Achieving Zero Trust – Securing Workforce and Customer Identities in a New Business Paradigm
0:00:01.2 Bill Harmer: Alright, everyone, we’re gonna kick off today. I like to thank you all for taking time out of your Thursday to join us to talk about zero trust. My name is Bill Harmer, I’m the chief evangelist and CISO at SecureAuth. I’ll be hosting today’s webinar, and we have a couple of guests with us today. First, we have Chris Convey, who is the VP of IT and Risk Management and CISO at Sharp Health. Chris has an extensive background in security, both in risk and technology. Prior to Sharp, Chris was with Millennium Health, and Kaiser Permanente before that, and PwC. Sharp HealthCare for those that don’t know it, is a non-profit regional healthcare located in San Diego, and they run about 18,000 employees with 2600 physicians doing incredible work, especially in this time. For myself, as I said, I’m the chief evangelist, and CISO for SecureAuth. I’ve been in IT for 30 years, security for 20, and privacy for the last 12.
0:01:02.7 BH: And more importantly, we have an honored guest today as well in Andras Cser. He is the Vice President and Principal Analyst at Forrester, serving the security and risk professionals. He is a leader in the identity space. He also covers cloud security and enterprise fraud management, and he helps his clients develop enterprise strategies for creating business value, and we are truly honored to have him. Andras will be taking us through his view on identity as a perimeter becoming the double-edged sword. Andras, I’ll turn it over to you.
0:01:39.2 Andras Cser: Thank you, guys. Hopefully, you can all hear me. I appreciate the opportunity to speak on today’s pretty exciting webinar. So identity as a perimeter has been something that we’ve all been looking at as the next Nirvana after the network perimeter being dismantled. Identity authentication, authorization are the core principles of zero trust. The question is if getting access to all the data, all the network, all the applications in somebody’s corporate environment only depend on having a password or having some authentication and enforcing access policies, how do we make sure that we only allow folks on our corporate network, accessing our corporate data, who are authorized? So really this is our kind of theme today.
0:02:37.5 AC: If you look at the password ecosystem, it’s relatively clear to see that passwords are really expensive to support out there. You have snoopability problems: you can track and really look at passwords on the internet, on a corporate network, by just setting a computer’s interface on a poorly isolated and compartmentalized network to snoop passwords. They’re phishable, stuffable, crackable, you can reverse engineer them, and these numbers come from some of our interviews and estimates. Passwords are a drain on the budget because the help desk calls to a great degree are password related, “I forgot my password,” “I can’t type my password.” Step-up authentication for customers is even more painful to effect or authenticate or understand. Really, it costs an average company about $31 to resolve a password-related issue, and this is basically translating to $179, $180 per year to resolve really password-related issues.
0:03:54.8 AC: So again, not a cheap exercise out there. As we look at the current pandemic, COVID-19, it really also mandates remote work, so we’re stuck here. We have to be able to support remote work, really all the access, whether you’re using VPN or not, depends on some kind of authentication. Our estimate is that during the pandemic era of COVID-19 globally, the global workforce, so basically folks who can actually work from home and don’t need to be physically present in an office or location, so this population increased probably approximately three to fourfold to what it was before COVID-19. So there’s all classes of people, all new groups of people like sales folks or some project managers that actually need to work from home these days and these times, during these times of COVID-19, and this absolutely mandates that you have a good policy around enforcing access and making sure that only authorized people can access, only location-wise, they can come in only from those locations where they live or where they’re supposed to be working from.
0:05:23.4 AC: There’s definitely a big premium on performance, so a lot of organizations are seeing 10 times the VPN performance requirement than what they were used to before, and obviously we see huge increases in cloud adoption and cloud security adoption as a result of people working from home, and firms and companies not being able to support this increased level of operations using on-premises call centers. So you have to make sure that there’s not a lot of friction for your employees so that they can add value and do their work, and obviously if customers, they require and demand a lot of this as well.
0:06:07.9 AC: So again, really important. And identity, as I said, can be the double-edged sword’s perimeter. If you have the identity, you’ve got access to a lot more things than what you had access before, so yes, we can protect things from the network perspectives to some degree, or the workload perspective, but identity continues to dictate who has access to what. So it’s always a triad and a delicate balance, which is really hard to kinda maintain. In a lot of instances, the security element is there, so very much we have to keep focusing on the security aspects of the organization. At the same time, we cannot have armies of people doing the joiner-mover-leaver process or enforcing these policies, and the customer convenience is also playing a big role in this area, and this can be employee or business partner or consumers.
0:07:10.8 AC: So in response to all this, the overall IAM vendor investment themes to make all these areas more tolerable and even delightful: there’s a lot of SCIM integration, on-prem application integrations, identity solutions increasingly are able to look at the device from which the request or access is coming, so to some degree partially replace enterprise mobility management or mobile device management tools, by just looking at device posture, looking at things like, “Is this a jailbroken device?” “Is this device in a known rogue geography?” Also passwordless authentication is a big driver here. We’re seeing more and more requirements around not using passwords, but using global device-based authenticators, or even one-time passwords being just text messaged to a phone number and then users using those, or one-time use links or one-time use codes actually being sent to people’s email addresses, again, relying on email security and authentication.
