In this episode, we unravel the complexities of Identity and Access Management (IAM) and explore the cutting-edge concept of Zero Trust. Join host Tyler Shields as he sits with Christine Owen, a recovering attorney who found solace in IAM and Zero Trust principles. Christine sheds light on the modern challenges of protecting digital assets in an ever-evolving threat landscape. Christine introduces us to the game-changing concept of Zero Trust, an approach that challenges traditional security paradigms. Tune in now and equip yourself with the knowledge to navigate the changes in cybersecurity.
IAM And Zero Trust: Preparing For A New Era In Cyber Defense With Christine Owen
In this episode, we equip you with the tools and insights to safeguard against digital threats arising from unintended human error. Join us as we delve into IAM and Zero Trust with Christine. Friendly Fire gives you the knowledge to defend your digital realm. Christine, welcome to the show. How are you?
Thanks for having me.
I traditionally like to open up with a little bit of background on our guests. Your background seems interesting. You have been an attorney in a previous life. Now you’re in cybersecurity. Give us a little bit of background on where you come from, what prompted that shift from your legal background, and how that influenced your cybersecurity views.
I graduated with a BA in German, so that gets you far in life. I have done a little bit of writing. After undergrad, I felt like I needed to get a second degree. I ended up being an attorney because, partially, that's what my grandfather had done. He was a judge. Partially, it was because I thought, what else am I going to do? I did well on the LSAT. After five years, I realized I didn't like being an attorney. I didn't enjoy other attorneys very much. I wanted to be a consultant. Though totally serendipitous, I ended up consulting in GSA's Federal ICAM Policy Office in 2013. I learned all the things that you need to know about PKI and Federal ICAM policies.
I had to learn all the different aspects of IAM from a policy point of view. In 2015, I don't know if you guys remember this, but there were a couple of different incidents in the federal government. I was in the right place to be able to see how policy and the technical implementation of those policies work and interact, and how poorly written policies and standards will not get a good technical implementation. Since then, I ended up going and working on the technical implementation side. Now I run pretty large, transformative modernizations with IAM, and also with Zero Trust, but I still have my technique. I still work on the policy side, and I give them a lot of grief all the time. I have fun, and I enjoy them. I'm excited about the standards that are coming out soon.
You are a Director at Guidehouse, where you are focused on IAM-style projects, building up teams around IAM and Zero Trust. You've been there for over four years. You have a significant background in IAM and ZT. For the sake of the audience, let's start with Zero Trust. The concept of Zero Trust has been around for a while. It's overloaded by marketing people like myself who like to spin it and make it into something that may or may not be traditional. Can you lay the groundwork for our audience first by describing the foundational components that make up Zero Trust and IAM? What are the key things you need to think about when you're thinking about implementing a Zero Trust style policy or an IAM-based security program?
First off, I feel like every product out there says that they have Zero Trust. That's partially true but not always fully true. The reason is that if you spin it in cybersecurity, pretty much everything does touch Zero Trust. The biggest difference between the current security model and the Zero Trust security model is the ability to move within a system laterally. Micro-segmentation is the cornerstone of Zero Trust, whereas lateral movement is what has been around forever. We realize that doesn't work against attackers, because both internal and external bad actors can get into all your systems if you allow for lateral movement, whereas if it's not allowed, they get stopped at the door of many systems if you place rigorous policies that create a micro-segmentation of your network.
To be able to do that, the first thing that you have to focus on is Identity and Access Management. We need to know your identity, which means we need strong identity vetting. Whether you're internal or external, we do a risk assessment and decide how much we care about knowing who you are. It's based on what information you're trying to get. Next, we create an IDP, or an Identity Provider. An IDP usually gives you a credential. It doesn't always, but let's say it gives a credential or an authenticator. That can be anywhere from a username and password, which would break my heart, all the way to FIDO, something that's phishing-resistant, maybe a FIDO authenticator or a PKI credential. That's the next phase.
We also need identity governance. We need to have a life cycle of that identity. We need to know when that identity needs to join the organization and when it needs to move from one organization to another within the grander scheme of organizations. Also, when that identity needs to be revoked from the organization. For elevated users, like privileged users, you might want a privileged access manager. To be able to do that micro-segmentation, you typically need to modernize your network. Maybe get a SASE. While you can do it without a SASE, a SASE would make it a lot faster for implementation purposes. Within your network, you need what I like to call a Zero Trust broker. Essentially, you need to be able to have device-level signals, such as something from your endpoint, like a detection and response tool, and your credential or your authentication passed over to the Zero Trust broker.
