounding it, and they basically said the cost to do that is going to be higher than our cost to stay in business, and so they basically sent a note to all their customers and said we're closing our doors. Now that's obviously an extreme example of what you're referring to, but that's the cautionary tale that identity provides if we don't adequately protect those identities. Any time you have those keys to the castle, you have to protect those identities, because that's what the hackers are going after, that's what the attackers want, that elevation of privilege so they can really do the damage that they need, whether it's exfiltrating data or, in this case, it was just destroying data. It's a great question, thank you for asking. Any other questions? Alright, my understanding is we have some prizes to give away.
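The talk's provisioning points, just-in-time account creation on first federated sign-in and the "front door closes but the licence keeps billing" lifecycle gap, worked through in code. This is an added example, not code from the talk, from Merck, or from any SaaS vendor: the SaaS side is a constructed in-memory store whose user resources follow the SCIM 2.0 core User shape (RFC 7643), the home directory is constructed sample data, and the function and class names are the example's own.

```python
"""Just-in-time (JIT) provisioning of a federated user into a SCIM 2.0-shaped
account store, plus the lifecycle point the talk makes: disabling the home
account closes the front door, but the SaaS licence is still consumed until
the account is actually removed.  Added example; the SaaS side is a
constructed in-memory stand-in, not any vendor's SCIM endpoint."""
import copy
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class SaasUserStore:
    """Stand-in for a SaaS provider's SCIM /Users endpoint (constructed)."""

    def __init__(self):
        self.users = {}          # id -> SCIM User resource

    def find_by_username(self, user_name):
        return next((u for u in self.users.values()
                     if u["userName"] == user_name), None)

    def create(self, user_name, given, family, email):
        # Attribute names follow the RFC 7643 core User schema.
        resource = {
            "schemas": [SCIM_USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}],
            "active": True,
            "meta": {"resourceType": "User"},
        }
        self.users[resource["id"]] = resource
        return resource

    def patch_active(self, user_id, active):
        # Equivalent of a SCIM PATCH replacing the "active" attribute.
        self.users[user_id]["active"] = active

    def delete(self, user_id):
        self.users.pop(user_id)

    def licensed_seats(self):
        # Licence counting as the talk describes it: every stored account is
        # billed, active or not, until it is deleted.
        return len(self.users)


def jit_provision(store, assertion):
    """Federated sign-in: the IdP's assertion carries the attributes; create
    the SaaS account on first visit, otherwise reuse it.  Returns
    (resource, created)."""
    existing = store.find_by_username(assertion["userName"])
    if existing is not None:
        return existing, False
    return store.create(assertion["userName"], assertion["givenName"],
                        assertion["familyName"], assertion["email"]), True


def federated_login(home_directory, store, user_name):
    """The 'front door' check: the IdP only issues an assertion for an
    enabled home account, so disabling it blocks SaaS access even while the
    SaaS account (and its licence) still exists."""
    home = home_directory.get(user_name)
    if home is None or not home["enabled"]:
        return None, "denied: home account disabled or unknown"
    assertion = {"userName": user_name, **home["attributes"]}
    resource, created = jit_provision(store, assertion)
    return resource, "created" if created else "existing"


# Constructed sample home directory (what the IdP reads from).
HOME_DIRECTORY = {
    "lpeterman@example.test": {
        "enabled": True,
        "attributes": {"givenName": "Lance", "familyName": "Peterman",
                       "email": "lpeterman@example.test"},
    },
}


def walkthrough():
    """Run the lifecycle end to end on a private copy of the directory and
    return the status at each step."""
    home = copy.deepcopy(HOME_DIRECTORY)
    store = SaasUserStore()
    user = "lpeterman@example.test"
    _, first = federated_login(home, store, user)          # JIT creates it
    _, second = federated_login(home, store, user)         # reused
    home[user]["enabled"] = False                          # leaver: disable at home
    _, after_disable = federated_login(home, store, user)  # front door closed
    seats_still_billed = store.licensed_seats()            # ...but still paying
    for resource in list(store.users.values()):            # deprovision step
        store.delete(resource["id"])
    return first, second, after_disable, seats_still_billed, store.licensed_seats()


if __name__ == "__main__":
    print(walkthrough())
```

The separation between `federated_login` and the final delete loop is the point: disabling the home account is the authentication control, deprovisioning the SaaS resource is the cost control, and an identity program needs a process that triggers both, since federation alone only gives you the first.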