My name is Steve Hutchinson. You can call me Hutch. I'm the director of security architecture for Mitsubishi Bank of Tokyo, North America. Among other things... oh, now I'm concerned that this isn't the right tech.
Okay, never mind. We'll go with it. If I have any chance of getting through this presentation in 20 minutes, we're gonna have to skip quickly through a lot of stuff at the beginning. So first off, MUFG says... I don't speak for them. IDPro is a wonderful organization; you should join today. I normally have a little bit about me. We're gonna skip through that. Nobody cares.
Oh wait.
2017, one of the top 100 influencers in identity. I work for, again, Mitsubishi Bank of Tokyo. I go to a bunch of presentations. So, Dungeons & Dragons. How many people here know what Dungeons & Dragons is? Awesome. How many people play Dungeons & Dragons? Not quite as many; you should. I play it a lot, and I spend probably way too much time on it, but it's a fantastic collaborative storytelling game. It causes you to leverage strategic thinking, interactive gameplay. You have to use your imagination to create characters that exist in a fantasy world.
Achieving goals with your comrades, hopefully a group of your friends, and forming really strong relationships as you go.
I just finished a multi-year campaign with a group of friends, and it just happened to be right about the same time I was finishing a multi-year identity governance program. So I thought it would be fun to compare and contrast the two, especially since I gave a presentation last year and people told me I was mean to architecture. So this is the opposite of that. This is just fun. This is just windy.
So it's always good to define things. What we talked about with Dungeons & Dragons was identity governance and administration. This is a definition that I like to use: the policy-based, centralized orchestration of user identity management and access control.
So the first thing you need to do when you're building a little adventuring party and you're gonna have your own D&D session is define the boundaries of the world that you're going to exist in. It's important so the dungeon master can define the rules for the players.
He can explain to them the environment that they're gonna be in, so the players can understand what skill sets they're gonna need to include in their characters. And it's a good way to level set everybody on the rules and on the goals, so that you reduce group conflict later on. Usually you do this by getting a big map. This one is for the continent of Faerûn on the planet Toril, a familiar sight for D&D players, but you define the map, you explain to them where they're gonna be playing, the different races that they're gonna be dealing with.
We also came up with a map for our IGA program. So we took an identity framework. This is one that we originally designed at General Electric. We donated it to IDPro for them to use, but it also helped us define a scope: when we said identity governance and administration, what was it that we were gonna cover? What were the systems and the fields in that identity framework that we were gonna be touching? So now we're all set. Now we need to get a team together.
So when you have an adventuring party in Dungeons & Dragons, you need to get a really diverse set of people. You can't just have a bunch of frontline fighters who are going to get up close and do combat. You need people who are gonna be farther away, shooting arrows. You're gonna need the badass rogue, which is what my character is, the guy who's going to use stealth and sneak into the background and disarm traps and cause chaos among the enemies.
You're gonna need a cleric who's going to heal people on the battlefield.
You need wizards who can change the environment that the team's playing in; basically, a solid set of diverse skills that are gonna bring the greatest chance of success for those players to achieve their goals. Similarly, when we put together our IGA program team, we did the same thing. We pulled in people from IT security, from compliance, from HR, from the business operations team. We made sure that we had people who had IT analytical skills, especially for the identity systems that we were gonna be bringing into the fold, and who understood the identity data that was in there.
We also wanted to make sure that we pulled people from the farthest reaches of the enterprise, to make sure that we were getting a diverse set of business requirements as well as a diverse perspective on the program. We needed to get a program manager who was gonna keep us on track and keep us on budget.
And finally, we needed a group of people who we were going to bring in every once in a while to kind of level set us, people who understood user experience really well, to make sure that the thing we were building was actually useful to the population that we wanted to have come. Otherwise the project was not gonna be successful.
I also get accused of... I don't like reading big, wordy slides, so I end up just having pictures, but then when I share the deck out with people, they go, "I can't remember what you were talking about, 'cause it's all just pictures."
