Hello, I'm Steve Tout, VeriClouds, a company here in Seattle, Washington. So it's great to have the conference here instead of meeting Germany and all, although it's nice to go to Munich and, and spend a few days.
So I really liked this idea that I'm hearing all day yesterday about balance and striking a balance. And for me, that definitely rings true after spending 15 years in the identity and access management space from working in telco to financial services and high tech, doing everything from implementing, supporting, maintaining systems.
I decided that it was time to pretty much hit the eject button on my career and really to find because I knew there was more in me. I knew I needed to be able to contribute more to the industry and be able to do more, to improve the overall effectiveness and the security and the scale of the identity and access management systems. Not that I wasn't challenged in, in the various roles that I had been in, but I just knew that more needed to be done.
And so it's not really exactly a, a good career move if you like having healthcare or vacations, extended vacations, or having peace and, and calm, you know, at home with your, with your household CEO, you know, who likes to have a regular income and a, a daughter who, who, you know, thinks that have a real job, but nonetheless, it was a jump that I had to make.
And, you know, as they say, I sleep like a baby: every two hours, I wake up and cry myself to sleep.
So after some time, you know, I, I discovered, you know, some new technologies that are, you know, still nascent to the marketplace today. This is the fine line, the rope that, that I have to walk because of the, the, the journey and, and the career choices that I've made. I'd be happy to discuss the entrepreneurial journey with any of you be kept me afterwards. But when I look up at that, I see my former colleagues. I see everyone in this room walking that same balance, that same type of, you know, I, it is hard not to mention all of the data breaches that are happening and occurring today.
When you look at 2016 alone, there are over a billion compromised credentials. When you look at the first half of 2017, it's, there's some research that indicates that there are already 6 billion credentials compromised, and maybe that's because we have better tools and better insights that we see more compromised credentials, or maybe it's just the fact that there are more compromised credentials, but either way you look at it as identity professionals and security professionals working inside of, you know, I'm seeing some of the largest organizations in here.
This is a balance between user experience, you know, privacy by design and enabling the customer in order to be successful with enabling the business and having a successful business venture. Right.
So, you know, I, the other thing I, you know, I was just mentioning in keying in on yesterday was, you know, they, they talk about success is never final and failure is rarely fatal. And when I think about that logic as applied to data breaches and organizations, I tend to, I tend to agree with that. But then on the flip side, I tend to think about that.
You know, I think our, you know, our corporations and our democracy and, and a lot of things that are at stake that are really just suffering death by a thousand data breaches is just gonna continue and continue. So this is, this is the balance really that we have to live with every single day that we have to strike.
And as professionals, it's not as much about technology as it is balancing, as I, you know, I've heard, and everybody knows you have people, processes and technology. So it being a consumer conference.
And, you know, I just, you just talked about this consumer journey. So I had to start here. If I were to spend more time talking about this customer journey, my presentation would sound a lot more like Jason's, but that's really just my starting point. And then I'm just gonna fast forward through to the dimension of risk. It's the title of my talk is risk-aware IAM.
But as a point of context, what I'm gonna be talking about through the rest of the presentation, you know, just sharing some of my experiences and how they've evolved from, you know, just implementing basic identity and access management capabilities.
One of the last projects that I worked on for one of my former employers before, you know, diving into the entrepreneurial world, was working with the office of the CTO, and working in a cross-functional group to look at what does it mean to have identity span across the whole entire organization of a 6 billion company with multiple business units, all claiming to have some aspect and ownership of the customer's identity.
And then how do you measure and assess the impact of the user experience as that user goes through the, the, the buyer's journey, if you will, the life cycle from, you know, just getting to know you, I really like this idea of progressive identity and the, the, the way that the experience and the technologies evolve and graduate over time to provide better user experiences. But there are also questions that you need to be asking right about how the technology impacts users and their lives, the, the balance of user experience and privacy.
But then when I start, you know, flipping through the pages of history and I in the identity and access management world, we really looked at business driven identity and access management marketing has really keyed in on this idea of intelligent identity and access. And that's bringing additional attributes to, to, to bear in the context during the users' journey, right? Enabling better user experiences by integrating your identity and your access and auto provisioning capabilities directly into your, your marketing applications and CRM systems.
