
...thing between us and lunch here, so hopefully I'll make it interesting. Identity and security: it's time for a hug. As I go through this I may sound a bit like an old man complaining about things, but there's a purpose behind it.

A bit about that old man: I'm Eric Woodruff. I work for a company, Semperis, in our product group as a product technical specialist. We do identity threat detection and response, things around AD and Azure AD, or Entra. That's not why I'm here, though. This is really observation from having been in the industry for a couple-plus decades working in the identity space, security space, whatnot. Microsoft Security MVP; social media handles are there as well, feel free to reach out. Picture: I love the outdoors. I'm from New York. I was actually in Seattle earlier this week and then flew last night to Calgary and got to my hotel at about 2 a.m., so this might be the jet-lag tired edition, but hopefully we'll still make it interesting enough for folks. I'm actually very excited to be here. Living in the northern parts of New York, I've always secretly wanted to be Canadian. On hockey: since my dad passed I haven't really followed it that much, but I'm also a Rangers fan, which... there's probably not much there to follow these days.

All right, so as we get into things, we have a question here: where does identity sit in your organization? Not going to do hands. If we look at a lot of orgs out there, trying to understand where identity sits, the ownership of it, from the technology, the processes, procedures, people, all that: where does it sit? Is it in security? Has the organization's security, however that may look, already embraced Active Directory, Okta, AWS identity, whatever your organization owns? Or is it in infrastructure, which is where historically it's kind of evolved from: Windows Server, and if you go way back, NetWare, eDirectory, all these things, which would typically be the people that owned all the servers in the organization. Or it might be in client management, so your end-user devices, the people that are doling out laptops, workstations, all that good stuff, phones. Sometimes client management may own identity, or you may have split ownership. I worked in public sector for 15 years and we actually had a scenario where security was driving policy and Active Directory was co-owned and maintained, unfortunately, between client management and infrastructure groups, and it made for quite a mess from a policy and infighting perspective. Some organizations don't know, or it might be someplace else. Hopefully by the end we'll see why everyone should be answering that, if it's not in security, that it should go there.

Lots of security conferences you go to, you may see "identity is the new perimeter," "identity is the new security perimeter." Marketing loves this stuff, but also it is the truth. Here's a bunch of news articles that I picked up, just a smattering, of how identity is the new perimeter, and it's the year 2023. Well, in 2013, so a decade ago, we're asking "is identity the new perimeter?", and six months earlier we've already said identity is the new perimeter, in 2012. So calling it the new perimeter... happy 11th birthday, "identity is the new perimeter." It isn't the new perimeter, and we need to stop treating it like it's the new perimeter. It is the perimeter.

When we say perimeter, what are we talking about here? In our picture we have our walled garden, which would be our firewalls. Go back a decade plus, and historically you'd have your DMZ and then your internal networks, and sometimes in those you'd have other firewalls surrounding things. When I was in public sector, for example, our security folks wanted to put a firewall around Active Directory. We're like, well, we have 20,000 devices and users that need to talk to it every day, and if anyone's familiar with how AD works, you need a smattering of ports, so it's kind of pointless to really protect it any more than where it already is. But we would have these rings of firewalls protecting everything, and then we might have Exchange or a BES server or something for BlackBerries, with little holes into things, but generally that walled garden was a thing that protected everything.

On my flight to Seattle (this isn't a picture from that), here we've got secret real-time PII data, where they want BYOD. They want to use their personal devices. Executives, who are targets, are the worst, in that they don't want to be bothered by using company devices. You can go on any flight and find someone doing some sort of work. I had this guy with some financial spreadsheet open sitting next to me, and part of me wants to shame them, but I'm like, ah, too tired. But this is what it's like: it's everywhere. And then there's me (I mean, that's not me), but on your flight, wherever you are, whether it's actually in person or whether it's virtual, the threat actor is right there. We don't have firewalls around any of this stuff, and we've got vendors and contractors and work from home and all these things going on. That's why identity is the new perimeter, or identity is the perimeter, not the new perimeter.

