Podcast 80 | People Centric IAM and Breach Prevention With FRYdentity

Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.


Protiviti Podcast Transcript
Male
You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let’s get started.
Jeff Steadman

Welcome to the Identity at the Center podcast. I’m Jeff and that’s Jim. Today, we’re going to be talking about people-centric identity and access management, and breach prevention. We’re going to get to that in a second. Before we start talking about it, though, I want to make sure we talk about a report that’s coming out from our friends over at the Identity Defined Security Alliance, the IDSA. They’ve got a report coming out on Thursday, February 4, which — tearing down the fourth wall — today is Wednesday as we’re recording this, so tomorrow. We’re going to talk a little bit about that later toward the end of the show, but I want to give people a sneak peek about what to expect from that report. 

Without further ado, why don’t we bring out our guest? His name is Alec Fry, also known as FRYdentity. Also, he has one of the best LinkedIn profile images I’ve seen, I think; it includes the Millennium Falcon and a Superman shirt underneath a button-down shirt. Welcome, Alec. 

Alec Fry
Thanks very much. Nice to be here.
Jeff Steadman
Well, thanks so much for joining us. I know that with time differences, things could be interesting, especially when we’re working across the world, but super excited to have you on here. One of the first things that we always like to dive into when we have guests on is identity and access management and their background in it. How did you get into IAM, and is it something that chose you, or did you choose it? 
Alec Fry
For me, it’s kind of a strange — like a love story tragedy, I guess. Boy meets some identity. They have fun together, but then boy moves on and does other things in cyber security. Then, I crossed paths with identity again later on and realized how much I missed it, how much I loved it, how much we were made for each other, and just came running straight back. I guess it felt like it chose me first off, and I took it for granted but then came back when I realized just how much I loved it.
Jeff Steadman
“Please take me back. Please take me back.” I imagine that. One of the things that I think is really interesting about your background is, you have a history in standup comedy — which, from my records and my recollection, I think you’re the only person that’s come on our show that has that background. You could argue that we’re all comedians, in some way. My wife likes to think, certainly, that I am. I’m curious if there are any crossover skills from your background in that performance space that have translated over into your work within IAM itself. 
Alec Fry

Yes. Oh, definitely. I did standup comedy for 11 years, but it was as a hobby — it was an after-hours thing. I was still in cyber security and identity all through that time. What I did find is the component where you’re trying to know your audience and see what resonates, make sure you’re not losing any part of the audience. 

Funnily enough, that actually translated in more of like a generic consulting type of scenario where you’re in a room of seven or eight people, especially if we’re talking about a part of an identity project where we are trying to get or initiate buy-in from not only the project sponsor but also the finance team and the operations support manager. So, you target your presentation in a way to get into some of the ROI benefits so the finance guy’s interested. As soon as you see the ops guy start to whine a little bit, you’re like, “Oh, but then, think of all the efficiencies, the procedure improvements,” and then he perks up. It really helps you sharpen your ability to try to read your audience, so to speak, which really fits a lot more for the presales side of, or consulting side of, identity. Still, well, just that interaction with people, I just find that invaluable to have picked up skills in that space. 

Jeff Steadman

One of the things that I always find impressive around not just standup comedy, but also I think, in general, in performance arts, I think that — I’m curious to know your thoughts on this — I find that the best performers in that space are excellent storytellers. They’re able to engage the audience. Sometimes, you’ll see comedy in this space — we just talked about that — where it is serious, and then it’s not. It flows very well, and it all hinges on the storytelling ability. 

When you talk about engaging whoever your target is, whenever — in any space in IAM itself — you’re going to be having these conversations with stakeholders throughout all levels of the organization. I can only imagine that, having that background and that experience, this is something that comes with it, helps with that messaging. Being able to articulate yourself, engage the audience, whoever that ends up being, whether it’s a manager, an analyst, a CEO, whatever it is, being able to target and craft the message toward who you’re speaking to and keeping them part of the conversation, instead of just being spoken at. Does that resonate for you, or is that just me reading into it a little bit more than I probably should be?

