Episode 103

The Future of Identity Security with Art Gilliland

EPISODE SUMMARY

In this episode, Joseph Carson interviews Art Gilliland, CEO of Delinea, about the challenges and trends in identity security. They discuss the shift in identity security from infrastructure-centric to security-centric, driven by the move to cloud and SaaS products. They highlight the importance of visibility and security controls in a decentralized infrastructure. The conversation also covers the concepts of authentication, authorization, and governance in identity security. They explore the future of digital wallets and federated identity, as well as the need for consolidation and convergence in authorization. The episode concludes with a call to prioritize identity as a security asset.


Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO at Delinea, and we've got an awesome special edition show for you today. We're welcoming Art back to the show. I think this is your third time on the episode.

Art Gilliland:

It is. Thank you very much.

Joseph Carson:

Welcome. You want to give us a bit of background about you, yourself, who you are, what you do, and some fun things about yourself?

Art Gilliland:

My name is Art Gilliland. Like you said, I'm the CEO of Delinea. My background is 25 years or so in the security space. I've worked at super tiny companies. I was actually the 12th person of a startup, I was pre-product CEO of a startup, and then also super huge companies like Symantec and HP, and ran the security businesses as the general manager at both those places. If you look at the CISSP 10 domains of security, I've worked in every single one of them except for physical. Unless you count my time as a bouncer in college, which I don't.

Joseph Carson:

That counts, actually.

Art Gilliland:

I've got them all.

Joseph Carson:

Fantastic. One of the things I wanted to cover today is that we've been in the identity space, and so really looking at what challenges have you seen organizations face when it comes to identity and where's the status and current industry trends that you're seeing today? What is the state of identity security for organizations?

Art Gilliland:

Look, I think one of the things that's super exciting, at least for me personally, is I think identity security is becoming more relevant for companies. I think it's actually pretty new for companies, to be honest. Even though they've been dealing with identity management and identity historically, it's been very infrastructure-centric, not super security-centric. I think what's brought it to the forefront though is just the shift in what's happening with people's infrastructure.

If you think about the history of security just more broadly, so put security for identity aside for a second, just think about what's happened in the security market as companies have moved a lot of their infrastructure to cloud, more into Amazon and Azure, more into SaaS products. What's happened is a lot of the places where they used to put security policy, security controls, they don't own anymore. The networks they're renting from these other players, the applications they're renting from other players, the physical servers and systems they're renting from other players. Now those players are basically saying I'm doing these security policies. But if I'm the company, I'm still responsible, I'm still accountable if something bad happens.

What's coming to the forefront for a lot of these organizations is the only place where they can really enforce policy today is on the things that they control; the user, whether that user is a human employee or machine, like system that they own or a software thing that they are responsible for, and the data. The two most interesting parts of security in my mind today are the identity and identities and the security around identities and how you deal with that and the data security side of the business. That's just created a lot of new challenges for companies that candidly, they just hadn't thought about in that way and that's I think part of the evolution.

Joseph Carson:

I've seen the same ever since that digital transformation to cloud started happening and then things like BYOD when people started bringing their own devices in that you don't control, you can't put anything on those devices. You have some limitation, you might be able to apply policies through things like MDM management, but then you get into a situation, what do you really still control? And it's the identities and access.

Art Gilliland:

The device that the user uses, obviously that oftentimes is still owned by the customer or MDM if it's a personal device like what we do for cell phones and things like that, but I agree. I think part of what has accelerated the thinking about this, obviously COVID and mobile workers and people going home to work, the consumption of obviously cloud and SaaS, but also contractors, how many people are outsourcing different pieces and using that.

I think what they're experiencing today, and there was some research out there, 98% of companies had an explosion or an increase in the number of identities they have to think about. You have your human identities, which are growing just because of contractors and whatever, but the real explosion is in these machine identities like-

Joseph Carson:

Yeah, they're non-human.

Art Gilliland:

The non-human connections. I use Salesforce, I connect it to Clari, those two systems talk to each other and share a lot of pretty sensitive, important data from the company together. I want to make sure those connections are secure so that someone doesn't try to steal my data. Those are all identities that now I have to think about.

Joseph Carson:

See, it's the API identities almost, basically the glue behind the scenes. Even when you're connecting, I've seen organizations where they might be using Entra ID for their IDP and then they're using AWS for their business applications and they're using lots of SaaS-based applications, and ultimately what they're now trying to do is get visibility across all of those environments and to get to a point where if I'm syncing up roles and resources from one to the other, how do I know it's actually occurred correctly? Do the same privileges exist across those? That's creating a lot of challenge.

In this situation, we're getting into this complexity and identities are becoming very important for organizations. What are the challenges the organizations face? What are the risks that they're exposed to if they're not having that visibility, having to apply the right security controls and the auditability? What types of risks are they exposed to?