So I have a couple of silos here. You can pick one: one could be security, one can be identity, which usually exists within infrastructure. Some fancy animation here: we really need these things to come together, because in too many organizations it is not security that owns the identity program, and the identity architects and engineers and analysts and the whole identity team. It's not just setting the policy; those people need to work within the infosec team, the cybersecurity team, whatever that may be at your organization. I'm not suggesting that you force a bunch of people who don't like identity to do identity work; it's moving folks over there. I'm biased because I'm an identity person, but when we talk about information security, here's meme time: when you look at identity in this, this is what it really looks like. Because if you think of all of our end users, and all of us, every day, everything that we access, everything that we do, identity is the only real security system that everyone has to interact with all the time. People authenticating, whether they know it or not. Sure, we have our mail systems, or maybe we even report phishing email and all that stuff, but authentication, authorization, these systems are the things that our end users have to interact with all the time. But if you look at pretty much any talk at conferences, big, small, keynotes, there's always some piece... this morning there was one talking about Server 2003, but generally speaking it was kind of easy stuff. I mean, there were some identity complexities, but we had our walled garden. Create users in AD, maybe you delete them when they're fired or they retire, quit, or whatnot, but you're not really that worried, for the most part, about the accounts. It was generally simple, because you only had to worry about people logging into workstations. Authorization and access control was not really as complex as it is today, which is... this is what it feels like to really work in identity, and we're going to break this down a bit.

So here's Melissa, and Melissa is going to be our identity architect for these examples. When you're working in identity there's all these things that you need to know, and not just at the surface, if you want to be competent in identity as a practitioner in whatever it is that your organization does. So if we look at a consumer identity example: I built these stories around actual projects. I was a consultant for a while, and I had this one that was rolling out a consumer, customer identity and access management solution. It was Azure AD B2C, and we had to learn secure DevOps. We had repos, and we're version-controlling things, and we have pipelines, and ultimately we have a dev, test, staging, production environment for identity. Now, the company was a heavy machinery company that likes the color yellow, and their name is three letters, and they have a global presence. When you're talking about millions of accounts for customers and partners and vendors and all this stuff, it's not turning knobs and dials and just hoping you don't mess stuff up.

Then you get into regulations. Actually, on this project we found out that in certain countries, if you send an SMS text, even if it's for something like MFA, if the end user believes that it's spam, your organization can actually get in trouble for this sort of stuff. So there's a lot of regulations when you're working in identity, and we're all global companies these days, or a lot of companies are, that you need to be aware of. Privacy: we'll talk about something like GDPR. It's going to be the identity person's problem to figure out, if you get that GDPR request saying "delete my identity from your systems and I want to not exist," how to make that stuff happen. And if you do not adhere to GDPR regulations, your company's going to be in some hot water.

Interestingly, user experience. Now, as an identity person, I wouldn't say I actually enjoy understanding the user experience, but if you're in retail and you sell stuff, you have shopping carts online, and a big problem there is abandoned shopping carts because your authentication process sucks. Whether I can't set my password because your auth process sucks, or I can't do self-service password reset because it sucks, well, I'll just go look somewhere else to buy the same thing for the same price. This is something that isn't really a typical security function, but businesses exist to make money, and we work for businesses to make money. I don't think anyone, for the most part, works altruistically. So if we have all those abandoned shopping carts, we make less money, we do less good, and we might have fewer jobs. That user experience is a real thing, and it's not just in the consumer space; it's the same with workforce identity. That's when you get into shadow IT problems, where people don't like how you handle authentication at work, so they'll just try to go around you.

Societal factors also come into play here when we're talking about consumer identity systems, because in some countries people might perhaps not have access to a smartphone. I'm a huge proponent of passwordless, passkeys, and all that good stuff, but in some countries you don't have iPhones; people aren't spending 1,200 bucks to get the latest smartphone. You have to factor in that you can't just throw the security hammer down and say "strongest, best, all the time." You need to understand who the users are that are trying to consume your systems.

So we go maybe a little closer to home for some folks when you talk about workforce identity. Another project here is going to be rolling out an identity governance and administration solution, or IGA. These are the things that are supposed to really help automate processes around identity, and again it has a lot of security functions in it. It was at an organization where security was the one who wanted IGA, but it was the infrastructure folks who owned Active Directory and they owned Azure AD, and the CISO didn't want to understand any of the business processes around things; he just wanted the thing installed. That's not how it works. When I went in there and started trying to build an understanding of the organization, their operations: their service desk, IT ops people, were basically their IGA. They're the ones who are handling new user requests; they're the ones who are that intersection of all the things that happen when someone's hired, and you really need to understand those processes if you want to place them into a security product.

Same with business. With business processes here we're talking about human resources in particular. These days, with modern identity, it's really your HR organization or HR team within your org that is the source of authority, the source of record, for who actually should or shouldn't have an account, because they know who really works for your company. So these days you take your Workdays and things like that, your HCMs, your HRMs, and you actually want to pull all the data out of those to feed into your identity systems. But again, if you aren't friends with your HR people, and they're very protective of you looking at their data, you're not going to have a good time implementing modern IGA solutions.