0:08:21.1 AC: Identity analytics is definitely an important aspect to this, understanding the normalcy behavior of what a user normally does and where the anomalies could be from that activity is important. Multi-factor authentication remains a very core and really key component of an access policy enforcement solution. You really have to be able to support it on any end points, in situations where you may not be at home, you might be sitting in a disconnected area or you might be working from a different location. Conditional access, again, defining policies around time constraints, you can only log into these resources during the work day, so Monday through Friday, 9:00 to 5:00 from a certain location. If we geo-fence this, so again, really the questions around this, and those questions need to be translatable into policies in access management.
0:09:25.8 AC: Looking at information protection, so Microsoft information protection, Azure information protection really come up, and ultimately people wanna be able to protect their data and really only allow their trusted parties, workforce or business partners, or even customers, to look at it if they have a legitimate need to do so. FIDO2 and WebAuthn are definitely the next step in authentication land, so this allows for a better passwordless experience, as well as almost a limitless biometric and two factor authentication implementation. Templates, identity experiences in all business-facing, employee-facing, business partner-facing, and customer-facing, so B2E, B2B, and B2C type of scenarios are very important. These kinds of use cases or enrollment registration, self-service login, etcetera, play a very important role. If they have canned templates being provided by a vendor, your implementation work is gonna be substantially less than if the vendor does not offer these things.
0:10:35.2 AC: Some access management trends and themes for investments. Again, rules-based [0:10:40.5] ____ is still there. So the more granular policy definitions you see, the better. Contextual policies, IP address, device posture: you may not be able to access this resource or application from a jailbroken device, but you can from a non-jailbroken device. Fast federations, adding business partners in a really snappy and quick manner. Roles-based management, again, nothing new here, but the roles are much more dynamic and can look at the attribute values of users on the fly and take some dynamic decisions. Mainframe support still is an interestingly odd requirement. We still get questions on this using ACF2, RACF, Top Secret data that a user stores. These things are alive and well to this day, at least in North America.
0:11:37.8 AC: And then these credentials for enrollment and authentication, these are the wallets presenting a driver’s license or a claim or proof for enrollment registration as well as authentication… And then lastly, coverage via APIs for identity orchestration and much finer entitlement management. So this is all about maybe in a customer-facing situation that the head of the household may be able to change plans or look at some more sensitive data on a mobile device, mobile phone account, but the kids, they can only look at the number of minutes used or change some less sensitive or risky attributes of the subscription.
0:12:23.9 AC: So again, looking at a zero trust authentication architecture, so making sure your identity does not become a double-edged sword in the wrong hands. You have to have a number of different components to monitor the user’s journey. This includes navigational pattern analysis, understanding where the normal group of users click. Make sure that there’s human-based authentication, risk-based authentication. Again, creating a risk score based on the IP address of the user or device ID, device reputation, session speed, and other variables. If this risk score is high, then you might force the user to do two-factor or multi-factor authentication using one-time passwords or biometrics, or even make them use passwordless. Otherwise, if it’s a low-risk kind of transaction, then you just let the user log in without further ado. And then once the user is on the session, you wanna allow them to interact, but watch what they’re doing. So this is what we call continuous, or behavioral authentication detection. Understand how a normal user, the legitimate user, works on a session or interacts in a session and then being able to flag any kind of anomalies to that.
0:13:38.7 AC: If somebody’s credentials were lost or stolen and you have a hacker doing something on behalf of a victim, and you’re able to actually identify these situations and even intercept the activity by ratcheting down the permissions of the user, or even locking out the fraudster from the environment.
0:14:02.1 AC: Again, some two-factor authentication, multi-factor authentication requirements vital to and [0:14:07.1] ____ are definitely taking ground at really great speeds. Passwordless as well as SMS text message based, as well as voice based password, one-time password delivery, and understanding when you cannot deliver these passwords. We see blockchain based verifiable credentials using decentralized identity, self-sovereign identity, risk-based multi-factor authentication enforcements. Again, only prompt users for two-factor or multi-factor authentication if their risk score is high. Voice callbacks and really third party authentication integration, self-service, and OATH TOTP or HOTP support is definitely an important part of it.
0:14:55.3 AC: So these are aspects and layers of multi-factor authentication. And then really forgetting the password and really moving away from passwords is an overall theme we see out there. So if there’s no passwords, there’s no secrets to forget, snoop, phish, steal, write on a yellow sticky on their keyboards, drawers, etc. And it’s much easier. Usually most knowledge workers would have a mobile app. You can send a mobile notification to the assigned mobile application and you can look at things like geo-location, GPS sensor data, posture data, cell phone tower triangulated physical location data, device identities, and they’re all protected in the app and are readily usable. And then if you are using a mobile app, obviously that you have to authenticate, there is still a requirement to switch between the mobile app, the business app that you might be using, and a dedicated, authenticated application. Obviously, you can kinda merge these two things into one application. That is absolutely something we see out there.
0:16:05.3 AC: So again, behavioral biometrics. I just want to kinda quickly highlight the importance of behavioral biometrics. It’s the what you do, in addition to what you know, what you have, and what you are, kind of aspects. So looking at mouse movements, how you use your mouse, screen swipes, how you touch your screen, force, the patterns, how you type on your keypad, the typematic rates, travel times for fingers between keys on the keyboard, how you hold the device, ambient light sensors. And all these things are important in behavioral biometrics. Again, watching what the users do and get real time and drawing conclusions, and even adjusting the level of privileges and entitlements that the user has in the session is something we see there.
