How should organizations be thinking about identity and access management today?
In this episode, Plurilock™ CEO Ian L.Paterson talks with Andre Boysen, chief identity officer at SecureKey, about user complexity and risk, balancing security and customer experience, where workforce authentication lives, the business importance of identity security, and more.
|Ian L. Paterson
Ready to listen in? Click play below.
Ian: So, Andre, thank you very much for attending. Welcome to the show.
Andre: Ian, thanks so much for having me—I’m looking forward to our conversation today.
Ian: So how did you get started? What was your cybersecurity origin story?
Andre: Well, that’s a good question actually. So, my whole career has actually been in financial services and I didn’t really start in cybersecurity per se, it was more about doing service delivery innovation with banks and that’s going back to, you know, early days was Footprint and then after that was 7/24 Solutions that kind of journey continues today with what we’re doing at SecureKey. I guess the thing that’s interesting is, as I said, I really came at this from a service delivery point of view. And what I kind of saw as we were working through what we’re doing at SecureKey is that we were focused on doing NFC payments—so we were going to be really focused on making payments easier for consumers—and we didn’t get a long way down the track with that initiative—what we saw was there was a real opportunity to take the same technology, the same systems, same processes that we use in payment systems and apply it to identity and access. And that’s been like the key insight or innovation that we’ve been provided from a SecureKey point of view—is just making the digital identity story better by, rather than trying to invent something completely new, let’s use something that’s already understood and is well tested. We have 6 billion payment cards in circulation and it’s run quite well, and that’s in contrast to the way the internet works, which the way we access stuff changes every single day.
Users can’t get in any more on the cost of managing this way is just not scalable—so we have to do it differently.”—Andre
Ian: How does digital identity affect a CISOs job to secure data and systems?
Andre: Well, today we actually don’t have digital identity—and so it’s a huge problem. It’s every web service for itself! And so today, the problem for a CISO—your job is to keep the data safe. If there’s a breach or the data gets out, that’s your head that’s on the line. And so often you’re in tension or in conflict with the people who run the business and own the customer experience and your job as a CISO is to keep the data safe. We put a lot of rigor around what it means to access the services and to keep the data safe, but the consequences are real users have a hard time getting in too. When we have a breach after breach week after week, what we’re effectively doing as CISOs is say, “Right, we had six feet of security fencing last week, we’re going to have another three feet this week and next week all our users climb three feet higher and it continues on, so on, week after week, and it’s gotten unmanageable—users can’t get in any more on the cost of managing this way is just not scalable—so we have to do it differently. So what good digital identity is going to really improve the CISOs life dramatically, because when we have good digital identity, it’s going to actually reduce the attack surface and because of that, it’s also gonna make the customer experience better.
Good digital identity is going to really improve the CISOs life dramatically, because when we have good digital identity, it’s going to actually reduce the attack surface and because of that, it’s also gonna make the customer experience better.”—Andre
Ian: So ultimately the question is how does digital identity affect the CISOs job to secure data and systems?
Andre: So, when we have good digital identity, the customer experience is going to be much easier because as a consumer, I have something that makes it easy for me to get in—at the same time, the crook can’t get in because they don’t have my credentials in the form of the physical credential that I carry in the form of my phone as well as the password I like to use because it’s anchored on my phone. It can be simple now I don’t have to log the long, complex password anymore, so my user experience is better. And because I’m managing my credential better as a user, that actually reduces the attack surface and that actually makes your job as a CISO much better. And so the real inversion here that’s happening is because we don’t have a trust layer on the internet and it’s every web service for itself, what we found is that we have this thinking as a CISO, is that it’s an inside out.
Because we don’t have a trust layer on the internet and it’s every web service for itself, what we found is that we have this thinking as a CISO, is that it’s an inside out.”—Andre
Andre: “I’m the CISO. My job is to keep the data safe. I provision credentials to everybody and you have to get through the hoops to get into my service.” That’s how we think, and when we get good digital identity, the thinking changes to outside in, “what does our user have, that they possess and care about that we can use as a mechanism to make identity and access easier?” And that’s how credit cards work—I don’t as a merchant issue credit cards to every customer I have, I let them use the credit card they have already to reach me. And so that’s outside in and we want to do the same thing and identity too—what can we use the consumers already have, but I can trust to make accessing the service easier for them and more trustworthy for me is the CISO? And that’s the big change.
Ian: How do you think about that, that shift from inside out to outside in with regards to internal workforce authentication?