Device management: another thing that identity people need to work with closely, not just because we have contextual authentication, where devices have identities. Systems these days have had identities for a long time, because you've had computer accounts in Active Directory, but we're starting to do things with them now. And these days we're shipping devices directly to users, and they're enrolling the devices themselves in cloud identity systems. It's not white-gloving: "we're going to sign in as the user and get their device all set and hand it to them when they walk into the office on that first day." Again, if there's not this relationship and understanding of device identities and how the device team handles this stuff, we're going to run into issues here.

A lot of this boils down to identity people needing to really understand change management. I'm not just talking about change control boards, or "yes, you're allowed to do something." This is organizational change management. Not that you have to be a pro with this stuff, but two components of that are awareness and desire; it's the ADKAR model. You have HR who doesn't want to give you their data; you need to help them build the awareness of why they want to give you that data, and the desire to do that. A lot of identity projects fail because it's back to the CISO who's just like, "install the thing." With modern identity, it isn't just the thing; it's this kind of continual system that you're implementing.

And again, regulations: found out here that if you have employees in Germany, for this other company, if they go on extended leave or family leave or whatnot, by law you actually need to disable their user account to make sure that they can't work. The whole law is to make sure that employers aren't forcing them to work, but you can get in trouble if they can go read their email or something when they're on leave. So there's all these things you need to factor in, because ultimately it's going to be that identity person who's probably the one that's in hot water when things don't work.

So if we look at this in a similar but different way: we're used to the identity team, regardless of where we sit, whether we're in infrastructure or security or whatnot, working closely with security and device teams and infrastructure here. But we also have to work closely with the developers and app owners. Businesses are in business to make money, to do whatever their business is; businesses aren't in business to be secure. So the assumption that all our developers should understand identity security, or security in general, is a bit of a... it's something I would argue. We want our developers to write secure code, but we shouldn't be asking every developer to understand every nuance of OpenID Connect or the 5,000 OAuth flows that exist. When you're working on identity modernization projects, at one that I was working on we were migrating from Active Directory Federation Services to Azure AD. This organization had 600 apps that were moving. That's 600 app owners that you have to talk to and coordinate, and again, they don't understand or really care why you're doing any of this stuff. It's disruptive to them, and it goes back to really needing to understand things like change control and organizational change management.

As I already talked about, with the service desk and human resources, your identity people really need to understand and have a good working relationship around what these processes look like, because from the service desk perspective, you look in the news: social engineering is all about that. So we need to really have a good relationship with those folks to protect them from themselves and protect our users. And again, HR is the thing that's really helping drive things to make sure that when I retire my account is disabled when I retire, and when I'm hired my account isn't active before I actually start. It's complex stuff. This is back to the meme that was up there. So this is kind of the proactive pitch for all the stuff that goes into identity and why we can't just shoehorn it into security without having people that work in there that really understand it all.

But if we look at the reactive side of things: in the Microsoft Digital Defense Report from 2022, the number one contributing factor in on-site response engagements (this is Microsoft's DART, their incident response team) was weak identity controls. 84% of admins across organizations were not using any sort of privileged identity control: no PIM, no PAM. 88% (this is what they're seeing when they go into these on-site response engagements) not employing security best practices for Active Directory and Azure AD, and 88% not even using MFA. I think it was around this spring that Microsoft had said that they have up to 30% of global administrators using MFA, which is a terrible number. That's like domain admin but worse these days if you're in the cloud, if you get Global Admin. Now they're doing work to push out policies to force global admins to start having to use MFA, but there's nothing to prevent them from going and turning that off.

Now you may say, well, this makes it sound like identity people don't know what they're doing if they have all these problems. But I think it really goes back to the fact that we have these silos. When I was working on the IGA project, the identity people are not just identity people; they're managing your VMware and your Hyper-V and your cloud infrastructure and all this other stuff. They don't just have identity security as their only priority; they have lots of things that they're doing. Just like our developers, they have good intentions, they want to operate securely, but security isn't necessarily an infrastructure team's number one priority.

I think partially this is where I'll rant about the industry and exams and things. I see things like this, but from a blue team perspective this is really how identity is treated, and it's on purpose that you can barely read it there. So looking at some certifications and exams and things that we want people to have out there to be cybersecurity professionals: I took the Cloud Security Alliance CCSK last fall. This is awful. This is from their identity and access management domain, and they're actually talking about using OpenID. Now, OpenID is a standard, and if you want to know who uses it: nobody, because it's OpenID Connect, and OpenID Connect has existed for the past decade or so. So again, just like identity is not the new security perimeter, OpenID Connect is not new, and it's perplexing as to why we're teaching practitioners security standards that aren't used.