Alec Fry

I did a presentation three years ago to the Melbourne group of the identity Meetup community on multifactor authentication. I tried to make it entertaining. Interestingly, six months or so later, I was on a project to do identity consulting — mostly role-based access definition — and walked in to meet one of the lead contacts at the project. He said, “Hi, how are you?” and greeted me like we were old friends. After five minutes of him saying, “I know you’re from somewhere. Have we worked together?” then the penny dropped and he said, “Oh, no, no. It was just that I saw your presentation six months ago.” 

I thought that’s a side benefit I wouldn’t have even picked, that by getting up — I’m sure you probably have the same thing — you’d get up, you’d present, and people know your name, they know you by reputation. When they meet you, there’s already that extra level of connection because they feel familiar with you. So, for me, that was one of the benefits. It’s just a side thing that people immediately feel like they’ve already had a conversation with you on identity. 

Jeff Steadman

Whenever I show up at a client, I always have to beat everyone off to get their autographs in and stuff like that. It’s like, “Hey, hey, hey, we’re here to work. We’re not here to sign autographs or anything like that.” I’m sure Jim feels the same way whenever he’d show up to clients, that sort of thing. Right, Jim?

Jim McDonald

Oh, yes, especially with the podcast now and our world team. It’s interesting, Jeff. I’ve heard you talk a lot about your background in the restaurant business. I am often asked, “Oh, what did you go to college for? Was it computer science?” It’s actually political science. People say, “What does that have to do with what you do now?” It’s like, “Oh, yes, there is no politics in identity access management, none at all.” It’s just like with the restaurant service: It’s all about service, putting people first. 

That’s a segue into the question I was going to throw back to Alec, but actually, what I was thinking was with standup comedy, one of the toughest things that I’ve found being in consulting is the heckler, the person in the room who is like, “Yes, that won’t work here.” The person just doesn’t — who wants to give you a hard time. I think being able to have that stage presence or that — being able to work through those situations and not getting rattled, man, what a valuable skill. Honestly, I think that only comes from getting up there, doing it over and over again, building the calluses, building the experience and building the comfort level — that, hey, you can rebound even if you make a mistake. Does that resonate with you, Alec? 

Alec Fry

It does — but, interestingly, in a reversed way. The interesting thing is onstage, if someone’s a heckler, your model of responding is generally trying to put them down in a way that’s going to get all the rest of the audience on your side, and everyone turns on them in a way that says, “OK, you need to shut up, because you’re just interfering with everyone else.” 

Funnily enough, though, what I find in that scenario of a heckler role — someone who’s adamant on the competitor’s technology or whatever it is, that is just going against what you’re trying to present — the challenge there is almost more to make them feel important and say, “You know what, everything you’re saying has really a lot of value. However —” It’s trying to win them over in a way that you don’t fight them directly. You agree with them, but then try and slightly turn them to your side. Now, having said that, of course, being able to make jokes along the way and keep things light is definitely where the strength comes in there and where the background really helps. That slight variation of just making them a friend rather than putting them in their place is the only difference to that. Yes, I agree. It really helps to have that engagement capability. 

Jim McDonald
Yes, absolutely. Where I was going with this is — Jeff mentioned it: You’ve got a really cool LinkedIn, not only profile but also presence. You do a lot of posts. A lot of what I’ve seen you posting about recently is this concept around people-centric IAM. I’d like to hear what you think of that. I’d like to give some of my own perspective on that because I think that perspective is too often ignored, and, like what I was saying, I think people tend to think of this as a technology problem, especially if they’re not in the space. I think the longer you’re in the space, you start to realize how important that customer experience is. Talk a little bit about people-centric IAM. What is it that makes that approach important? 
Alec Fry

For me, I guess, one of the interesting things is, way back when I started in the very early days, where I was working with two-factor authentication with tokens, the most interesting thing about this was — we’re talking mid- to late ’90s — strong authentication was seen as, if a user is trying to access something and a password is not good enough, then you put a token in their hand and they have to go through this extra checkpoint. The interesting thing there was it was, as great as it was, because I loved working with that technology at the time, especially, but it was a one-size-fits-all, or it was trying to solve the problem just by using this one tool. What I’m so impressed to see in the IAM space over the last 20 years is how much it’s matured and just the way technology has exploded as well. 

