The Changing Face/Fate of Identity

Transcription

1 #RSAC SESSION ID: IDY-T09R The Changing Face/Fate of Identity Ian Glazer Senior Director, Identity

2

3

4

5

6

7

8 And then, we woke up

9 Partner Employee Consumer

10 Partner Employee Consumer

11 Partner Employee Consumer

12 Partner Employee Consumer

13 Partner Employee Consumer

14 Partner Employee Consumer

15 Partner Employee Consumer

16 The Changing Face of Identity #RSAC

17 Employee-Centric Identity Right Access Right People Right Place Right Time

18 Critical piece of Security

19 Necessary partner for Privacy

20 Employee Identity = Cost Center

21

22 Profit Center

23 Consumer Identity = Profit Center

24 New Stakeholders

25 Digital Transformation Sales & Marketing Community Dev.

26 Customer-Centric Identity XP Right Experience Right People Right Place Right Time

27 ( + + ) x x

28 Sign-Up Sign-In Onward Journey

29 Sign-Up Reduce Friction, Increase Customer Acquisition Try signing up for your own services How friction-free was the process? B2C Social sign-up Progressive Profiling and Proofing B2B How do you verify a supply chain partner? How can that be improved?

30 Sign-In Strong Test of User Experience Avoid YAUP: Yet Another Username & Password Standards de-risk deployments SAML and increasingly OpenID Connect Be ready for standards like protocols

31 Brand Hub

32 Brand Brand consistency is an issue of trust Consistency across Form-factor Lifecycle event Synchronous and asynchronous Multiple brand scenarios increase complexity Product line Line of business Brand Segregation

33 Hub System of record for customer Pattern #1 - IDP as a destination My Profile My Consent My Preferences Redirects are okay

34 Hub System of record for customer Pattern #2 - IDP as a directory service Consult IDP to verify identities exist No redirects to the hub No content in the hub Identity-based integration services only

35 Solving for Customer Engagement 3 Major Components of Customer Identity + +

36 Optimizing for Customer Engagement 2 Primary Variables of Customer Identity + + ) x x

37 But what about the Onward Journey?

38 The Onward Journey The Goal of Digital Transformation Why we do identity Enrich the relationship Identity provides context Rally the business around a single picture of the customer Trigger business process as the relationship matures

39 The Onward Journey The Goal of Digital Transformation Identity provides the context needed for every interaction: In-person Business Process Web Mobile API Connected Product

40 Connect all the things #RSAC

41

42 You Must Recognize Your Customers With Every Interaction Web Mobile Connected Products APIs

43 Two Standards in Play JSON Web Token OAuth Token Exchange

44 Two Tokens in Play Subject Token Represents the identity of the party on behalf of whom the request is being made Actor Token Represents the identity of the party that is authorized to act on behalf of the subject

45 Four Logical Actors Customer & Device Registry Device Backend Services App / Interface Connected Device

46 1. Authentication: User Authenticates using App

47 2. Registration: Token Exchange + Device Metadata

48 3. Business Process: Asset Management and Integration Asset Tracking ID Name Serial Number 02iD00GMg Thermostat Business Process

49 4. Token Issuance: JWT minted, returned to app,

50 4 and provided to the Device

51 5. Device sends data to backend, secured with Token

52 6. Backend Identifies Customer and Takes Action

53 What about APIs?

54 Along with the Access Token

55 Use the ID Token

56 Use the ID Token

57 Customer Identity Identity for IoT

58 The Changing Fate of Identity #RSAC

59 Where is Identity in the org?

60 Consider the stakeholders

61 IT Operations HR Compliance

62 Digital Sales & Marketing Community

63 Merge with Security? Infuse into the Org? Both?

64 Identity Security Privacy

65

66 ISACA

67 ISACA IAPP

68 ? ISACA IAPP

69 Identity industry lacks a professional organization

70

71 ID Pro

72 ~400 practitioners stepped forward in the first 3 months

73 Networking & Information Sharing Body of Knowledge Code of Practice Certification

74 Get Involved!

75 Birds of a Feather! Thursday 7am!!

76 One Fate We Must Prevent #RSAC

77 No one wants to build a system that can be used to harm others

78 No one wants to build a system that can be used to harm oneself

79 If your identity repository is of value to you

80 Then your identity repository is of value to an attacker

81 Meet Our Attackers Bulk Single Row

82 Bulk Attackers SELECT * FROM EMPLOYEES_t Wants: All the data Possible Goals: Identify everyone in a region who shares Medical condition Ethnic heritage Employer Set up a spear phishing attack later Set up oppression campaign

