Hi, I'm John Tolbert, director of cybersecurity research here at KuppingerCole. And today I'm joined by Ian Glazer. Welcome Ian.
Hey, John, thanks for having me.
Ian, tell us what you've been up to.
What have I been up to? So I have over the last year been working for myself. I'm coming to learn myself as a boss, as a different person than I would have thought. But, I've been working with a bunch of technology companies and sort of reengaging with different parts of the industry that I hadn't had the opportunity to previously.
Excellent. What would you say that you've seen over the last year? What are the top concerns that people have been having about digital identity?
I think maybe not necessarily concern, but like a momentum, a feeling is that there's a lot of appetite for change, that a lot of the ways we've been doing things like access management and access governance haven't changed a lot in ten, 15 or more years in some regards. And there's now a legitimate feeling like there's got to be other ways to do this, if only because, the analogy I use is, drilling the same well may not give us any more water. And so I'm starting to talk to people who are saying, like, well, what if... And then it's an interesting hypothesis about how something should function. You know, what if we're processing real-time events to make considerations about authorization decisions? Oh, wow. That's really neat, right? And I'm usually very, very cynical about this kind of transformational change. I feel like sometimes it's just hype for hype’s sake. But over the last year, I've really started to see people saying, like, there's got to be other ways to do this. There's got to be reason to do this. There's got to be an outcome that we want to get to, and this is a means to get there. And I think it's really exciting to see some of those things happen.
For sure. You know, one of the drivers that I hear people talking about is fraud. You know, all the different kinds of fraud: account takeover fraud, new account fraud, synthetic identity fraud. And, you know, we have had lots of innovation, as you are well aware, in the last 10 or 15 years about authentication, for example. Multi-factor authentication, user-friendly multi-factor authentication. So it's like a lot of these technologies have been in the market in the digital identity space, but they're just not widely deployed or rightly deployed, it seems to me. What's your experience there?
I think two different things are going on. I think one thing is the focus on fraud. I had the opportunity this year to work with a company that started with very classic transactional fraud. Checkout fraud, right, and moved into other spaces, and just seeing the richness of that domain. So I found that really just fascinating to learn, like, oh my gosh. Like one of the things I learned about was return policy abuse. So people are saying, like, well, they say they got a damaged good. They didn't. They send something back, which is not the good. It's like literally a box of potatoes or something. You're like, wow, that's really a thing. So just learning about that space is interesting, and learning the concerns of a fraud manager are really different than a security practitioner's, really different than an identity practitioner's. Like that's been neat. To your point about authentication, yes, we have less hateful ways to authenticate users. Like maybe that's the best way to talk about it. And, you know, kidding aside, the growth of passkeys and FIDO-related credentials over the last, let's say, 24 months. Absolutely staggering. No argument. I still think, however, that's not the end game. Like the end game is not going to be authentication, especially in the coming world where our traditional techniques around proofing, and sort of validating trust given generative AI, are going to be significantly under threat. We've got to get to a world of recognition. I didn't ask you for a password when I first met you in the human world; I recognized you. Now, that recognition is based on literally 15-plus years of knowing each other.
And we now have an opportunity in the digital realm to use the multiple signals that are out there to actually start formulating recognition systems so that instead of saying, like, no, give me your password every time, or give me your private key every time, we can actually start to have a recognition process, which is a very different kind of experience, and one that I believe, that is a hypothesis, is more, resistant to fraud because of the multiplicity of signals and the varying types that there are.
Yeah, yeah, I really like that emphasis on recognition. I mean, I think for too many years we have lumped everything in identity under the umbrella of authentication. And you said, you know, another one of the A-words a minute ago, authorization. A lot of complex authorization use cases have been sort of covered up by authentication, you know, so finally we're getting to the point where we see that there are lots of very discrete use cases. But also with different kinds of solutions that are necessary to get you both the kind of authentication that you need and then the granular authorization that you need for certain kinds of use cases.