Now, in my opinion, to do a very comprehensive identity strategy with the people-centric stuff, what it is, is about knowing your audience from the point of view of the user type. Really, not just looking at your users being, “OK, they are the internal users — staff — or external users,” that there are so many flavors, and even when people have talked about internal and external, that’s progressed to the whole B2E, which is your employees; B2B, which is your business partners; B2C, which is your consumers, or CIAM. Similarly, there’s even the citizens for the government environment, which is a user type. It’s knowing all the variations of your user type by their classification, but even further than that, by their usage patterns as well. 

Jeff Steadman

Yes. I feel like that’s something that gets often overlooked — the one-size-fits-all approach that a lot of organizations take. Frankly, there are really not any excuses, I think, at this point. Maybe back in the day, it probably was more related to what was available from a technology perspective, but every access management solution today — Okta, Ping, Microsoft, whatever it may be — has some number of methods that support things like MFA. You can have somebody with a physical token, or another person is using a soft token on their phone. Another one is using SMS and email. Even though they’re not the most secure method, it’s still better than nothing, and maybe there are cases where you’ve also got conditional rules — where people are coming from geographically.

All that stuff is now baseline in these products. I think 10 years ago, I probably would have said, “Yes, this is the best as it’s going to get based on what we have now,” but with so many different variations of being able to authenticate people into an environment, with the efforts that have gone into educating the consumer market — and I’ve said it before, and I’ll give them credit again: Apple did a fantastic job of really putting MFA and second factor in front of people’s faces literally on their phones through things like Face ID, Touch ID. Android has the same thing, where there are the Android equivalents of that, those sorts of things. It’s helped bring up the overall awareness of these types of capabilities, but where I see a lot of organizations struggle is, they just had, “Well, this is the way we’re going to do it,” because they’re not willing to have more than one or two or three different methods.

People are going to find ways around things. If you have a rock in the river, the water will flow around it. So, you want to pry out as many of those MFA rocks to stop it up as best as you can before you leak data — whatever it might be — or you allow people to authenticate past that. Is that something that you see as well, or is that something you think that’s more specific to the U.S. market? 

Alec Fry

No, I do see the same thing. What I see here is more of a reluctance to put the effort into using all of the functionality that’s in a solution. That’s where our topics here might overlap a little between the people-centric and the breach prevention — some of the functionality in identity solutions that include things like adaptive authentication and even preauthentication checks, or what’s referred to by one vendor as continuous authentication. The whole model that says, “We’ve got a number of things that we can pull in, like risk assessments from external sources,” and, like you said, the geofunctionality, so even that, you can use certain countries that you block, or you can even have geofencing, where you say, “Anything inside this perimeter is considered within the office location area or region,” or something, then anything outside that border is next level of consideration, where, like you said, you’ve got your rules, your MFA rules, that apply to anything from the geographies to the usage patterns of people, like what times they’re logging in.

I know people do this at home, on your Wi-Fi, whatever: You might say, “OK, I’m going to set a rule that says my kids can’t be on the internet after eight p.m.,” something like that. Translating that to the business scenario, it could be, if users are logging in in the country, they’ve got x level of authentication required. If they’re overseas, even if it’s on holidays or whatever, then there is next level. A lot of businesses say, “We know the feature’s there. We’ll get around to using it at some point, but we just haven’t made the effort at the moment to do the research on clearly defining which users are where and when. It’s something we know is there,” but they still don’t put it in place, because they haven’t gotten around to it, more than anything.

