There Are No More Outsiders
Announcer: I would like you to please welcome Richard Bird, Executive Director within the Office of the CISO Executive Advisory Team at Optiv. Richard is an information technology risk and information security executive with more than 25 years of experience. In his current role as an executive director within the Office of the CISO, he works with the chief information security officer, boards of directors, and senior executives within our clients as a trusted advisor, helping to assess, develop, guide, and improve information security management programs while ensuring alignment with business goals and objectives.
And Colin Anderson, who you just saw if you were in the keynote, he's a global CISO. Colin manages an international team responsible for information risk management, regulatory compliance, and IT enterprise risk management for a global organization with $5 billion in annual sales and over 2,700 company-owned and franchised retail locations in 35 countries around the world. So would you please welcome Richard and Colin to the stage. Thank you.
Richard Bird: Thank you. Thank you very much. Ethics.
Colin Anderson: All right. Grab one of those.
Richard Bird: Well, good morning, everyone. I don't know if you're currently nursing one of those "what stays in Vegas ..." There we go. There's a few of us, right? But taking just a second before we get started with the overall presentation, There Are No Outsiders, to each introduce ourselves with a little bit more probably rustic background as opposed to the bios that get sent in. Because everyone that's sitting in this room wants to know ... you've already had an opportunity to hear Colin speak, but you want to know, "Why should I listen to this person?"
In all my experiences, I did spend close to 11 years at JPMorgan Chase. When I was at Chase, I left and finished up a stint of about three-and-a-half years as the global head of identity for all of Chase's consumer businesses. I'm always reminded of Albert Einstein's quote. "If you think math is difficult, think of my problems." The challenges that I saw managing about 350,000 employees and about two-and-a-half million machine accounts at JPMorgan Chase gave me a lot of scars. I learned a lot of things about identity early on, where many companies are just getting to that point now. That's a bit of my background. Colin, can you share?
Colin Anderson: Sure. How many people saw that TV show way back in the ... way back called The Fall Guy? Yeah, you remember that one? All right, yeah. I've been the official fall guy for the last decade for the various companies that I've supported, and it's a great role. It's unfortunate that, like Richard mentioned, it's a thankless role.
People expect security to just work, and it doesn't. You have baseball players go to the hall of fame when they bat .300. A security professional bats .300, they're out of a job. We have to be really. We have to be next to perfect in our jobs, and we have some very determined adversaries out there. Hopefully we can share a little bit of wisdom today, and look forward to it.
Richard Bird: Excellent. We'll go ahead and get started. The first thing is, we're required to read all of this before we can put ... I'm just kidding. Safe Harbor statement. Talk a little bit about the point that we're gonna cover today. First of all, when did the perimeter collapse? I think this is an important message that we need to be sharing with our executives and with our boards, and many times is not being translated to them in a way that they understand. We'll talk about that a little bit.
Reconciling the digital and the analog self. This is going to become a bigger and bigger deal over the next several years, meaning that access control is not simply an administrative function, but is a combination of that control along with authentication. We'll talk in some detail about what that means for all of us.
What do they want? My apologies. What do they want? What is it that an outsider ... and I really, really hate that term. What is it that an outsider wants, just in general? I think a lot of times too much focus is placed on, "They want access to financial transactions." Hence all the notices that ever come out from a major breach are first ... the PR organizations are first to declare, "No credit cards or banking accounts were breached." All your personal information was breached, but none of that other important financial information was breached. The problem is that that's a very narrow view of what those outsiders want. We'll talk a little bit about what it is that they really desire.
The client experience. We've got a great set of examples on how a partner has gone through the efforts to really address those issues of outsiders no longer existing, and how do you manage all of these different identities and all of these different personas? Then finally, we'll talk a little bit about what's next.
Let's talk about this perimeter issue. One of the things that we have as a problem is this challenge where we continuously forget our history and our lessons, right? If we look at the analog world over the last several centuries, we can see that the perimeters that have been extended into the technology world are analogous to the perimeters that we used to have going back all the way into the Middle Ages: walls and moats and locks and keys, keyholders. Over time, as technology advanced, those things became less relevant.