Other things could include a watermark from the device that you're working on and your IP address. Maybe also the time of entry and your past user behavior. All of those together create essentially contextual authentication. That Zero Trust broker does this wonderful thing that I see wizards and hamsters involved in. They decide whether or not you, more than likely, are who you say you are with the devices and the other context. We then move on and decide whether you're allowed to go where we say you're allowed to go. In that case, there are probably also more policies in place. That's the PDP and the PEP, for those of you reading along at home with the NIST standards.
A ton of tools are required for ZT.
That’s why everyone can have Zero Trust.
There's a ton to spend to implement a Zero Trust and IAM-backed security system and security policy. The reason I bring that up and say a ton of tools isn't to shoot a hole in Zero Trust and say that you have to buy a ton of tools. It's more for people who might get connected to a company that says, "We sell Zero Trust." There is no company and no single product that sells Zero Trust. You have to build a policy. You have to build a procedure. You have to build all of those fundamentals that Christine ran through to have Zero Trust as a program. That's one of the things when it comes to Zero Trust. What's your take on Zero Trust as a whole? Do you like the term? Do you think the term is overloaded and ruining it for people? What's your opinion on the term Zero Trust? I'm very strongly opinionated on that one. I'd love to hear yours.
If you had asked me this years ago, I would have screamed about how it is the dumbest term. I hate the term, but then here I am a few years later. My career is based on Zero Trust at this point. I guess I have a love-hate relationship with it. The reason why I hate it is that when you go to a CIO or CTO and say, "There's this concept called Zero Trust," it doesn't make any sense to call it Zero Trust. The other issue is that there's this conception that you have to redo all of your cybersecurity measures to be able to get to Zero Trust. I still need firewalls. All of those things are still in place. All we're doing is shifting our focus from that perimeter-based control. We're shifting our focus from making everything happen at the firewall level to modernizing our tools and working towards more policy and a bigger picture of that user when they're attempting to get into that resource.
You mentioned this in your foundational description, which I love. Thank you for that. I don’t think a lot of people understand the foundations of what makes ZT and IAM-based security programs functional. You mentioned there are a couple of things that I want to double-click on and dive into. You mentioned insider threat. You mentioned lateral movement. I don’t know if you mentioned it, but I’ll bring up an addition to the list of unintentional human actions that can be blocked and detected. How does ZT enforce those kinds of things? Fundamentally, you’re taking the concept of a perimeter, bringing it down to data, device, or whatever you’re trying to protect, and making that perimeter at a micro level. Can you help me understand how that protects from lateral movement, unintended human actions, or even malicious insiders?
There are a couple of things to it. One is when you're focusing on an IGA tool that not only gives you that joiner, mover, leaver lifecycle for the identity of the user but can also decide what access that user has. First off, you can give the user what's called birthright access. That is access to your typical tools. This is for internal users. An example would be whatever your email suite is or whatever your document-sharing tools are; those are all things that generally a user would have access to from day one. There are other things. If I am a supervisor, which I am, I need access to certain HR tools. I need certain permissions with those HR tools.
One way that that can happen is you can either do birthright access, and I have certain attributes attached to myself, or you can set something up where I ask for permissions to get into that application to be able to see that data. It depends on what the organization wants to do. What that tool does is it helps for auditing purposes. It also helps verify that that person needs access to that thing. When it comes to unintended users, a user can’t go to the HR tool, sign in, and see my data unless they’re a supervisor. They have to have auditable requests and auditable permissions to be able to get into it. That’s one thing.
As we all know, there are certain attack vectors where an external malicious actor can act as if they are an internal malicious actor. Part of that is because micro-segmentation needs to get into place. In those cases, if a malicious actor, internal or external, does not have the appropriate access to that tool, not only the permissions but also maybe the attributes, and if you take what I like to call the Zero Trust broker and put all of the policies in place properly, you can stop that person from accessing whatever piece of information they're trying to access.
In some ways, if I were to distill this, you’re saying that the modern version of IAM security and the modern version of Zero Trust is about understanding the identity as an object, what that object’s attributes are, what the context and actions that that particular object executes, and then putting a policy in place to make sure that the actions match expectations in reality. You’re drilling Zero Trust down to strongly enforceable identity and access management policies.