If we look at (ISC)² CISSP, there's not a lot up here to really talk about, but if you go read through a lot of study material, one of the things is "synchronous dynamic token." Now, if anyone in here has their CISSP, you may know what it means, as opposed to if I said TOTP or OTP or one-time password. As I read through a lot of material for this, it effectively feels like security people went and took a bunch of identity systems and made up their own language about how these things... you know, a group of people who are learning things that aren't really aligning. I mean, the technology and the knowledge might align, but the terminology doesn't align, and the last thing we need are more acronyms and more ways to communicate where we're not all speaking the same language in security.

Then the partner here, our CCSP for cloud security: identity is only a section of domain four, and we have federated identity, identity providers, SSO, MFA, CASB (rather, cloud access security broker), secret management, under cloud application security. This exam is 150 questions and each domain is 17% average weight, so there's about 25 questions, 25 and a half, on cloud application security. If you then break that down, out of 150 questions for CCSP there's going to be probably about three and a half questions on identity. Again, we say identity is the perimeter for things, but we're only asking three out of 150 questions about identity. You're not even going to ask one question on each of these things here.

So we'll pivot, and we'll just go Google "top cybersecurity jobs" and hit the first link, and we see a bunch of jobs up here. You might argue that, well, security architect could be identity people, and we'll see why that usually isn't the case, but I mean there could be some sort of identity job on here. They've got database administrator, which, who wants to be that?

So to our SANS poster. I know this is a lot and it's kind of hard to read, but if we look at three security-related roles that kind of fall on the blue side of things, where we've got our (it's even hard for me to read; I need my bifocals) cloud security analyst, cybersecurity analyst, and our security architect or engineer. So the security architect up here, following this NICE model: again, when you start to go down the rabbit hole of what a NICE model security architect is, there's very little identity in here. And even SANS, there's only one class out of all three of these careers that has any real identity components to it, which is oddly enough a red teaming sort of one, number eight here. So if you took all these you'd have a lot of iPads or whatnot from SANS but not a lot of identity knowledge.

So when we talk about education: I do not know the college, so I'm not speaking about this college, but just education, universities in general. In a lot of cybersecurity programs identity is the equivalent of a section or day or chapter or something. In this group IDPro that I'm a member of, this guy Lance, who's an adjunct professor in North Carolina, actually built an identity class for a cybersecurity degree that they have, and he's trying to get more traction in other universities to offer this thing. Again, we're not saying everyone has to like or want to do identity, but in the realm of "if you don't know what you don't know": if we don't really offer identity from a blue perspective to folks, how are we going to know, or how are we going to let people have that opportunity? There's a bunch of cool red team things all the time, people poking at identity, and you can come to any sort of conference and see all this "I've hacked into this thing, I've stolen tokens, I phished people," and it all relates to authentication or authorization. Where are the people that have the knowledge to defend against this stuff? How are we building them up? Usually, in most orgs, it falls back to your infrastructure folks. For universities it's a bit of a tough one, because it's a chicken-and-egg problem: without more asks for these classes, universities don't want to offer them, but if we don't offer them, we're not really going to understand what sort of uptake they may have.

So pivoting back to the certification zoo, there is the Certified Identity Professional, CIDPro, exam. IDPro is a nonprofit that I'm on the body of knowledge committee for, so I'll pitch that effectively we're trying to be the (ISC)² of identity, both as a professional organization for practitioners but also having an industry certification. We're still in this spot where organizations, you go look at job listings, everyone wants CISSP regardless of what the role is, but you don't really see this yet for identity roles, and we're trying to change that. This is 150 questions, so it's similar to the CCSP from a number-of-questions perspective, but it's all identity-related stuff here. This is foundational, so you only really need to have a couple of years' working knowledge of identity to go for this.

Just some other resources here: again, IDPro. There is not only the certification; if you have an interest in identity you can join IDPro as an individual, or organizations can; try to make your company pay for that. Women in Identity is free, and they let men in also; I'm a member there. I complained about Cloud Security Alliance from an exam perspective, but there is the IAM working group where they publish some good material about identity. And also, interestingly, the OpenID Foundation, who work on things like OpenID Connect, and that's actually an area where I would pitch we need more security people who aren't identity-oriented involved. I think sometimes standards writers are in this little corner big-braining all this stuff and they put it out for the world, and it hasn't really been looked at from different angles.