I think one of the things that really clicked for me a couple months ago is the term access management is woefully outdated. The way we use it in the market tends toward authentication-time decisions and some things and some policy around that. Some evaluations around that. And we're in a world now where I can make access decisions continually and consistently in near real time, not just at session start, not just at a random interval checkpoint, but actually continuously. And so once you start moving away from a traditional market definition of access management, you start to see all of these use cases of, like, what is the process by which we make a decision. Someone should have production access. Well, there needs to be an open incident, there needs to be a helpdesk ticket. That ticket needs to be assigned to me. I need to have, you know, these other criteria met. And then at that moment, and not a moment before, do I get granted what I need? Is that access management? Is that authorization? I think our market terminology fails us here, but it's a very visceral kind of use case where people are like, yeah, I need to solve that thing. And that's been fun to watch those conversations start to happen in sort of different forums and start to all sort of dance around one another a bit.
You know, that's really interesting. Not everything is runtime. I mean, even going back to fraud, like when an account is taken over, when is it really taken over? I mean, when you learn about what cybercriminal gangs are doing, they may get a stash of passwords or something. They may take over the account, change the password, get access to it, and then sit on it for months. You know, so I mean that kind of leaves a question in my mind. If you're running, you know, a big consumer-facing organization, and if you've got accounts that you suspect may have been taken over, what do you do about that? In the meantime, do you wait until a transaction comes up? Somebody's trying to transfer €10,000 or something? Or do you know that there are signals that would indicate something is amiss?
Yeah, I think the analogy I tend to use here is there's a lot of, especially in, say, an e-commerce setting, you know, online retail, people are saying, well, I've got my transactional fraud engine that's going to stop a bad checkout event. Now, that's true, but that's essentially like, I've got airbags and I use them at every stop sign. Like, why deploy the most aggressive control in a consistent fashion? Now you're devaluing the control and you're actually sort of overusing that. So the thing that is... in the security space, we're very familiar with the phrase security in depth, right? Like we're going to have this defense in depth kind of notion. We don't have an identity in depth concept in our industry. Like we don't really do that. We have: I will drop a hammer on you during authentication. I'll drop a smaller hammer on you during sign-up. Maybe I'll proof you, maybe I won't. And then I've got a fraud system that's going to hit you at the end during the value transfer. That's a lot of space in between things, right? So it feels like part of that momentum of change is, can we make smaller, more discrete decisions with smaller, more tactical, let's say, controls? I mean that like the scope of control is smaller and it's used in this setting, but it becomes a better outcome from the individual's perspective. They're not getting like a hard no, hard yes type situation. It's better from the enterprise perspective because you're actually gathering telemetry on a potential fraudster, which you're going to want anyway. And yet you're delivering sort of happiness to both parties here. So smaller controls, you know, deployed kind of more continuously. Now you have this identity in depth notion.
You know, I really like the term identity defense in depth. One of our other analysts who you know very well, Mike Neuenschwander, recently did a Leadership Compass on it for identity theft protection and response. And he claims in that, you know, we should be calling this identity defense in depth, and I thought that was a pretty cool argument. But, you know, thinking about how, you know, we've talked about the consumerization in IT, I think sort of what we're getting at here is a lot of the technologies that we see that are applied in, like, fraud reduction for consumer use cases also need to come into the enterprise. Just like, you know, things in the authentication world, you know, the more friendly FIDO types of authentication, have made their way into the enterprise because consumers as employees know that there are better ways to do this, less hateful, as you said. So, yeah, what do you think about identity defense in depth in terms of, you know, an enterprise use case?
Regardless of the term, I think there's an opportunity now to take a page out of security’s book, which is process high volumes of signal across a multitude of inputs to make outcome decisions. And one of those big signals, maybe, like, did they authenticate well or not? Did we see lateral movement of a token? Those kinds of things. I don't think the market or market terminology has gelled yet. Like I'm not a super big fan of ITDR, first off, because I don't think anyone's ready to do remediation. It's like ITDA, like I'm just going to tell you something went kind of weird and, like, you've got to go figure it out, which feels like a passive-aggressive control to begin with. But I think what's happening is we are bringing this, really it is a page out of security signal processing. I have a dynamic fabric that can respond in a variety of ways. And so the interesting things are the policies that describe what those responses can be, the orchestration to make those things happen, and the data that's the common sheet that everyone reads from.
Sounds good. Well thanks, Ian, of course.
Thanks, John, and thanks for watching.