Identity as the Perimeter

Ted Girard: All right. We're here to talk about security innovation in the cloud. The thesis of my presentation today is that identity is your new security perimeter when it comes to cloud. Where's my ... There it is. Big green button.

Ted Girard: When I think about information security, this is the mental image that comes into my brain. Josh, I think, from Feud came up earlier today and he had a picture of what a data center would look like. This is what I see when I think of a federal data center, I see this massive castle, incredible perimeter security complete with a moat. 

Ted Girard: What we do is we put all of our IT assets inside the castle, we fortify that castle with things like firewalls and VPNs and intrusion detection systems, intrusion prevention systems, and we lock it all down. You can't just lock everything down. You're going to have to be able to share what's inside that data center with folks that you want to do business with or you have to do business with. We typically, then, throw some kind of identity management system within the castle, tie it all together, and then we interact with our customers via simple username and password. That's kind of how things are done.

Ted Girard: Then, we start reading about these horrific breaches, public announced breaches, 100,000,000 credentials stolen here, hundreds of thousands data records stolen here. It turns out, when you read ... If anyone has read the Verizon report, 81% of all security breaches occur because of weak or stolen credentials. They're not figuring out ways to get through the firewall or creative ways to get through your intrusion detection systems, they're tricking your employees, or employees are using passwords like "password" or "123456" and they just guess it, or they trick them by saying, "Hey, fill out this information, give me this information, and you get a free Amazon gift card," and we freely give our credentials away. Then, they end up just walking right on through the front door, which is crazy.

Ted Girard: What's information security's reaction to that? They do a couple things. One, they say, "No more weak passwords. We're going to make the password this long, we're going to have capital letters and lowercase letters, we're going to have symbols and numbers, and we're going to make you change them on an increasingly more frequent basis. Every 60 days, change your password." Second thing they do is ... That solves the guessing your password thing because you can't even remember the password in the first place, these new ones. The second thing they do is they go, "Hey, you know what? HSPD12 is no longer a mandated recommendation. We're going to have to do it," and we start throwing second forms of authentication, things like key fobs that have rolling codes and PIV and CAC cards and, "Hey, you're going to have to carry this thing around, too." Effectively, what we're doing is we're taking the burden of security and we're pushing it down to the end-user. 

Ted Girard: It turns out people can't remember their passwords. Gartner tells us 40% of all IT help desk tickets are to reset passwords. It's a colossal waste of your IT help desk resources. 40% of the time, they're spending time resetting our passwords because we can't remember them. The other 60% are people that come up with their own creative identity management systems like writing their usernames and passwords on sticky notes and sticking them onto their monitors or having notebooks they carry around with all their applications and their usernames and passwords or, "Hey, you know what? I'm going to use the same password for everything I do with my life at home and at work," and it just takes one Yahoo breach to get your password and now, all of a sudden, they have the keys to the kingdom. Your efforts to make yourself more secure actually end up making the organization less secure because people can't remember them. I'm seeing a lot of head nods on that one.

Ted Girard: The other thing I ... There's a website called the Daily WTF and it's purported to be dedicated to IT professionals and to share with them what not to do. This was an example of what not to do. Apparently, carrying around a key fob that has a rolling passcode is a big pain in the butt. This person said, "Well, I'm not going to carry that around. I'm going to tape it to a piece of cardboard, label it, put it in front of an open webcam, and I'm just going to carry my phone around with that web link and I don't need to worry about it anymore." Again, not a security best practice. I think it's genius. It turns out people don't like carrying just something around just for the purpose of logging into work. I think having dinner with your wife and have your boss call and say, "Hey, I need that report on my desk," and you forgot your key fob at work, that's not a good thing.

Ted Girard: Bottom line is humans are a lot like water. We're going to follow the path of least resistance. We're not ... We don't come to work every day thinking, "I'm really going to impress my boss today by all the security protocols that I follow." They come to work every day thinking, "How am I going to get my job done? How am I going to get all these tasks done to support the agency mission?" If we throw roadblocks their way, they're going to blow right on through them. 

Ted Girard: Likewise, if they ask IT for something that they need, "Hey, I need this service," and IT says, "Okay, great. We're going to have to go to procurement for that. We're going to have to buy the servers for it. We're going to have to load it, then we're going to have to go through ATL. We'll get that service to you in six months," they're going to figure out a way around that, too. They've got to get their jobs done in support of the mission. Evidence of that is ... There's a company called Skyhigh Networks. They're a popular CASB. They published a report last year and they claim that the federal government agencies use ... I think it was 944 distinct and unique cloud applications. 944, that was a shocker to me. I'm like, "We're just getting started in cloud. I'm going to a cloud workshop where everyone's trying to figure out how to do cloud securely," and it turns out the federal government is a prolific user of cloud. 

Ted Girard: The problem is the majority of those applications fall into the category of shadow IT, and I think there was someone that talked prior to me talking about shadow IT. They're not on the approved products list. These are people that go, "Hey, I need this service." "Oh, yeah. We'll get that to you in a little bit. It's going to take a little while." "Hey, I can go to Amazon for 12 bucks a month and just sign up for the same," and they're off and running. Or, "I can go to Box and sign up for this content thing," off and running. Or, "I can go to GitHub and spin this thing up." You can't manage insecure IT that you don't know you're using, but you're using a ton of it. It's called shadow IT. We need to figure out how to close that gap.