0:16:54.8 AC: So again, these are some of these implicit aspects of activities. This really fits the zero trust model very well and can be used before, but also during and, most importantly, after login. So sometimes you can use it through an augmented running score point system for driving policies, for accessing resources. It can be implemented in an API or human-facing kinda manner. Also applicable to omnichannel, so not only mobile web or desktop web, but also mobile applications, for phone call center type of activities. And you can also use risk scores based on the company’s own data. And more importantly, these organizations, the vendors of the space, actually offer a lot of shared data consortia from their own customer base that can be securely and privacy-consciously exchanged between organizations. So you can see if a fraudster had probably been able to take over accounts at another customer of your vendor and be able to protect and defend against that sort of thing. And linking devices using identity analytics is absolutely a core building block in this aspect too.
0:18:18.2 AC: So this is a table that I’m not gonna go into because of time constraints, as to how traditional biometrics and behavioral biometrics are similar and different. The biggest difference is that behavioral biometrics needs some time to burn in, so it may not be functional on day one. You have to actually spend some time before the model is sufficiently trained and is production ready. Some predictions that we see here at Forrester… So definitely an important aspect of behavioral biometrics expansion that we’re seeing here: error rates, equal error rates as well as false accept and false reject rates are definitely improving here. There’s a lot of performance improvements for large scale deployments. And again, using shared information, device IDs, hot lists, white lists, black lists, as well as patterns, compromised IP addresses, compromised passwords in some instances, are definitely important.
0:19:22.1 AC: Understanding and identifying and even blocking jail-broken, rooted devices or jail-breaking and masqueraded devices is important, and then we see a lot of interesting use cases of using behavioral biometrics with the payments space, again, to improve the customer experience. So with that, I’d like to conclude my part of today’s presentation and hand it over to Bill.
0:19:51.2 BH: Thank you very much Andras, very much appreciated. That is some really, really in-depth information as to what we’re seeing in the identity space and some of the ways to move towards zero trust, relegating passwords to the trash bin where they belong, and doing it in a safe secure manner, taking into consideration some of the things that we have to deal with. So, what I’m gonna do now for you is I want you to take what you heard from Andras, take his concepts, his ideas. I’m gonna give you a little bit of background about more of the world in general, and how that has led to where we are, and then I’m gonna talk to Chris about his challenges and how he has gone through this.
0:20:35.1 BH: If you look at the current landscape today, organizations are being forced, and I mean forced, COVID was a base jump off the platform of security into a world of never going back to where we were, the new normal… Pick any cliche you wanna slap on it, but organizations were absolutely pushed into meeting business requirements much more rapidly. When COVID hit and the stay-at-home orders went out, businesses did not say, Okay, I’ll stop doing business today. They said, No, you find a way to make it work to the IT people, the security people and the risk people. Organizations have absolutely accelerated the roadmaps, so, a lot of what we in the industry have called fast followers, the ones that wait to see how things play out with other organizations, they’re not waiting, they don’t have a choice, they now have to start accelerating those road maps and finding out how to get to where they need to. The software vendors as well, rapidly accelerating roadmaps to deal with the new normal.
0:21:31.9 BH: Threat actors are absolutely not going away. This is an absolute key time for them, because moments of change, moments of dramatic change, are the best time to attack, to get in on the confusion and the chaos and find ways to plant accounts. If everybody suddenly went home and suddenly the help desk was flooded with calls to create accounts for remote access, how hard would it be for a threat actor to get in there and make some extra requests, and did the help desk have time to check those, validate they were real employees, etcetera? Or were they given the mandate, get everybody online quickly? That’s the type of thing.
0:22:07.1 BH: As this settles down and you come out of it, these are the types of things you wanna go back and start auditing to make sure that these things haven’t slipped through, and of course, many have absolutely realized that the new normal is what it will be… Most organizations will not suddenly say, “Okay, everybody back to the office… Let’s do it the old way.” They are going to look at this and say, Alright, how do we manage this? We’ve told people that they can’t work from home now, we’ve proven that they can, we realize we don’t need as much commercial real estate in downtown New York, we can have people work from home, so there’s no commute, they work longer hours, whatever… There’s pros and cons into all of these pieces that will now become the future of where we start to do business.
0:22:56.0 BH: That and digital transformation, for anybody who has seen or heard the term digital transformation, it results in what I call the sprawl. We have our employees working from everywhere, coffee shops, airports, home, we have applications going everywhere. When companies came in and started pushing out software as a service or services out to vendors, we saw things like your Workdays, your SuccessFactors, your Salesforces; the juggernaut was O365 from Microsoft. Anybody who’s ever run an Exchange environment knows the happy day it was when they got to get rid of managing Exchange and [0:23:34.6] ____ managing users, and then all of the other pieces like infrastructure that went out to Azure, to Amazon, to Google. It is now this global infrastructure that most organizations deal with. And the connectivity between them came from companies like [0:23:50.1] ____, like Palo Alto, like Cisco, and created good secure tunnels in between services, managed them, IDS, IPS, sandbox, all being done and everything being hinged on that unique identity.