Physical protection is back in the scene nowadays, as we're seeing physical security organizations mesh with overarching security organizations. Because now it's no longer enough for us to manage just the digital component. But because of the ability of people to walk into our four walls, we're having to see a lot more collaboration and coordination around that physical security aspect.
But we went into this phase over the last 30 or so, 40 years, in technology where everything operated in isolation. Made it really easy to protect it from an account-based standpoint. PBXs, mainframes, dedicated computing terminals. I don't want anybody to tell me how old they are, but does anybody here ever remember the experience of actually working on green screens? SV Tams? There we go, yeah. I actually love showing that to college graduates today, because they ask what that device is. They've never seen anything like that. But that was our experience. They were isolated. Our printing systems were isolated.
Those began to change as we moved into the client server era. Once we did so, those of you, again, that have been around the block for a long time, just the worst kept secret in the world. Active Directory, on-prem Active Directory, is not a security framework. What was Active Directory originally made for in the client server space? It was made for file sharing and printing. Now we've spent years and years and years trying to bolt on security technologies to manage the Active Directory space, when it was never built to be an identity store to begin with.
This is when the bleed-out starts. This is when the perimeter starts to fail for us. Now we've moved beyond. We've evolved. There's a lot of discussion about what the viability of physical firewalls and VPNs are gonna be in the very short-term future. Because anymore, everything is getting to be about who's accessing what, where, when, and how. Not, "Keep them all out." The perimeter is failing for us.
Now we add on top of it ... I don't know why they call it IoT, because I think it should be called TOI, things on the internet. I don't know why everyone thinks it's a new thing. Anybody from manufacturing here? Manufac- There we go. Great. Has not Windows XP embedded been on just about every control device that's been manufactured over the last, I don't know, 20 years?
Colin Anderson: Absolutely.
Richard Bird: All it has to do is get a wakeup call, and all of a sudden you've got email flooding off of the water jet machine. That, again, has accelerated this collapse of the perimeter. Not anything new to anyone here. You guys have experienced this.
The issue is that, how do we communicate the reality of this rapid change from a historical principle that everybody understands? We understand walls. We understand locks. We understand doors. I go talk to an executive and say, "We need firewall equipment." They pretty much know what that means. But if I go talk to them about, "We need Okta," I get the blank look. Because the idea of controlling at the individual discrete identity is so foreign, because all we have to do is lock the doors and close the windows. Which those of you in this room know, that's no longer the solution. That's no longer the answer.
The other problem that we have is, we spent a whole lot of time in the last several years working on a whole lot of security control domains. Within that space, we've had a lot of great progress. We are implementing tools, all of us in this room, that didn't even exist two, three, four years ago. Didn't even exist as companies two, three, and four years ago.
Now as we put all of this stuff in, it's being defeated. By who? By our own employees. I've said for a very, very long time, "The best hacker in the world is Bob who works in accounts payable and needs to get his job done." Any control that I put in place, I can guarantee you that if it affects Bob's ability to do his job, within less than 24 hours, he'll figure out a way to get around it.
It's the same thing that we're experiencing in particular with phishing. How many of you are doing phishing security awareness training within your companies today? Regular basis.
Colin Anderson: Of course.
Richard Bird: Many of you are probably doing it just annually, right? Which is a fascinating thing to me, because anybody that's worked in the old factory space ... I did as a kid, the tough college job. Every time you came in and punched in the time clock, it said, "We have had 361 days since our last accident."
Can you imagine how quickly you'd change user behavior if you had a little tag on your corporate internet that said, "It has been 16 minutes since the last person clicked a bad link, exposing our company to risk"? Believe it or not, I've actually convinced three companies to do that. But user behavior is killing us, and it's exposing us, and it's opening up these opportunities.
I'm gonna share just briefly an example that I like to use when I travel around about this notion of insiders being unknowing or unwitting collaborators in allowing the outsiders in, which is what phishing is all about. The issue that I see ... I'm very fortunate in that I've got a very diverse life. Beyond doing this kind of stuff, which I really only do to fund bourbon, music festivals, and hot rods. This is all that I work for. But beyond that, I'm actually an elected official.