Ted Girard: That's my little path right there. Get it? No one's following the thing. They're shooting right across the grass. I Thought that was cute.

Ted Girard: Anyway, bottom line is you can mandate what your employees ought to do but you can't really control it, it's evidenced in the fact that they're going out and doing stuff despite what you tell them to do, but you can try to make the approved applications more attractive than what's out there. That's really hard and complex, given what's going on. Thousands of cloud and SAS applications available, thousands more come in every single day at a more rapid pace, billions of mobile devices. I've got the new iPhone 10. It's awesome. I log in with my face. It's pretty cool. All the innovations like IoT, big data, blockchain, artificial intelligence, AI, they're all happening outside the safety of the perimeter of the data center. These are all innovations, mega trends, that are ... You can't just take them, put them in your data center like you used to.

Ted Girard: How do you do it? This is where I come to support my thesis of today's talk. It's ... What we're really trying to do, in the most basic and simplest form, is we're trying to connect people to technology. It's all we're trying to do. It's ... When I say people, it's not just my employees and contractors that come to work every single day, but it's everyone outside my organization that I'm supporting. It's my customers, it's my partners, it's my citizens. It's anyone that needs to interact with my agency, so it's anybody. Then, when I say technology, it's not just applications, whether in cloud or on prem or whether Gots or Cots or whether it's mobile or desktop. It's any technology. It's my watch, it's wearables, it's IoT. It's ... I want to connect anyone to anything in a really secure fashion and do it with a consumer-grade user experience, not put the burden on the user.

Ted Girard: To do that, you need to think about identity. Identity is the nexus point between the user and the technology. If you focus on identity and you make that a strategic platform within your security stack, you can deliver a delightful, awesome user experience while making your organization more secure. 

Ted Girard: This is kind of my picture of, and I created this slide as where a customer potentially might be within their digital transformation journey. You're going to have your castle. My previous speaker from SEC talked about, "Hey, we're going to have a hybrid environment," and I see that. Whether you have a cloud-first strategy or a cloud-only strategy, you're going to be at this stage at some point. There's going to be a critical decision point, and that decision point is do I try to refactor my legacy on premise, identity management system, to do something that it wasn't intended to do in the first place? Legacy identity management systems were built and they're in use well before cloud was around, so are we going to try to do that or is it an opportune time to look at the market to see if there's anything out there that's purpose-built for this digital transformation? Thank you. 

Ted Girard: In my experience, everyone is going to try option one first. They're going to go, "here's my first cloud thing. I already got an identity management system. I'm going to figure out how to get that to extend to cloud," and they're going to exert a lot of time, a lot of resources, and a lot of money to get it to go. Then, they're going to do their second project and they're going to realize they're going to have to do that exact same thing over again. That's when, typically, the door gets knocked on, like, "Hey, this isn't scalable. We need to look at a different thing."

Ted Girard: Really, what I want to focus on my last set of slides is really what the user experience is. I talked to a bunch of folks at our table before we talked about user experience and really what a modern digital cloud-based experience should look like is something like this. Your user gets presented with a portal or web page, log-in page experience, and they get ... Whether you're 10 people or your organization is millions of people, it's, "What's my username? What's my password? If I forget my password, click a button that says ..." Asks you a couple questions to reset my password and you do it yourself, you don't call the help desk. 

Ted Girard: Once you get through that, you ought to be able to be presented with, depending on who you are, where you are, or what you're trying to get to, your service should provide you with a multi-factor authentication process or it ought to tie into your existing third party, including PIV and CAC card, thumbprints, facial recognition, or whatever else you might have in play. That should be ... A drop-down menu, select it, off and running. 

Ted Girard: Once you get through that gauntlet, which should take you 30 seconds, you should be presented with a dashboard that has all the applications that you're entitled to based on who you are and your role within the organization. We call these ... At Okta, we call these chiclets. Choose a chiclet, click on it. You see the little Okta spin and you're logged in. No more username and passwords, no more CAC cards, no more tokens. 

Ted Girard: We can talk about this if you guys want to know more. We invented ... We launched the Okta identity cloud in 2009. It's a set of independent services that are served up through a single pane of glass on the world's most highly reliable and secure platform, period. We've got the fed ramp, highly elusive and coveted fed ramp logo. We achieved that in 2019. Most importantly, it's ... Our customers, if you talk to any of our thousands of customers, they'll tell you we've decreased their cost, we've made their employees more efficient, we've made them more secure, and we've accelerated their transformation to cloud. Gartner and Forrester both last year awarded us the top dot for access manager and identity as a service. We got a twofer on that one. 

Ted Girard: Bottom line is the customer experience. This is ... I took this picture. I was giving ... I had a zoom meeting. I was in Northern California at a little café. I had a zoom meeting with my boss and the Okta leadership team. I logged in from zoom at a café on my laptop, highly secure, delightful experience. What we really want to do is allow our customers and our partners and our employees to access the information they need when they want it from the device that they want it in a highly secure, reliable fashion. 

Ted Girard: That's it for me. I think ... I saw the two minute slide so I'm done. Thank you.