Art Gilliland:

Look, if you look at what's happening in the industry, obviously the number of identities is growing and so they don't have control and they don't know where they are, they don't actually sometimes know what they are and how many they have. I think what you see then, just what they're experiencing now, 87 or so percent of companies have said that last year they experienced an identity-related breach, meaning they broke in, or almost all of the breaches include some sort of privilege elevation-

Joseph Carson:

I think all the breaches have an identity related-

Art Gilliland:

The bad guys don't break in really anymore, they just log in.

Joseph Carson:

Yeah, they go on the dark web, they buy a credential for $10 and they validate it still works, and they log in.

Art Gilliland:

They log in and then they try to elevate privileges. Look, the way I talk to customers today or talk to folks today when we're just in my conversations in general with CISOs, I think I break down identity in three big major parts. It's simple, but it works for the conversation. I think the first part of it is authentication.

I am Art and I can prove it. There's a bunch of systems that do that, that's Active Directory, that's the Oktas, that's the Pings, all these companies out there, and also there's a lot of the bring-your-own kinds of ideas, like Google, I log into Netflix using my Google account. There's a whole bunch of identities that are being brought to the organization by third parties or contractors. That's one part of it. There's just a bunch of those types of things. That's authentication.

The second is authorization, and this is what should Art be allowed to do? I've proven I am Art, now give me some rights, tell me what my privileges are. The third one is governance, so tell me all the things that Art has access to, help me check against that, certify that he should have those. When you think about where the big problems are for companies today, what's happening is there's a bunch of diversity that's happening on the authentication side and you're letting other people attest to that. I think that diversity and that decentralization is going to continue. I think that's going to be very difficult for companies to get their hands around.

Where they need to be spending their energy is the thing that they're actually going to still own, which is the policy enforcement of access to the things they care about, the privileges that they're distributing to the users, those human and machine users. That's where this focus on an authorization or policy database is going to be super critical. What are the risks there? The risks are that you've over-provisioned or under-provisioned. The risks are that those accounts get compromised, and how do you make sure that the rights don't get delivered if there is, and so there's a policy structure around risk and risk scoring.

I think that's a big problem that a lot of customers haven't put their head around because authentication is a very infrastructure-centric thing. Authorization is a much more security-centric way to think about the business problem.

Joseph Carson:

I think it also allows organizations to move away from this very static type of security approach where they're looking at setting these controls and hoping that nothing changes. Moving to this concept gets into things like adaptive security where it's risk-based, so you can actually do things in real time and starting to determine what is the risk?

It sounds like we're actually really evolving where we talked a bit about bring your own device and we went down into the terms of bring your own office and now we've got bring your own identity. I completely agree with... For me, I think that's definitely the place or the direction we're going. Me being based in Estonia, I've had the government ID system, which has actually really enabled... Where it is a government issued identity, but I'm able to use that identity across multiple enterprises, public and private. I can use the government issued identity to access the banking system, I can use it to do tax returns, I can use it to interact with businesses.

What's happened is that you've really got a... And there's different levels of that identity regards to risks depending on what security controls have been satisfied. From that experience, I do see that moving to where you've got lots of organizations out there, you're providing an identity in some form. The question is where's our mutual trust? Where's the trust that we have from those identities?

Art Gilliland:

How do you federate?

Joseph Carson:

How do you federate, exactly.

Art Gilliland:

It's interesting. Again, this is a little bit of a rant about it. If you look at the US, the US is trying to move towards some of these government-centered, more proofed identities. I have what's called REAL ID on my driver's license. That is another level of identity proofing that they make you go through when you get your driver's license. There's a way then potentially to add a PIN, which would then maybe tie it even closer to me, so someone couldn't steal my license and use it because they don't have the PIN.

There is a way to start to see that evolve in the US too, so it's not just Estonia, Brazil, and some of these other places that have done state-sponsored identity proofing. I think there's definitely that way to seeing some of that federated. I think the problem that we see is who's the trusted center? If you look at what's happened in the marketplace, so Microsoft years ago, if you remember Passport, Microsoft Passport, that was their first attempt to create some sort of centralized, federated identity that allowed you to access.

Now, Facebook and Google have done a better job of it for consumer products, but Microsoft is a more trusted enterprise company. They potentially, with AD on Azure, could start to create that. I was actually super hopeful for Okta, to be honest, that they were one of the companies that could have created this federated identity because enough companies trusted them for two-factor and single sign-on that maybe they become the central federated trust where I know-

Joseph Carson:

Which is multi-platform as well because when you tie into the likes of Apple and Google, they're tied to their hardware devices. Microsoft and Okta, they're kind of the independents, are separate, so-

Art Gilliland:

I think there's some real interesting potential for that, which you actually don't need that much for identity security. What you really need that for is the information security because if you... Why is identity so critical and why is... When I think about the two things that are so interesting, it's actually the combination of users accessing information that the CISOs really care about. They don't care about firewalls, they don't care about this other stuff.