It's like a dumbed-down version of ABAC, Attribute-Based Access Control. That's what it is. You're exactly right. That's why identity professionals have a better starting point for Zero Trust than, for example, network professionals. I say that with love because there are a lot of things I had to learn about networks to be able to get the understanding that I have. A lot of the policies that you need to put into place include identity and access management policies.
I get a lot of pitches as an investor for different startups. One of the trends I’m seeing now is a massive movement towards identity as the key component in detecting attacks, blocking attacks, and security in general. It’s attributable to the exact thing that you’re talking about, which is the concept of Zero Trust has been distilled and comes down to IAM in many ways. Now, there are network components too. You have to understand that and how you break it down at a network level. I am seeing significant investment going toward IAM-based products, solutions, and technologies now. It’s very interesting.
I agree. There’s a certain PE firm that tried to buy almost all of them but then got blocked.
Let me shift a little bit here and talk about credentials, authentication, and authentication management. Setting aside the ZT components of the discussion, let’s dive into the actual operational side of protection. We all agree, and everybody has been screaming passwords suck for a long time. Nobody wants passwords. Passwords are awful. Bad UI, bad UX, and impossible to use.
It’s very insecure for many different human-related reasons, as well as potentially computing-related reasons. How do we solve the credential issue for humans? You already alluded to this a little bit by saying contextual identity management, but can you dive into that a little bit and talk about individual password authentication technologies that are exciting to you and what the future of password or authentication, in general, might look like?
In the future, we will not have passwords because I can't stand them anymore. Here is one way that organizations do not necessarily eliminate but at least help reduce the amount of passwords in their system. The first thing is we can't get rid of all passwords yet, and that's the problem. One of the things that we have to do is modernize our systems, including legacy applications that are focused on passwords, either in the foreground or in the background. How do we make sure that we still have strong cybersecurity measures but know that passwords are still going to be in our system for the next few years? One way is to use a password manager. On the front door, the user would use a passwordless MFA, phishing-resistant in particular.
For example, they would use what FIDO calls a passkey, but something that would be phishing-resistant. It can also be a PKI token, although that's not considered a FIDO passkey. That's one of the ways that we would do it. The second way that we would do it is we would modernize the IDP. Modern IDPs do a lot of cool things nowadays. They can allow users to have multiple authenticator types depending on what they need at the time and what device they're coming from, be it some managed device or some device that has an MDM.
It depends. What the organization would do is they would do a risk-based analysis and decide, based on what risk they see and also what budget they have, what they should move forward with.
Phishing-resistant is your best option for sure. If phishing-resistant is not something that the organization can pay for, build up, or whatever, the second best option would be MFA with number matching, where you verify on your phone by matching the numbers. That's your next best bet. After that, don't do it. It's not worth it. With a lot of modern IDPs that are out of the box and "free," you have to pay for MFA. Don't get me started.
My next crusade is to tell IDPs to stop making people pay extra for MFA. For now, that's your next best bet, and it is "free" with a modern IDP. The last piece of all of this is for organizations to be able to make a good determination of whether it's the right person accessing the right data, at the right time, for the right reason, from the right place, and all of the right things. To do that, the organization needs to collect as much data as possible and spit it out into a decision point. That's where we have contextual authentication. We look at where the user's coming from, whether this is a normal time, whether, normally, they're coming from this device, whether they're logged in somewhere else at the same time, whether it's normal behavior for them to be logged into two places at once, or 3 or 4.
By the way, there are reasons for people to be logged in to two places at once because I know I do it all the time. I’m logged into my company’s email on my phone and also on my laptop at the same time. That’s where companies and organizations need to sit down and say, “What things am I trying to block? What are the typical behaviors of my users? How do I create policies to make sure that my users can still accomplish what they need to accomplish at work but also I can quickly revoke access automatically if I need to, or at least put a massive warning bell around some behavior for a human to go back and look at?” I will tell you that some organizations are very scared to revoke access based on certain policies.
They want to be strong on policies, but they're scared to revoke access. That's because, now, we're not used to that. End users are not used to the concept of, "My access can be revoked if I'm doing something that seems not right to the organization." That's a change management behavior that we're going to have to start working with end users to understand. Sometimes you're going to have to not be able to access it. There's going to be friction because you are logging in from your resort in Mexico. You decided to take a vacation, but you needed to get into something. That's okay. In those cases, we need to have extra guardrails.
