Eric Newcomer, Chief Technology Officer at WSO2 is to deliver a presentation entitled The Rise of the Developer in IAM on Monday, September 13 starting at 6:40 pm at EIC 2021.
To give you sneak preview of what to expect, we asked Eric some questions about his planned presentation.
What significant identity projects have you been involved in?
Well, long time ago, I did an application for Salomon Ski for their warehouse subsidiaries around the world. And for that application - because there was no solution - I had to create my own identity management service. So, I got to know quite well what it takes to do that. And I would never do it again, of course, now that there are such good offerings on the market, I would just buy them. It is much more efficient to have a single solution across a company than have each application person develop their own. But it gave me a great insight into exactly what's needed, what's there, what you have to do, how hard it is to maintain administratively, the overheads, and this kind of thing. So, I had that basic experience of having coded one of these things a long time ago. Then when I joined Citi, about 10 years ago now, we had a very strong identity management function there, which had to do more with identity cards and payment cards than anything else.
But we did go into a sponsored partnership with Microsoft, where we worked with Kim Cameron, who is well known in the industry for his identity thought leadership. And we were working on things around how to decorate or enhance the social login credentials from Facebook and Google and things like that to make them strong enough for banking, which was, I thought a very interesting approach to things. And on top of that, at Citi we had done identity cards for the Department of Defense. This was one of our big contracts, and we were trying to think how could we enhance those cards to have payment information, which gets you into a whole other level of identity management, again, strong enough for banking. And then there was another aspect to this [that] we tried to morph that into, which was for the payments systems [for] social security in Italy to get a proof of life identity. It's another interesting challenge in that area, [we] worked with Microsoft on it a bit. Unfortunately, none of these things ever really came to fruition, but it was a great time, a great background, great education for me on identity management, a great chance to work with one of the leading figures in the field as well.
And, last but not least, I should just add my recent role at Citi. [My] most recent role was head of security, architecture and strategy for the consumer bank. And there, I got involved in the Google project where we were federating the identity of Google users with Citi users in order to enable this Google Pay application to do banking services. And that was very interesting, not the least of which was the culture difference between what it means to have an identity in the Google world and what it means to have an identity in the banking world, but we did manage to smush those together, and that project should be coming to fruition sometime this year.
When you say “everything is code” what do you mean by that?
Yes, it's a kind of a catchphrase, I guess you might say, but if you look at the world and you see code becoming greater and greater part of our lives with all these smart devices and smartphones and smart homes and smart cities and cars. You know, Tesla basically reinvented the car as a mobile computer on wheels that happens to be drivable. And you have the internet of things, you have Alexa in your home, you have all of these devices at the edge, you know, the Xbox game statistics doing an amazing job of adding computing at the network edge. So, computers and code is just becoming everywhere and becoming a part of our daily life. So for everything is code, I think in the case of security, it becomes also a mentality, or a kind of a culture change, where we start thinking about how can we do as much in code as possible, since the world is moving to code, and we'll need to have a security code as part of all of these devices and all of these smart things. They need to be secure, perhaps more than ever, because of the proliferation of them and perhaps [because] of the lack of attention on security aspects in the early days of creating these devices and their APIs, and so on.
In what sense is identity management becoming code, and how is that useful?
I think two main aspects here. One of them is the cloud influence. When you bring an application to the cloud - to Amazon, GCP [Google Cloud Platform], Azure - you don't have an operations department anymore to stand up your infrastructure. [You] use APIs, and this is becoming [a] more and more popular trend because it's also very efficient and creates an ability to automate deployments and automate the provisioning of infrastructure that otherwise we would have had to do manually or ask somebody to do and put in a ticket to change something or so on. So, there's this whole aspect of how can we automate the whole provisioning, management, [and] administration process that's kind of going on, not only in the cloud, but also moving to on-prem as applications become more and more automated, security testing becomes more and more automated, [and] standing up of infrastructure and management of infrastructure becomes more and more automated.
So, you've got that aspect, and you want to make sure security is a key part of that and works well with all of those trends because security needs to be baked in, right from the beginning, in any of these efforts of moving apps to the cloud, or creating digital solutions, or creating IoT solutions - all of these things. As much as those things are being automated, security needs to be automated as well and the infrastructure and the administration of it. And the other aspect is on the coding part, the code that you need to implement security policies and processes also needs to be made available as external libraries that developers can download and integrate into their projects as seamlessly as possible because a lot of developers don't have a lot of security skills and have trouble, of course, keeping up with all the rapid advancement in the security area where things are evolving almost daily between, you know, new techniques for authentication and authorization, new attack surfaces, new ways to protect APIs, [and] new attacks on APIs.
It's very hard for developers to keep up with all of that, and still deliver the business functionality they are meant to deliver. And this creates in some cases, and we saw this at Citi fairly clearly when I was running the security architecture team, that developers sometimes would not want to pay much attention to security until it was too late. It’s a very common thing, and we we'd have to review projects and say, no, you haven't done your encryption correctly. You don't have your authentication done to Citi standards. You cannot go to production. And they would get very angry with us, of course, because they want to please their business sponsors, go to production, meet their deadlines. We just wanted them to think about security from the beginning so we wouldn't end up in this kind of position. And some of the people would, but having the security libraries and security capabilities available as code makes it easier, and helps break down some of these traditional barriers between the security teams and the application development teams.
So that you can say to them, here, just take these pre-built libraries, these policy definitions, and implement the company standards. Please include them in your development process as early as possible. Make sure you have the automated testing so you can test those APIs for the correct authentication, authorization capabilities and policies, check all the vulnerabilities, put in the code scanning, put in the container scanning - everything in the pipeline. So, there's this whole process of getting into the coding process, the modern coding automation processes with pre-built security code, security tools, and getting that “shifting left” is one of the terms for it - as much as possible. And to help do that, we want to provide as much of the security capabilities and policies in code as possible.
How can organizations ensure that IAM code is wherever it is needed, when its needed, and that it is automated like any other code?
Well, as I was previously saying, the “security as code” trend, provides a lot of code that's available in library form for handling things such as identity access management, and that in particular, is a specialization of the security as code trend, where it’s becoming more available from different vendors, from industry sources, from open source libraries - that a lot of the code that you need to include in your applications, mobile apps, web apps, internet of things apps, is available as a downloadable library. So, what you want to do is make sure when you're doing your development, that you identify the library specific to identity access management functionality, and for policies, that you need to include in your code chain as you're building it out and as you're testing it. Another important aspect of this, is to make sure you have automated tests, especially for the identity of APIs, for example, which can be a real vulnerability.
When you publish APIs, you need to have a strong identity, and that needs to be tested as well as part of the identity access management as code capability.
What can attendees of EIC expect in your presentation?
I'm really looking forward to EIC and to talk. I'll talk about the topics we mentioned today, and go into more detail about how exactly it can be done so that we can improve time to market, which is a critical thing. Sometimes you have this problem where security is not baked in, and you can't really put it in very well at the end. How do we avoid that problem? How can we shift left? How can we include the code in our pipelines? How can we ensure we have the right levels of testing? In other words, it's kind of the bits and bytes of the mechanics of doing this kind of thing, as well as just covering the concepts in a bit more detail.
What does it mean to think about security as code, in particular for the IAM space? And so we've got the conceptual, how do you think about it? How do you do it? And then with a particular focus on being productive and getting that code to market with as few hurdles as possible, avoid those security guys saying no, get the time to market productivity for those APIs and for those digital transformation projects, as smooth as possible, while relying as much on security as code, IAM as code, as possible. Why [to]do it and how to do it.