I want to make it very clear. I am a non-partisan elected official, and I serve on a school board in central Ohio. That school board is the ninth-largest school district in the state. We have 15,000-plus students. Now, how many of you in this room have children K-12 in school right now? All right, cool. Want you to think about this thought exercise for just a minute as it relates to somebody is inside. Okay?
You have a great school district. It's run very, very well, and you love your principal for your child's school building. Everything is awesome. Communication flow is just amazing. One day you get a phone call. It comes through the mass messaging phone call. Or you get an email, or you get a text. It goes like this. "There is somebody inside of our school building. We don't know who they are. We don't know what they want. We don't know why they're here. We don't know when they got here. We don't know how long they've been here. But everything's cool."
Think about that just for a second. Think about the notion that you have something that is extremely valuable to you, that you love, that you cherish, that's in that school house, and you get that phone call or you get that text message. Show of hands, who's feeling really, really good about that? I just described an on-premise inside attack. Do we have the same sense of urgency within our companies today when we go, "Okay, there is somebody that is using a credential, or there is somebody that is inside of our system, and they are doing something and we don't know what it is, and we don't know how they got there, and we don't know how long it's been." Is there that same sense of urgency that we would have in the analog life?
Now let's complicate it a little bit further when we talk about human behavior and enabling and these connection threads with phishing and other actions that we end up with being challenged in this evaporating perimeter world. I'm on a school board. I get that text. Now, here's the challenge. I have 37 buildings. I have 15,000 students. I have 1,071 teachers. I have 1,400 staff and employees, and I don't know which building they're talking about. Now I've just explained the Cloud. That is the problem that we face, because as we've continued to expand ease of use, ease of access, ability to gain access to those resources, we have managed to multiply greatly the complexity that we're trying to manage.
I love this slide. I've used it for a long time. I love it because the picture is just so freaking creepy. This is what happens when you build a presentation and then your marketing organization says, "We need to be the ones to put the pictures in." I actually was asked, "Would you like to take this picture out?" I said, "No, it's so creepy, it's just awesome."
But the reality that we're facing is that ... and the struggle that all of us, we're facing is that any analog, hopefully, if anybody has more than one personality in the analog, you can sort that out yourself. But in the analog, we have one personality. We may have multiple personas. I'm a career professional. I'm a dad. I'm on the school board. But my personality is consistent. Within the digital world, how many personalities do you have? Facebook accounts, other social media accounts, work account, VPN access, remote access, you name it.
Is any of it federated? I mean, if you're lucky, it may be federated through Facebook, and I use the term "lucky" a little bit loosely on that one. But there's no reconciliation of the digital and the analog self, which means that in the future, what you have access to is gonna become less and less important to the question of, "Are you who you say you are?" Because ultimately, if you are who you say you are and we can confirm that, then we can manage the rest of the access control space with monitoring, with orchestration, with workflows.
But if you aren't who you say you are, but you're using credentials that say you're somebody else, this is why outsiders no longer exist. Outsiders want in. Once they're in, they're no longer outsiders. Once they're in, do they operate like an outsider? Do they put themselves out there and flash up all this information that says, "Come find me"? No, they act like somebody that has been in that seat, doing that function, that whole time. And that's the stuff that we can see.
So to be successful, we need to know our insiders and we need to know them well. We've really become disconnected from our employee populations as companies. Whether it's remote work arrangements or global or ... So we don't know our employees well. We've abdicated a lot of that. We need to understand the universe of outsiders. The outsiders just aren't hackers. Many of you have been put at risk by partners and vendors and suppliers, either their lack of security controls or their bad screening or ... Those are all technically within that outsider realm.