So I made sure this time, at the end of every section, I've got a little slide that I'm still not gonna read. But if you wanna take a picture of it, or if you want the deck afterwards, just get in touch with me.
Alright, now you've got your team together. It usually helps, once you've gathered your team in Dungeons & Dragons, if you can find a royal charter, like the Queen of Cormyr, who you're gonna convince that you possess a unique set of skills that are gonna allow you to achieve the goal that she has put out there.
And if you can do that, then she's gonna provide you with money and with equipment and with letters of introduction, and she's gonna make sure that you don't run into political issues.
Similarly, you need to do the same thing when you're building your IGA program. So you're gonna wanna make sure that you convince a senior leader who can help you that the project that you're undertaking is gonna produce not just a return on investment that makes it financially sound, but that you're gonna provide metrics all along the way that are gonna show that you are increasing security, you're reducing risk, at the same time that you're introducing efficiencies, you're making it easier to use, so that you don't have the regulatory issues that you have had in the past.
You need to engage those stakeholders early. And another great thing a senior leader can do is remove obstacles out of your way. This can be, again, political issues within the organization, or making sure that the other teams that you are working with understand the importance of the effort to that leader.
Alright, so again, wordy slide.
So now you're ready to go, and it's great. It's a sunny day. Your weapons are all shiny, you've got plenty of equipment, you've got money loaded up in your pockets, you've got your team together, everything's great, but you are going to run into a conflict or two along the way. I should have mentioned there are a lot of ChatGPT images in this. I use ChatGPT to generate images for my D&D campaign a lot.
So let's talk about some of the conflicts that we see in D&D and how they relate to what we see in the IGA program. So an adventuring party oftentimes receives a quest that has vague instructions, and it leads them along paths and detours where they face unexpected dangers, because this wasn't the place where they intended to be. Your IGA program is also gonna have to deal with inconsistent or unclear definitions of things like roles and responsibilities, which can lead to confusion and misaligned access rights.
The party, as it's going through a dungeon, is gonna trigger hidden traps and ambushes because they weren't aware of secret passages and lurking enemies. Similarly, as you go through the system, you're gonna find in your legacy environment that there are a great number of unauthorized applications and systems that users access without IT's knowledge. These can also create security vulnerabilities. So you're gonna need to come up with strategies to make sure that they are included in your request.
The party at some point or another is gonna face intricate puzzles that are gonna require solving multiple independent riddles before they can proceed. This is gonna cause you delays and can introduce more potential hazards.
One of the things that we came across in our IGA program was unintentionally creating complicated and slow approval processes for access requests, before we convinced the business that it was in their best benefit to remove the 16 layers of approvals to streamline the process. The party sometimes, as you're going through, encounters the ghosts of previous adventurers who have left behind unfinished business, causing unexpected conflicts and challenges, not too dissimilar from finding a whole bunch of orphaned accounts within the system that for some reason stayed months after the employee left the company, posing huge security risks.
Again, now your program has to make sure that you've got strategies in place to find those, and hopefully to create automations in the provisioning and deprovisioning processes so that doesn't happen. Sometimes a party member might grab a magical artifact, and it starts to cause him to transform, maybe into a different race, into a different class of character. This can change group dynamics and, again, cause problems and slow you down.
Additionally, over time, users tend to accumulate more rights than they need, usually because of a poor role-based access process where, instead of creating new roles, they end up modifying the old roles and unintentionally giving people more rights than they need to do their jobs. Also, the DM, in the middle of the game, for whatever reason, might just change the rules in the middle of the campaign. This happens a lot. This requires the party to adapt all of their plans, change their strategies on the fly to comply with the new conditions.
Similarly, in our IGA program, because it was a multi-year program, we ran into this a lot. Not just changes within the business organization, changes in the business requirements, but also changes in the regulatory environment itself, to handle things that we needed to do at that point.
You might have a wizard who suffers a catastrophic misfire when casting a clone spell on an NPC, a non-player character, resulting in an overwhelming mess of a whole bunch of similar looking.