There are also some events that are identity related, but beyond Identiverse and the Internet Identity Workshop and the European Identity and Cloud Conference, there's just a lot of BSides. You can see, at pretty much all of these, there's someone talking... I think there's an Active Directory talk that was going on right before this. There's always something identity related, and if you find this stuff interesting, it's not just getting the talks in about "here's the cool hack I found"; it's trying to get workshops and things to help foundational blue team knowledge around identity.

So all this intersects, because how we train people, how we educate people, how we act as a group, all of that comes together. The intention, to what I was saying earlier, is that I really want folks to ultimately be able to answer that identity sits in security. It's not just policy; it's the ownership, and that security team has the identity folks working under it. As much as I seem to rant here, it's ultimately because identity isn't going anywhere, cloud isn't going anywhere, and we really just need to all work together to solve a lot of these identity challenges, because these days it's certainly stacked up against us. If you go look out at job listings, we talk about the flushness of cybersecurity jobs; there's a huge deficit of people working identity out there on the blue side. So it's a bit short there, but we can go to lunch early. Since we have a few minutes, does anyone have any questions?

[Audience question not captured]

Yeah, I mean, when you get into that and verifiable credentials and all that sort of stuff, I have some thoughts, but they're not well formed enough to say in front of an audience, mostly because I've historically been working more with the current challenges. I feel like we have this divide where we have all the big-braining of "what's next," and then when I was in consulting, not to pick on clients, you'd go in and look at the horrors that you'd see, and you're still trying to get people to just, you know, do some simple things, roll out MFA or whatnot. So there are some people who have some good thoughts about self-sovereign identity, and there are some flaws and misconceptions in it. Are you talking about self-sovereign identity later? So I'm going to your talk.

[Audience question not captured]

Yeah, I mean honestly it would be organizations, even ones that have people that understand Active Directory well, not understanding the criticality of Global Admin. Without diving into the myriad of ways that it's easy to pivot from cloud to on-prem if you're hybrid infrastructure or hybrid identity: either the global admin is also their daily-driver user, so whatever they're logged on to their device with also just has standing GA privileges, and that tends to be the worst; and/or orgs will have way too many over-permissioned people. I was working with one of the 50 states in the US and they had 57 global admins, because they didn't even understand that you don't need it to work with an Azure subscription. Then it starts to get dangerous to do this stuff when it's just out there without knowing some of the basics. I could talk for hours on that sort of stuff.

[Audience question not captured]

Yep, so there are different things. Actually, I feel like my company would love you, because we make tools that do some of that sort of stuff. There are ITDR solutions that look more for misconfigurations around identity systems, like your Okta, Active Directory, Azure... Entra ID, I should say. There's also CIEM, which is cloud infrastructure entitlement management, which is more looking at over-permissioned things within subscriptions or AWS accounts or GCP projects and stuff like that. A lot of these systems will kind of overlap, and identity governance solutions also, a lot of them, will attempt to analyze permissions as well. Identity, we have our own problem because everyone's trying to solve things from 50 different directions and whatnot, but there is tooling out there that can help you.

[Audience question not captured]

Oh, that's very [Laughter] opinionated. Yeah, so from a PAM solution perspective, I would say, having been mostly in the... there would be less need for something like a CyberArk if you're using PAWs and you have this horizontal band between your tiers. But I know that there are features within things like that, where some orgs have desires to record everything you do or whatnot. I'm too removed from the PAM space to be able to answer that stuff well these days.

[Audience question not captured]

Yeah, I mean you do and you don't. I think the thing is that there's so much, I'll go buzzwordy here, tech debt with Active Directory. I'll say that there have been some articles coming out the past couple of years that are like, "we're moving out of the cloud, we're going back to on-prem," but a lot of that stuff revolves around infrastructure, like compute and all that. Your Salesforces, your ServiceNows, your Workdays, all these SaaS things, they're not going away; no one's going to be installing Salesforce on-prem, and they're not going to offer that. Interestingly, an article that was written by one company about moving off the cloud: that company actually makes a SaaS-based email service. So that goes into it. I think identity is here to stay in the cloud, and I think orgs need to move off of Active Directory, but there's a lot of challenges. When you talk about industrial solutions and stuff like that, it doesn't make sense to put identity out in the cloud if you're still running a bunch of operational things on-prem. Microsoft would want to pretend it just doesn't exist anymore, but I think it's not going away anytime soon. So honestly, that hybrid sort of solution of the two glued together is likely what a lot of orgs will have.

Any other questions? All right, cool. Well, I appreciate you folks joining me, and I'll go to lunch early. So thank you.