0:24:07.0 BH: The steps into zero trust are numerous, and some of them have already been taken, as Andras has mentioned, we’ve gone through operational efficiency, which was your single sign on into two-factor, we’ve seen that happening across the board even multi-factor organizations are taking steps into that. The consumerization world is also doing it. So we see things like Twitter, Facebook, Instagram, all throwing out two factor over the air, SMS type 2FAs that your average user who wouldn’t know what 2FA meant are starting to use. And I think that’s fantastic, that’s an adoption, that’s a thing that we need to have to bring that back into corporate and get them to understand why multi-factor… Why adaptive, why continuous authentication is absolutely critical, leading to what we call the Dynamic Identity policy, and that is enabling engagement and security, if you don’t enable both, you will fail.
0:25:03.6 BH: We all know there’s insecurity: if you make it too hard, if you make it too difficult, if they are not able to use it effectively, they will find ways around it. It’s an indisputable fact. All of this is, of course, built on what we call the challenge of balancing digital transformation, which is this concept of identity, self-sovereign identity, national identity; there’s the work that’s going on in India with Aadhaar and other things that are happening in Europe. There’s a balance between privacy and all of the things that need to happen in that arena, which are currently moving extremely quickly. The business demands, they do not stop. You’ve got your customers. You’ve got your employees. You’ve got your partners. How do you engage them? How do you manage them? How do you do M&As during this time as well? How do you get users access? How do you handle legacy applications? Andras also mentioned where they’re talking about mainframes.
0:26:01.1 BH: All of that has to continue to happen because business doesn’t stop. As soon as business stops, we don’t have jobs, there’s no point in doing this. And the threat actors never cease; as long as money is to be made, they will be out there, and they are incentivized to innovate, they’re incentivized to share data amongst themselves. The attack surface has become so dramatically large because of the sprawl that identity is now the new attack surface. We always say… You probably always hear, “Users are the weakest link,” and I think that’s a horrible way to describe it. In truth, users are the most vulnerable target. And I will use myself as an example. If you put me into a finance department, I’m gonna be on a PIP in two weeks, I’m fired in three, because that is not my job, I am not good at it, and I’m absolutely not passionate about it. So to expect marketing people, sales people, retail to all be as expert about security as we are is also a failure on our side. So with that, I just wanna bring in Chris Convey and talk about strengthening… His approach to strengthening authentication. Chris, thank you very much for joining us today. Very much appreciate you being here.
0:27:08.6 Chris Convey: Thank you for having me.
0:27:11.1 BH: So as you’ve heard, Andras did a phenomenal job of laying out a very, very broad spectrum, and I tried to at least carve out a piece of it to give some focus as to what we’re gonna talk about. In speaking to you, you have said, “Identity is the new firewall.” In there, transition away from perimeter-based security, talk to me about how you and Sharp Healthcare have gone through that.
0:27:36.9 CC: Yeah, so I think we all know it’s the new firewall, it’s the new perimeter or whatever cliche we wanna use, and I think COVID really accelerated that as you talk about… Or think about the transition from on-prem legacy applications to the Cloud, you no longer have the firewall to protect you. And historically, we have this moat or this castle wall, and you could be squishy in the middle, you could be soft because we had this colossal wall that people had to get through, which of course we know isn’t always impervious. Well, that’s breaking down. And with healthcare, traditionally, we are more of a traditional type of environment as opposed to some of these other companies that have really been able to migrate to the cloud, or they were born in the cloud from the get-go, but it is absolutely changing.
0:28:28.7 CC: If we wanna stay competitive in this marketplace, we have to move to the cloud. And when you think about any health system, your mission really is to provide high quality affordable care, that’s the number one mission. It’s not security. So we have to be an enabler of that, we can’t inhibit that. And one of the things that may be a little unique about healthcare is we don’t have a lot of intellectual property, but we have a lot of medical information, and we have a lot of employees with access to that information, because that’s the way we operate as a company, you have to. And so we’re sort of in this dichotomy, when you look at HIPAA and you look at what’s happening in the industry and how we would drive more efficiencies in healthcare, people want us to share more. They want us to give more access to patient access to care, they want us to share more with other health systems and what they call interoperability, which I completely agree with, that’s the only way we’re gonna drive efficiencies and drive better care. But in the mind of a CISO, or a Chief Privacy Officer, that’s kind of a challenge. That could be a nightmare of, “Gosh, we gotta share more,” but we gotta keep it protected.
0:29:40.8 BH: Yeah.
0:29:41.6 CC: And that’s what really, really becomes difficult when you think about identity. Well, that’s why identity is the new perimeter, because now this data, it’s gotta follow the data and follow the person. And so that’s…
0:29:55.8 BH: Yeah I think… Yeah…
0:29:56.8 CC: That’s why that focus is… You have to have it.
