Okay, so yes, I am what's referred to as a research fellow here at KuppingerCole. I was the CTO at SailPoint from its founding, was there for 12 years, and now I float around in the investment community, hoping to bring to market the next generation of identity control solutions.
Now, I wanted to kick off here with something interesting, so I asked the LLM, I asked the great ChatGPT in the sky, for a summary list of the three best ways to open a 20-minute presentation. Interesting. And it said to start with a story, eh, boring, pose a provocative question.
Eh, I haven't really got anything. Use a shocking statistic. How about that?
So I said, well, how could I do something even more interesting? And ChatGPT said I should start by entering the stage naked and handing out money to the audience, or I should bring a large musical instrument and play the anthem of my host country, or do a hand puppet display or something strange.
Obviously, I'm having fun, but I think the most important thing is that ChatGPT can make mistakes. So you'll be glad to know that I did ignore that advice. And I'm just going to start with a much more boring, but perhaps more interesting to me, statement. And that is that identity really is still the centre of observable security. And I'm very fortunate that I've been in and around this movement for many, many years, more than I care to mention.
And if you did look me up before the session, you will see that I've been in identity management for, well, it wasn't called identity management when we started. And I've watched the industry grow and change and inevitably conclude that security really does begin and end with how we configure and monitor authentication and authorisation, identity as it's usually called. And no surprise that authentication and authorisation are the very central core of that beating heart of identity.
And so how we identify, how we authenticate and how we authorise that's security, pretty much, period. And with the increases in capability, we can do a lot now with deepening sophistication that we see in authentication and authorisation. It's amazing what we can achieve with dynamic authentication, all these great spaces that we're investing in. But you know, it's a very obvious thing to say, I guess, but you still can't manage the access that you can't see.
And for all that intelligence, all that policy, and all that smart stuff, if you can't see it happening, and you can't verify how it's functioning, then you just don't have security. So observability, I would say, is what we're going to focus on. And I'm going to make a case that observability is the key frontier for investment and research around the evolving world of identity security. And I plan to show, I hope, that the field of OpenTelemetry, which we'll describe here in a moment, holds some good hope that we can get a more effective and really affordable future.
Now, if you did look me up, you will have noticed up in the top right corner there, that I'm an IGA guy, right? And it's true to say that I've spent my entire career looking at this. I helped write the book, you might say, on how to create identity security. And I've spent that entire career really looking at this simple triangle, and that is who currently has access, so that's the actual state, who should have access, more complicated, the desired state, and then desperately struggling to gain insights into how that access is being used.
So the true behavior, still really a frontier. And I'm quite relieved to say that through that process, the four A's of identity, authentication, authorization, administration, and audit, they're the core disciplines in just about every security program these days, in just about every industry vertical, and that's great. But I've also come to realize and appreciate more recently that just about everything that we do in identity is the art of the known known.
And that's to say that the programs that we fund, and the tools that we buy, and the controls that we deploy, are all focused on the resources, and the gaps, and the vulnerabilities that were already known. They're known, right? We're going to fund them. And today authentication and authorization really is the art of the known known.
Now that term known known, as many of you will know, was first used most famously when Donald Rumsfeld, he was then the US Secretary of Defense, in 2002, used the term in a speech where he was talking about information intel around the Iraqi weapons of mass destruction. And he said that the known known, the things that we know, and there was the known unknown, so they were the things we know that we don't know, and there was the unknown unknown. And so the things that we don't know, that we don't know. Quite simple.
And his point was that for all the things that we know, and however smart that we are, our biggest vulnerability and possibly our largest concern is likely the things that we've got absolutely no visibility into. Now it's worth noting that Rumsfeld actually stole this from a psychologist. It's actually part of self-awareness and communications training inside many organizations. And it's actually called the Johari window. And it's used to help people understand how other people see them, basically.
And I'm highlighting it here because in the real model, there's actually a missing area that's called the unknown known that Rumsfeld missed out, obviously didn't suit his purposes. And I want to use that a little bit today. So if we rename this methodology, the Identihari window for authentication and authorization, it looks a little bit like this. And up in the top left, we have the known known. So these are the things we're sure we know about. And that's funded IAM agenda, the things that we're already paying for.
And it's where we know that the IAM is working, or at least we know what it is, because we've already deployed IGA, PAM, and access management into that quadrant, you might say. And so here is where the managed identities live. And here's where we've onboarded the resources and we're managing them. It's where we've defined our policies. Great. And it's where we have a managed IAM lifecycle. So awesome. But as everybody knows, identity programs are huge, costly, long-running things.
And so the next quadrant is really about the waiting list, the things that we kind of know we should know, but we don't know what's going on there. So there's always a giant great big inventory of SaaS that's being waited on. It's where perhaps new custom apps are waiting to be onboarded onto the program. And there's always new stuff being created through mergers and acquisitions and those types of things. Up in the top right, this was Rumsfeld's missing quadrant. We have the unknown known. And for me, this is the realm of anomaly detection.
And if you look at the now very well-funded ITDR section of identity threat detection and response, it's really a recognition that there's big gaps going on in that known known. And all the things that we think we know, there's gaps. There's a pool of issues waiting to find us. So ITDR solutions do a great job at finding missed resources. And they do a great job of looking at misconfigurations, saying your IGA is not configured right. Your policies are out of alignment. Or there's a gap, worse still, between what you're doing in one of the three tiers. So that's kind of interesting.
But it's a very cool space. But just realize that it really is the analysis of the known known. It's kind of cool. You wish that sector was doing it itself, but it kind of doesn't. So like Rumsfeld, what truly troubles me the most is that unknown unknown. And so the authentication that's happening that we can't see, the authorization models that are just too complex for us to understand, and all the things that we just don't know about that are out there. And there's plenty of them. So how are we going to bring visibility to this stuff? A bunch of compute that we can't see.
Well, I think this is where we need to invest more. It's certainly what our funds are investing in quite extensively. I think the observability technologies and the advancement of OpenTelemetry is going to give us a kind of glimmer of hope. And I'd like to explain why. So observability, if you don't know, is simply the ability to detect the internal state of a system by analyzing its external outputs and telemetry. So this means deploying instrumentation. So that's to the resources that we care about. We're going to put instrumentation out there somewhere.
Maybe it's a K8s container or wherever it might be. Maybe it's in the app server stack. And this instrumentation is then going to collect metrics, logs and traces, the lingua franca of observability, and it's going to send them to a telemetry collector. And that's where it's moderated and preprocessed and understood. Many of the solutions here today do this. This data is then consumed and analyzed by some form of backend server, whatever it might be. It could be Grafana, Loki, Tempo, open source. Maybe it's a commercial solution as well.
But to put that into an IAM context, what that instrumentation, what we want that instrumentation to do is to collect the specifics of the authentication and authorization that's happening in real time. And understand its implementation and how it flows through the system. And that's actually quite complex. The analysis backends behind this can find discovery. We'd love them to enrich that with identity data and find out how things are actually working.
Now, OpenTelemetry, which is the crashed system I've got here, OpenTelemetry is the open source framework that's out there to generate, export, and collect that observability signal data. It's actually the second most popular CNCF project. And that's a pretty big deal to the tech community.
So, it's got a lot of support momentum right now. And OpenTelemetry actually works by providing APIs and toolkits to make that signal generation process easier to implement, embed it in the application, for example. And it delivers all of the server side stuff that you need, the collectors, the receivers, and all that stuff to scale this. Because obviously we're talking about quite a lot of data at this point. And then it adds a super important thing that they call semantic conventions. We like that word semantic. You've used it many times. Semantic web initiative.
I was involved in it in the late 90s. But this is where I personally believe that identity and access management, we need to apply some magic fairy dust. And it's a real opportunity for us in the industry to define an ontology for authentication and authorization context. Something that absolutely doesn't exist.
So, to explain what a semantic convention is, it's part of the OTEL standard that defines the commonly observed patterns, if you like, the concepts, the words, the metrics that are needed for the operations that we do in a particular problem domain. So, if you look at something simple like a file, it's going to define the name value pairs that are going to be passed around this network. And it gives you definitive descriptions to help us bring meaning when some stray process is sending us information about something as complicated as identity and access.
Sadly, there's nothing concrete for authentication and authorization yet. And that's a real shame. And I think it's really important for the future of distributed identity controls that there's a call to action here for all the identity management thinkers, all the identity specific vendors to get involved and help define an interoperable model for all this identity observability data. And we need to do it sooner rather than later, that's for sure.
So, to quickly see how this actually works in the real world, we've got a very good model for the container. So, there's lots of implementations right now. If you're putting out a Kubernetes container, there's standard telemetry you can throw in there to share that information with unknown parties.
So, that's all pretty good. There's not bad coverage for the app server, too.
So, you can get stuff from the application server as a standard, you can just observe it, and it's actually quite interesting. But like I say, there's very limited capabilities for what's really happening in the fine-grainedness of authentication and authorization that we actually need to provide identity controls. But there is a new hope. There are some new things happening here.
And using intelligent AI, I hate to put that term in there, and expanded capabilities in local host agentry, it is now actually possible to create signal telemetry that can be retrofitted on top of those applications without the need to rewrite anything. That's really quite interesting. And this technology actually leverages the kind of things that we now see in incident response and forensics analysis.
So, it's the kind of things that the response analyst would do when there's an issue in hand. So, things like checking for port connections on servers, looking at live running code, actually de-byte the code and see what's actually happening. Looking at environmental variables and logs and files, tokens and headers and all that good stuff to actually see what's happening in real time. That's actually quite an interesting thing.
Because when you mix that forensic thinking, you might say, with identity context that can be pulled from the IAM infrastructure, you can inspect and understand a super complex authentication and authorization model in real time without it being pre-instrumented. So, that's kind of cool.
So, let's look at an example of that approach. Now, I don't want to make this about a vendor, so I've tried to hide the names of who it is. It's actually a company that we're investing in. But this is an example of where a blind host level observability agent has been dropped into a container and we're able to visualize a live running system.
So, to give it some feel here, like I say, it's a dissolvable agent. So, it's something that wasn't pre-installed. It can be pushed in real time to the host. And there's no IAM instrumentation in the system at all. And at the top flow, you can see here that the system's observed a connection on port 443 that was using a Kerberos login ticket to do an API auth to a backend server. And then when that was successfully verified, it resulted in the generation of an HMAC session cookie.
So, I was able to see that. It's quite simple. But there's a parallel flow that it observed as well, where a password login form was being used to do the same authentication flow.
Now, everybody thought this was a ticket-based system. Somebody had left a piece of code running that allowed a login to happen via login by username and password. And that was a violation of the current IAM controls, and in that particular instance, may have resulted in a breach of compliance. But you've got to keep in mind that all this is happening without being connected to anything but a lightweight host agent being deployed, which is kind of cool.
Pure, you might say, unknown unknown turned fully known with a zero app rewrite and extremely minimal host footprint. And that's kind of cool. I'll give you one more quick example because lunch is coming. Pure authentication and authorization context pulled directly from it. And here we can see that same dissolvable service that's identified a SAML to AAD authentication token. That's resulted in two separate flows. I'll quickly break them down. But it's missing MFA and audit logging on both. How could it know that? It doesn't see anything being written. Nothing else is being written by the process.
So, this first resulted in a direct connection to a target host. And the other employed a loop through a known CyberArk instance.
So, it was a privileged flow. So, interesting. With minimal knowledge of that IAM infrastructure, this kind of, you might say, identity smart observability is able to draw in real time. This is happening in real time. The state and the flow that's just invaluable to any of us that worry about how identity and authorization is flowing, being audited over time.
So, that's kind of it in summary. Authentication and authorization observability is emerging, I believe, as a key control in and around not just for IGA, but for everybody who's in identity security. And we just can't rely on the known known anymore. We can't really rely on the things inside our IAM programs to deliver the visibility that we need.
And so, OpenTelemetry just shows some great promise. But we need the IAM focus there. We need the subject matter expertise involved in order to do that. And it can be retrofitted onto existing legacy applications. The kind of code that's running that no one even understands anymore. And we can pull out some really, really interesting things.
So, I would say, interesting solutions are emerging, and watch this space. And with that, that's all I've got.
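To make the talk's two demo scenarios concrete, here is an added illustration (not code from the speaker, the vendor, or OpenTelemetry) of how observed authentication flows, modelled as OTel-style spans, could be checked against the funded "known known" IAM policy; the `auth.*` attribute names and the four constructed spans are assumptions, since, as the talk notes, no OpenTelemetry semantic convention for authentication and authorization exists yet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthSpan:
    # One observed authentication flow, modelled as an OTel-style span with
    # flat key/value attributes. The attribute names are assumptions: there
    # is no OpenTelemetry semantic convention for authn/authz (yet).
    name: str
    attributes: dict


# The 'known known': what the funded IAM programme believes is deployed.
POLICY = {
    "allowed_methods": {"kerberos_ticket", "saml_token"},
    "mfa_required": True,
    "audit_log_required": True,
}


def assess(span, policy=POLICY):
    """Return the policy findings for one observed flow ([] means compliant)."""
    attrs = span.attributes
    findings = []
    method = attrs.get("auth.method")
    if method not in policy["allowed_methods"]:
        findings.append(f"unexpected auth method: {method}")
    if policy["mfa_required"] and not attrs.get("auth.mfa_verified", False):
        findings.append("MFA not observed")
    if policy["audit_log_required"] and not attrs.get("auth.audit_logged", False):
        findings.append("no audit record written")
    return findings


def triage(spans, policy=POLICY):
    """Split flows into those matching the funded policy (known known) and
    those nobody knew about (unknown unknown turned known), with findings."""
    known, surfaced = [], {}
    for span in spans:
        findings = assess(span, policy)
        if findings:
            surfaced[span.name] = findings
        else:
            known.append(span.name)
    return {"known_known": known, "surfaced": surfaced}


# Constructed spans mirroring the flows described in the talk (sample data).
OBSERVED = [
    AuthSpan("api-auth/kerberos", {"server.port": 443, "auth.method": "kerberos_ticket",
             "auth.mfa_verified": True, "auth.audit_logged": True, "session.cookie": "hmac"}),
    AuthSpan("api-auth/password-form", {"server.port": 443, "auth.method": "password_form",
             "auth.mfa_verified": True, "auth.audit_logged": True, "session.cookie": "hmac"}),
    AuthSpan("saml-aad/direct", {"auth.method": "saml_token", "auth.idp": "aad",
             "auth.mfa_verified": False, "auth.audit_logged": False}),
    AuthSpan("saml-aad/via-pam", {"auth.method": "saml_token", "auth.idp": "aad",
             "auth.pam_broker": "cyberark", "auth.mfa_verified": False, "auth.audit_logged": False}),
]

if __name__ == "__main__":
    for quadrant, flows in triage(OBSERVED).items():
        print(quadrant, flows)
```

The password-form flow surfaces because its method is outside the deployed controls, and both SAML flows surface because neither MFA nor an audit record is observed, which is exactly the gap the host agent exposed in the talk.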
Thank you, Darren. I know we already went a bit over time, but if you have any questions, we can take one now.
Oh, there you go. Thank you. I'm going to actually split my question into two questions. The first one is, if we see the triangle at the beginning, we have the actual behavior and the desired behavior.
However, when we discover new unknowns and knowns, we still need time to decide if this is desired or not. We cannot per se say it's not. And what more bugs me actually, especially when I see the demo, when we're talking about real time, we can transfer information real time to the IGA system.
So, there's going to be an action, an immediate action, or at least a decision template. But we both know that IGA and real time are not the best friends.
So, how do we make the connection with the opposite quadrants?
I think that's one of the reasons we've seen ITDR solutions emerge, and that they are being consumed and acquired by the existing three legs of the stool.
You know, IGA is acquiring it, PAM tools are developing it, and the access management tier is doing the same. It's because, really, IGA is an out-of-band administration plane thing, and this is real time. That doesn't mean you can't pre-process it and get that information there faster.
So, yeah, it's a challenge. But the world of UEBA, I thought 10 years ago we would have it all fixed with UEBA, but it's not happening. It's obviously much faster. And the desired state, that's utopia. That's what we're heading for. If we really knew what the world should look like, surely we could all run toward it. Thanks.
Yes, lunch is ready. Please enjoy. Any questions, come grab me over lunch.