Podcast: Zero Trust and the Evolving Role of Identity and Access Management

Listen to this podcast on iTunes, Soundcloud or wherever you find your favorite audio content.

Identity matters. As noted by Forbes, privileged credential abuse paves the way for 74 percent of corporate data breaches. On today’s SecurityIntelligence podcast, our trio of experts — IBM Security Editor-in-Chief Pam Cobb, IBM Security Strategy Associate David Moulton and IBM Competency Leader for Europe Bert Vanspauwen — dive headlong into the critical, complex and sometimes confusing world of identity and access management (IAM).

Role for Initiative: The Impact of Identity and Access Management

For Cobb, identity shares common ground with tabletop gaming: While players know their own character details, they have only limited access to the identities of others.

“You as another player don’t necessarily know all the points and elements of my identity,” Cobb says. “You don’t know that maybe I’m a level-nine mage, you just don’t know that.”

Moulton, meanwhile, compares online identities and HVAC systems: “They’re big, they’re important. People aren’t really paying attention but when they don’t work, everyone is really upset and they’re super expensive to replace.”

What You See and What You Get

According to Vanspauwen, the ideal IAM system is “well-hidden because it’s very transparent.” From the user’s perspective, visual interaction with IAM systems is minimal — perhaps once or twice a day. For many companies, this is a challenge: Vanspauwen has encountered IAM onboarding processes that take weeks or even months, in turn hampering productivity. When it comes to offboarding, meanwhile, organizations still struggle to ensure former employees don’t retain current access to collaboration tools and databases.

A Mage and an HVAC Technician Walk Into a Bar…

The ultimate goal for IAM is zero trust: Organizations use identity characteristics in isolation to confirm access. The caveat is that companies must be able to verify this data without compromising user privacy. Vanspauwen points to the example of a bar: Age is the single data point that matters. Using government-issued ID lets bartenders and waiters confirm a guest’s age without compromising other identity data.

What does this look like in practice? According to Vanspauwen, it depends on your IAM model. On-premises deployments provide maximum flexibility for capturing and verifying data, but companies are responsible for end-to-end oversight, while cloud deployments streamline the process but limit customization. For Vanspauwen, the “Holy Grail” of identity management is hybrid IAM, which provides a “service where we look at which patches do you need to deploy, which integrations actually make sense to do next, how do you continuously evolve your set up and your road map for your IAM platform.”

IAM isn’t a zero-sum game. Hybrid solutions and the evolving role of zero trust offer new ways to approach the critical role of enterprise user identity.

Episode Transcript

David: If you were asked to explain what role internet identities play in security, what analogy comes to mind?

Pam: For me it’s tabletop gaming. When I think about having a character card and there’s so many elements that go into that, and you as another player don’t necessarily know all the points and elements of my identity, you don’t know that maybe I’m a level nine mage, you just don’t know that. So I think about that all the time when I’m playing games with my kids and all the things that we reveal in different interactions. What about you?

David: I kind of think about these identities in these systems like HVACs, right? So heating and cooling. They’re big, they’re important. People aren’t really paying attention, but when they don’t work, everyone is really upset and when they don’t work, they’re super expensive to replace.

Pam: That is very true and having studied HVAC as part of my undergrad studies, they’re also a bit complex and can be hard to understand, too.

David: Absolutely. So those are two ways to think about identity, but we’ve just learned a third, one that focuses on a daily interaction

Pam: This is the Security Intelligence Podcast, where we discuss cybersecurity industry analysis, tips, and success stories to help organizations grow securely, prove compliance, and stop threats. I’m Pam Cobb, the editor-in-chief for IBM Security.

David: And I’m David Moulton, a part of our strategy team here at IBM Security. Part of what I do is help craft stories that matter and I’m excited to be a part of this larger conversation.

Pam: And I think we both came to this independently like, “Gosh, it would be fun to tell more of these stories.” That’s part of my day job here at IBM, but I think you and I, when we do get to work together, end up having a good time. So I hope that comes across in the podcast.

David: Absolutely. And I think stories are the best way to unpack what’s going on in our world whether explaining a complex topic or something that ends up being a threat, or even some of the wins that we’re seeing in security.

All right. Let’s get into it. We spoke with Bert Vanspauwen, who works with a team of experts across Europe to help clients address their I and AM issues. We discuss the business impact of identity and access management, the benefit of re-evaluating strategy around legacy identity programs, and where consumers heads are when it comes to data, privacy, and convenience. Here’s our conversation.