Andre: I think it’s interesting—so there’s a really important line that we’ve got to draw as a CISO between our employees and our customers. The relationship we have with those constituents is very different. The privacy thinking is different. As a consumer, you need to have very strong privacy. As an employee actually, we need to have a level of oversight because it’s our data and you’re acting on our behalf, so the nature of the relationship is different—so the privacy is different. The other thing that’s different is the power relationship.
Andre: If I give my credit card to my daughter because I want to send her across from the shop to buy something, that’s my choice. The bank may wag their finger at me, but in the end it’s my choice—they’re not going to fire me for doing that. If by contrast I give access to my daughter with my online credential at the office, however, that could be a firing offense and with good cause actually, because I made a promise that I would keep the credential for myself and not share it. So the power relationship is different. And so we’ve got to recognize that users are going to manage their credential like it makes the most sense for them.
And so we’ve got to recognize that users are going to manage their credential like it makes the most sense for them.”—Andre
Andre: What the net of all of that is—you can’t treat employees and customers the same way in terms of credential management—they’re very different. So you can’t use the same strategy for both as a point, but I do think in the end they’re going to come together. Today we issue user IDs and passwords for employees, and then we have a different strategy that we use for customers. But in the end, I think we’re going to see a gradient where we start using consumer identity to help onboard and manage credentials in the enterprise too.
Andre: When I first become an employee, at SecureKey, they want to know things about, my tax information and what my bank account information does and so on—and then as I become an employee, I get issued credentials. And the challenge is that if you’re a larger organization or if you have a lot of transitional or seasonal workers, the credential management thing to it gets to be a bit of a challenge. And so the password reset thing is like,”who’s got this thing? who’s managing it anyways?” It’s a challenge
You can’t treat employees and customers the same way in terms of credential management—they’re very different.”—Andre
Andre: And so when we have a consumer identity, we can use that identity to onboard the employee at the corporation—can actually become part of the lifecycle of the credential management inside the enterprise too, particularly as it relates to password resets, and eventually, you know, sometimes I need to have access to company resources beyond my employment. Perhaps. I’ve been a downsize, but I continue to have benefits or access to some internal resources. And so you don’t want to have a corporate credential necessarily, for that so the employee relationship becomes important too.
Ian: So, what does that best in class digital identity strategy look like? And how does that look today and how would you want that to look in the next three to five years sometime in the future?
Andre: Yeah, so the best in class I would say is just recognizing this transition that’s happening. The problem, as we’ve talked about already is there is no trust layer for the internet, but it’s emerging—we’re starting to see the trust layer emerge. And I would say, you know,—let’s just compare payment systems and the internet for a moment. With the credit cards game, you’ve got a, an important element that’s missing is you do have a trust layer. You have a trusted network operator to somebody who operates the payments team and what their job is to do—is connect all the issue inside the banks and the credit cards with all the merchants. And so that trust layer means that the attack surface is actually much easier to manage.
Andre: We don’t have to connect every single merchant to every single bank—there’s a trust layer in the middle. And so we need that same kind of thing for the internet. You know, as a crook, I can’t kind of pop up in the middle and say, “Hey, I’m a Crook—I take MasterCard, I take VISA.” You have to apply to get into the network. You have to behave well to stay in the network, and so when you contrast that with the internet, you don’t see the messages saying, “Don’t go to the local Tim Horton’s that got breached last week and they’re going to compromise your card if you go there.” We don’t see those types of messages, but that’s very different—on the internet every single week, some crazy website on the end of the internet I’ve never been to got breached, so I get messages saying I’ve got to change all 300 passwords in my life. Right? And so it’s just not scalable and users aren’t going to make all of those password changes anyways. They’re just going to say “huh, it’s too hard” and they don’t! And so what we have is latent risk propagation living inside our systems, because users can’t manage this level of complexity.
And so what we have is latent risk propagation living inside our systems, because users can’t manage this level of complexity.”—Andre
Ian: So it’s tricky. I mean, how do you then think about that trade-off? How do you juggle that trade-off and how do you help users with it? Because to your point—when, whenever I get the breach notification, I look at what the site is that’s been breached and then try and make a determination like, “Well, do they actually have anything important? Like, do I really need to go and reset that password?” But for the average consumer, how do you have that conversation with them?
Andre: So, the one big thing that’s missing in the internet, in terms of credential management, from my point of view, is this concept of user self-interest. So the challenge with the relationship between users and the services they access is there’s a power imbalance, right? The first time I go to a website, I don’t know if I’m coming back—it’s like a first date, right? And so the website on the other hand is very serious and they think I’m a prospective customer, so they’ve got a very intense kind of thinking about what’s about to happen. Whereas I’m very cavallier, because I’m not sure if I’m coming back.
