Good afternoon everybody, and it is a pleasure to see such a full room. I can remember when I started years ago talking about more business related topics that I had three people in the room. So it's good to see that it's now a little bit more full. This is my 10th year anniversary at C Coal this year. So I think that that is really nice. And this is the second time that I'm speaking here on stage as well. So a little bit about myself. I have a super long title. Basically I try to help our clients to remain safe by leveraging identity and access management solutions.
So I work with IAM teams, I work with CISOs and I work with boards to help them to figure out the right approach, to do digital identity and to keeping their organizations safe and enable the business processes to be in the appropriate way.
And I'm also on a mission because I'm not only this person that's standing here in front of you, but I'm representing a couple of thousands of clients, roughly 4 billion identities from a customer perspective and also over 5 million of workforce identity people. Besides that, I'm also an employee.
I'm a father, I'm a son for my mother, I'm a husband and I'm a brother and I'm a nephew for many people. And the reason that I'm on the mission is because I came into this space because I want to keep the internet safe so that our kids and generations behind us can also participate in the digital world. And quite frankly, I don't think that it's going into the right direction. And that's why I want to give you a little bit of a paradigm shift today to help you to rethink all the presentations and all the content that you're going to absorb in the next couple of days.
Also in the light of cyber warfare and what that means for us.
So digital identity is a core business to PwC. But besides that, we consult CISOs around risk and governance. We do threat intelligence. We help our IT and OT security to help to remain safe in the digital assets perspective. And we do the IAM topic as well. And that's not getting unnoticed. We're doing this together with a lot of our technology partners to help implement the systems and the processes to keep organizations safe. These are a couple of them.
We have a lot of smaller vendors as well that we work with to support that. And the work that we're doing is not getting unnoticed. So we see that from many vendors. We are in the top right corner of the quadrants to help our clients to remain safe and secure. But enough about us. I'd already said it two years ago, I was on the stage as well.
That was right after Russia invaded Ukraine. And I think that the world has changed in the last two years and I'm working very closely with our threat intelligence teams to understand what this means for identity.
And already two, three years ago, they were starting to talk about everything is related to identity. So either it's make your password safe, keep your credentials safe, make sure that you're doing it in the right way. And how we see that that has been quite dramatically changing in the last couple of years. So what happened? Ukraine and the Gaza conflict intensified. Finland and Sweden decided to join NATO. Covid stopped. It's not entirely gone yet, but it's stopped impacting our lives in a very hard way.
But it also changed our society in quite a distinctive manner towards more digitalization. Gen AI has been democratized. It's now available for the MO cloud. And digital is now all that organizations are thinking about. How can we move to the cloud with our sensitive workloads? How can we digitize our processes? And because of all of these changes and new legislation from the European Union is also on the rise. And I'll touch upon that a little bit later.
The gist of this is that our digital or our society has become very dependent on our digital assets that we have and that we are providing as organizations.
So some illustrative examples. So last December, a hack knocked out the services of one of the largest telco providers in Ukraine, causing 24 million people not being able to access their digital services. And this was one of those things, we had a supervisory board meeting with supervisory board of our clients. And you see that there's a big change in how things are being perceived throughout Europe.
So in Western Europe, we're debating, you know, should we cover this two yes or no? What does that mean for us as an organization? If we're looking at countries in Central Eastern Europe and the military intelligence services come testing very regularly to validate whether or not you're on par. But it's not only there. Also Sweden, and actually last week this news came out that Sweden runs the risk that all the liquor shelves run empty because of a ransomware attack in one of those third parties that is providing the transportation for those services.
Well that's, that is something, but just to put it into perspective. So when Sweden was starting to join NATO, the two months upcoming to joining NATO, they saw a rise in cyber attacks of 239%. And I think it's, you know, very important to realize that because many of those attacks are actually aimed at digital identities and at our IAM stacks and it's not only in Sweden. So Europe saw cyber attacks in the European Union rise almost to double already in 2024. And we're halfway through the year.
So this is a thing and it's important and I'm going to share a little bit of insights on what I think that you need to think about from IAM. And in order to help to do that, we first want to understand what are the different threat adversaries that we are looking at and what are the typical business targets that they are focusing on?