83 Single Row Attackers SELECT * from CUSTOMERS_t WHERE = thatguy@salesforce.com Want: Data specific to a single subject Possible Goals: Take control of a celebrity's mobile phone Dox an adversary Make an ex-spouse's life hell

84 But there is a third kind of attacker

85

86

87

88

89 The Person Who Has Your Job Next

90 Successor Attacker SELECT * from IANS_ILL_FATED_COLLECTION_OF_PII_t Want: To do their job as they see fit Possible Goals: Promotion Continued employment Receive a payment

91 Successor Attacker Compromised User

92 These attackers can weaponize identity systems

93 Weaponization

94

95 Identity systems are neutral

96 Their applications are not

97 ID Pros have to step up

98 Goals for Identity System De-Weaponization 1. Defend against all attacker types 2. Strike a balance between protection and utility 3. Achieve greater transparency 4. Promote data provenance

99 Maturity Model for De-Weaponization 0: Baseline 1: Managed 2: Defend Against Successors/ Ourselves 3: Defend Against Bulk Attacks 4: Defend Against Single Row Attacker 5: Transparent

100 Access Control Data Management Disciplines for DwMM Data Protection Identity Governance Audit

101 Access: 2FA for Admins No Developer access to production data No Program-lead access to production data Data Protection: No insecure data transfers No insecure data staging Data encrypted in transit Audit: Audit all admin system changes Audit user access to systems

102 Identity Governance Segregation of admin duties No Read All for admins No Modify All for admins Access Control Explicit delegation for System-to-System access Data Protection Selective encryption and hashing

103 Access Control 2-Person Rule for data extracts Data Management Query governors to prevent large extracts Audit Audit all CRUD operations

104 Access Control No self-referential multi-factor access to data about the data subject Don t ask KBA questions whose answers live in the dataset Data Management Behavioral query governors Apply machine learning to query behaviors

105 Data Management Data provenance bound into data Relationship Context Metadata Data without provenance must be assumed to be fraudulent Audit Make public who is querying the data Public will depend on the industry, geography, and legal regimes Flip the Panopticon

106 1: Managed 2: Defend Against Ourselves 3: Defend Against Bulk Attacks 4: Defend Against Single Row 5: Transparent 2FA for Admins No developer access to production data No program-lead access to production data Segregation of admin duties No "Read All" for Admins 2-Person Rule for data extracts No self-referential multifactor access to data about the subject Data provenance bound into data No insecure data transfers No insecure data staging No "Modify All" for Admins Query governors to prevent large query extracts Data encrypted in transit Audit all admin system changes Audit user access to systems Explicit delegation for System-to-System access Selective data encryption & hashing Audit all crud operations Behavioral query governors Make "public" who is querying data

107 Do no harm.

108 Prevent the fate no one wants

109 Deweaponize: Protect identity systems

110 Professionalize: Embrace our changing fate

111 Synthesize: Connect all the Things

112 Digitalize: Embrace Customer Identity

113 Normalize: Reinforce Employee Identity

114 Your Fate is in Your Hands: What to do Next #RSAC Become part of CISO org But split the team and have half work with CIAM Connect all the things Explore Actor Token pattern for IoT Use ID Tokens to bridge API surfaces Get involved with ID Pro kantarainitiative.org/digital_identity_progressional Achieve Level 1 on the De-Weaponization Maturity Model in 6 months Aim for Level 2 in 12 months 114