Jim McDonald

Jeff, I was expecting you to bring up one of your catchphrases, which is around the Amazon shopping cart: Nobody teaches you how to use Amazon — you just figure it out. I really feel like that ought to be the mind-set we strive for with identity management. What ends up happening is that as practitioners, we work within the tools, we color within the lines, and a company like Amazon, they’re the ones creating the lines. They’re the ones creating the new technology future, but it’s that mind-set of — to me, that’s what the people-centric is a lot about, which is that we’ve got to remember, nobody in the company or organization was hired to approve access or to request access. That’s nobody’s job. It’s something that they have to do in addition to their job. If we put that mind-set on, then we say, “How do we make this so that we would get the quality that we need but, at the same time, make it as easy as possible, take as little time as possible?” Anyway, I want to throw that back to you, because I was almost expecting that that’s where you were going.

Jeff Steadman
Well, that’s a good point you brought up because, I think, the other thing that entered my mind is, when you’re designing people-centric IAM services, you need to take into account all the people. What happened 10 years ago, when people were using physical tokens and they’re blind, they can’t see the numbers, or they, for whatever reason, have some inability to use a certain method, or whatever it may be. That may force the hand of organizations to adopt other forms of authentication to make it easier for people to use. 

I think there are a lot of ways that you can try to help your organization become more aware of some of those capabilities. Be aware of what the capabilities are within the application itself, but don’t get into this struggle that Alec mentioned, where you’re rushed to get something installed and you get 10% of the value out of it, and then you move onto something else for a checkbox compliance elsewhere. You’re fighting fires, typically. It’s like, “We need to get it in place. All right, now we have tokens. Good. Let’s move on to the next thing.”

That’s OK, but you need to remember to come back and keep expanding and extending the IAM services, so that you are getting full value out of whatever technology you’re putting out there. You’ve made the investment in the technology. The more that you can get out of it, the better, or more of a rock star, you end up looking as you’re putting that stuff out. Would you agree with that, Alec? 

Alec Fry

Absolutely. That’s been a big focus of mine — to make sure that people are using all the functionality that’s available in solutions that they’ve got to cover as much of that requirement as possible. Aligning it not just with what functionality’s in the solution and where it’s relevant to their situation but also, as we touched on, the usage patterns of different user types or personas. A great example I just came across is in the environment where you’ve got retail workers. Of course, you’ll have 20-year-olds that are just doing this job part-time while they’re at university, for example. As we all know, 20-year-olds are glued to their smartphones and do everything on them.

Then, the other end, you’ve also got people in their 50s or 60s that do this for part-time work — anything that they do on their phone is really just phone calls and text. For them, if, for example, they had to log in to choose their next shift, they’ll go home and do that on the PC rather than do it standing in the store on the phone. You’ve got to know when to apply IAM through things like a mobile app versus through a desktop version and the usage cases around those. Yes, I agree completely. It’s all about making the most use out of what you’ve already got. 

Jeff Steadman

Yes. When you come around and you start making these investments, I think that’s typically one of the bigger drivers that we see from identity and access management — what are these investments for? If they’re typically to reduce risk, which means reducing or outright, if you can, eliminating breaches and trying to prevent those sorts of things. What do you see in, in your view, that trend of breach prevention, and where is IAM intersecting with that? 

Alec Fry

Excellent question. What I’m seeing, and what I’m really impressed with in the IAM space is that the breach-prevention component seems to be addressed in a number of different areas. As an example, there’s the component that I’d like to call “Head them off at the pass,” which is trying to prevent the breach before it happens, or ensure that only the people that are being authenticated into the system are valid people. That’s where you apply those things that we touched on before, like adaptive authentication. What I love, as well, is preauthentication. Things like, if you’re using — I’m sure your listeners are familiar with federated authentication models where you type in your username with the domain on the end. Based on that, the system you’re connecting to says, “I’m going to read the domain and work out where I’m going to forward your authentication request to.” 