And you see that we have nation state, we have hacktivists, we have organized crime, and we have insiders. And one of the things that we've learned is that these are not separate tracks anymore as it was a couple of years ago.
These are all working together in order to, yeah, to gain adversary access to see if they can disrupt our digital society, or to spy on us. We cannot look at this separately anymore. Organized crime typically is responsible for trying to figure out how to do ransomware attacks in order to fund money for espionage and other things. And I think it's really important that we start thinking about those things as digital identity people as well.
So summarizing a little bit the strategic themes that I'm seeing for cybersecurity as we see that resilience and how can we withstand attacks, but if we are being attacked and we are getting a disruption, how quickly can we respond and recover from that? We also see that there's a new era of cyber transparency that is needed. So I'm working a lot also with a company, a think tank company in the Netherlands, which is the Hague Center of Strategic Studies.
And the way that they are describing this to me is that we are in the fifties of last century when we were talking about nuclear war, this is where we are now in from a cybersecurity perspective. So transparency is key in order to overcome and to help us to secure going forward and making sure that the society at large can remain functioning.
There's also a new social contract between businesses and governments taking place not only in cybersecurity but on a variety of fronts.
And you see that and that social contract is really about moving cybersecurity from economic impact to societal impact and human harm and how can we prevent and recover from that? And last but not least as cyber risk is definitely part of our business disruption. And so we need to take in the business disruption that we are going through as organizations.
We need to rethink how cybersecurity and how identity and access management is playing a role into that in order to recover from attacks, but also to make sure that if we are implementing things that we can attribute cyber crimes to the right adversaries and that we are also understanding what the actual impact is, not only on the economics or on the privacy, but also on actually our society to be able to remain and functioning.
So the EU has made a ton of digital legislations that are trying to push through their systems at this point which will reach us.
And so the AI Act is already ratified and is now going to be implemented. We have of course NIS2 in various stages in the different countries and I've made a selection of this and DORA is specifically not on here because everybody in FS is already working on this. But I also wanted to show that it's not just financial services that are going to be hit with these legislations. It is everybody that makes products with a digital component in it that is serving humans. So I think it's very important to be aware of that.
Now that is all nice, but what's the relevance for digital identity? Like I already said, we need to look at cyber warfare as an integral part and we need to look at individual attacks at our organizations in the context of a larger cyber warfare strategy. And I think that is super important because if we're just thinking about ransomware attacks or we're thinking about espionage, sort of how is this going for further and how is this going to create? How is this going to create the next level of disruption within our society?
We see that the attack surface is increasing dramatically and that identity is at the forefront of that. So everything will get an identity and a lot of these things will have direct internet access so the attack surface will increase and will dramatically increase. And at the same time we are still working with legacy policies, legacy processes, legacy technologies that have helped us to get to where we are now.
But if we look at this in the context of our changing society, the geopolitical tensions that we have.
We also see and we know that yeah, this will not suffice to keep us safe tomorrow. And I think that's the wake-up call that I'm trying to also give to everybody is look at your work in light of that and how can you actually help that. And not only that, it's also the dependency on cloud.
So in order to simplify, we are now moving more and more to large cloud identity providers, which in itself are then becoming very interesting targets for these hacker groups as well because once you get into one of those parties, you are also able to get into many organizations and I think that that's something to consider as well from a resilience perspective. How are you going to make your IAM tools and your cloud providers, how do you make sure that you have a backup plan and being resilient from that as well.
So looking at things to implement today, and I'm actually going to start with yesterday and that is my plea to see if you can move your IAM teams under cybersecurity and also give the chow the right mandate to do the right things within the organization. Because too many times I'm still talking with IAM teams or with CISO for an organization saying, yeah, we want to onboard on privileged access, but the application owners just sort of, you know, can't find the time for it and it's very difficult for us to get the organization moving.
I think that's a governance challenge and that has to do with the mandates that many of our teams have and we really need to start fighting to have the mandate to keep our organization secure. 'Cause if we do that, then our society will be secure. And that comes down to a couple of things.