Joseph Carson:

It's no longer-

Art Gilliland:

Those are all proxies for the thing they really are trying to do which-

Joseph Carson:

Those are the roads. You want to determine who's allowed to drive on the roads and what's allowed on that road. The rest is just infrastructure. It's just the highways of moving things around. One of the things that I've noticed is there's a big emphasis in the EU right now on digital wallets, which is the next phase is about now you've got a wallet that actually now contains all of these things, whether it being your driver's license, it could be your passport, it could be visas, it could be different documents-

Art Gilliland:

And currency.

Joseph Carson:

Your currency, your wallets, and also identities as well, things like passkeys. That really then starts getting the emphasis that identity as being federated has been decentralized and therefore, organizations will provide you a key in order to access certain resources. What do you see the future of digital wallets becoming? Is that something that in the US is happening? I know right now it's a priority in the EU.

Art Gilliland:

I have not seen it that much in the US, to be honest. Obviously REAL ID is probably the closest thing we've come to centralizing that. I think it's probably more likely you'll see it in the commercial space. It's probably more likely, honestly, that somebody like Microsoft or others that are more broadly trusted than the government.

In terms of being able to deliver efficiency and high availability, others will potentially do it, but there's not, there's too much state control, it'd be too complicated in my opinion to try to get it done effectively in the US. However, I do think it has a lot of potential to change the way companies do it. If we put ourselves in a world where there is that, let's start looking internationally, let's start looking at a world where there is this digital wallet, this digital proof that I am Art, now the only thing that companies actually are going to be able to manage is this authorization. Okay, you've proven you're Art, I trust you're Art because it's been attested to me through a SAML token or some other thing. Now what should I allow you to do?

Then you're again really zeroing in on that authorization policy database that says okay, now I'm going to tie these policies, these rights to Art as an entity and then let him interact with the systems I have, interact with the data that I care about.

Joseph Carson:

In reality, what we're really seeing is identity is... We'll say new, but I think it has been the perimeter for quite a long time. Identity is the perimeter and authorization is the security for that perimeter. It's the ability to provide the security controls and make sure that organizations have control over that.

Art Gilliland:

Yeah, I think that's absolutely right. Look, that's been talked about for the last 30 years since the Jericho Forum, that identity is going to be the new perimeter. I think the world has moved far enough into that future that people believe it now.

Look at Delinea as a company. We use Salesforce, we use NetSuite, we use Workday. The core applications that run the heart of the company, I rent. I don't control the networks, I don't control the software, I don't control the physical infrastructure that they run on. All of the security of that is attested to me. They control the identity, like the login, even on that. The only thing that I really set policy on is who should be allowed or not. Again, that's the authorization piece of it.

I think that reality that people are connecting in from outside my environment to those systems, mobile workforce, I've got contractors that do, I'm in charge of what they're allowed to do once they get in and everything else is almost managed by those parties.

Joseph Carson:

That's where CIEM comes in really important in that area, so you get visibility across all of those, because the problem is if you allow your employees to go directly accessing those, you start losing visibility over what controls are in. Consistency as well, because not all of those SaaS-based applications and platforms provide the same type of security controls, and by putting something in front of it, it allows you to say, let's get consistency, let's make sure you can provision and deprovision quickly when it's no longer needed. You can also do the auditability and put things like multifactor authentication or even stronger passwords and credentials than some of those systems might be able to take.

Art Gilliland:

Yeah, I think this is the policy... Again, this is the policy enforcement part of it. When you look at the solutions that we're trying to bring to bear, a lot of it has to do with leveraging that authorization database to set policy. Some of that is can I create a secure connection to that system without a VPN? Can I make sure that that happens? Can I do that so the password is invisible and make sure that password gets rotated so if somebody does actually compromise the user in some way, there's not that?

I think you brought up CIEM, which I think is interesting. This is the cloud and identity and entitlements management process. That is actually, in my opinion, just a feature of what should have been this... anyways. It's essentially saying look, I have all this other infrastructure that you're used to, and there's new infrastructure. You see this happening a lot in security startups where there's a new gap that opens up because of invention and a whole company comes in and says I'm going to do that, but the customer's like yeah, that's just my new infrastructure. Why can't that be managed by this other thing?

The reason is because big companies can't invest in inventing this whole new space because it's so small still until it becomes more mainstream, and now it's mainstream, and so that's just a feature. It should be a feature of a larger product versus a standalone thing that you buy and customers have to manage. That's what creates the complexity also for our customers, which is a pain.