In reality, we need to think about the fact that these people aren't outsiders and they never have been. They are in relationship with us. We need to start thinking about relationships. Not whether you are outside of this fantasy demarcation and you're not part of the inner crowd, but, "What is my relationship with you?" That relationship should dictate what is appropriate for you to access and not access, not an account. If you are a contractor, you should never, ever, ever have capability X within my company. Why? Because your relationship is contractor. Doesn't matter the job that you do. The relationship says that I'm not going to display highly confidential data to you. That's just an example of how we need to understand these relationships.
And why do they want to be insiders? They don't just want the financial transactions. PII data, PCI, source code, HR data, production schedules. My personal favorite, SSH keys. They want all of these things, because they're all the keys on that old perimeter-based thinking key ring that allow the unlocking of things that are extremely valuable and important to you. With that being said, I want to make sure that I turn things over to somebody that has been dealing with it.
Colin Anderson: Yeah. All right. Let's start our journey. I'm gonna take you back in time a little bit, and actually, unfortunately, not too far back in time. When I joined my current company, Levi Strauss, a little over two years ago, the good news is we didn't have a whole lot of security technology, not a lot of legacy technology. The bad news is also, we didn't have a whole lot of legacy technology. We were starting from a situation that was not ideal.
We had audit issues. Auditors were coming in and bayoneting the wounded. Every time I wanted to do something, I had to break out that checkbook, do custom integrations, just painful, painful. Our platform was stuck in the Dark Ages. We talk about these outsiders. We talk about the people that we open our doors to, to come in and help us. The reality is, every business today is leveraging partners, whether they be suppliers, whether they be contractors, whether they be partners. There's a huge mix of these identities that you have to manage. Each of them, you have a different relationship with, and you have to understand what that relationship is and, to the best of your ability, manage that relationship.
Then you have your business. What are their priorities? Are they looking to innovate and grow and take risks, and bring the security organization on that nice journey, where they're trying to figure it out as they go and they just expect us to be able to figure it out as well, fly by the seat of your pants? Sure, most of us have been in that situation, and unfortunately, it's not very ideal. No question about it.
Then you've got the challenges of an IT organization. You've got contractors, consultants coming in, talking with your business, telling you about how they can do it better, faster, cheaper. You have your business coming to you saying, "Hey, I just heard this great pitch from ..." name your big four, "saying they can do it better, faster, cheaper. Why can't you do that?"
When you have that pressure on an IT organization to grow, evolve, simplify the environment where you've got all this legacy technology. And you know from a budgeting perspective, everybody likes to focus on the shiny new thing. The whole care and feeding of your old environment to uplift systems, keep them current, that's boring. That's IT's problem. They'll go figure it out. Of course, you don't necessarily have the budget to do it, but they expect it to be figured out. It's not an ideal situation, and I imagine a lot of us in this room have had some of these experiences, have similar challenges in our background.
Let's move this forward a little bit. Okay, so how did we approach this? Net net is ... we needed to almost scrap what we had and try to take that leap forward. But identity is one of those things that it's like open heart surgery for your organization. It touches everything. It touches your ERP, your payments environments, your supply chain. It's not one of those things to be messed with lightly. It requires a lot of work, and requires a fair bit of time too to get it right.
But we needed some quick wins. We needed to get out of the gate and do it well, build some confidence that we knew what we were doing. Access is one of those quick wins. Honestly, Okta was a little bit of a slam dunk. Wasn't too difficult. Wasn't gonna be something that we couldn't necessarily roll back if we had to. And it was in users' faces every day. It was changing that user experience. All of a sudden, IT was making things easier. I got a nice kudo, good win for us. But it built that momentum, built that confidence that, "Hey, all right, we're moving in the right direction."
As I mentioned in the keynote, I'm a strong proponent of keeping it simple, removing friction, making security transparent if you can. I was really focused on low-friction solutions. I imagine you've all dealt with users that bring in their consumer technology. Put your thumbprint on your iPhone, and you just authenticate. You're in. It's easy access. Our employees want that type of experience in the enterprise environment, and it's not always easy to recreate. But again, we all tried to go for those low-friction solutions.