0:30:00.9 BH: Absolutely, it’s very refreshing to hear a CISO talk about the business. And I’ve said this for years, that CISOs need to know their business because I’ve always used the pacemaker as a great example of a horrific story, because if you look at pacemakers, they did that study they saw 4000 some odd vulnerabilities in them, and when they re-did it, they found over 8000. And one of the unique ones was there’s no username and password on a pacemaker, yet all the patient’s data is attached to it, but that’s a usability feature, that’s knowing your business to say, “If I put a username and password on this to protect it and the guy’s lying flat on his back, I want that thing as open as possible, I want all my data rushing out to whoever it happens to be there can get me off my back and then we’ll talk about how to manage it later.” I think that’s fantastic that you’ve got that vision in there.
0:30:49.5 BH: So a tailored IAM vision. You said this is crucial to each organization to increase security user experience and reduce operational costs, and touching on that, the pacemaker idea, and I think with doctors, doctors want to get access to data as quickly as possible, they cannot be fumbling with codes or looking for devices to read numbers off of. Tell us about what you’ve gone through and your challenges in getting that tailored IAM vision.
0:31:16.9 CC: Yeah, and this is, I’ll bring up the topic of zero trust, and when you think about zero trust in the examples you gave, and you think about healthcare, it’s almost like they don’t seem compatible. And so it’s one of those things where you go, “It sounds like a Nirvana, but in healthcare, man.” That’s why it has to be a tailored, gradual process to get there, because we have to be very careful as we flip switches and turn knobs that we don’t inhibit again, our mission or we inhibit our ability to provide care. And so in healthcare, we have a lot of unique and complex authentication use cases and access use cases.
0:32:00.8 CC: And for example, it has to be… We have to drive toward frictionless. And what people don’t know is our ability… We’re not for-profit but we still have to pay the bills, and so growing is absolutely part of our strategy, as well as driving cost down. That’s critically important. And so, for example, the ease with which we can operate with outside physician practices or other health systems and the ability to onboard them, get them access, have them authenticate and make it secure is part of our ability to grow and perform.
0:32:35.9 CC: So as far as the tailored vision, there’s a lot of things you gotta do. What’s your inventory of applications and systems? What are your authentication use cases today, what are your authentication use cases tomorrow? Where is your company headed? You gotta know your vision. So understanding the business, hoping that your technology vision aligns with that business vision, and then that your security vision aligns with that business and technology vision. That’s why understanding the roadmap two to three, five years out is so critically important so that you’re heading down that road in the right way.
0:33:11.9 CC: One example of that is, what’s your deployment architecture for this? Are you heavily on-prem? As you buy solutions, people think, “Oh, I’ll go after the shiny fancy object that has a lot of marketing behind it but not because my… ” I know some other company did it. It’s like, “No, you gotta know what your tailored roadmap should be.” We happen to have a lot of legacy applications, we’re on-prem. Being a health system, I don’t know that we’re ever gonna get away from on-prem in my lifetime or at least in my career. Maybe someday it will but certainly, that hybrid flexible environment is something that we made part of our tailored IAM vision, and that every company has to consider. So my best advice here is, don’t let a product vendor dictate the package you go or what do they think you should solve. You have to figure that out and then make sure you pick the right solution set and of course, having the right partners to help guide you through that is really important.
0:34:20.5 BH: For sure. Absolutely, absolutely. And that concept of on-prem, whether it goes away or not, we are currently on a work-from-home where nobody goes to prem but the prem is still in there, and the on-prem is now changing. I guess, if you did surgery at home, then maybe you’d have [chuckle] a fully cloud hospital but there’s always going to be… As long as there’s a building to go to, there’ll be a premise to be on and somebody will have something there that needs to be dealt with. So I think, as we change our thoughts, as we look at this differently and… The nomenclature is incredibly important that we start either changing the definitions of some of the words we use or really clarifying them ’cause… I’m sure you’ve heard me speak before. When I say I hate the term cloud, it means nothing. It’s so out there. It’s good to really nail down what it is we’re talking about.
0:35:13.4 BH: My favorite topic, the death of password. The importance of MFA tokens in your environment and getting rid of those passwords. Was this a positive? Was there a lot of resistance to it? Was it something that was being asked for and how did you go about it?
0:35:30.6 CC: Who likes passwords? They’re such a pain. You mistype ’em. A lot of our help desk tickets is something as stupid as a password. It’s often the way that hackers are able to escalate privilege, cracking passwords, sniffing passwords on your network, phishing passwords… We can all agree it’s just a weak form of authentication and it’s a lot of overhead burden to any organization. We, by no means, have gotten rid of the password. We still have the password. At some point down the road, I agree, I think it’s gonna die at different rates for each organization but having the password and then having a token, an MFA, whether it be a YubiKey, whether it be your phone, a soft token, a hard token, this is absolutely… I think we all agree. You have to have multi-factor authentication if you’re gonna protect yourself. If you don’t, you’re either hacked or you just don’t know it that you’re hacked but either way, you’re hacked.
0:36:32.1 CC: So what becomes really important is, and it goes back to identity being the new perimeter, is proofing that individual, that identity, as you hand out those tokens because if a hacker gets through that proofing or exploit that proofing exercise, then it’s game over. They have someone who has that token. And so, really spending a lot of time and effort as you register people for MFA, to really do it in a conscious way and really prove their identity ’cause once they have it and you’re confident that they have it, then it’s easy. You can go passwordless, you have all these different variety of ways that they can use the token and it really becomes the lifeblood of you are who you say you are. And so, with the death of passwords, it becomes even more important.