So, the one big thing that’s missing in the internet, in terms of credential management, from my point of view, is this concept of user self-interest.”—Andre
Andre: And so, you know, when you look at that power dynamic. They’re making me make three promises that I know I’m not going to keep. First promise that I promise to make this password long and complex. Well, you know what? I’m going to make the password as short as I can, right? The second promise I promised to, I’ll change this password often—I’m going to change the password never actually, if I can get away with it. The third promise is I promised not to make this password the same as any other website I’ve ever been to. Well, I like you and everything, but I’ve got 300 websites, so I’m going to make some of them the same—that’s just the truth of it.
Andre: So no, there’s this power imbalance. So the way to solve this is to tap into user self-interest. So let me just give you an example that we have with the Government of Canada. The challenge the Government of Canada has is they’ve got to deliver services online to you and I as Canadians. The challenge is that when you and I go to the government website, we haven’t been there for a year. The challenges every single time would go every single time.—without fail—we’ve forgotten the password. And you know, the government can’t do what Amazon does—they can’t do an email password reset because that’s not secure enough. And so what happens is, they have to do something more rigorous. They send me a piece of mail to my house. My job is to type the thing into the internet two weeks later—so that’s where they were stuck. And so what’s interesting is it just, when you compare a bank account as a mechanism to access government, versus a government-issued user ID and password, the contrast is actually really interesting when I haven’t gotten into the government of Canada for an entire year, my conclusion is when I tried to get in that is that I forgot—and most of the time that’s the truth, I forgot. But in the small set of circumstances where a crook took over my account, I don’t tell anyone, because I think I forgot. So the fraud continues.
The problem is all of the ‘digital dust’ that I’ve left behind there is enough for the crooks to cobble together enough information to be able to breach me somewhere else where I do care. And so that’s the thing we need to fix.”—Andre
Andre: Contrast that with my bank account when I can’t get into my bank account, I know I didn’t forget—I was in there yesterday. More importantly, I’m on Defcon 5—we’ll sort it out. If I discovered right now, I couldn’t get into my bank account. That is user self-interest. Right? So the CISO doesn’t have to sit there and admonish me, I’m going to do it because I care about me—that’s self-interest. And so if we can build identity schemes where we can tap into things that users care about out of their own necessity—their own day-to-day life, we’ll get it to a very different place.
And credit cards are like that too. When I can’t find my credit card—same thing. I’m on DEFCON 5 and I run out and sort it right away. When I lose my loyalty card for whatever service I went to, I don’t care. Right? If somebody finds the loyalty card, “Good, they’re going to charge stuff up to my name and I’m going to get the points!” I don’t care about the loyalty card so there’s no self-interest there. And so too, with the password at the internet, the internet for the site I signed up to once and never went to again, they get breached—I don’t care and I’m not going to do anything. The problem is all of the “digital dust” that I’ve left behind there is enough for the crooks to cobble together enough information to be able to breach me somewhere else where I do care. And so that’s the thing we need to fix.
Ian: So, talking about building identity strategies that are more consumer-centric, that are incentivizing users to behave in their own self interest. How do you do that when there are over a million cybersecurity jobs that are currently left unfilled, out there in the industry? Like how, as a CSO and you’re thinking about implementing these strategies, how do you do so when you still haven’t been able to hire half your team?
Andre: Yeah, that’s a really good question. That’s a very tough answer, actually. The market demand for skill is so high right now, and having better wages, having a great workplace, and offering a life balance, are just table stakes—things to getting anyone to look at you as an employer.
Andre: Everyone wants meaningful work. That’s something that is interesting and has impact in a meaningful way is what you’re going to use to attract employees. It’s about showing the value of what your company does, offering a meaningful role for them to play and providing a path for growth—I think is going to be the thing that differentiates organizations in the future and is going to attract the best talent.
The user experience is the security and the more complex that you make that experience, the more attack surface you’re going to have to manage.”—Andre
Ian: So if you were thrust into a mid-sized financial institution as a CISO, what does that first 90 days look like for you?
Andre: Yeah, hard to answer it in a vacuum because every organization has its own individual challenges. But there are some broad comments I can make, which I think is really what you’re asking. So, some of them we’ve already talked about is just recognizing that there is a very different relationship you have with your employees than you do with your customers and even with your suppliers in your value chain. So don’t try and use a one size fits all kind of strategy.