It's super interesting you bring this up. There's something, for years, I've called infinite point authentication. I love your term way better. Mine is dumb sounding, but contextual-based authentication and authorization. I call that infinite point because the more points you can take into account to color the context, the more accurate the decision. Even when I was writing about it years ago, you could detect whether someone was left-handed or right-handed by how they held their phone because of the tilt of the phone. That's a key piece of potential bio-context that's like, "No, this is not a left-handed person. This is a right-handed person. They're holding the phone differently." That's another flag of many potential thousand flags that we can decide on.
I love the concept of contextual, but you also bring up a point on the enforcement side of it. It very quickly goes to more of a fraud-based behavioral analysis instead of a true attack-based behavioral analysis. Now you get into managing the user interface or managing the user experience of the process. For example, let's take our credit cards. When they started putting contextual detection on our credit cards to look for hundreds and hundreds of data points to then potentially flag risk, everybody complained because "I got on a plane and I traveled to Las Vegas. I normally am not in Las Vegas, and now my credit card's getting declined. I have to call and confirm it." That's gotten better. My credit card doesn't get declined anymore. They are much smarter about it.
That takes time to build up understanding, and that takes time to build up a process for the human being. You send me a text, and I can respond very quickly, and that eases the context. All of those things will also come into view concerning contextual style security. If that comes into play more and more, how long will it take people to be okay with the shift in the process? At the end of the day, this is a human question. What matters here is the impact on the humans because, if the friction is too big, they stop using it. If the friction is too small, it’s worthless. How do you balance that?
The first thing I do want to say about this is that people, for some reason, think that anything but passwords is too much friction. I don't understand that because I feel like passwords are more friction for me than anything else. I don't like passwords. This is my prediction. We can come back in fifteen years to see if I'm right or not. My prediction is we're slowly plodding towards this different way of authenticating. Maybe in five years, we'll have more organizations doing this. There's going to be a big boom, and that's going to be probably around ten years out.
The moment quantum computing starts to hit and decrypt very important keys that are based on lower encryption levels, we're going to have to change things again completely. Honestly, I've been in identity for a couple of years, and we're hitting a stride finally. It's going to take at least another ten years for Zero Trust to hit a stride. The way that it's going to hit that stride is we're going to realize that we need to be able to do a full holistic view of the user. It's going to be because we're in the quantum computing phase. 10 to 15 years is the answer. I'm going to plod around until we get there, and then I'll be like, "Finally."
You brought up quantum. I’m going to bring up a different thing in a similar buzzword of the day type of vein, which is blockchain. Talk to me about the impact of blockchain on identity. Is there a positive to that? One of the arguments for blockchain is that it is non-reputable, or whatever that word is, where you can’t change the audit trail.
There's going to be a complete audit trail. Is blockchain going to be imperative to the success of IAM in the future? Before you answer that, I want to layer on one other thing, ML and AI. Since we're going to catch all the buzzwords, let's get them all in. We got quantum. We got ML/AI. We have blockchain. Hit me with your thoughts on blockchain's impact on authentication and authorization-based cybersecurity programs.
I'm going to start with the easier one, where I'm not as worked up. ML/AI is already in identity. Modern IDPs use ML/AI to determine what the identity attack vectors are. They use that to block identity attack vectors. If your organization's not on a modern IDP, get on one quickly.
I would argue back to my statement about general banking fraud. That’s also what leveled up the general banking fraud to make it much more accurate.
I agree. On the IDP, ML/AI is being used for what I call a Zero Trust broker. It's getting used there too. Now, on blockchain, I don't know why, but I feel it's like moths to a flame when it comes to blockchain bros. They come to me and tell me how blockchain is going to revolutionize identity. It's not going to, I'm sorry. It's not. Blockchain is great for things like real estate ledgers. What a great idea. Why don't we reduce the amount of money we have to pay when we go and buy a new property so that we don't have to have someone look back to the time that the land was granted by the King of England?