In that scenario, where preauthentication checks are involved, it can do everything from saying, “If I’ve got Jeff from Identity at the Center trying to log in, well, is he in the country that he’s normally in?” If he’s not, then there’s a slight threshold of risk added to that. What would be his midnight? That’s also when he doesn’t normally log in. All of those checks that can be done before you’ve actually done anything related to trying to verify who you are — which is add the password or do the token code, or show your face or whatever — is the next step. Like I said, that’s heading off at the pass. 

The next part that I like also is the shutdown-ASAP-type model that came in some years ago when I was working somewhere, and they introduced a product — network user behavior analysis. One of the stories I loved from that vendor was, they said they were at a company in the States that was a manufacturer of something like jet engines for high-profile military, or something like that. 

They were showing the demo where you let it run for a week, and you’re watching users’ behavior. Then, you come back at the end of the week and say, “Look, here is where —” anomalies, or whatever. As they were demoing it — and normally, it was occurring before they arise — they’re going, “Hang on. He’s the guy from admin or something, and he’s gone – he’s accessing the R&D database, and he’s pulling down truckloads of data right now. This isn’t normal.” The system interacts and prompts him with an MFA or whatever. The interesting thing was, they actually said, “Let’s go and check on this person.” They walked to his desk and saw him. Basically, he was stealing company data that he was going to go and try to sell. 

That kind of stuff of “Let’s find them and shut them down” — and that translates, because that was more a user behavior tool example — in a more classic IAM example, there is also the one that just says, “You’ve logged in. You’ve got access to certain things, but as your behavior is looking more and more risky, we’ll throw in another authentication request” and everything else, or an MFA or whatever. That’s where there are horror stories of someone who was breached, and a hacker was sitting in there for 40 days before they were noticed. This is where you get the much earlier pickup of someone’s been in there for a day, and they’ve done one thing that looks slightly out of place. They’re being pushed for extra authentication that they can’t meet, and then they’ve been kicked out. 

The only last point I’ll add to that is, one of the things that helps in breach prevention is the educational awareness. Also, people being taught on a daily basis to try to spot phishing attacks, and that kind of thing. To fit that whole people, process and technology model, it’s across all of those that you can help address that. 

Jim McDonald

You hit on a couple of points there that are so relevant that I want to take the moment and tease them out. I think the first thing is with breach prevention — probably, the biggest thing is breach detection. You mentioned 40 days versus one day. It doesn’t mean that in one day, some damage won’t occur, but it’s going to be less damage than what occurs over 40 days — or we sometimes see longer. A lot of the reports that have been put out there put that timeline as even longer, on average. Some of the breaches that we’ve seen, hackers have been inside the system for a year or longer. You can actually trade a lot of data in that time. You can install a lot of malware that continues to leave that tunnel open to continue your exploits. 

The other thing that I thought was really interesting, you were talking about this internal person who is stealing data. We had Dr. Chase Cunningham on the show last week, and he was talking about zero trust. I think that has become such an interesting framework — such an important framework. It’s been around forever, but within the last year and even two years, it has picked up so much steam — gotten a lot of recognition within the industry — but it’s really recognizing the fact that not all breaches are coming from the outside. 

I don’t remember the exact report — and Jeff, you might remember — but it’s something like a third of data breaches are performed by internal actors. If you’ve got a third of your breaches happening from internal actors, keeping the bad guys out isn’t the full solution. It’s not that it’s not important. You still have to do it, but you need to think that the bad guys may already be in. In fact, the bad guys may be people that you quote-unquote trust. They may be your domain administrators. 