Andre: And I do think, for sure in the consumer space, we want this outside-in approach when it comes to credential management, let users bring things that they have already have to the equation. I think we’re going to see more and more of that start to get used in the employee space too. In particular, inside our supply chains, we’re going to start seeing there’s a trust layer that we can take advantage of so that we don’t have to provision and manage everything ourselves. So I think that’s the second thing. The next thing is—I haven’t said this yet, but it’s consistent with all the comments that I’ve made—let’s say you need to recognize that the user experience is the security and the more complex that you make that experience, the more attack surface you’re going to have to manage.
Andre: So, our job is to make this as simple as we possibly can and hide complexity from the edges. The reason we have so many breaches today is we’re pushing security up to the edges and users don’t know what makes sense and what doesn’t. I’m going to give you a simple consumer example, but it applies to the employee space as well. None of the banks in Canada use SMS to send security messages to consumers on their phone because they don’t believe it’s safe. The challenge is lots of other web services do. Google does it, Amazon does it, Facebook does it. So when my dad gets a message on his phone that purports to be from his bank and says, www.tdbank.com-crook-rail.com my dad doesn’t know that’s not going to go to TD—it looks like TD to him. And so despite the fact that TD has very, very good security controls in place, my dad’s given the password to a crook because he didn’t know what was going on. That’s the problem with pushing security to the edges. Users don’t know what makes sense and what doesn’t. And so they get tricked out of their data.
That’s the problem with pushing security to the edges. Users don’t know what makes sense and what doesn’t. And so they get tricked out of their data.”—Andre
Ian: So that’s a great segue into my next question, which is what is the highest stress security incident that you’ve been involved with or maybe that you’ve heard from a colleague?
Andre: There’s lots of good things to pick on here—because every year there’s usually a major event, but one that still sticks out in my mind is the Heartbleed Breach. You know, it was the first real big security event where your security strategy had a “no clothes moment”. But the problem is there was an open source library that was in the news that had a latent bug in it that was present for quite some time. So the hard part is knowing how much data got leaked out. Because, of course we’re in saying, “Hey, we’ve got a leak here and we’re going to exploit it.” They didn’t say that—they took advantage of it as long as they could. So we found out way after the fact. And so that was one part of it, you know, that you could actually intercept and get the data.
Andre: What was worse in that breach, is if you know how to kick the server just right, it would cough up the encryption keys so you can have all the data in the future too. So this is terrifying! And so I guess, what’s important to remember is okay, well, we’ve got a value chain in terms of how our data gets out from our services to the user, and so the first thing is we’ve got to make sure we understand what the entire value chain is. But the second thing is, recognize not everybody uses the same stuff at every level in the chain—there’s a plurality of providers. So you make assumptions about it’s going to be this browser and maybe that TLS stack or whatever. But you know, every user’s just configured the machine in their own way. So these architecture diagrams that we use to manage our security attack service, bear little resemblance to the facts on the ground out there in the wild. And so just keeping that in mind is actually super important. Yeah. So that’s, you know, open-source actually has a very important role to play, but one of the challenges is that some elements of the open-source architecture gets more attention than others. And so when we have an area like here, TLS wasn’t that well traversed in terms of how many people were looking at it rigorously—we actually have challenges. And so it’s not the panacea or the silver bullet to solving our security challenges, you know? And so we just need to keep that in mind—it’s not a panacea.
Ian: What are you proud of but never have an excuse to talk about?
Andre: Laughs. What am I? Hmm, that’s a question. I think the thing I’m most proud of is what—we’ve seen at SecureKey—this idea of using payment system technology for identity and access. I do think that’s kind of a unique point of view that we brought from SecureKey. And it’s getting a lot of interest—people are starting to recognize this rather than trying to build it from the ground up that we need to kind of look at what’s worked already in the past. And the real difference, I guess, is that we continue to view identity access as a technology problem, and it really is a business problem, right? How do we make it simple enough for users to get in while also keeping the costs low and often having enough trust to continue to serve. And so applying payment system technology to identity and access is something that I think is going to take root and is going to be the thing that wins out in the end.
We continue to view identity access as a technology problem, and it really is a business problem, right?”—Andre
Andre: But it won’t be the only method. But I do think it’s got a lot of benefits because it’s been so well proven in payments. And that’s what the crooks are after in the end—money. So if it’s working for the money system and should work for identity and access and data too.
Ian: So maybe just as a wrap up question, where do you see the industry going and how do you think it’s going to change in the next year or two?
