Hi, great to be here virtually. Virtually, unfortunately. Yes, but great to have you anyway.
So yeah, if you could do a quick introduction of yourself and then the stage is yours, start with your presentation, really looking forward to it.

Okay, great. Yeah. I have a little intro as part of the presentation. So as you said, I'm Steve Hutchinson, please call me Hutch. I'm a member of the board of IDPro. I'm also the vice president for security architecture for Mitsubishi UFJ Financial Group. IDPro obviously is the organization designed for identity practitioners.
You've probably heard all the news about our new certification test, but we're designed to help support and foster the program of identity management. MUFG would like you to know that I don't speak for them in these presentations; I'm speaking for myself. And a little bit about me: I'm a proud Cavalier of the University of Virginia, where I studied history, but thank goodness I had a minor in computer science, because that's what's paid the bills for the last 35 years or so.
After that I got into programming and moved into networking, then into enterprise architecture, and from there into enterprise security architecture. That's what allowed me to land a job at General Electric in their Information Security Technology Center, to date still the greatest job I ever had, with one of the greatest collections of super smart people that I've had the great pleasure to work with. That's where I really started focusing on the identity space.
In 2016, I stumbled onto a mailing list about trying to start an identity organization for identity practitioners. I also managed to stumble onto a list of the top 100 influencers in identity, which is great, because you can continue to put this logo onto every conference presentation you ever do, no matter how long ago that was. I have just completed my first year at MUFG, where we're looking to completely redesign the identity fabric within the organization. I've had the pleasure of meeting a lot of you at conferences.
I cannot begin to tell you how sorry I am not to be in Munich in person to get to talk to everybody there. EIC is a fantastic opportunity for me to meet a lot of people in the identity space that we normally don't have an opportunity to. So I hope people will reach out and connect electronically, virtually, through the app or through any of my contact information. But before I was any of those things, I was the son of a chemical engineer who got his PhD with the sole intention of trying to land a job at DuPont, which he did.
And he stayed at DuPont for his entire career. And even though he was involved in the fibers division, making nylon and Lycra and Tyvek, we soon learned that, you know, DuPont is a large multinational. They make a ton of things, I mean food additives and fertilizers, and work with oil companies, and anything to do with chemicals. They had a great phrase, which was "Better things for better living through chemistry," which was a very simple phrase, but it tied together a large, complex organization behind the scenes.

In the identity space, we do something similar with identity governance and administration. It means a lot of things to a lot of different people. And early on in my career, I had somebody tell me we can't interact properly with things unless we label them intentionally. So I wanted to start out at least with a definition of what I think it is. This one comes from Core Security, but I think it's really good: policy-based, centralized orchestration of user identity management and access control. And that really focuses on the policy aspect, which I think is the important part.
And it's the area where we're seeing a lot of innovation in the identity space. This is the identity framework that we use in IDPro. This is actually an artifact from a former GE employee, Daniel Hedrick. While you can make a case that IGA touches all of these different boxes, we're going to focus on the ones that are more focused on access control, which you can see here. So what is policy?
And again, another definition: a policy is an entity that, when attached to an identity or resource, defines their permissions. That's from AWS.
And again, that's what I think is one of the best definitions of policy when we're talking about it in an identity aspect. And we have a number of different methods that we use today to do this. One of course is role-based access control. This is a practice that you're probably familiar with, where you go through and analyze a number of different users and their permissions, and you start to group them together based on common responsibilities. Those roles can be defined as attributes that can usually end up as some sort of security group.
The benefits of this are that it's easy to understand. It's very easy to do a report for an auditor to say, oh, okay, people who have this type of access have this role, and here's a list of the people who have that. The problem with it is we have an increasing need for granularity in defining who these people are and the different rights that they need.
And if you have a role defined and somebody comes along and they need an additional permission, just a single additional permission, you're left with two equally unappealing choices: one is add the permission to the existing role, which suddenly grants that permission to a number of people who never needed it before; or create an entirely new role just for that permission, or one that has all the permissions together. So we saw the rise of attribute-based access control.
This is a more dynamic way to build policy. Instead of using more static security groups to define roles, the policy is built around looking at the attributes of the user, the attributes of the environment that they're in, so for example their devices, their network location, and then attributes about the resource itself.
So there's an example down there that's pertinent to a bank: customers' transactional data can only be viewed via a secure device at a bank's US headquarters by an accredited auditor who is from the same country of origin as the customer. And while that's a complicated policy, that's actually an easy policy to write if you have access to all those attributes. So on the plus side, it's dynamic. You don't have to define users into static roles. It's more using the collection of attributes about everything, about them and about where they are, to determine whether they gain access.
The downside is the management of it is incredibly complex. You're now a slave to ensuring the taxonomy is always solid and secure and replicated properly. And as far as auditors are concerned, you can't provide a static group of people and say these are the people who have this role. You can only define who has access to this resource at a particular point in time. So something that we're using in the new environment that we're building is something called attribute-based... I'm sorry, attributed role-based access control. It's based off of a paper that was developed in 2015.
And what it attempts to do is to try and leverage the benefits of both RBAC and ABAC while reducing the deficiencies of both. So it exploits the ability to create roles, which auditors like to see, you know, people who have gotten approved by a particular person for a particular role, but then it allows us to still include those attributes about environment and device and such to still give it the more dynamic nature.

At MUFG, we're actually building these roles to include not just the static security group roles, but leveraging them with the job code and the department to start to grant birthright access automatically to a number of different pros. And why is all this focus on attributes important? It's because we're starting to focus more and more on the concept of zero trust. And I know zero trust is a phrase that's been around for a while, and there's a lot of people who will argue with you for a long period of time. I did a talk on it.
I think the last time I was in Munich I was talking about zero trust, and had great conversations, but I think the one thing that we can all come away with is that it's something that we all have to deal with now. The dynamic nature of access control is something that zero trust is bringing to all of our world. So this is actually a picture from the NIST publication 800-207. And it's great that NIST has come along to start that kind of official conversation. It's always great because this document is something that a lot of people can rally around.
It's at least the beginning point of having very substantive conversations about it. This one shows just a very simple interaction between a policy enforcement point and a policy decision point. And it's leveraging all of those different systems, and attributes coming in from those systems, that can be used to evaluate that policy. The problem is the environment that we all work in doesn't look as nice and neat and clean as this one does.

The environment that you're working in, the one that I'm working in, probably looks a little bit more like this, and this is a wildly simplified version even of what we're all dealing with. But what I was trying to show was what we traditionally have called identity governance and administration.
You know, usually you have a tool, something like SailPoint, Saviynt or Omada, that sits in the middle. That's where your policy is. That's where all your access control rules are. That's where you're defining, usually, provisioning into security groups. These are becoming more sophisticated now because we have additional tools that we need to coordinate with. So you have an IDaaS platform, something like Azure AD, which itself can be communicating to an additional platform like AWS, which can be leveraging security groups from Azure to gain access to the root of those systems.
You're probably using a privileged access management system to do privileged access and key management and secrets management. And then other tools for an external authorization engine. You have an API manager. You have integration to the web applications that your web developers are building. So you don't have one policy decision point. The days of a monolithic SSO system are behind us.
We're now in a distributed environment, and it's good and we should be, but the complexity is, for somebody like me who has to answer to auditors in a highly regulated market: how do you ensure that the policies that you're building are being enforced uniformly within all of these different platforms?
If I'm trying to manage access to a financial system that's involved in money movement, then that's something that's being handled by probably, you know, four or five of these different platforms. How do I show my auditors that I'm enforcing all of these uniformly? So what we've done in our system is we're elevating the identity governance and administration tool to be more of a policy administration point rather than a policy decision point. So we're not just pushing provisioning off to each one of these different platforms. We're actually pushing policy out to these.
I'm sorry, I didn't speed up here. So how does this work? We have our IGA platform. We have some cloud platform that's performing policy decisions. We have our curated attribute store, which is the key to a lot of this. So the curated attribute store has users from our workforce, from contractors, from other properties. And then we develop a system of tagging. So in that curated attribute store, we are tagging things with the regulatory environment that they're operating in.
Like back in our GE days, if there was something on the military side that was governed by something called D a S, which is a military regulation, we could group all those together and we could easily see those assets that should be governed by that particular policy. On the other side, we have our centralized policy store, and within the centralized policy store we don't just store policies. Now we also store those actual regulations, usually coming from an external source, so we can always compare our internal policies to the regulations that we have to adhere to.
There's also the inventory of all the users, all the assets, all the resources that we're going after. And then, importantly, we have transformation. Transformation describes how we convert the policy statements that we have within our IGA platform to the policy decision points in the different cloud platforms. This is the most complicated piece right now. This is something that we are developing customized code for.
I gave this presentation at ID first, and I was really pleased that a couple of vendors came up afterwards. The vendor community is really starting to get more mature in this area. We're starting to see they are also pushing towards the vision that we have, which is, again, a tagging strategy where we're tagging the policies, the regulations, all these things in the inventory, as well as the transformation rules which allow us to push the policies into the cloud platform.
The benefits of this are that we now have standardized policies that are enforced uniformly across all of our platforms, even though there are multiple PDPs. If you saw Dana Bethlehem's keynote this morning, where she talked about there being a lot of times disjoint because of the distributed nature of what we have, this is the way to try and fix that. We have dynamic updates. The tagging of policies in the central repository allows us to rapidly group together policy populations to target updates.
Whenever those regulations are updated, we can ensure that they're updated uniformly. Then audit and reporting becomes much, much simpler. We can actually develop a set of standardized reports where we can easily show enforcement across a multitude of different platforms. Just a quick thing about IDPro: professionalizing identity should be our mission, so that the next wave can benefit, our organizations can benefit, and so their customers can benefit. That's from Ian. And this is my contact information, and somehow I managed to finish right on time.
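Added example, not part of the talk and not MUFG's or IDPro's code: a small Python sketch of the two ideas the speaker combines, attributed role-based access control (a birthright role derived from job code and department that must be held, plus environment and resource attributes that must also match) and regulatory tagging of policies in a central store so that a regulation change can target one policy population. The bank policy from the slide is used as the attribute condition. The users, job codes, departments, attribute names and the `reg:customer-data` tag are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Curated attribute store: constructed sample users (workforce and contractor).
USERS = {
    "alice": {"job_code": "AUD-200", "department": "Internal Audit",
              "accredited_auditor": True, "country": "US"},
    "bob":   {"job_code": "AUD-200", "department": "Internal Audit",
              "accredited_auditor": True, "country": "JP"},
    "carol": {"job_code": "ENG-100", "department": "Platform Engineering",
              "accredited_auditor": False, "country": "US"},
}

# Birthright roles derived from (job code, department), as the talk describes.
# Hypothetical job codes and role names.
BIRTHRIGHT_ROLES = {
    ("AUD-200", "Internal Audit"): {"TxnAuditor"},
    ("ENG-100", "Platform Engineering"): {"PlatformEngineer"},
}


def roles_for(user: dict) -> set:
    """RBAC half: roles a user holds purely from job code and department."""
    return set(BIRTHRIGHT_ROLES.get((user["job_code"], user["department"]), set()))


# A condition receives the (user, resource, environment) attribute dicts.
Condition = Callable[[dict, dict, dict], bool]


@dataclass(frozen=True)
class Policy:
    resource_type: str
    action: str
    roles: frozenset        # at least one of these roles must be held
    condition: Condition    # ABAC half: attributes that must also hold
    tags: frozenset         # regulatory tags used to group policies for updates


def txn_view_condition(user: dict, resource: dict, env: dict) -> bool:
    """The bank example from the slide: secure device, at US headquarters,
    accredited auditor from the same country of origin as the customer."""
    return (env.get("device_posture") == "secure"
            and env.get("network_location") == "US-HQ"
            and user.get("accredited_auditor") is True
            and user.get("country") == resource.get("customer_country"))


# Central policy store keyed by policy id; the tag is a constructed label.
POLICIES = {
    "txn-view": Policy("customer_transactions", "view",
                       frozenset({"TxnAuditor"}), txn_view_condition,
                       frozenset({"reg:customer-data"})),
}


def decide(policy_id: str, user_id: str, resource: dict, env: dict) -> bool:
    """Attributed RBAC: deny unless the role is held AND the attribute condition holds."""
    policy = POLICIES[policy_id]
    user = USERS[user_id]
    if resource.get("type") != policy.resource_type:
        return False
    if not (roles_for(user) & policy.roles):
        return False  # auditors can still list who holds the role
    return policy.condition(user, resource, env)


def policies_tagged(tag: str) -> set:
    """Group policies by regulatory tag so one regulation change targets one population."""
    return {pid for pid, p in POLICIES.items() if tag in p.tags}


if __name__ == "__main__":
    txn = {"type": "customer_transactions", "customer_country": "US"}
    hq = {"device_posture": "secure", "network_location": "US-HQ"}
    print("alice", decide("txn-view", "alice", txn, hq))  # role held, attributes match
    print("bob", decide("txn-view", "bob", txn, hq))      # role held, wrong country
    print("carol", decide("txn-view", "carol", txn, hq))  # no auditor role
    print(policies_tagged("reg:customer-data"))
```

The role check keeps the auditor-friendly property the talk values (a static list of who holds `TxnAuditor` is always available), while the attribute condition keeps the dynamic part: the same auditor is denied from an unmanaged device or for a customer from another country. In a real deployment the `decide` function would live in each platform's PDP and the `Policy` records would be pushed there by the transformation layer the speaker describes; this sketch keeps both in one process only so it runs offline.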