The reality is ... Aww, that's funny, how they cut off that T there, huh. I didn't even notice that. We're all gonna be in this hybrid state for many years to come. We're all moving to the Cloud at different speeds. We've got different drivers that are moving us in that direction. But the reality is, unless you're working for a company that was born in the Cloud, chances are you're somewhere in that journey, and you're in that hybrid state where you're moving at different speeds, moving different applications through the Cloud.
You're gonna have to manage identities both in a Cloud world and your legacy environment. You're gonna have to provision, deprovision, report on GRC, address your auditors, look at capabilities for protecting crown jewels, protect those identities in both the Cloud world and the enterprise world. There aren't a whole lot of solutions that do both of those things well, but that's the reality of the world we're living in.
Then you have to accept, if you're focused on that end user experience, you really want that, that's your goal. That's what's gonna really move the needle for you. If it's messy behind the curtain a little bit, you can live with that for a little while. If IT has to jump through a couple extra hoops -- maybe the workflow isn't ideal -- you can live with that if, in fact, your customers, out front of the curtain, it looks great, new, sexy, does what they need, it works. You can kinda clean that stuff up after the fact, and that's what we're doing right now. We're definitely on this journey. We've gotten several wins along the way, but by no means are we across the finish line yet.
Then while you're going on this journey, stuff's gonna happen. There are gonna be people that get into your environment that may not be behaving themselves, whether that be a very curious intern that wants to see where they can go in your world, whether that be an outsider with some malicious intentions, whether that be a contractor that's looking for his next opportunity. You're gonna have these people that you have allowed into your world, that maybe aren't playing by the rules that you've outlined for them.
I'm a huge proponent of UBA. That's one of the things that's helped me, along this journey, understand what normal is, helped me identify when I've got somebody doing something in the environment that they shouldn't necessarily be doing, and go deal with those situations. Because until I get to my end state, I'm gonna have different risks along the way that I still need to manage until I get to that end stage. Even by the time I get there, I'm sure the finish line is gonna change, and we're gonna keep going.
But in order to get there, you want to make sure that you're doing the best job you can. Make sure that you don't end up explaining to your board how somebody got in and what they took. Being able to monitor and have visibility to identities in your environment and how they're being used, I think it's really critical to that overall process. Like I mentioned, I'm a huge proponent of UBA.
Mid-term results here. As I mentioned, we're partway through the journey. The user experience is leaps and bounds better than it was two years ago. If anything, we've raised the bar in terms of expectations, and they want more things like Okta that are easy, that are intuitive, that make that business productivity actually better. They don't have to write down their passwords on sticky notes anymore because they don't have to manage 10 different credentials. They don't have to get really sneaky where they hide their sticky notes, because they know the security team is walking around looking for them. We're moving forward, and it's been generally a really good experience for everybody.
You heard Todd talk about how Okta's looking at identity as the cornerstone, the lynch pin, whatever term you want to use, but it is the foundation of a lot of what we do. With the perimeter not being what it used to be, the reality that whether it be IoT or TOI in your environment, the reality is, identity is the foundation that a lot of this is built in, and it's one thing that you really do control. You may not control the endpoint. You may not control the network. The application and data might be sitting with a third-party provider that you have to trust is doing the right thing. Really, the one thing that you can control and put a lot of strength behind is identity.
That is really one of the cornerstones of our program. We put a lot of energy into looking at how we want identity to function today and in the future. We have a lot of IoT devices coming into our environment, and how do we manage those identities? That's still something I'm trying to figure out, to tell you the truth. Because each IoT device that we've taken a look at has different levels of intelligence. Some are a little bit more easily managed, and some are just take what you get and do your best.
We're moving ... I would say, we're on the on-ramp to the express lane. We're certainly picking up some momentum, getting some quick wins under our belts, which is creating that flywheel effect, where success builds success builds success. It's become almost, we've raised the expectations. We're particularly concerned and focused about not stubbing our toes. We've done so many things well. One misstep, one screwup can set us back several steps. As we move onto that express lane, we are even more diligent in terms of what we're delivering to our end users. Behind the scenes, it's still messy. No doubt about it. But from our end users' perspective, they say, "Wow, this is what we've been waiting for. Thank you." We're definitely moving in the right direction.