Bert: I’m Bert Vanspauwen and I run the European identity and access management business within IBM which means that I have a European team of identity and access management experts that help clients across Europe addressing their IAM issues.

It impacts the organization on multiple levels and I think that’s where you see that identity and access management. If it’s running well, it’s hard to see it. It’s well hidden because it’s very transparent. But if it doesn’t work well, it will show up everywhere because identity and access management is typically in the middle of most processes because everyone needs access to be able to do their work. So if it works it’s invisible, if it doesn’t work it’s extremely visible.

Pam: In the spirit of understanding the visibility for employees and businesses, how many times a day are people actually interacting with identity or access management systems?

Bert: I would say that there is a split or a different number depending on what you look at or what you look for. If you talk about the times that you visually interact with identity and access management for your business, that ideally is as little as possible. So you would authenticate to your work station and then maybe once more to single sign-on onto all the web applications that you use, and maybe once more during the day if you have a long period of inactivity. But ideally, that would be the only times where you visibly interact with your identity and access management system.

However, in the back, you would interact very frequently with your identity and access management system because every time that you open a new application or maybe even if you’re trying to run the transaction in a certain application, in the back, the application would go back and validate that you actually have the access rights to do the transaction or to execute transaction that you want to run. And that’s of course the ideal situation. You have a very limited number of times where it’s a visual interaction where the IAM actually asks you for information and then in the back, probably quite often because every time you were trying to do something, the system will want to validate that you have the rights to perform that.

Pam: So which do you think is the bigger challenge then for organizations: the frontend that the employee see or the backend seamless transactions that aren’t obvious?

Bert: It’s a combination because if you have an IAM system that is not functioning as it should, then you will have a lot of very visible interactions because every time you go to, for example, a different application, you will need to authenticate again, right, because the one application will not know that you were the same person as the person that just authenticated to maybe a different application. So you would have to authenticate throughout the day, over and again.

And in an ideal state, you’d take that the way and you add the single sign-on layer, meaning you… Well, the name says it all. So you sign on once and then for each and every application that you use, you would actually use the same sign-on that you already had, so the system or the layer on top would recognize that you’re the same person and would actually allow you to access the application without asking you again to validate.

And then as a step-up from that as you maybe use more sensitive applications, you could have a step-up authentication, which means that the system would come back and say, Well, I know who you are and I know that you already authenticated, but now you’re accessing sensitive data, for example. Can you actually provide me a second factor which can be like an SMS or an email, or right now, face ID, or something else to actually validate that it’s you, but at a higher level of confidence? Because it’s not just something you know, so your username and password. But it’s something you have, for example, or something you are. So biometrics or some other second factor.

David: Bert, when you think about this challenge that’s in front of businesses to take a legacy system, something that’s been homegrown and is a bit complex and migrate it, so that it is moving fast and doesn’t have a huge UX burden, where do people start?

Bert: There’s cloud applications and there’s also identity in the cloud which means that you have like, for example, SaaS providers, that allow you to move part of those IAM processes that you have on-premise so you don’t have to worry about all the layers underneath and keeping your solution up to date, and installing new versions, and all the challenges that we know on-premise IAM environments.

My view is that it will depend on the use cases. So if you talk about business to business, business to consumer, those are situations where IAM in the cloud can cover the complete spectrum or could cover the complete spectrum. But for enterprise, I see the requirements that organizations have are often too complex or are too bolt-in with on-premise applications to move everything to the cloud. And so, the challenge I see is actually to help clients or to help organizations identify the right balance between things that you do in the cloud, so the pure SaaS, things that you do in a single-tenant hosted model. I think the challenge that organizations face right now is to identify the right balance between those models, find the right balance, what do you do, where to, on the one hand, to optimize cost, but on the other hand also keep supporting the business processes which of course are key. That’s what it’s all about.

David: Are you seeing any patterns emerge on how customers, in particular industries or in regulated areas are divvying up the requirements?

Bert: Yes, I see differences between different industries. So, of course, regulations can identify or can force organizations to do specific things. For example, in a hosted model because it needs to stay within the borders of the country. For example, in Nordic countries, there are rules where a country needs to be able to shut its digital borders and their solutions, especially for critical infrastructure needs to keep on running. So that means that the model that you deploy is actually a different one than if you are on a B2B use case for a telco operator where cost and flexibility is extremely important and they would rather adapt to what the cloud solution can do to bring down price and bring up flexibility.