It’s not that I’m preaching to the practitioners out there that you should distrust those folks that work for you, but you can’t write them the blank check to say, “We trust you. We’re not going to watch you. We’re not going to have the internal checks and balances to make sure that your activity is being logged and monitored.” In fact, I think it’s probably important to the extreme to do that because the level of access that those internal actors sometimes have is so highly elevated that the amount of damage that can be done is super high. 

Jeff Steadman 

I think you’re right on there. It’s about a third of where breaches come from, is on the internal side of things. It could be employees, it could be vendors, etc. — traditional people inside the firewall versus outside of the firewall. That’s the thinking behind it. 

Alec, you brought up one point that I thought was interesting. I think this is something that I’m seeing in more products being available, and that is being able to take advantage of things like factor sequencing. What this does is essentially allow you to say, “I’m going to throw up the MFA prompt first and then do the password.” In an area where somebody who might be getting a lot of password requests, password-reset requests, etc., that could be a way to improve the usability for some people and improve the security at the same time. That might be something that’s worth taking a look at. If you’ve got that capability within your access management or your authentication stack, take a look at things like factor sequencing to tailor certain scenarios where you’ll alleviate some of the pain that’s on the end user and be able to take advantage of all the bells and whistles that come along as part of your application or your service. 

Jim, you brought up another one that was important — the whole trust thing around internal actors. Most people want to believe that people who work for a company are trusted resources and are going to do the right thing. I’d like to be the optimist and say, “Yes, I think that that’s the way most people will handle it.” Where I find that the challenge typically comes in is not the intention of trying to do something bad. It’s, you get lazy. You start to find workarounds to get around the security methods, and you slip up. You’ve made a mistake. You weren’t trying to do a bad thing, but now you’ve reused this password on a system that has become compromised somewhere else, and that’s the way that someone gets in. It’s a matter not only of stopping absolute bad actors inside but also of putting up some guardrail to hedge against the human trait of laziness that some people might end up having, or bad practices, bad habits, etc., that add more risk in the environment. Does that make sense, Jim? 

Jim McDonald
Absolutely. I saw as recently as today that factor-sequencing piece that you’re talking about. The way I think of that is, one of the things that’s really annoying is that the bad guy’s going to lock out your account by just peppering the password, then, you’re locked out. They never get to the MFA prompt. You can just annoy somebody to death, whereas if you ask for a multifactor, that is the first step to prevent that. That’s just a little side thing. One thing that I wanted to also bring up was something that Alec mentioned to us in a previous discussion around that RSA PIN project that you had worked on back in the day. It was a story I had never heard in the IAM space. It’s the gun-behind-your-head scenario. I won’t steal your thunder, Alec. Why don’t you go ahead and tell that story? 
Alec Fry

Sure. It was in late ’98, when I was a trainer for RSA, and one of the features that they have in their solution that I was blown away by was a thing called the duress PIN. The idea behind that is, for everyone that’s familiar with using two-factor tokens back in the day, where you had to type in your PIN, followed by the number on the token, the model here was that if you transpose the last digit of your PIN by one — if your PIN was 1234 and instead you typed 1235 — that would alert every administrator on the system that you’ve logged in under duress. The intention is, you’ve been forced to log in because there’s a gun held to your head, then, yes, the system will log you in, but it will highlight to every administrator. It can also send an SNMP trap and then send texts to people. It can be done so that in real time, administrators are aware of that. 

My favorite addition to that function was that if you yourself were an administrator and then logged in to the log file to see exactly what’s being shown, your view will be filtered so that you don’t see all of the alerts that went to all of your other administrative colleagues — the reason being that if the person with the gun to your head is smart enough to say, “You’ve just logged in, but you’re an administrator. Show me the logs to prove you haven’t done something like the equivalent of a person in a bank pressing a little button under the table. Show me you haven’t alerted everyone.” They won’t see that you have. I was impressed by that. That, for me, fits into that breach prevention or breach detection of “Shut it down as soon as possible,” even though it actually occurred. This is technology from 20-odd years ago, or 23 years ago. Some of those things have been around a long time. I’m very impressed with that. 