0:37:27.0 CC: I don’t know if we’ll ever get to a point where it’s just one token. Maybe it’ll be a pen or something easier that we wanna use, or badge access. We use some of that for our single sign-on for doctors on clinical workstations. So it becomes a… Maybe it’s not one token, it’s multiple tokens, but that becomes the pathway in, and so making sure that you have that registration process nailed down becomes critically important.
0:37:54.0 BH: Yeah, and I think Andras has talked a little bit about the telemetry that you can get from the user, either the device that they’re using, the behavior that’s happening. I think when you start adding that on as well, is the nurse supposed to be on shift, is he supposed to be a shift manager or simply an acting nurse for a night shift ’cause you have varying levels within the organization or should they be logging into the restricted drug cabinet, those type of things, you can look at those behaviors and add those on to the multi-factor, as well as start seeing, “Is the token trying to violate its behavior?” And that way, we’re not just replacing the password with the token and creating the same problem.
0:38:33.3 CC: Yeah, that’s a really good point. I think one of the misconceptions of zero trust, at least in my mind, is that I have to authenticate and be challenged every time I touch the computer. I think, with some of the technologies out there that have really good behavioral analytics, adaptive multi-factor authentication. And so part of the architecture that we’re driving toward is how do you funnel all of those log-ins from all those various places into one centralized identity provider? That’s a really important part of our vision because the more you can do that and have one big funnel versus a bunch of funnels in different ways that people log in, the better that telemetry is gonna be. The smarter it’s gonna be as you take advantage of products out there that can do machine learning and behavioral analytics to determine… I really think the risk profile on this user is high because I saw them log into an on-prem application, then I saw them log into a cloud application, and it has that complete vision. And that’s why, that’s part of the architecture we’re choosing to go down that we really like as it becomes that firewall, you want it funneled into one central place, if possible, if you could do that.
0:39:46.8 BH: Yeah, absolutely, absolutely. Because at that point, we as security professionals like to always make things harder, longer password, more complicated, change it more often, add on, find a problem, add on, and in this case, we can actually start getting rid of stuff. So as you said, the concept of passwordless could also be that need to not challenge every time. If you’ve got multi MFA out there and you’ve got three or four different things that are being used, it doesn’t mean you have to throw them at every single application as well, because then you’re just overloading everything versus finding your risk profile for your data, finding your risk profile for your user, the combination of those two, etcetera and appropriately, authenticating.
0:40:25.6 CC: Yeah. No, I would say the adaptive piece, when we implemented it, which we did in the last year or two as you know, and the push to accept and all of these, but it’s still challenging them, was a huge hit with our physicians. It went from I gotta log in and put in a code every time, to now it doesn’t require me to use a code because we’re analyzing the behavior risk, profiling them, and it’s just a simple push, but it’s still secure because it’s being challenged. It’s not just a yes, no. A huge hit, and that was an example where we maintain security, probably increase it to some degree, and vastly increase the user experience.
0:41:03.7 BH: And bank some credibility for the next thing that you have to push out because they’ll be so happy with what you did.
0:41:07.5 CC: Exactly.
0:41:10.2 BH: You gotta give me on the next one where you’re not having to fight uphill again.
0:41:13.4 CC: They have that trust with us. Yeah.
0:41:15.8 BH: So that leads us to the roadmaps. Roadmaps are incredibly important. As you said, you have to know five years out. Tell us a little about what your vision or what your roadmap is.
0:41:27.9 CC: Yeah, I think I described it a little bit. I think the roadmap is, we want everything going. Our architecture is we want everything going through one identity provider that’s purpose-built for that, that has strong security analytics, the ability to do user identity behavioral analytics on it and risk profiling so that we can continue to provide that good user experience, but still maintain really solid security. So that’s really the vision. And it’s not only that for security, but it’s also part of the vision is being able to federate with all of these apps seamlessly, so that you talk about single sign on. The concern with that, of course, as people say, is, well, if you have single sign on, once you compromise that identity, then they can get everywhere. Yeah, there’s truth to that, but that’s why again, it becomes so critically important to manage that identity from the get-go and really prove that they are who they say they are, and then it’s seamless everywhere they go.
0:42:28.1 CC: Again, since we have on-prem, we have Legacy apps, we have Cloud apps, we needed a product or a solution to be able to be flexible enough across all of those scenarios. You know, it’s gonna take us years. The transition I think that people need to realize is, yeah, you can’t do this overnight. I think that’s, I don’t know that anybody really believes that it can be. Some companies will take longer than others, but one thing that we’ve learned is picking a solution that will evolve with you, that knows your roadmap out, that they’re willing to share their roadmap, and can you influence that roadmap? That’s really important to me because you can seek, maybe see what’s out there two to three years to take a guess, but we all know that it’s a crap shoot to some degree. Things will evolve and change, and you need partners that will evolve and change with you and be adaptive.
0:43:23.6 BH: Yeah, no, you’re obviously spot on, and I could not agree with you more because as much as I would like to think that I know everything that’s coming and never wrong, and my wife will tell you otherwise, we need our customers to tell us what’s happening in the real world. We could build products that seem functionally great to our minds. They’re the perfect security system, or the perfect this or the perfect that, but in the real world, there are challenges. There are little things. There are nuances of what happens day-to-day, and that’s where our customer feedback is incredibly important because that’s what has to drive our roadmaps as well.