So, yes, there are big differences across different industries, but what we try to do is bring this together into what we call integration patterns. And that means that for specific circumstances that there is a typical way or there are typical patterns of which components you keep on-premise, or in a hosted model let’s say, inside the country or inside Europe as an example versus a full SaaS model. So, yes, there are differences, but they are more based on the driving factors for organizations than they are 100% related to the exact industry that organizations are in.

Pam: So Bert, why don’t you tell us a little bit about what it means to companies when they are at a crossroads and they need a little more strategic guidance than maybe they currently feel like they have in-house? And how important it is to engage the right partner to help with that sort of strategy development migration for identity solutions?

Bert: Yeah. That’s a really good question. I think it’s a crucial element because, well, a lot of organizations do, so it’s an ongoing operations which means that they are focused on keeping the ship afloat and keeping the solution that they have running. But as they do that and as they focus their resources on that to keep it running, they don’t look ahead. And that means that they are not following the business challenges. So they are working on keeping something afloat that’s not necessarily bringing them to where they wanna go and this is exactly the point where consulting, where strategy is extremely important.

But that means figuring out, working not just with the IAM practitioners and with the IAM team within the client but working also with the different stakeholders from a business side even, well, the CIO. If there is a digital transformation ongoing, working with those parts of the organization to hash out what’s actually the goal and what does your IAM system need to support. And we can do this in a number of ways.

One of the strategies that we often use is design thinking. There is a design thinking methodology that IBM has adopted to work from a user’s need on and translate from there into which was the actual problem that you need to solve, and work with different stakeholders not just with the I and AM technical team, how do you solve this, how do you make sure that something that sometimes the IAM team does not even see as a problem gets resolved. And often not in a deeply technical way, but look at what’s the real problem and solve for that. I think your strategy needs to be crisp and clear, so that it sets the point on the horizon and actually helps you make your first steps into evolving your IAM environment, your IAM landscape.

David: Bert, let’s go ahead and jump into the future six months. And it’s a little difficult to do this. But what’s gonna change? What’s gonna look a little different at that point in the future?

Bert: The set of functionalities that can be delivered from cloud applications, I think it’s something that’s continuously evolving. There are different elements, like artificial intelligence, which is being used for assisting people or assisting users in making sure that you only ask them the relevant questions. For example, for recertification campaigns. So you see a lot of different evolutions in technology coming together in IAM.

I think one of the other big challenges that we’re not or that organizations are not yet maybe seeing, or at least not addressing, is the whole identity and access management for the cloud. And with that, I mean, as you deploy cloud applications, as you spin up containers and virtual machines in cloud environments, it’s key that you manage or that you handle the identity and access management components of those cloud applications of the administrative layer of the cloud applications as well. And there are platforms that assist in the management of all of that, but they are usually quite light on identity and access management.

David: And while we’re on this topic of going out into the future, how far away are we from “zero trust” as a reality? Is it the next wave?

Bert: I’m not sure whether it’s the next wave, but I think it is an important concept. And I think as we try to get a grip of the identity for the internet of things, the zero trust model or the CARTA model, however you wanna call it is an important model. I must say that’s probably an IOT discussion this is very relevant, but for the typical IAM clients at the moment, their focus is more on getting to grips with digital transformation.

Pam: I find it so interesting as well that as a consumer, I feel like we’re almost approaching zero trust. So we have recently upgraded our home internet and our new provider gives us an app in which I can see and control everything that connects to our home router. And I assign it to a user and establish if it’s household, and if there needs to be access limits aka, bed time setup for the different devices that access it. And I feel like if we are bringing it to the people that surely we are working our way there, at least in terms of providing the awareness at the corporate level and getting to that zero trust model.

Bert: Yeah, I fully agree and I think for the home router, there was already on the technical level a lot that you could do, but I think you’re right. Right now, vendors and the makers of those products are also thinking of not just how to do it on the technical level, but how to disclose it in such a way that it’s available to the larger publicly. And I think functionality like this is becoming more and more important because you are getting concerned at what, for example, your kids do in the evening on the internet. So you do want to get that additional control. So I think more and more at least for a certain set of IOT products this is going to become, I hope a differentiating factor.

David: What should IT or transformation teams do now while they are hit with this message from the vendor and marketing world?