But as you know, data breaches continued, increasing information becomes more at risk and intellectual property being stolen. There's, there's more to think about than just providing excellent user experiences, right? And so some of the shortcomings, although not technological things, right, is that traditionally identity and access management has been focused within the perimeter that goes, without saying that static protection for access based policies have really been the norm.
And I think continue to be so for the majority of organizations today within their environment, meaning there's not really a, a direct line of sight into the risks that are associated with a user accessing any given information at any given time. And so just for example, for most organizations, it's a transformation to be able to distinguish a real user from a potential hacker without embracing and integrating advanced security capabilities, driven into your access authentication layer authorization.
Typically what we've seen is that identity access management systems have been separated and isolated from SOC and GRC systems. So there's a disconnect there that oftentimes, you know, really allows identity access management to continue as an enabler of the business, but disassociated from legacy systems and applications, we just see how, you know, perhaps outdated TLS or an unpatched Apache server led to the breach of one of the largest data breaches. Now in the last week in history.
So companies that are battling not because they don't have access to great identity and access management technologies, but simply the disciplines and the people tend to leave a lot more to be desired, and then too many silos, no visibility into external threats.
And so, as we fast forward into today, what I would consider modern identity and access management is this idea that the companies that have been forward thinking to implement contextual authentication or to enable user behavior analytics can integrate with services that are coming from the likes of cloud access security brokers, and, you know, the contextual authentication in layering in the threat intelligence, into their author authorization and looking at risk scoring as a, as a user navigates through the corporate network or over SaaS applications.
It wasn't too long ago.
It seems like, you know, one or two months ago, now that, you know, we used to think that, you know, identity providers and SaaS companies were more secure than on premise applications. Who believes that? I, I do for the most part, I, I happen to believe that, but, you know, I think it just occurred. And I think there's gonna be more of these where OneLogin had a data breach. And I think it shattered the romantic idea that we have that cloud identity providers and SaaS applications are more secure than on premise.
And as I was speaking with one of the CEOs of another cloud identity provider in, in the wake of this data breach, was really simple. It really came down to this. The thinking was how we don't want to be a part of the massive data breach.
And I think this represents a lot of the thinking because a lot of companies now are moving their workload and their applications into, into the cloud. Right. So rightfully we were thinking about these things, we want to make sure that our information, that our identity providers are as secure as they should be, or as they could be.
And what does that look like? And companies are rightfully beginning to prioritize their spend and their limited budgets around making sure that their infrastructure, that their data is secured. And interestingly enough, if you look at the frequency of data breaches that are now coming up on us, they're actually outpacing the spend that companies are allocating for cybersecurity.
So, you know, what, what are, what can companies do to be able to accomplish more in the area of data privacy and cloud security while not being able to double or triple their spend on cybersecurity. And so I pose that, that the thinking the mind shifts that needs to occur is that risk-aware IAM is the new black.
We need to be thinking that risk should be pervasive and integrated into all of your identity and access management systems that we have, you know, going back to the customer journey slide, right from, you know, the, the day one, when users begin interacting with your systems and through the entire life cycle of the customer throughout the customer journey.
So looking what, you know, what does that mean?
You know, we've already heard a lot of great things of what that looks like. Certainly none of you in this room have, have like this, right. Everybody already has contextual authentication. Everybody's already using user behavior analytics. Everybody in this room is already using SIEMs, pulling logs into your Splunk and doing run analytics on those to have a holistic view of user activity across the cloud and on-prem. Right. But a lot was that in our dreams. Yeah.
You know, even though I, I consider most of us, you know, professionals, expert style leaders, there's still a lot of work to, to be done. And when you go and look at the average company in corporate America or how companies are scrambling to become better prepared for GDPR. There's a lot of gaps. There's a lot of distance that's gonna need to be traveled before we can get to a place where we have systems and processes that are oriented around.
I really know who this user is really be allowing this user to access this system.
And so there's a lot to be said for being able to apply the contextual authentication and a lot of the modern capabilities, but oftentimes the risk scoring engines, the user behavior analytics, even within IDPs are not on by default. Those are things that you have to go and enable after the fact after your company has made this migration into a cloud identity provider, a SaaS service. And then there are just literally hundreds of applications and, and sensitive data that still on-prem that makes the management and the integration of all of these capabilities, somewhat of a burden.