0:44:03.3 BH: So first question, ’cause I like to sort of bracket this with how did it start and how did it end because these are big, big projects. So what for you triggered in your head, I need to do this, because there are a lot of people out there that are sort of looking at it, and COVID was a big eye-opener. But you’ve been at this for a while. You’ve been quite successful in your implementation over the past couple years. So just tell us what were the signs, the signals, the feelings, the thoughts that said to you, said, “Chris, get your butt in gear. Gotta get going on this identity thing,” so that way maybe the people listening will see some of those signs and signals in their organization.
0:44:44.5 CC: Yeah, well, it’s a couple of things. The only way we’re gonna be able to manage this is by having a singular vision and architecture. And so I think all of our talk about identity being the perimeter in your firewall, we were seeing the writing on the wall from a while ago that as we’re moving to the cloud, you’re losing control. So we really needed to start to think ahead of, how do we get ahead of this and how do we manage it seamlessly so that if somebody goes off and purchases some SaaS product that we don’t know about, we have a process to say, “Hey, let’s set it up and federate it, let’s get the MFA on it, let’s make sure we have… ” The longer you wait, the more you dig yourself into that hole.
0:45:29.2 CC: The other thing too is we’re just seeing a lot of help desk activity, a lot of our volume, passwords… “I got a problem with my password” or this and that, or whatever. So we knew that by moving forward with the right vision and architecture, we were gonna also reduce cost, ultimately. Automation, self-service, and then the ability to secure or consistently secure and set up a consistent authentication experience across all of our apps. We just knew, in the long run, if we’re gonna secure ourselves and we’re gonna drive costs down in a healthcare space, we’ve gotta do this. People think, “There’s a million ways you can drive cost efficiencies in healthcare and this industry are doing… ” Our part of doing it is by implementing a proper identity and access management vision with those benefits.
0:46:26.5 CC: We gotta stay competitive like any healthcare or… Sorry, any industry. You have to evolve or die. So in order to stay competitive, you think about Amazon, Berkshire Hathaway, Apple. They’re all nudging into the space and we gotta evolve with it. And I think you mentioned it, Bill, earlier, we all know this threat landscape is evolving, it’s changing. Cybersecurity is the new warfare and it’s not going away. So if we’re gonna have to do this, drive cost down, avoid breaches and grow, and provide a good frictionless user experience, IAM’s at the heart of it. It truly is at the heart of it. And our patients need comfort that their information is not gonna get breached, that it’s gonna be accessible, but it’s gonna be protected, so there’s really no way out of it. You have to do this if you’re gonna achieve those outcomes.
0:47:26.3 BH: I could not agree with you more. That is absolutely solid. Last question then, I guess. Lessons learned. Is there one or two things that you learned from this that you can give our listeners some feedback on to either watch out for so that they don’t do it? Maybe a mistake that you guys fell into or an unexpected positive.
0:47:52.6 CC: Yeah, a lot of times, with IAM in general, I think one of our biggest lessons learned is the governance over it is really truly getting buy-in as to who owns the strategy and architecture because we know well there’s pieces of IAM throughout an organization. Who manages an app, who designs roles for the app, who manages authentication, who manages federation. When you walk into this, it’s important to make sure that you get agreement across all of your IT partners and your business partners. We need to set up a governance structure that’s clear so that when decisions are made, the strategy is made, that there’s an accountable owner who’s making those decisions versus, “I don’t really like that because of this.” And there’s always a consensus and there’s partnership, you always maintain that, but making sure that that accountability structure is set up is critical because there are so many tentacles with identity and access management.
0:48:47.9 CC: Start small, manageable chunks, get some quick wins, prove yourself out, like the adaptive, the push, that was a big win, to your point, bottle a lot of political capital, then take things to the next level. Think about your use cases and how to make things frictionless and easier for your users. And oh, by the way, we can make things more secure as well.
0:49:11.2 CC: One last thing I’ll mention is, if you have an enterprise architecture organization or structure of your organization, leverage it. Ensure that your IAM vision matches with the… And I think I said this before, your IAM vision and security vision matches with your technology vision which is aligned with your business vision. That’s critical that that happens so that you don’t deviate over time as your roadmap continues down its path.
0:49:41.6 BH: Yeah, there’d be nothing worse than putting in a beautiful IAM solution that doesn’t work with any of the technology and either throw the CIO under a bus to have to rip and replace or throw yourself under the same bus.
0:49:51.7 CC: Exactly.
0:49:53.2 BH: Fantastic. I love this quote. I just wanna put it up there for everyone. Chris came up with the idea that identity is probably the most important security constant amidst an ever-changing digital world. I could not agree more. I call it the keystone in the security tunnel because everybody’s trying to get access to stuff somewhere and without that keystone, the tunnel does not stay up. So Chris, I wanna thank you. We’re gonna open this up to Q&A. We do have a question already up.
0:50:21.8 BH: So the first question we have is, “Who are the people or roles within the business the security team needs to engage and convince that the value and benefit of a zero trust approach are measurable and beneficial to the business?” Wow, that is a heck of a question. So summary, Chris, in your organization, who did you have to bribe, cajole or threaten to get them to understand that zero trust is important?