Bert: A lot of the focus in these digital transformations is looking at how can you offer more and more functionality to your users to make this functionality visible and easier to understand. But an important component below that is also how will you provide users with a transparent… Well, how do you handle the identity in those cases and then how do you handle the privacy in those cases. And then you are close to making the step to distributed identity. So where as an end user, you remain in control of your identity information and you share that in relevant processes. So turning the world around from a model where in each and every application or for each and every service that you consume, you basically hand over your whole identity into a model where you control your identity and you only give that part of your identity that is needed for them to provide the service to you.

And the typical example that they give them, this is if you go into a bar which is of course, not a digital process or…usually not. But if you go into a bar, you basically need to validate or show to the bar keepers that you’re above 21 if you’re in the States at least, and that’s the only validation that you need to give or that’s the only part of your identity that you need to confirm to the bar keeper. He does not need to know where you live, where you work, where you study. He does not need to know any of your background. The only point that he needs to validate is the fact that you’re 21 or older, and this is exactly the same problem that we’re trying to solve in… Well, if you think about digital transformation and that distributed identity, it’s how can you as an identity stay in control of your data and only share the relevant pieces with the different service providers that you interact with.

And it’s a very interesting problem. And the thinking about this is rapidly evolving. But this is I think, again, the consideration of something that is coming up and where the industry is thinking about how they will address it. But if you go to this digital transformation, if you set this up, if you define that your dot on the horizon, again it’s something important to consider and to be aware that probably some point in the next couple of years that your users are not going to want to give their complete identity anymore, but only the relevant aspect. So how do you incorporate this into your strategy.

David: Absolutely. It does seem that more and more information keeps leaking, and I’d like to have more control. I can’t imagine I’m the only one. So I’ll look forward to that wave in the future. Bert, can you take on just a moment and talk to us about some of the consequences, you know, for businesses when they have a weak or a failed identity program?

Bert: Sure. So I think it has multiple aspects, multiple impact. So one is of course the business impact. If it takes you more than, say, a couple of hours to on board an identity, so that creates a security challenge, but it will also create, let’s say, disgruntled employees. For every time, for example, you need to log in to a new application, people will get annoyed with that process very quickly and will find different ways of getting to the same result and whether means using different applications, cloud-based applications where they don’t need to authenticate anymore or not so often or, yeah, finding, well, a different way of working or, well, if password resets take a lot of time, that’s often a very hidden cost in your organization because people spend time on it. So they are not productive. So I think that’s the first piece in the challenge for IAM.

The second one is more from a risk audit perspective. So if you don’t have adequate processes, that means that people probably have way too much access in your environment and potentially, if they leave the organization, their access right remains open. And before, this was, let’s say, a shielded environment because your border was…the border of your organization, the physical doors of your organization were the first check point. But now that everything is in the cloud, that means that if you leave people active on the cloud application that they are able to login from anywhere. So the risk has augmented exponentially, I think, with all the cloud application. Then if you don’t have your IAM figured out in the correct way, you open up yourself to a significant risk.

Pam: So Bert, let’s go back to that bar analogy real quick. In a zero trust world, would the bartender then have to validate the ID, specifically the age, every time the purchaser went back to get another drink or a refill, or do they even have to show it again to re-enter from the restroom, or if they went outside to take a phone call? Like, what does that look like in this analogy?

Bert: There are different models of how you use this distributed identity. So there are cases where similar to, for example, a driver license or an identity card where you would get a credential or a validation as you have from the DMV where you get something that you can show and probably every time either… Well, if you have a single sign-on domain or if you have that recurring trust, what they call pseudonymity, so they don’t know necessarily who you are, but they know that it’s you. And so, it would depend whether you set up that model or where every time that you would, I go back to the bar where you would do the same claim. So you would show the same credential and the bar keeper would validate that again, which I think in most cases would be necessary unless you start again, to have that pseudonymity of a cookie or whatever where he can actually trace you back to the person that he has seen before.

Pam: Yeah. You could extrapolate the analogy even further. Let’s say that shift change happened and now you have a new waitress who was not familiar with you. Now, they have to recheck because the system that you’re interacting with is different. So I think there’s a lot of fun ways that we can take this analogy.

Thanks, Bert. It’s been so great to talk to you today. We really appreciate your insights.

Bert: Thank you. It was nice to be on.