I live in Virginia. That is something that we do here. Why don’t we put that into a blockchain so it’s verifiable and then we can say, “That property is fine?” When it comes to identity, the answer is no. The concept of decentralized identity on a blockchain makes absolutely no sense to me. I will tell you that I wouldn’t trust it if I were an organization and someone said, “I want to use this credential to trust things.” No, go away. I will say that I do know some new identity vetting tools use blockchain in the backend, but that’s not their primary. It’s just that’s the technology they’re using.
Blockchain is a technology. It’s not the end all be all. It will not cure cancer or prevent attacks. There are good uses to the blockchain, and there are dumb uses to the blockchain. Using it as the sole identity thing is a bad idea. I know that some companies use it in the backend, so I’m not going to hate them as much, but I do hate it. It’s only because I go to parties that have a lot of identity nerds like me, and all these randos come up to me. They’re like, “I’m working on a blockchain identity thing.” I’m like, “Do you know anything about federal requirements or about requirements in general? How are you protecting this?” They can’t answer anything. I go, “Good luck with that.”
We talked a little bit about the evolution of IAM. We talked about the role of AI and ML. We talked about the future of passwords. Let me ask you a question. Position me as an audience member. Now I know the foundations. Thanks to this wonderful interview. What’s the advice you have for me for businesses or individuals starting their journey into understanding and implementing IAM and Zero Trust? If you’re going to roll these concepts and programs out into your environment, what’s the number one piece of advice that you’re going to give me?
To get to Zero Trust, it’s modernizing your security stack. You can use what you have now, but you are likely going to have to modernize certain things. To do that modernization, it will cost a lot of money. What you’re going to do when you go to test whatever Zero Trust stack you end up using is you’re going to break things, and you’re supposed to break things. You need to make it so that I can’t get from point A to point B without having some friction. I had someone yell at me once that I broke their entire system, and I said, “Why?” They said, “I couldn’t get into this application that I could get into in the old stack.”
I said, “That’s great. That means that it’s working. It means you don’t have access yet to the current system. That’s not a problem.” I get excited when we break things. In breaking things, what you’re going to also find is that you have to modernize other tools that you didn’t think you needed to modernize because some tools were created to ride the network and do peer-to-peer. A great example of this would be remoting tools. When your help desk goes and remotes in, that’s the peer-to-peer connection that’s riding the lateral network. That’s going to be something that you’re going to have to change. You either don’t allow it or you have to change tools.
It’s silly stuff like that that you wouldn’t know. Quite frankly, I can’t even tell you all of the things that you’re going to come across. When you budget, take your budget and then add way more money because if you want to do it quickly, it’s going to cost you a lot of money. On the flip side, it’s a good thing to do, too, because you need to modernize. A lot of the next ten years is us modernizing security stacks, modernizing mainframes, and modernizing other legacy products that only use Kerberos protocols or other protocols. Where we’re at now is we’re in a modernization phase.
Where can we find Christine Owen in the future? Do you have any speaking engagements coming up? Do you have any books you’re writing? Do you have any cool articles you want to plug in? What can we do to help you, Christine, in any projects you’re working on?
I've done a lot of my speaking engagements already this year, 2023. I likely have a couple coming up in October 2023, but I haven't finalized them yet. I go to most identity conferences. If you find a conference that deals with identity and is nationwide, I'm likely there. I have a good idea for my next RSA topic. I've already connected with the person who's more technical on this to collaborate with him on it. I'm so excited about it that we're likely going to get in. Hopefully, fingers crossed, you can see me at RSA in 2024.
That is fantastic. I will make it a point to catch you at those conferences when I see you there. With that, we’re going to go ahead and wrap. We have come to the end of another episode of the show. I want to extend a heartfelt thank you to our incredible guest, Christine Owen. Your profound knowledge and passion for impacting cybersecurity change have been truly inspiring. Your insights into mitigating unintentional human risk will undoubtedly empower our audience to safeguard their digital lives. Remember, cybersecurity is a collective effort, and every step we take to fortify our defenses counts. Stay tuned for more compelling discussions on cybersecurity. Until next time, stay vigilant and stay secure.
About Christine Owen
Christine C. Owen is a recovering attorney who found solace in IAM and Zero Trust principles. She is interested in securing people, things, applications, devices, and the cloud, taking an identity-centric approach. Christine oversees and manages client engagements to provide enterprise IAM and Zero Trust solutions. In her downtime, Christine enjoys bourbon, her grumpy Westie, and chatting about IAM with anyone who will listen.