0:50:48.8 CC: It’s business operations, primarily. It’s across multiple facets. It’s clinical, physicians. And many people may not know this but in California, your physicians cannot work for the health system, so it’s a federated model. In other states, they can be employees at a health system. In California, that’s not the case, so you gotta… Who are the key users and stakeholders of the environment to achieve the business objectives of your organization, which is care? It’s doctors, clinicians, it’s the users of the… Finance, HR, certainly are a big stakeholder because when you think about identities and how you hook into those identities, it’s often through your ERP system and they are big stakeholders in governing that.
0:51:43.6 CC: So your IT partners, I mentioned this before, making sure that that’s clear as to who’s on first as far as how you implement your roadmap, who owns what pieces of the architecture. And that’s the thing, is it’s a big question because it’s really everyone because they’re all users of the system and IAM has tentacles everywhere. So it’s important to have a cross-functional governance body that’s empowered that you can go to because otherwise, you’re gonna be talking to a million people. And so, who are those decision makers that you can go to and say, “Here’s the vision. Do you buy often like an advisory committee which we have? We have an advisory committee that we bring this stuff to.” And then you can have that empowerment to move forward because you can’t… You also don’t wanna spend years trying to get decisions made. Your strategy will change by then. I hope that answers the question but…
0:52:38.1 BH: I think it does. If I were to add to it, I would recommend that someone throw on the chief risk officer or whoever is in charge of risk, chief counsel, and a data privacy person as well because from a risk perspective, they will be the ones who are very good at articulating what you’re doing into a risk understanding for the company itself.
0:53:00.2 CC: Yeah, that’s a really good point, risk privacy. As we know, security and privacy are like this and as we say, follow the data. Now it’s follow the identity. The identity is just roaming around from personal devices to work devices, to cloud, to on-prem, so ensuring that privacy is in with you lockstep because ultimately, for us, it’s a privacy issue and security is enabling privacy of someone’s medical information.
0:53:24.9 BH: For sure, for sure. Second question we have here is, in general terms, what are some of the obstacles that organizations encounter when it comes to adopting a zero trust model? Maybe Andras. Do you have any input on what you’ve seen some of the obstacles that orgs have had when it comes to adopting zero trust?
0:53:46.8 AC: Sure. Usually, it’s the application developer’s business portfolio. So with the predominant majority of commercial off-the-shelf applications, you are able to tie them into an open standards-based infrastructure, SAML, OpenID Connect or OAuth and other protocols. When it comes to the OAuth 2 in-house-developed, in-house-built applications, that’s when there’s a lot of down rev legacy systems that a company might have that you wanna work with. So this is the carrot and the stick conversation that Chris has alluded to earlier. There always needs to be some kind of a benefit for an impact at the developer organization, business application developer department, as to why they should let go of maintaining the authentication or identity access management logic in their application and that a centralized tool will take care of it. So that’s number one.
0:55:00.5 AC: Second that can be really challenging is when you have a large ecosystem of non-employee workforce numbers serving customers and you wanna share data across those populations in a zero trust manner. That can be really, really very difficult. You cannot really necessarily count on equally equipped folks out there. Everybody’s gonna have different levels of maturities, as well as tooling. So these are probably the biggest obstacles that we see here.
0:55:34.6 BH: Fantastic, thank you. Yeah, I think the whole concept as well of just articulating what zero trust means. The words themselves come out as, “I don’t trust anyone in my organization.” Truth is, that’s what we’re doing but we wanna be conscious of not insulting, not pushing down this world. It’s simply making sure that they understand that we are always going to be validated, we’re always gonna be vetting, making sure that people are safe and secure throughout the whole process. So Chris, anything you’d like to add to that?
0:56:07.1 CC: No, no. Yeah, I agree, the term is polarizing, right?
0:56:14.5 BH: It’s tough to understand. It’s a tough one.
0:56:16.1 CC: Yeah, I would just say, and I think I’ve said, is just take it slow. You had it on your slides. It’s a gradual transition. Think about your business, think about your objectives, never lose sight of that and don’t take just a security mindset, you gotta take a business mindset to this whole approach. It’s not binary, it’s all gray, so you gotta learn to navigate the gray.
0:56:39.5 AC: There’s definitely a big spectrum between totally zero trust, which I’ve heard some customers of ours determine as “We are securing ourselves out of business” versus the wide open thing. So you can think of it as least privilege. That’s another term you can think about. How can we enable someone to do their job while we minimize the threat surface and basically, provide the user with only the privileges they need to do their job, that’s there?
0:57:17.5 BH: Basically a risk reduction at all times. Guys, I wanna thank you so much for joining us. It’s been a privilege to hear, Andras, your thoughts, and Chris, your experience. I hope our audience has also heard it. We will be wrapping this up. The webinar will be available afterwards for download, if anyone is interested. If you’re interested in more information around SecureAuth, what we do, how we do it, partnering with us and being able to implement adaptive authentication, multi-factor authentication, true passwordless, you can go to the website at www.secureauth.com. And with that, I would like to say thank you to all of our attendees for taking time out of their day and spending it with us. Thank you very much.