David: Next time we’ll do it in Belgium.

Pam: In a bar.

Bert: Yeah, perfect.

Pam: So David, I really love that bartender metaphor and I feel like I could go super deep on that, maybe drawing on some experience from college or I would hope so more recently. But, you know, as we reach a certain age, we, A, stop going to bars and B, stop being asked for our IDs. So what did you think about that? Did you feel like it was appropriate? Was it shocking or did it make you think of identity in a new way?

David: Oh, absolutely. And I’m with you. I don’t get carded anymore. I do find it fun when I still do, but I think that the metaphor, the analogy that Bert set up is really useful for putting a real world aspect to it. And you can start to build that out and see where the digital world and the physical world break down. It starts to show how important and how often, you have to prove who you are. And those are complex questions, you know, what type of information can you share that helps give context to who you are versus what type of information do you want to keep private, whether that’s in a online login, going in and talking to an adviser at a bank or getting your medical information—or just talking to a bartender.

It’s something that we’re all grappling with, how much privacy do you wanna maintain and how much information can you share. And then you think about the IT costs or the business costs of identifying and verifying the information every single time. And at first it seems daunting, but I think that where it goes is the level of trust that a customer ends up having starts to grow when they see that a company is doing the right thing or going after the right information, just the information that they need in that moment. It protects the customer and it protects the business.

Pam: And I think we’re seeing regulations catch up to that as well whether it’s the California Consumer Privacy Act or GDPR in Europe. You know, we’re starting to see government recognize and enforce that as well, of like, you don’t need to know everyone’s personal identification number or government issued identification number to do a simple transaction. So I think we’re going to continue to see that evolve.

David: You’re right, Pam. Regulation to me seems like a reaction from public demand and what we’re seeing in some of the bigger laws out of California, out of Europe, and in some other places is that reaction. I think that the temperature of consumers has changed and what their expectations for companies has changed. Going forward, businesses that are privacy-minded and thoughtful are going to have the loyalty of customers. And those that are careless and/or not privacy minded, I believe will suffer for that.

Pam: Absolutely. And since you mentioned temperature, I think it’s time for us to talk about the current temperature out in the cybersecurity landscape.

David: Oh, boy. Yes. We’ve been taking a look at some of the top articles from the security space, from the media and running those through a tone analyzer here at IBM. The IBM tone analyzer gives you a way of scoring, you know, is this an analytical article, is this something that’s filled with joy.

David: So as we’ve taken a look at the top articles in security this week, one of the things that we’re noticing is that the tone is tentative and filled with sadness. And what we’d like to do is see things that are more joyful or confident. Analytical is fine, but where’s the passion? As we came out of RSA, we noticed a bit of a shift there.

Pam: Yeah, they definitely put a stake in the ground when they picked a theme for the event. And for those that aren’t familiar or didn’t attend, the theme for this year for North America RSA was “Better.” And so it’s being better, doing better, and I think it’s really a reflection on our position. And honestly, things are scary enough out there. Like, we don’t need to lean in to those things. We need to be optimistic and look for our strengths and see where we can come together as an industry, and I think we’ve seen some of that at RSA. What did you notice while you were there?

David: I saw some of that, too. Certainly there’s those that are going to lean into fear and those types of things, but generally what I saw was a lot of businesses – a lot of our partners – coming out with a point of view, how to solve customers’ problems, and how to move to a point where we use data and our insights, our cleverness as humans, to push back against some of the problems that we’re facing, and a level of optimism that it’s possible. Listening to Mary talk and her keynote, you know listening to other keynotes and some of the other speakers, you did get a sense that maybe we’ve turned a corner. This is the second year in a row that I’ve seen that upbeat kind of feel at RSA and it was encouraging.

Pam: Yeah, that’s great to see and I hope it continues. I know sometimes we take a little dip when we go through cyber security conferences, particularly when we get to Black Hat and all of the scary things come out, but I think RSA was a good starting point for the year, to kind of establish that more optimistic viewpoint for the year.

David: Yeah, absolutely.

Pam: That about does it for this episode. Our thanks to Bert for joining us as a guest.

David: Listen and subscribe to the Security Intelligence Podcast on iTunes, Spotify, Soundcloud, Google Podcasts or Stitcher. For more security stories, visit SecurityIntelligence.com or follow IBM Security on Twitter and LinkedIn. Thanks for listening.

Contributor'photo

Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...