Valuable resource we have, and yours is precious. And I thank you for sharing it with me. This is a story in two parts, and it starts by thinking about the platform on which we rest all of our IT projects. So we hear an awful lot about security and privacy and the tension between them, and given our profession, you know, obviously identity comes up, but it doesn't come up all the time. And I think GDPR is a good example of it. I know you are sick of hearing about GDPR.
I get it, but it's a good example in this case, cuz here's the thing. There are certainly regulations, parts of the regulation, that are security requirements: encryption, classic; have a security program, it's probably, obviously, a security program requirement. And there are some very clear privacy requirements: privacy by design, privacy by default. Okay.
But things like do-not-process, things like right to rectification and consent, these are not security or privacy requirements. Said differently:
The tools that our peers would use from security or privacy to solve these problems do not work well here. These are identity requirements, and yet we're not necessarily the go-to for the answers on how to meet these requirements. So without identity, there's an imbalance. But if we in equal measure balance security, privacy, and identity, we provide a solid platform for all of our IT programs. We provide that platform for the business. But the thing about it is, a way of expressing this to our peers is that identity is the human interface of security.
Without the identity context, it's just a lot of boring logs and you have no idea what they mean, right? Identity provides the humanization of our security systems. And similarly, it is the operational arm for privacy.
If you think about access to data requirements, very strong privacy requirements, the way that gets done is us. But think about it: our peers in security and privacy can go to different organizations to become better professionals, to share and to grow. But the funny thing is we don't have that choice. There is no professional organization for identity.
And so in that regard, we are professionals without a profession. That's been bugging me for a while. In fact, questions like, how did you learn identity management?
So for me, I was handed my employer's vendor manual. I learned Access360 enRole 2.5 or 3.0, I can't remember. I learned a product. Then I realized I was learning user provisioning. And then I tacked on access certification. And then I learned about federation. Then I learned about authorization, and I continue to learn, but I started with a vendor manual and I bet many of you did the same.
If you think about the time it takes to train new identity professionals. It's an awfully long time. In my case, it's 17 years that I'm still trying to figure this out, but this is true everywhere.
Every organization I talk to, it takes too long to build new identity professionals. And I think we have an obligation to ask ourselves, how do we grow this industry? John Tolbert today was saying that the CIA market is gonna be about 20 billion Euro in 2020. That's great. But there's other kinds of growth. We have to think about how do we grow the pool for everyone? How do we make this a more equitable industry? How does everyone get a swing at solving the problems, the most difficult problems our employers face, our governments face?
These were the kinds of questions that were rattling around in my head at the end of 2015.
And I talked to some friends at Kantara about these; funny enough, they shared some of these concerns. They shared some of these questions. And so on this very stage last year, I raised this notion of this gap. As we think about professionalizing our industry, this gap for what's next for us. And one of the things I called out is we should professionalize.
Well, we made that announcement. And from that comes something called IDPro. It's a professional organization that's currently being incubated by Kantara. We made the beginnings of the announcement in May of 2016. Now in the next couple of months after that, about 400 people stood up and said, I think this is a pretty good idea.
Well, I'm going to ask a favor. If you have signed the pledge around IDPro, and I know we're a little bit more of a reserved audience, but if you've signed the pledge either then or now, would you stand up, because we need to see everyone who's been helping to make this a better industry.
I want to thank each of you for your willingness to support this. The vote of confidence. You could say the vote of confidence is amazing because what this becomes is proof points that we can do more for ourselves through professionalization.
So about a hundred people of that 400 started participating more actively in a variety of activities. We've been working on around professionalization. There's three streams of work. We've been focused on membership services, a code of practice and a body of knowledge. Now from a membership perspective, we're gonna have both individual and corporate memberships. So no matter the shape and size, there's a way for you to become an identity professional.
And from a services perspective, there's a lot of things that IDPro wants to do, but there's some things it can do very quickly upfront, things like a newsletter. How do we have a long-form way of communicating with one another about good practice?
How do we get a daily news clipping? Here's interesting things going on in the industry. How do we have an online forum, a place that we can collaborate in a safe space so that peers can come together, miles apart? And then, as we just learned last week, there is no identity meetup in Germany, like the third largest economy in the world.
Yet we, this room, isn't coming together, isn't raising a glass, isn't learning from one another. We can do better there. The second track of work is a code of practice, and it has two parts to it. Essentially, statements about what does it mean to be an identity professional? And what does it mean to act ethically with identity information, personal integrity? I think it's important to have a code that's gonna guide us as we professionalize this industry. And the third stream of work is a body of knowledge.
Now, if you caught Torsten's talk on Monday, or you saw tweets about cake, did people see tweets about cake? And we're like, what are the tweets about cake about? It's about our body of knowledge. It's a taxonomy for structuring information, because as we well know, if I take any two of you and I put you in a room and I give you, say, a topic of authentication, we're gonna have four to five different definitions. It's just how we roll.
We're building a body of knowledge to help structure all of our information around identity so that people can learn this art without having to sort through tweets about my socks without having to read a vendor manual, but learn good practice from the beginning. And this is building towards over time, a certification meaningful certification that can show, you know, your stuff. You're a professional.
So I'll ask you to keep tabs on us. I think, I hope, by around the middle of June we should be able to start taking our founding memberships.
So either check out idpro.org, follow us on Twitter, drop us a note. But again, I want to thank those of you who have already participated in so many different ways for helping this. But there's a second part of the story. In our code of practice, there is a deeply ingrained notion of doing no harm. We handle incredibly sensitive information on a daily basis, and we have an obligation, an ethical obligation, to do no harm, because I think it's fair to say that no one in this room wants to build a system that can harm someone else.
And certainly you don't want to build a system that can be used to harm others. So the thing about it is, if your identity system is of value to you, it is undoubtedly of value to an attacker.
And who are these attackers?
Well, there's two kinds. There's a bulk attacker and there's a single-row attacker. The bulk attacker, as the name implies, wants all the data. Now, why they want all the data, there's a variety of reasons for that. They wanna set up a spear phishing attack. They want to identify everyone who shares a certain medical condition or employer. There's a variety of reasons why they want all the data, but that's what they do. Now, the second kind of attacker is the single-row attacker. They are interested in a single data subject.
Again, they have a variety of reasons why they are interested in that data subject, but they're interested in one of them: to make their life hell, take control of their phone and take control of their two-factor authentication, any number of reasons. But the reality is there's in fact a third kind of attacker. This attacker, well, let me show you. If you're this guy, this third kind of attacker is this guy.
There's nothing funny about that. If you're me, this kind of attacker looks like her. That's Alexa. She's the newest member on my team. She's brand new to being a product manager.
She's reasonably new to identity. Holy shit, is she smart? And with a little more training, a little more time, she's gonna have every skill she needs to replace me. And that's my job as a manager, to make sure she has those skills. You see, the third kind of attacker is the person that has your job next. I call these successor attackers. You see, the thing is they're exactly like you, but they come from possibly a different point of view, a different ethical core, a different set of motivators.
They just wanna do their job, but they may also want to get an extra payment and they can do everything you can do in your identity systems.
Here's the thing. Successor attackers look suspiciously like compromised users. And so this has been bothering me, because I figure, well, any of these three can weaponize our identity systems; they can use our identity systems to cause harm, something none of us wants. So I think as a profession, we have to step up. We have to do more.
I think in fact all of us, our privacy peers, our security peers and us working in concert, need to do more, because our stakeholders expect it. And I had four ideas here, which we'll talk about in a second, about de-weaponizing our identity systems. How do we get them into a state where they cannot be used to cause harm? So I had four ideas about what we need to do. First is we have to defeat all of the attackers, all three kinds. We need to keep the lights on.
So I need to still be productive with my identity system, but I still have to offer better protection to it. That's a tricky balance.
The next two are a little bit of pet projects. I work for a radically transparent organization, and there is benefit that could come from increased transparency over the use of identity information. And the last goal I had was to promote data provenance, to promote a world in which we know where the data we are making decisions upon comes from. And to do this is going to take a variety of different disciplines, for certain.
It's gonna take some identity disciplines, access control, identity governance, not too surprising, but it's also gonna take help from our peers, peers that work in data protection and audit and data management. So what I offer tonight is a maturity model for de-weaponizing identity systems. Like all good maturity models,
it has five levels, and like all good arrays, it starts at zero. And zero is what you do today in terms of the great controls you put in place that protect every system commensurate to the kind of information.
It's your standard security practices, data protection practices, but we can do more. We can optimize these controls for identity systems. And I think we must. So let's dive into this real fast. Level one, let's get our arms around the problem. Essentially, let's do a minimum set of things that help us better optimize our security programs for identity systems. I do think this helps us do things like GDPR. It's not a direct sort of compliance thing, it's just an aid in doing that. So the kinds of things we need to do, you are probably doing a lot of these, right?
2FA for admins, not a big surprise, one of those up there. You know, we get a lot of attention around no developer access to production.
I'm actually more worried about program lead access to production data. This has kept me up at night.
I'm like, ah, I wonder what I can do in production. The answer is nothing, and that is the right answer, but we need to go through and actually, like, think about this problem a little bit more optimized for identity. A couple of these things should be very straightforward in terms of what we should be doing today, like auditing all admin access, for instance. Okay.
Level two, let's go after the successor attacker. If we do this, I think we can mitigate attacks from rogue admins and compromised accounts for those admins. So it's time to dust off our segregation of duty tools. You thought SOX was fun? Let's go after rogue admins, right? Let's go make sure that our admins don't have both read-all and modify-all; they should have neither of those things. I think we need to be very explicit about delegating access for system-to-system use of information to our identity systems.
I have nightmares of integration users going rogue. And so we need to do more here, I think. And of course we're going to want to protect information at rest a bit more, so selectively encrypting. Level three, let's go after the bulk attacker. Here, what we want is visibility into who's using the information, and I wanna put just a tiny amount of friction in data use. Okay? So I think we need to do a couple of things. One of them is create a two-person rule for data extracts. You wanna move 10 million records into the data lake,
I'm gonna wanna see someone else saying this is a good idea, or moving the data anywhere for that matter. I think query governors are useful, right?
If you know the kind of role an individual is in, and that role is not appropriate for them to move tens of thousands, hundreds of thousands of records, a query governor is gonna save you in a low-cost way. And we should be auditing how all data is used. Level four, let's go after the single-row attacker. These are the hardest attackers to defeat, because they are data nerds.
They know your mortgage payment down to the cent; you, at best, know it to the Euro, right? They are obsessed with these details, and you're gonna see why in a second. The reason being is when we have people accessing the data, sometimes we still use knowledge-based authentication. And sometimes we ask questions whose answers live in the data set. This is not good. We need to stop this behavior.
For those of you who are following me on Twitter, I'm really concerned about the right of rectification, because I'm not entirely sure how organizations know to proof the individual asking for information about themselves, and how to know it's really Ian and not Eve who wants access to my mobile records.
So the last level is flipping the panopticon. This is my sort of data transparency nirvana. Things get interesting when you start to make public who is actually using information, and interesting can be good and interesting can be bad.
But I think the behavioral change we get, whether it's within my enterprise, whether it's in my local government, of knowing that your queries will be made public, changes behavior. And I want to get more towards data provenance, binding into the data itself where it came from. In the rise of things like alt-facts, it's really important to know where data comes from, but the reality is in enterprise we often make decisions not knowing where the data came from. We just, that's in the spreadsheet. Sure. Right.
We gotta do better there, and we can do better there, but it's gonna take us a while to get there. So this maturity model is notional, right? I've got some ideas on how we can implement it in my daily life. I bet you have other optimizations you can make to it. But this is a start. This is a way of taking what we do well, our security controls for systems, and optimizing them for identity systems.
This is a way we de-weaponize our systems. This is a way we do no harm. So what do we do next? We have to meet all of our stakeholders' expectations. They do not expect information they share with us to be weaponized and used to harm them. We need to de-weaponize our systems. So I think we can get to level one in six months. Most organizations I talk to are on the path already. And I think we can get, as an industry, to level two in 12 months. I don't think that's unrealistic.
Let's see how long it takes us to get beyond that. I'd ask for your kind indulgence to continue to support IDPro. Like I say, hopefully in June we will open our doors to founding members, and I'd love to see all of you there. And in doing this, by professionalizing, by de-weaponizing our systems, by using security and privacy and identity in equal measures, we supply the solid platform for all of our enterprises. And with that, thank you so much.
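The level two and level three controls from the maturity model above (no admin holding both read-all and modify-all, a role-based query governor, a two-person rule for bulk extracts, and an audit record of every data access decision) can be expressed as a small policy decision point. The following is an added example, not code from the talk or from IDPro; the roles, row limits, extract threshold and sample principals are constructed for illustration.

```python
"""Policy decision point in front of an identity data store.

Implements three of the maturity-model controls from the talk:
- Level 2, segregation of duties: no account may hold read_all and modify_all
- Level 3, query governor: per-role ceiling on rows a query may touch
- Level 3, two-person rule: large extracts need a distinct approver
Every decision, allowed or denied, is written to an audit log.
All roles, limits and names below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed per-role row ceilings (the "query governor").
ROW_LIMITS = {"helpdesk": 50, "analyst": 5_000, "data_engineer": 1_000_000}
# Constructed size above which an extract needs a second person.
EXTRACT_THRESHOLD = 10_000
# Toxic entitlement combinations that no single principal may hold.
SOD_CONFLICTS = [frozenset({"read_all", "modify_all"})]


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    entitlements: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class IdentityDataGuard:
    def __init__(self):
        self.audit_log = []

    def _audit(self, principal, rows, decision, approver=None):
        # Audit how all data is used: record denials as well as grants.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": principal.name,
            "role": principal.role,
            "rows": rows,
            "approver": approver.name if approver else None,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    @staticmethod
    def sod_conflicts(principal):
        """Toxic combinations this principal currently holds (subset test)."""
        return [c for c in SOD_CONFLICTS if c <= principal.entitlements]

    def sod_violations(self, principals):
        """Level 2 review: every (name, combination) pair that violates SoD."""
        return [(p.name, sorted(c)) for p in principals
                for c in self.sod_conflicts(p)]

    def authorize_query(self, principal, rows, approver=None):
        # SoD is enforced at decision time, not only at review time.
        if self.sod_conflicts(principal):
            return self._audit(principal, rows,
                               Decision(False, "requester holds an SoD conflict"), approver)
        limit = ROW_LIMITS.get(principal.role)
        if limit is None:
            return self._audit(principal, rows, Decision(False, "unknown role"), approver)
        if rows > limit:
            return self._audit(principal, rows, Decision(
                False, f"query governor: {rows} rows exceeds {limit} for {principal.role}"), approver)
        if rows >= EXTRACT_THRESHOLD:
            # Two-person rule: a second, distinct, clean principal must concur.
            if approver is None:
                return self._audit(principal, rows,
                                   Decision(False, "bulk extract needs a second approver"), approver)
            if approver.name == principal.name:
                return self._audit(principal, rows,
                                   Decision(False, "self-approval rejected"), approver)
            if self.sod_conflicts(approver):
                return self._audit(principal, rows,
                                   Decision(False, "approver holds an SoD conflict"), approver)
            return self._audit(principal, rows,
                               Decision(True, f"bulk extract approved by {approver.name}"), approver)
        return self._audit(principal, rows, Decision(True, "within role limit"), approver)


# Constructed sample principals.
HELPDESK = Principal("hank", "helpdesk", frozenset({"read_own_queue"}))
ANALYST = Principal("ann", "analyst", frozenset({"read_all"}))
ENGINEER = Principal("eve", "data_engineer", frozenset({"read_all", "modify_all"}))
MANAGER = Principal("mia", "data_engineer", frozenset({"read_all"}))


def demo():
    """Run a few representative requests and return the guard for inspection."""
    guard = IdentityDataGuard()
    guard.authorize_query(HELPDESK, 100)                   # governor denies
    guard.authorize_query(ANALYST, 500)                    # allowed
    guard.authorize_query(ENGINEER, 10)                    # SoD conflict denies
    guard.authorize_query(MANAGER, 50_000)                 # needs approver
    guard.authorize_query(MANAGER, 50_000, approver=ANALYST)  # allowed
    return guard


if __name__ == "__main__":
    g = demo()
    print(g.sod_violations([HELPDESK, ANALYST, ENGINEER, MANAGER]))
    for entry in g.audit_log:
        print(entry["principal"], entry["rows"], entry["allowed"], entry["reason"])
```

The governor and the two-person rule sit on the same code path deliberately: an extract that is under the role ceiling but over the extract threshold is still held for a second person, which is the "tiny amount of friction" the talk asks for, and the audit entries give the visibility that level three and the public query log of level five both depend on.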