Joseph Carson:

Where do you see the future going? What are the next steps? What do you see over the next couple of years around identity security? There's a lot of consolidation happening, there's a lot of new directions going as well. What's your vision? What does the future hold?

Art Gilliland:

I just talked about those three big categories, authentication, authorization, governance. Look, I think what you're going to see is more diversification, more complication, bring your own, all that stuff in the authentication side.

I think Microsoft and Google and Okta and those guys fight each other and try to figure out how to commoditize that space and then bring your own comes in and throws a whole wrench in it. I think that's going to be complicated and customers are going to have multiple of those. I think where you're going to see consolidation is around this authorization database. What does that mean? It means that there's going to be folks in the authorization part of identity security, like us, that are going to double down on that.

I also think governance has an authorization database, and so I think you'll probably see more convergence there. It's part of the reason that we acquired a company called FastPath or looking to acquire a company called FastPath, which bridges that and lets you refresh what's going on in the data store.

Beyond just the convergence of those capabilities, the other things that are coming to bear in identity is adding a lot more context into what's happening, so being able to scan the environment, find proactively threats in the identity, watching the behavior of somebody who's using the identity, so being able to do what essentially is identity threat detection and response. ITDR is the market name for it now. That context is going to be super important for managing security and security response. Direct connections, so being able to do VPN-less connection and proxying that to the asset you care about. I think that asset will be applications. More, it'll be applications and data in particular, and so you'll start to see the requirement to bring in more data context into it.

Now you're able to say, okay, Art Gilliland has this risk score based on where he is and how he's proved himself. Data has this level of risk to the enterprise, and then policy should be adaptive, like you talked about. How do I make that? I actually think that is the future of zero trust. That's where you start getting into true adaptive policy based on user and information interactions, and then you don't care about what infrastructure it is because you're creating the secure connection yourself, the user is continuously proofed you're getting that connection, you're monitoring all the interaction and you have a real clear sense of the data. To me, that's the holy grail. I think there's still some invention that has to happen to make that work effectively, but we're not that far away.

Joseph Carson:

Yeah, it seems within grasp, but it sounds to me it's almost like we need some type of authorization containerization that you can apply to applications, to devices, to identities, to assets and resources that basically allows you rather than having-

Art Gilliland:

Policy token.

Joseph Carson:

Policy token. Rather than having to go through some more process, you simply just tie it to the target assets.

Art Gilliland:

The hard part is the data side of it. If you look at digital rights management today, the biggest challenge to be honest is this federated identity problem, where is there a centralized place that does it? Because you can do digital rights management today relatively effectively with Microsoft as long as you're inside the same domain.

Joseph Carson:

In the same stack...

Art Gilliland:

Try to do cross-domain and it's impossible. Until you can do that federated domain, federated identity, digital rights management is kind of useless today. Again, the technology is there to be able to do it. It's looking for companies like us or others to push-

Joseph Carson:

To innovate.

Absolutely. It's been fantastic having you on as always. It's always great to chat with you. Any final words of wisdom you would like to leave the audience? It could be a dad joke, it could be something, but anything you would like to leave the audience with something they take away from this?

Art Gilliland:

Look, I think the biggest thing that I would say companies are struggling with right now is this explosion of identities and how to deal with that. It is actually a political problem inside a lot of companies. That political problem is that identity has historically been owned by the infrastructure and it's about access and throughput. I think the painful reality of the failure of that on the security posture and the ability to protect your data needs to be taken into consideration when you think about the org structure of where this stuff lives.

In fact, identity should be the domain of the security provider or the security entity within an organization because I think until you start thinking about identity as a security asset and a security control point, we will continue to lose as an industry to the adversary. That's something that's outside of the technology that's completely political within a business.

Joseph Carson:

It's a cultural side effect.

Art Gilliland:

It is a cultural shift within a lot of companies, and you see it happening. You see the identity infrastructure moving over to security and now they own the directory and they own the access and they own the tools around it. That must happen, otherwise the security posture of most companies will continue to be-

Joseph Carson:

And we'll continue to see breaches after breach.

Art Gilliland:

We will lose continuously until we have a much more security-minded way of dealing with identity, we're going to lose. That would be the one thing I would leave with people.

Joseph Carson:

Let's say it's wise words for everyone to think about is that they need to be prioritizing this and they need to be thinking about what's their short-term strategy and long-term strategy in order to achieve this. It's been fantastic having you on as always, and I really enjoy our chat.

Art Gilliland:

Thank you very much.

Joseph Carson:

It's been a pleasure. For everyone, every two weeks, tune in to the 401 Access Denied podcast, always bringing you interesting conversations, latest news, and trends. Everyone out there, stay safe, take care, and thank you very much. All the best.