And then going after and addressing the biggest cause of modern data breaches, which is the weak or stolen credentials. And we've all heard the Verizon data breach report that talks about 81% now of data breaches that are being caused confirmed by the weak or stolen password.
And given the company, you know, that I run and the conversations that I have around what we do these conversations tend to, to be interesting to say the least, but they can go on for 10 to 30 minutes at times, but really it's quite simple.
Being able to prevent stolen credentials from being used during login, getting access to the stolen credentials that hackers use and are using and weaponizing against your, your companies and your customers and your data, and using that to protect your infrastructure and to protect your data, being able to automate the response and the remediation when you have access to the compromised credentials and use that as one indicator of threat during login or during password reset.
Now the NIST guidelines that were recently updated keyed into this, and they are talking about being able to check against a database of leaked credentials during login. And so that's gonna be important for private, for public sector companies that are looking to be aligned to the NIST Special Publication 800-63B, but for security minded companies, they're already thinking about this as well.
This is another story, and I'm not joking during, you know, just a couple months back at another conference.
I was talking to the CEO of one of the popular integrators, the identity and access management, I guess, integration companies. And he was sharing with me that, you know, how he, you know, his belief was that all of this other, you know, fluff and technology around surrounding identity and access management, I get, you know, machine learning AI. There's a lot of things that have still, you know, yet to be proven and there's a lot of work to be done, but he came out and told me that all he did was enable two factor authentication and called it a day.
And, and he felt secure and I'm sure that he felt secure and that he has a reasonable level of prudence and due diligence to make sure that he enabled it on everything.
But then, you know, I think about my mom, I think about the average internet user and the challenges and complexities of just how two factor authentication doesn't seem natural at times.
So, you know, I would also say that, you know, there, there are companies that are into marketing, you know, and I know of a, I know these companies two factor and multifactor authentication is not modern identity and access management. No, no matter how many times you say it, or how many press releases that you give, or how much time you allocate for marketing to send that message out. Right. So what would it look like to be able to use compromised credentials? And what I we'll look at here during login is that being able to leverage that it has to be integrated as a service.
You know what this slide isn't saying is that we're not bringing a data feed to you, which is what, you know, one of a popular source of leaked credentials does and is now offering for free. And, oh, by the way, it's leaking PII at the same time. That's really smart. But what this is telling you is that having visibility into compromised credentials is a real capability today.
And we're, and we're making it as easy and simple as possible by making it service solution. We're not going and waiting for it to be blessed by trust framework.
I liked the comment earlier by Phil about trust frameworks are complex. So they're, they're not as popular, right? But if you give a developer a service, a REST API, things tend to get done rather quickly, we getting close. Okay.
You,
My timer was on. I think I had one more minute, but if I can, you know, I'll get to the, you know, getting, getting to this. We just announced today, my cloud stuff on my Dr. Cloud stuff gives you visibility into such compromised credentials for yourself or your organization.
So really, you know, just in summary, you know, getting there is integrating and uniting all these platforms into your environment, whether it be user behavior, analytics, contextual authentication, credential verification services, are all going to go provide a better risk awareness for your identity and access management systems, avoiding silo thinking. And then, you know, just in summary, like what I was saying, it's not, it's not as simple as just turning on multifactor authentication and that's about it.
Thank you. Thank you very much.
When hear me, one of the issues I've seen is actually, I must now be honest. I have had all those parts you mentioned for the, the issue though, with all those, I need a hundred of angry people and just you can't, this is why I'm so interested in having service a huge person corporation, because you can't train people fast enough. I was train always. Yeah. I could buy everything. Yeah. But I could trained
You're right. It's it's not about buying the technology. It's about planning quarter by quarter and making progress and getting these people to move up automating, and then, you know, embracing new capabilities that, that are gonna be enabled by default. Right. And that are automated.
For instance, I even have, I think in this department for this area, I had, there were people in there who also always thought that the second thing was gonna help them. I just move, explain this a hundred times. It's moving these. People's also very, very, although they're all smart and they all have PhDs and that stuff, but they can't move that's questions.