The reason that that is so important is another thing that came up today, is we're all technology companies. Technology is the foundation for how we're growing, how we're innovating, how we're growing our business. It really is fueling every business out there. How you can leverage that technology, how you can embed security, make it transparent, make it simple, really goes a long way to the success of your company. As security professionals, you may not get that kudo, that pat on the back saying, "Hey, thank you. We wouldn't have been able to grow our sales X% in Europe without your help." But the reality is, you probably would've had a lot of extra costs and risks taking on that new business opportunity in Europe if you hadn't had security there to help you along the way.
Last but not least, good news. The auditors are moving on to the next victim. If anything, security has become a strong ally of the auditors because at the end of the day, we're both trying to manage risk. We might come at it from slightly different lenses. I still have those debates with my legal team all the time about managing risk. My goal is to manage it. Their goal is to eliminate it, and they think that's possible. I disagree. We have those healthy debates. But at the end of the day, the auditors are on to their next victim, which is good news for some of my guys that had to deal with them on a regular basis, and that's all I have to say.
Yeah. Take questions if you have any. Simple reminder, if you can use the mikes, that would be really helpful for everybody because I think we're recording this. But I'm seeing a lot of head nods. All right. Did this resonate, I hope? I mean, it's not earth-shattering. Nothing new that's very surprising. But at the end of the day, it's probably something that we're all dealing with. Different levels of success, different levels of maturity, but it's a pain we're all probably dealing with.
Richard Bird: Yeah, I hope that ... If I can grab that. I hope that there has been at least one nugget of value. I know it's always challenging when we come to conferences that we hear a bunch of information, and we don't necessarily hear solutions, or we don't necessarily hear things that spark thoughts for us on how to look at the problem statement differently. I am really, really thankful to have the opportunity to share the stage this morning, because it's really important to hear about successes and wins, and understand that it's an iterative process.
Which is the most important message to take back to senior leadership and the board. When they say, "Just buy me the one solution in the Gartner Magic Quadrant that will fix all my problems if you implement it," you can remind them that there is no such creature. Because it takes time. It takes effort. It takes steps. Most of us know this. It's not all technology. Matter of fact, we can make an argument that large parts of it aren't technology. They're process and people and methods.
That being said, the last thing I'll leave you with today is that, just a reminder that you need to look at the world as people that you're in relationship with and people that you're not yet in relationship with. For most of us, we're in companies we want to grow. So when we think about the idea of, "Well, we can't possibly be in relationship with everybody," well, take a look at a company like Facebook. They're in relationship with billions of people, and many of us are gonna be going that same way over the next several years. Think about the notion that you're just waiting to be in relationship, and try and figure out how to manage those relationships ahead of time.
Without true access control, every dollar that you spend on your security program is suboptimized. I love hearing companies talk about it. It is the core of our security program. When you do an identity-defined security model, everything else becomes easier. It really does. But if you try and back into identity, things become more challenging. Finally, access management and authentication is the new perimeter. Thank you so much for your time. If anybody has any questions afterwards, I believe we'll be around.
Colin Anderson: Yep.
Richard Bird: And I really, really appreciate your attendance.
In this age of organizations scrambling to finally include identity as the core of their security strategy, we still divide the world into a fictitious construct of "insiders" and "outsiders". Phishing has exposed the truth of what many already knew: an "outsider" does not truly exist once internal credentials have been breached. That "outsider" is now fully an "insider", and because our security frameworks are still highly oriented towards protecting the perimeter, monitoring and management of internal user credentials remains highly deficient in most companies. Instead of thinking about "insiders" and "outsiders", it is time to acknowledge that there are no more "outsiders". There are only actors that you are in relationship with and those you are not yet in relationship with. Learn how you can rethink the problem of identity and uncover new methods and approaches to protect your company by attending this session, led by the former global head of identity for JPMorgan Chase and current Executive Advisory consultant for Optiv, Richard Bird, and Colin Anderson, Global Chief Information Security Officer at Levi Strauss & Co.