It comes down to zero trust test, strong continuous authentication mechanisms for both initial access as well as challenges when you are trying to get more access, when you're looking at standing privileges across the hybrid environment, and a good joiner-mover-leaver process for both accounts as well as on an identity level. And there's a difference between those two things because an identity is something that you are or that a machine will be and the account is actually the thing that they use to credentialize to authenticate themselves against something.
And if we're sort of, you know, splitting these things and we're able to then put privileged access management and just-in-time provisioning for privileged access on top of that, it'll help to save lateral movement for example. But also it gives us more opportunity to do stronger and integrated capabilities with identity threat detection and response. For people like me that have been in the IT industry for more than 20 years, it used to stand for IT disaster recovery. And I think that sort of, you know, that's part of the response as well.
How do you recover from this and how do you make sure that your IAM solutions remain functioning for your organization. Ongoing revision cycles for policies, processes, new ways of working. Your business is changing quite rapidly. So if you are considering your policies to be updated maybe every two years or every four years, that's not enough, right?
You need to be in the front of that also to help your organization to provide guidance on how to implement their business solutions, relying on digital systems in an appropriate way for identity and access management, getting control of the cloud. Because I think that within many organizations I still see that the cloud is sort of a wild west that nobody really wants to touch because it's super complex and super difficult and considering risk instead of compliance.
I've already shared that I think.
So look at the adversaries that you need to look at, what type of business functions are they targeting and why? And what can you then actually do about that? And last but not least, agility, speed of implementing cyber technology to increase your response times and resilience. I see many, many companies still struggling with updates, upgrades, sometimes I see upgrade paths that last more than 12 months within large organizations to upgrade their entire stack.
So by the time that you are done with your upgrades, the attackers, the adversaries will already have come up with three or four new ways to get into your organization and you're not capable of putting your resources where you need to put them, which is agilely defending your organization against those attacks.
So that's a little bit to think about today, but there's also tomorrow, and I think that we already touched upon this a little bit with amongst others with wallets, but I also think that if we look at tomorrow, we need to consider biohacking and how a lot of people are now trying to rely on biometrical authentication.
And there's nothing wrong with that. It makes the world faster.
It's better, it's smarter than passwords, but it's also risky because your biometrics cannot be changed from a people perspective. And if you then put quantum computing into the mix and we are also realizing that there, how China for example, is the furthest in quantum computing in the world at this point in time. We also have to think about are those solutions that we are building, are they safe? Are they safe in a post quantum era?
And so we also need to start thinking about quantum safe IAM solutions, thinking about encryption, authentication and key distribution of these solutions to make sure that we are also ready and we keep the humans that we are protecting being your brothers, your sisters, your children, your father, your mother, your uncles, your coworkers, your customers.
Keeping them safe because ultimately it is up to us as identity team and as an identity community to make sure that our digital world can remain ready for the next generations to come.
I hope this was a little bit inspiring and thank you for your time and looking forward to see and to discuss with you on our stand, but also looking at more implementation type of presentations on how to consider certain things from a zero trust perspective, from a cloud perspective as well in the breakouts that we have as PwC. Thank you so much and have a great conference.
Thanks so much.
If we, certainly cyber war is not something that we want to talk about, but in our normal day job, the one question that I have here for you is based on PwC's research, what aspects of IAM are most organizations struggling with and what best practices can you recommend for enhancing IAM effectiveness?
That's a very, very broad question.
Yeah, thanks for that. So I think that if you look in the lights of cyber warfare specifically, that we need to look at the continuous authentication part in the most sense.
And I think that a lot of organizations are still struggling with that, not necessarily in their traditional IT landscape, but more in the cloud area where that also gives of course adversaries the most easy access to, and I always compare this to being in the parking lot of a retailer and so the parking lot is the cloud and the retailer is providing you that parking lot, but that does not mean that you still can leave your bag in there with the windows open, right?
So you still need to put the appropriate hygiene in there in order to make sure that the stuff that you park in your car, in the retail parking lot is remaining safe. And I think that we're trusting too much still on, yeah, we're going to the cloud so you know, this is safe because the cloud vendor has our back and they do, but it's still about configuration.
Okay, great. Thanks. Great recommendations there once again. Thanks.