Jeff Steadman
I can imagine how complex it would be to try to explain to somebody, “Okay, you need to set up a password that is 16 characters, alphanumeric, has the special characters, uppercase, lowercase. OK, great. You got that set? Okay. Now, I need you to set up a duress password with the same type of things.” I think people would freak out completely. I’m sure there’s ways to do it, but I can only imagine how that would work in the real world today with our users.
Alec Fry

One of the things I was hoping to get to earlier in the conversation as well — I’m actually keen for everyone to be looking, especially with features like factor sequencing, toward the sequencing of factors being things like your Touch ID or your Face ID and something like a symbol to accept on an authenticator app but, ideally, moving off passwords. I know you’ve probably had lots of people in the show that have said this, but I’m definitely a strong believer in the camp of passwords are well past their prime. They should be in a retirement home with a blanket over their legs and all that kind of stuff. They did a great job, but they should definitely be retired now. Anyway, that’s my little preach for that. 

Jeff Steadman

I’m with you. I think the technology is there. It is absolutely in place where organizations can start to move away from passwords as primary authentication. It’s built into the OS now, in Windows and in Mac. The only excuse right now is, basically, organizational will to do it. You probably have most of the things that you already need. If you don’t, it’ll take some investment to get there, but just think how much happier everyone will be when you don’t have to remember that password. You’ll log in with a PIN, plus your phone, or one or the other, whatever it may be. I am looking forward to celebrating the death of the password again this year, as we’ve probably celebrated over the last several years. We keep hearing the password’s going to die, but I am totally with you.

Jim McDonald

Password Is Dead Day.

Jeff Steadman

Password Is Dead Day. Yes, we’ll try to make that a global holiday, maybe even strive for a galactic holiday. How about that? 

Alec Fry

Actually, I’d love to see a news story — and it’s probably like 100 years from now, 50 years from now — where today, officially recorded history, the very last password in use has just been officially retired. 

Jeff Steadman

Somewhere, there’ll be a mainframe still running RACF ID with a password because some insurance company hasn’t figured out how to move off of that. No offense to our friends in the insurance company, but that’s really one of the areas that is a little bit slower to move off of. 

All right. I think we’ve covered a lot of ground today, and I want to make sure that we leave some time here to talk about this report that’s coming out from our friends over at the IDSA, or the Identity Defined Security Alliance. As I mentioned earlier in the show, it is coming out on February 4, which is a Thursday.

It’s really interesting. We were able to get an advance sneak peek of it from our friend Julie over there, so, shout-out to Julie, and thanks to her for that. It is an excellent piece of research that they’ve done. The title of the report is Identity and Access Management: The Stakeholder Perspective – A Survey of HR, Sales and Help Desk Professionals. Kind of a long title, but essentially, what we’re talking about here is people in HR, sales and help desks that are commenting on the state of IAM from their perspective. A lot of times, we see the perspective coming from the CISO, managers, executives, etc. Now, we’re seeing a piece of work that is focusing on the frontline workers of IAM — typically, people who are in the trenches, where I’d gotten my start, too, in the IAM space. I certainly understand how that works. They have some really interesting factoids, and charts and graphs. If you are looking to promote IAM within your organization, it is definitely worth a look. 

There are three main areas — and we’ll talk about it here in a little second just for a quick discussion — but they talk about system access challenges, stakeholder investments and security, and the state of process and technology for system access. I’m going to throw in one stat that came out of this report as a teaser, because I want people to go to IDSAlliance.org to check it out, because I think it really is good. Under the system access challenges area, there was a survey done, as is done in this type of thing: 72% of the respondents said it took a week or longer to get access to all the systems a person needs.

