
Securing Your Identity, Secure In Your Identity

BSides Tirana | 32:04 | 139 views | Published 2024-10

I'm really honored to be here at BSides Tirana. I've been to many conferences around the world, but this is my first time as a keynote speaker, and so I'm really honored for the opportunity to share something a little different than what I normally do in these conferences. So the presentation title is "Securing Your Identity, Secure in Your Identity," and we'll explain what that means.

Normally these presentations start with an introduction, like: who am I, why should you maybe listen to me, why should you not listen to me? And when you say "who are you," there are many ways you can answer that question. Usually in society we answer with "my name is unem," or maybe where am I from (you can hear it in my accent, right), or maybe it's my job title (does that communicate what I know in a way that maybe you would listen), or maybe which university did I go to. These are all kinds of credentials and things that we use to describe ourselves, but sometimes it actually separates people, because what if you didn't go to university, or what if our football teams hate each other? Are we actually separating ourselves more than coming together? So I'm going to do this presentation a little different: I'm going to save the "who am I" for the end of the presentation, although I will start just with at least the name, so there's at least a little something there. My name is Daniel Bohannon, and throughout this talk you'll learn a little more about me, and I hope that we'll all learn about ourselves and our community in the process.

So I'm going to be talking about what it means to secure your identity, and I'm going to use the context of cloud security, because for the last two years, for me, that's been this whole new world that I've been learning and researching and studying. So I want to share some of the findings of how identity works in cloud environments, and then we're going to move on to what it means to be secure in your own identity. We're going to take those concepts from cloud and see what we can learn about our own identity, and ultimately how that affects who we are, what we do, and really everything in life. And once we cover all those topics, I will finally end with the "who am I," not in the context of my title or my vocation, but of my identity.

So in the world of security, identity is important. You can't secure what you don't know. So if you're doing an investigation, if you're hardening an environment, you're looking at activity, but really you need to know the identity: what's the who behind the what? And technically speaking, there are many ways we try to do this. Sometimes the identity is a username; sometimes it's a little different, maybe an IP address, a fully qualified domain name, a file name, etc. But you know what? Attackers are really good at adding a layer of abstraction, so you actually don't know the real file name, or you don't know the real username (maybe it's compromised credentials), or an IP address is hidden behind a Tor network and you can't actually see the home IP address of the user. So as a good security person, we have to understand all the depths to actually get to the truth.

When it comes to identity in cloud, or identity in any aspect, we have this acronym IAM: identity and access management. And if anyone here has had any kind of security interview, you've probably been asked a question like, "Can you explain the difference between authentication and authorization?" So at the fundamental level you look at the base words here. Authentication has the word "authentic" in it. You're saying that your name is Daniel, but are you really Daniel? So I can walk into a university here and say my name is Daniel, here's my driver's license, here's my passport, and I can authenticate myself: it's really me. But I might not have any authorization to do anything in that place. Yes, you're Daniel, but you

don't have any reason to be here, or you don't have any access to do something else. So what are you authorized to do? So with this as the initial stage, let's look at how authentication and authorization play out in a cloud environment, and I'm going to use AWS as an example here so we have some real terms to use.

So let's say we have a user; let's call her Dua. What can she do in a cloud environment? Well, in AWS we have these concepts called policies, and policies are these JSON files that say: here are the permissions, here are the actions or privileges that this user can use. Those policies can be already predefined by AWS, or we can write our own policies, but ultimately you have to somehow attach the permissions from those policies to the identity, or to the user. So for Dua we can actually give her what's called an inline policy; that's one way of doing it. We take a copy of a policy and assign it directly to her user.

Next, what we can do is use what are called groups. Groups are a collection of individuals who are members of that group, and each group can then be assigned policies. It can reference a managed policy, it can reference multiple managed policies. You can call these groups anything you want, whatever helps you remember what kind of permissions you are giving the group. And similar to the user, you could also assign an inline policy to the group, so that copy of the policy is now part of that group and rides around with it wherever you go. Now a user has to be added to the group, so once Dua is added to these two groups she is now inheriting all of the access that was granted to these different groups, in addition to the access she already has herself. So access management is getting a little more complicated, because there are many steps and layers to evaluate what she can actually do.

Next we have a concept in AWS called roles. Now, roles initially I kind of thought sounded like another kind of group, but AWS actually defines a role as its own identity, just like Dua as a user, and here's why. A role also is going to reference different managed policies directly; it could even have an inline policy as well, so we can have a copy. But what's interesting to note here, if you look, there are some small red numbers here that are showing the number of unique permissions that the user has, each group has, each role has, each policy has. So if we were to stop here and say, how many permissions does Dua actually have, we would have to look at what she has directly as a user and then what all the permissions are that she has associated with all the groups in which she's a member. So in this case she has 995 unique permissions.

Well, what if she wanted to assume that 2024 audit role? This is the actual terminology that AWS uses: it's "assume role." Now when this happens, Dua no longer has all these permissions. Think of it as taking a coat or a uniform: she has now assumed the role of 2024 audit, and she has all the permissions that role has, but she's actually left behind any of the other permissions she had before. So temporarily she is not Dua; she is 2024 audit. Now this can give you more access, it can give you less access, but it's a really important distinction that when you assume that role you're changing the abilities of what you can do; in this case, with only 123.

Lastly there's a concept of service control policy, or SCP. Now these are written very similar to a policy, but they actually do the complete opposite. An SCP does not give you any permissions; it defines what is the maximum possible permission that somebody can have. So it's a way of controlling, for every user, every group, every role, what's the maximum you can do. Make sense?

All right, so that was just looking at identity in AWS, in cloud, as an example. How do most organizations

even log into that in the first place? How does Dua even get started with wanting to do something in AWS? Well, most organizations will use what's called an identity provider, or an IdP, and again I'll use a specific example; I'll use one called Okta. So in Okta you authenticate to Okta; it has its own set of authorizations saying which applications you are allowed to access, like AWS. And then if I click on AWS, it will initiate a single sign-on, a SAML transaction, so that I can then start acting as Dua in the AWS environment, like we just looked at in the previous slides.

So how do you log into the identity provider? This is what looks a little more familiar: you have a username and a password. So, Dua perm. If my password is correct, I'm now prompted for a multi-factor authentication. I enter that code, stuff happens in the background, and if everything works out and I gave the correct code, now I'm authenticated and I can log in.

So what are just general best practices that we can implement for securing your identity at this level? Well, in every integration, like AWS or Azure, M365, the concept of least privileged access is always a good thing to do. It's not easy, it's easier to say than to do, but making sure that users don't have more permissions than what they need or what they're using. In terms of IdPs in general, using strong passwords. So again, if people are not using password managers, if that's not something that is actively promoted in your organization, it is a tremendously valuable thing to do, to ensure that password reuse is not happening and that you can use really strong passwords. Multi-factor authentication, again being something you have, something you are, something you know, is tremendously important in improving your security posture. A very talented attacker can find a way to trick you into giving them that, but it's forcing them to really pinpoint you as an individual organization, as opposed to large-scale attacks. And then when you have identity providers, there are also sometimes capabilities like conditional access, saying you're only allowed to log in from different places. So these are just a couple of the concepts that are helpful to think about.

So let's zoom out real quick. I log into an IdP; it is authenticating who I am. From there I can use that authorization to go into an environment like AWS, and this defines what I can do. But now I actually have to do some stuff, and this is where the activity comes in. And so these are all happening in different places, so if you're only looking at the activity, you might not actually know the identity that's doing it. And so as a researcher, this is the kind of problem that we set out to solve: to understand the who behind the what in everything that we're doing. So this is setting the stage for what is a practical example of how identity works in an enterprise, in a cloud environment.

So now let's focus on what it means to be secure in your identity. How does this actually get real and personal? How does this affect our day-to-day lives, not just in the IT world, but in really everything that we're doing? So I first just want to say: we are called human beings, not human doings. Who we are is more important than what we do. I like to clarify this is not a call for us to be lazy, but it's recognizing

that our value to our family, our friends, our society is not about the things we do; it's about who we are. Because the things we do don't define us. It might define our reputation or people's perception of us, but if we know who we are, in our identity, then that should actively inform and guide what we do. So there's a really important connection here, but I think as a society (I can definitely speak for myself, in the West, in the US) we focus really heavily on what people do, and we give more importance to the person that says "here's my title" or "my vocation," without actually taking the time to get to know who you are and what your identity is, and seeing how that informs what you do.

So what is identity? Even if you were to look up definitions: identity is the perception of yourself based on images and experiences in the past. These can be good, these can be bad; the terms I'm going to use are "true" and "false," because the problem is the way we perceive ourselves might not actually be true, and sometimes the truth about ourselves might not be anything that we're perceiving about ourselves. So if identity is informing action, and we don't even know who we are, or we think we're something completely different, then our entire lives might be guided by decisions from an incorrect starting point. So I'm going to use the terms true identity and false identity as we go forward to kind of highlight these differences.

So let's think back on this example of AWS, and I've changed some of the words here. Dua, she can be part of many different groups. Maybe she's a part of a group called "perfect students": she scores all tens, everyone's told her her whole life, "You're an amazing student, you're brilliant, you're great, do everything you can." That could be a really good motivation for some people; that can be the heaviest burden to somebody else, because they feel like "if I get a nine I'm going to let my entire family down," or "I don't even know who I am if I'm not making tens." Other people might be in a different scenario: maybe they failed out of university, maybe they never went to university at all. Are they less valuable members of society? No, but sometimes we treat people that way, because we have different values based on what you can produce, how much money you can earn, how many people you can influence on social media. These are not inherently bad things, but if we place more value on the doing than the being, then we're getting things backwards.

When it comes to roles, we can also look at this incorrectly as well. Maybe my role is: I'm an overachiever, I have to go speak at that conference, I have to start something new. Those can all be good things, but if we're doing those things to earn some identity, then we have it backwards. If we start with our identity and our identity guides us to do those things, that's a completely different way of looking at it.

And lastly, in the concept of service control policy, remember this is that thing that's written like a policy but it's actually the limitations. It's saying no matter how hard you try to give yourself authorization to do things, you'll never be able to do these things; this is a ceiling. "You'll never be able to travel to that country because you're not in the EU." "You'll never be able to do that because you don't have visa liberalization." These are real problems, and I really don't mean to sound like they're small, because they're not small. They are real challenges that I know you have to deal with, and I'll never fully understand it. But it's so profound to see ways to still make those things happen if your identity is leading you in that direction, and opportunities can happen. But if we stop there, then who knows what opportunities we're letting go by.

So before we really look internally more at what true and false identity looks like: if you look at psychology, even if you look at economics, there are

actually two worldviews, two ways that you can see the world. And the word "worldview" is actually used in different ways, often incorrectly, but think about it like this: a worldview is like a pair of glasses, and it's the only way you've seen the world, so you don't even know that you have those glasses. It's one colored view; that's the only way you know to see the world.

So the first worldview is what's called the separation worldview. The separation worldview is based in the concept of scarcity: there's not enough. There's not enough time, there's not enough money, I'm worried if there's going to be enough coffee out there, I've got to go get my cup first. This is a selfish motivation that's so common in our culture; again, I'm speaking for myself, and maybe there's some truth here in your own culture, but I'll leave that to you to decide. When there's a scarcity mindset, it also means you have to be certain about whatever you do; you can't risk messing up. Like, what if I don't take that job? Maybe I'll never get the next job, maybe my whole life will be ruined. That also leads to perfection: if I get that job I have to be perfect, just like I had to get tens as a student; I have to impress my manager, I have to get that promotion. Me, me, me. And if I'm fearful that there's only one promotion, I'm not helping my teammates with their projects, because they're going to compete with me. It's all about self-protecting, self-promoting, how can I help myself. Now there's a place for advocating and showing the work that you do, but I would argue that there's a way to do that in a way that helps other people as well.

And that leads to the second worldview, which is the connection worldview. And if you look at the way that nature operates, it's actually much more in line with this. Instead of a concept of scarcity, there's a concept of abundance: there is enough. There's enough coffee and chai for everyone. There might only be two internships today; there will be more, and I will be happy for my friend if they get that internship and I don't, or if they get accepted to that conference and I don't, because I know that if I'm helping them, they'll also be helping me, and together we will improve together. This connection worldview also removes the mindset of having to be certain about everything. As humans we think we like certainty. Like, I want to know which university I'm going to go to, which major I'm going to study, which job I'm going to get, who I'm going to marry, which city I'm going to live in. As humans we want to feel like we're going in a certain direction, but actually, if we knew the ending to every movie, we wouldn't keep watching these movies or shows. As humans we really like the idea of mystery, of wondering what's going to happen next, how do I finish this story. As long as we feel like there is guidance and it's going somewhere that is good, we really do embrace the idea of mystery. That also allows us to embrace the idea of fallibility. Remember, in the separation worldview we have to focus on being perfect: if we get this job we have to be perfect, we can't make mistakes. But fallibility says it's okay to make a mistake. If I fail at this presentation right now, I can choose to do two things. I can say, one, maybe I had too much coffee today, or maybe I used examples that didn't make sense, and I can improve myself and try again later and ask for help and input. Or I could say, if I fail at this presentation, I'm a failure, I will never present again. And when I look at my own life, there are examples of situations, even in public speaking, where I failed hard and I spent the next 20 years running away from the concept of public speaking, because I made it a part of my false identity because of something that happened to me. And lastly, for the connection worldview, I mentioned it's focused on others. It's not saying you ignore yourself, but if you focus on helping others succeed, then that's how we all rise together.

So if I were to define this in two simple words, I would say fear and love. That might sound kind of strange, but love being an outward focus on others and not just self-interest, and fear really describing what drives decision-making in this worldview. Now what's really interesting to me is that if you study psychology and biology, as humans we are only born with two innate fears: that is the fear of loud noises and the fear of falling. Every other fear that we deal with as humans is learned; it's taught, knowingly or unknowingly. We have received those fears, and it now is

informing what we do. Now this is actually not a bad thing; fear is a good emotion. If I hear a horn honking, I know if I don't get out of this Tonto Street I'm going to get hit by a car. It's protecting me. But you know what, like for me, if I hear a dog barking I get excited, because I grew up with dogs, I love dogs. If someone was bitten as a child by a dog, that is the scariest sound they can possibly hear. Even if they know that I'm playing the sound of a dog barking on a phone, their body is still going to react, because that's the protection mechanism, because they have learned early on that that means danger.

So let's look internally again. If I'm thinking "I'm stupid," "I suck at public speaking," "I'm a failure," the exercise here is: when did I first start thinking that? Like, again, if a dog barking scares me, when did that first happen? Is there something in my past that leads me to think this way? Maybe as a student Dua was 7 years old in a math class, and the teacher was about to teach something new and gives a problem and says, "Does anyone know the answer?" And she raises her hand and gives the answer, and you know what, it was wrong. And the teacher can say, "Hmm, you were never intended to know math." And you know what she could do? She could think she sucks at math, and she might let that define everything she does in her future, ignoring the possibility of studying math or computer engineering or computer science. Was the teacher trying to divert her entire future? I don't think so. Maybe that teacher had the same thing happen to them; maybe they had pressure on them from their parents that we could never even imagine. We all carry our own pain and trauma, and we all have a shared history in many ways. So how can we help break some of those cycles, for ourselves, for the next generation, and show them that, no, you don't suck at math; don't walk away thinking "I'm a failure, I'm a disappointment, I'm not smart." And we have to ask ourselves if those things are true. If we can look back and see in life that was not true, then we can ask ourselves what was true in that situation. Dua was brave. No other students raised their hand. The teacher hadn't even taught the math lesson yet, and she had an idea, she tried it, it was wrong, but she didn't say "I'm a failure." If the teacher had not done that to her, she would have learned how to be correct in that math problem. But she was brave, she was a pioneer. What if those were the takeaways from that moment in life, and she carried that identity, that true identity, with her? What things would she be doing in the world? Singing? What else could she be doing? Yeah, making art: making art with a paintbrush, making art with music, making art with code. What's there that has been killed because of something that happened early on in life?

And as a society we're so driven with social media and with busyness that how often do we actually stop to ask ourselves: what are the negative emotions I deal with on a daily basis? Disappointment, failure. When did I first start learning that? Is there something in my life that I started believing when I was a kid or when I was a student that is dictating my decisions, and if so, how can I change that? I would argue that the doors in life that we don't go through are those that are labeled with these fears. Again, for me, that door is public speaking. I wouldn't open that door. I literally chose my university major on the fact that public speaking was not a required course, and for years I didn't go through that door, because as a kid once I tried it (twice, actually) and it was not good. My voice cracked, I literally couldn't even pronounce my name, the most embarrassing thing I could imagine. But you know what, 10 years ago I went

through this process. And here's where I'd say again: we all come from different places, but we all do have some things in common. And so this whole talk is about identity, so I've tried to be really open and really vulnerable, and so in this slide I want to share just a little bit more. And I would say that for me, in my identity as a spiritual person, I think identity doesn't have to be separated from our deep core beliefs. So for me, I believe in God, and I believe God created people to be creative. That's how I view my role as a researcher, as someone that writes code, as someone that manages people. And so if you're here, whether you call it God or love or anything like that, I just want you to pause for a second and think: if I'm created, then what are the things I'm believing wrong? Would God call me a failure or a disappointment? And if not, I want to reject that and say this is not true; I recognize now this is not true. What do you say about me? What's my identity? If Dua's identity is brave pioneer, what's my identity? And when we start to hear the truth of who we are, it allows us to open that door, and chances are what's on the other side of that door is the greatest thing you could possibly be doing. But you could have so easily spent your whole life never opening that door because of the fears that prevented you from opening it. So you have to reject the false in order to receive the true.

So who am I? You know my name; my name is Daniel. You know a little more about my vocation: I'm a researcher, I work at a company called Permiso. And my identity, when I've gone through this exercise, the name that I'm called is "developer." Now this is not just an IT developer; the word is so much bigger than that and deeper than that, and it's what has driven me to learn what my identity is and how I nurture this identity in all the things that I do. Think about a developer in a city. They see a piece of land; maybe it's empty, maybe there's crime there, maybe it's the worst place, no one goes to that part of town. A good developer can use that identity and say, "I can see the opportunity for a building, or for a park, or for a school, or something good for the community." They can see something that's not there and help other people to see it as well. The developer doesn't build it; builders build it. The developer doesn't even design it. The developer sees it and encourages others to see it, and instills that faith and confidence to help them do something the developer could never do, but they all play a role. Someone who knows their identity as a developer can also do terrible things: they can launder money with that, they can do things that are beneficial for them and not good for the community. And so whether people are doing really good things or really bad things in the world, they probably know their identity and are walking in it, but you still have to make sure that you're choosing it in a way that is helping others, to be that others-focused.

And so to end this presentation: when I heard this, and I heard and received this identity as developer, it was hard for me to really accept, because it's not something I would call myself. It's really easy for me to call myself a failure, or not good at public speaking, or stupid, or not good enough, or not pretty enough, or maybe not born in the right place, or only able to speak one language as an American, right? Like, I tell myself these things, like "ah yeah, we suck at languages." But you know what, maybe I'm really good at languages, and maybe I should stop telling myself I suck at it, and maybe I should stop these things that aren't true but that I'm just saying out of rote memory. So when I heard this word "developer," it was hard for me to accept, because it took, I don't know, it took faith. Like, really, developer? And as I started to talk to other people, they're like, "Yeah, I could see that you are." And then I started to look back at my life and realize, you know what, I have been a developer my whole life. Identity is not something you just choose and make yourself; it's who you were created to be from the very beginning. But life happened, and those fears and all those concerns started to cover up who you really are. But when you take those fears away and then look at what's been there all along, now that can start to inform who you are. As a kid I would have ideas

of things to build with Legos, and then I would develop them, and it made me so happy. As a musician I would have ideas for songs that have never been heard before, using instruments that people don't know, and when you create it and share it with the world, or maybe just share it with close people around you, it's being creative; I'm being a developer. When I got into my profession and I started doing research, writing code, writing weird code, it made me so happy, and to be able to share it with the world, and to ultimately have opportunities like this to travel around the world and learn about different cultures and peoples, and opportunities to help and say, "I see something in you, like there's a spark there. If you don't see it, if no one's ever told you this, I see it, I acknowledge it. Build it, let it guide your actions, because you're not defined by what you do; you're defined by who you are."

And six years ago that led me here to Albania and Kosovo, and ultimately meeting people, speaking at hackerspaces and universities, and starting some online communities called grassroot, and then locals started the in-person communities to meet. And as I look back, I see all these elements of being a developer: looking at BSides Tirana, BSides Pristina, these conferences the world knows about, and people are learning who Albanians are through these venues and through the skills that you've had all along, being able to present our workshops. As an American, being able to present at a workshop that my own embassy helped fund was one of the most profound honors of my life, and some of those people are my colleagues now. Moving into a role professionally at a company that values people, and that values giving opportunities and giving the ability for people to go further than they thought maybe they could, and starting with a team of three interns, then four interns, and then some full-time people and then more full-time people, and at this point being able to come here this week and spend time for the first time with the entire team of people from Albania and Kosovo has been my tremendous honor. And to my team: we have a lot of fun together, it's not all serious, but I just want to say thank you for the journey we've been on together. And what's really cool is to see that when you work hard together, you can go places you never thought you could go, with being able to speak on some of the biggest stages in the world, at conferences that everyone knows about, but where the conference doesn't even know: where's Kosovo, where's Albania? Let's add that country to your drop-down list so we can authentically say who we are, where we came from, and what we're doing, and the world will take notice of the talent that's here. And lastly, when I see my team doing those things with me, and then going and doing it on their own, doing it with others, inviting them into something that another person thought they could never do, but now you have the confidence to know it's possible and to know a way to do it. And so I would say to my team that's in the room here: I'm so impressed and excited about what you've done, but I'm most proud of who you are, because that's way more important than anything you'll ever do. Even though I celebrate your success, I celebrate your failings, because ultimately that is you learning how to improve and to continue on, and I'm so excited about where we're going to be one year from now and seeing all the accomplishments that you've done individually, as a team, and the ways that you're giving back to your community.

So the very last slide, I just want to remind everyone here: who you are is so much more important than what you do. Your actions are important, but they should be informed and guided by who you are. So when you fail, you're not a failure; you just learned one way that didn't work. Exchanging the false identity for the true is the only way to really understand who you are in a way that allows you to be your authentic self. Fear versus love: is there actually enough? Do we really believe that? A lot of days I don't believe that, and it's important for me to say I don't believe there's enough. I intellectually know it's true, but my feeling is that there's not enough. But if we're kind to others and help others, there is enough. And lastly, knowing and walking in your true identity, opening that door that you never thought you'd go through, is your greatest gift to the world: first to your family, your friends, your village, your city, your country, your people, everybody. I really appreciate this opportunity. I want to just put in my contact information here, but I will be around all day today, and I really would love to say hello to anyone that's interested in talking, or teaching me a few more Albanian words. But shumë faleminderit (thank you very much), Rio Paulina, thank you so much, thank you.
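The AWS permission layering the speaker walks through earlier in the talk (a user's inline policy, groups carrying managed and inline policies, assume-role replacing rather than adding permissions, and an SCP acting only as a ceiling), as an added Python model that is not part of the talk or of any AWS tooling. Dua, the group, policy and action names are constructed sample data, and policies are simplified to allow-lists of action strings.

```python
"""
Toy model of the AWS identity layering described in the talk: inline
policies, groups, managed policies, assumed roles and service control
policies (SCPs). Added example, not the speaker's code; every principal,
policy and action name is constructed sample data. Policies are plain
allow-lists of action strings, a simplification of real IAM JSON (which
also has Deny, resources and conditions).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    name: str
    actions: frozenset[str]  # e.g. {"s3:GetObject", "ec2:Describe*"}

@dataclass
class Group:
    name: str
    managed: list[Policy] = field(default_factory=list)
    inline: list[Policy] = field(default_factory=list)

@dataclass
class Role:
    name: str
    managed: list[Policy] = field(default_factory=list)
    inline: list[Policy] = field(default_factory=list)

@dataclass
class User:
    name: str
    inline: list[Policy] = field(default_factory=list)
    groups: list[Group] = field(default_factory=list)


def _union(policies) -> frozenset[str]:
    out: set[str] = set()
    for p in policies:
        out |= p.actions
    return frozenset(out)

def user_permissions(user: User) -> frozenset[str]:
    """Everything the user holds as herself: her own inline policy plus
    every policy (managed or inline) of every group she belongs to."""
    allowed = set(_union(user.inline))
    for g in user.groups:
        allowed |= _union(g.managed) | _union(g.inline)
    return frozenset(allowed)

def role_permissions(role: Role) -> frozenset[str]:
    """Assuming a role REPLACES the caller's permissions instead of adding
    to them, so only the role's own policies count."""
    return _union(role.managed) | _union(role.inline)

def apply_scp(allowed: frozenset[str], ceiling: frozenset[str]) -> frozenset[str]:
    """An SCP grants nothing; it is the ceiling. Keep only the actions that
    some ceiling pattern also covers (a granted pattern broader than the
    ceiling is dropped here rather than narrowed, another simplification)."""
    return frozenset(a for a in allowed if any(fnmatchcase(a, p) for p in ceiling))

def is_allowed(action: str, effective: frozenset[str]) -> bool:
    """Granted patterns may carry wildcards, so match instead of lookup."""
    return any(fnmatchcase(action, p) for p in effective)


# Constructed sample data standing in for the slide's Dua, groups, role and SCP.
READONLY = Policy("ReadOnly", frozenset({"s3:GetObject", "s3:ListBucket", "ec2:Describe*"}))
DEPLOY = Policy("Deploy", frozenset({"ec2:RunInstances", "ec2:TerminateInstances", "s3:PutObject"}))
BILLING = Policy("Billing", frozenset({"aws-portal:ViewBilling"}))
AUDIT_ONLY = Policy("AuditOnly", frozenset({"cloudtrail:LookupEvents", "s3:ListBucket"}))

DUA = User(
    "dua",
    inline=[Policy("dua-inline", frozenset({"iam:ChangePassword"}))],
    groups=[Group("developers", managed=[READONLY, DEPLOY]),
            Group("finance-viewers", inline=[BILLING])],
)
AUDIT_2024 = Role("2024-audit", managed=[AUDIT_ONLY])
# Organisation ceiling: no billing and no instance termination, whatever a policy says.
SCP_CEILING = frozenset({"s3:*", "ec2:Describe*", "ec2:RunInstances", "iam:*", "cloudtrail:*"})


def dua_as_herself() -> frozenset[str]:
    """Dua's effective permissions while acting as her own user."""
    return apply_scp(user_permissions(DUA), SCP_CEILING)

def dua_as_audit_role() -> frozenset[str]:
    """Dua's effective permissions after assuming the audit role: the
    user and group grants are left behind, only the role's remain."""
    return apply_scp(role_permissions(AUDIT_2024), SCP_CEILING)


if __name__ == "__main__":
    for label, eff in (("as herself", dua_as_herself()), ("after assume-role", dua_as_audit_role())):
        print(f"{label}: {len(eff)} unique permissions -> {sorted(eff)}")
```

The counts printed play the part of the small red "unique permissions" numbers on the slide; note that the two actions the SCP ceiling excludes disappear even though a group policy grants them.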