Also, role-based access can result in a thing called role explosion. That's when you do take the role and say, okay, well, I need this person to have that role, but they need this little additional piece, so I'm gonna create an entirely new role and give them that. What you should be doing is attribute-based access control or policy-based access control. New adventurers will end up joining your party without proper training, making mistakes that jeopardize the entire quest.
Also, if you go through your IGA program and you don't have plans in place to provide proper training for your end users, and awareness campaigns to let them understand what the benefits and ease of use are, you're gonna end up with misuse of the system, and instead of making things more secure, you're gonna make them less secure.
The party sometimes finds that the magical items that they come across are incompatible with the environment, or incompatible with each other, which limits their effectiveness and causes unintended setbacks.
Similarly, systems and applications that you come across that don't really integrate with your new platform can lead to data silos and inconsistent identity information. You're also gonna encounter in your adventuring party non-player characters who just aren't with the program, don't care what the goals of your quest are, and are not gonna provide the necessary assistance that you need to complete your goal, hindering the party's progress.
Similarly, you can get organizational resistance to adopting new processes and technologies that can impede the progress of your plan. This is a nice overview slide of how you overcome those conflicts, but it's not all conflicts here. There are treasures that you can get along the way.
You might have your adventuring party have a crystal ball of clairvoyance, which gives the user truesight, which lets them see what normally can't be seen. In our identity governance program, we used AI and machine learning to analyze vast amounts of data.
This helps us detect anomalies, predict risk, and automate decision-making processes. You might have your wizard cast an unseen servant spell, which creates a little invisible character that can perform tasks for you until the spell ends.
Similarly, you can come up with robotic process automation that also allows you to complete repetitive processes, which can help with user provisioning, deprovisioning, access requests. One of the best reasons for automating those processes is that now you can be assured that, without a human involved in it, that policy is gonna be followed every time.
Maybe your rogue has come across a lens of truth, so that when you find an artifact that you don't understand, you can use the lens of truth and it will tell you what its magical capabilities are and how it's meant to be used.
An identity analytics program, done in conjunction with your identity governance and administration system, can provide insights into user behavior, access patterns, and potential risks. You know who loves the identity analytics program?
Your security operations center, who can now use the analytics that you're producing from your IGA program to feed into their notification, their SIEM systems. There's the knock spell. This one's great for a rogue. You come up to a door that's got incredible valuables behind it. A knock spell gives you a chance, for a limited time, to literally just knock on the door, and if you have the right spell, then the door will open.
Privileged access management also manages and monitors all your privileged access accounts. If you use them in conjunction with your identity governance and administration system, you can be assured that the policies that you define for the risk scores, and that determine who is allowed to get to what, are all maintained. Mordenkainen's Private Sanctum spell builds a little cube around your party that is magically secure. Nobody gets in or out, similar to a zero trust security model, which prevents lateral movement within the network.
I'm sorry, I'm running out of time, so I'm running [inaudible]. The planes: this group is going from the plane of fire to the plane of water, similar to your identity federation systems, which can move you from one security domain to another security domain with the same credentials. Ring of Wind Walking. When you put the ring on, it changes you into a gaseous form. Suddenly you're moving at 10 times your normal walking speed.
Similarly, cloud-based IGA solutions allow you increased flexibility and scalability, lower upfront cost, faster time to implementation, and the ability to much more quickly adapt to changing business needs. Mystery Key. A Mystery Key is a great thing that has a 5% chance of unlocking any lock into which it's inserted. Much like adaptive multifactor authentication, which adjusts the authentication requirements based on the context the user is in at the entrance.
The Instant Fortress allows a single user, without anybody else, to put a little cube down in front of them, cast the spell, and it provides a fortress that keeps them safe. Self-service and automated access management allows individual users to request access, manage their credentials, and perform administrative tasks without the need for IT intervention.
Yay, artifacts. Now you're ready to go and defeat the big bad evil guy at the end of your quest and reap the rewards for your organization. Thank you.
Wow, Hutch, that was...
I have two seconds left.
...masterwork, and I think if there were an EIC award for the most gorgeous, creative slides, you would definitely win.