Now, if you think about it, when you’re having conversations with the business, they are always like, “Oh, we need it right away” or “We need it within 24 hours or 48 hours.” The people who are on the ground, actually doing this work, 72% have said that it takes a week or longer to get everything. I think that is unfortunately still relatively normal in a lot of organizations — some things might be automated. I want to toss it around the virtual room here, and maybe we can start with you, Alec. I think you’re probably just hearing this for the first time. Any kind of gut reaction to that kind of statistic? Are you shocked? Are you not shocked? What do you think? 

Alec Fry

Sadly, I’m not too shocked, because interestingly, I’ve just been working in a few project environments where even though role-based access control is something people are aware of, it’s not fully utilized yet, or it’s not fully fleshed out. For that reason, there are always lagging requests for applications that just weren’t processed in the initial sign-on of the user. Yes, it is unfortunate that I’ve seen that in too many places. Similar to the world going passwordless, I’m really hoping that people get their role-based access control and their defined user privileges at onboarding time more streamlined — that that number really dissipates over the coming years. 

Jeff Steadman

Jim, what do you think? 

Jim McDonald

We see it all the time. I think what organizations have gotten to the point of doing really well — let’s not say across the board — but 90% is automating Active Directory or Office 365 access and getting people email. That stuff tends to happen lightning-quick. In other words, on day one, someone has that core access, but it’s the applications that are often the hinterlands, and the less automation an organization has, the more they rely on email, passing around forms, even ITSM tickets. The more automation you have, the better. Typically, what I see is that almost everybody’s getting good at automating that core functionality around Active Directory. Then, as it goes beyond that, that’s where things tend to slow down. When I hear a week, I’m thinking the person probably has 50% to 75% of their accesses — that last mile of access that they’re waiting on. That’s been my experience.

Jeff Steadman

I think we’ve probably covered, like I said, a lot of ground here. You’ve got a lot of good topics. Alec, thanks so much for being part of the show. We’re going to have a link to your LinkedIn in our show notes, which you can find inside of whatever app you’re listening to right now. You can also search the web for FRYdentity — “F-R-Y dentity.” You’ve got a lot of good information that’s going out onto LinkedIn. Before we close things out here, any final words of wisdom that you’d like to bequeath upon us?

Alec Fry

Probably, I’ll just say for people to look at the capabilities of the solutions they’ve got and, where possible, make sure they’re applying MFA as appropriately as they can for their user base to meet their usage needs and everything else.

Jeff Steadman

Sage advice. I appreciate that. Jim, how about yourself? Anything you want to close with? 

Jim McDonald

Well, in honor of having our first standup comedian on the show, I say people-centric identity is no joke.

Jeff Steadman

That is terrible, Jim. 

Alec Fry

I’d like to leave you with one more then. I guess when you talk about biometrics and — the one thing I think about with that is that retinal scanning is all fun and games until someone loses a credential.

Jeff Steadman

I absolutely love that, Alec. I might turn that into the teaser. I don’t know. I think I’m going to try to figure out how to work that in. If you don’t get it, stop the podcast, rewind, go back and listen, because I think it’s super clever. It is definitely very good. I don’t know. Is that a Fryism? How do we coin that and make sure that you get the appropriate credit for it? 

Alec Fry

I’d love that. Yes — Fryism. That sounds great to me.

Jeff Steadman

All right. We’ll do that. All right. We’re coming here at the end of the hour. Let’s go ahead and call it for this week. Alec, we certainly appreciate it. Thank you so much for starting your day with us and helping us end our day with this conversation on our side. 

Like I said, there will be a bunch of links in the show notes. You can find those in your podcast app — for the IDSA report, as well as links to Alec on LinkedIn. You can also find links to ourselves and our website on LinkedIn, as well as IdentityattheCenter.com. You can see us on Twitter @IDACPodcast. With that, we’ll go ahead and close it out for this week. Thanks, everybody, for listening, and we’ll talk with you all in the next one. 

Male

Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com.