Andre: Yeah. So I think we’re seeing a lot of interesting experimentation going on around the world in terms of what’s happening in identity and access and what’s good about that is we’re going to learn what things are \the right way forward and other things are going to teach us what needs to be better. And so I think that’s kinda cool, but you know, maybe just closing in on this data breach thing. I kinda made the connection between data and money a second ago, but let me just kind of make it clearer now. The reason the crooks are, well, I guess we could ask the question, why are we having so many data breaches? And the answer is really simple actually. It’s because the crooks can make money from the data. So the question then is, well, “how do we stop the data breaches?” And the answer is, is to make the value of the data zero to the crooks. And so the way to do that is to make sure that having Ian’s data isn’t enough to be Ian on the internet—which is exactly where we are today. And so that’s the big push is we need to get to trusted data more than anything. And so, you know what I like to compare this to as card systems when I buy stuff, you know, in person with my credit card at the terminal, the risk at the terminal is almost zero. When I buy something on the internet? I’m just heading to my credit card number on a browser that’s called card not present. And the challenge is that that’s risky –the merchant doesn’t really know if it’s me. And so there can be a chargeback and that’s why there’s a higher risk fee attached to it.
In the end, it’s, what you have, what you know and what you are. And the problem is all the internet stuff today is just what, you know, stuff. It’s secrets.”—Andre
Andre: The interesting thing is that all identity today, whether in person or online, is all card not present. We have no way to test against the issuer of the things that are being asserted right now about Ian are true. Is the information by Ian true and is it Ian presenting the data? We have no way to test that. And so that’s where we need to get to is “card-present identity.” And when we can get to card-present identity, the data breach thing is going to go away because having your data won’t be enough to harm you.
Andre: We may be able to embarrass you, but the crooks aren’t into embarrassing—they want to make money. And so when we have card-present identity, they can’t make money from the data anymore—it’s going to change the story. And that’s the big push that we’re going for in digital identity today is to shut down the ability to replay attacks with identity data.
Ian: Isn’t the argument though that either traditional biometrics or or certainly our flavor of biometrics, which are more and more behavioral, get us closer to that idea of having some sort of attestation that we can prove that yes, Ian is actually Ian and here is my fingerprint, or Ian is Ian and here is my typing pattern. Doesn’t that get us closer?
Andre: It is bringing us closer. And so there is no single authentication method that does it all. And so what your company does is actually quite important. Continuous authentication maintains the trust that we established at the beginning of the transactions throughout the transaction. That’s really important but that’s not that alone—So that’s, you know, for the transaction, when you look at a life cycle, then we need to make sure the credential was managed well. You’ve got to make sure we’re doing continuous authentication to make sure that we haven’t changed users mid-transaction. But we also need to manage the recovery as well. And so the whole life cycle needs to be managed with all to have integrity. And so in the end, it’s, what you have, what you know and what you are. And the problem is all the internet stuff today is just what, you know, stuff. It’s secrets. And so we have all these data replay attacks happening in identity and elsewhere, and pure possession services won’t work either—bare tokens that you know are, are used without any other controls won’t work either. And I’d also say, I don’t think biometrics on the norm will work in there, you know, by themselves. We need them all together. And bringing this whole thing together is we’ve got to do this in a way that’s simple enough for users to be able to follow along.
Continuous authentication maintains the trust that we established at the beginning of the transactions throughout the transaction. That’s really important.”—Andre
Andre: What I like about what you guys do is that for the enterprise use cases it’s actually quite strong. It’s not in the user’s way. And so you’ve hidden the complexity away from the user. The user doesn’t need to be aware and be an active part in all of this—and I think that’s actually good. So we need to apply that same kind of thinking as it relates to the issuance of the credential. How do we get access? And then also most important in recovery, because recovery is usually where the attacks start. The crooks are very good at managing the recovery process, and that’s something that traditionally hasn’t been done very well for the horizontal internet.
Ian: Yeah, absolutely. Andre, this has been a slice. Where can people go to find out more about who you are and what you’re up to?
Andre: So, our service that we launched—this identity service with the banks is called verified.me. And so you can go to verified.me and you can learn lots there about how we do identity that works across the economy for consumers and business.
Andre: Do you want to find me? You can find me on LinkedIn and easily Andre Boyson and I’m on Twitter as @IDgorilla
Ian: @IDgorilla. Awesome. Andre, thank you so much.
Andre: Thanks Ian, I appreciate the talk. ■