Episode 59
Joseph Carson:
Hello everyone. My name is Joseph Carson. I am the Chief Security Scientist at Delinea, and I'm really excited. Welcome back to another episode of the 401 Access Denied podcast. And today I'm really excited to have Pamela with me today, who is going to be talking about identity. Pamela, welcome to the show. Tell me a little bit about yourself, what you do, and some of the fun things you get excited about.
Pamela Dingle:
Excellent. Well, hi everybody. Yes, my name is Pamela Dingle and I am the Director of Identity Standards at Microsoft. And what that means is I work with an incredible team that gets to negotiate all of the ways in which the industry connects identity systems together. We'll put it that way.
Joseph Carson:
Okay.
Pamela Dingle:
So those are identity standards and it's a fun and challenging job that lets us talk both internally with all of our engineers and externally to all these brilliant people in other companies around the globe.
Joseph Carson:
Fantastic. And so how did you get into identity? What was your journey? What was the background? Can I-
Pamela Dingle:
Oh yes.
Joseph Carson:
Is this something that you wanted to start your career off or is this something that you kind of like segued into?
Pamela Dingle:
Yeah, this is my origin story. I didn't know anything about identity and I started off in system administration.
Joseph Carson:
Okay.
Pamela Dingle:
I was running Sparc workstations for geophysicists in Calgary, Alberta, Canada, so hello to all Canadians, but I actually started in identity because I went to a conference, not dissimilarly to where we are now. I went to a conference that was then called the Burton Group Catalyst Conference.
Joseph Carson:
Okay.
Pamela Dingle:
Now this was, I think 2001. And so I got there and my eyes were the size of dinner plates.
Joseph Carson:
Okay.
Pamela Dingle:
And I was just blown away by all the amazing things happening, but it was an identity conference. And what I realized was, there were really important things getting discussed and I got really excited about it. And the reason I am where I am now in some ways is because I got excited about it and I started asking questions.
Joseph Carson:
Okay.
Pamela Dingle:
And so I was that person who put their hand up at the end of the talk and asked the question at the end of the talk and did it consistently.
Joseph Carson:
Mm-hmm.
Pamela Dingle:
And what happened was people started to notice that I was both asking questions and asking reasonable questions. And I ended up building an interesting network of people.
Joseph Carson:
Okay.
Pamela Dingle:
Just from those conferences and getting very, very excited about it.
Joseph Carson:
And in 2000, that was a pretty much, I think it was almost the start of the Jericho Forum at the time as well, so that's an interesting time to be getting into identity, especially when it was really a fundamental foundation that was being established at that point.
Pamela Dingle:
It really was. And in fact, the thing that really made an impression on me at the time was that Microsoft had announced a thing called, that was internally called project HailStorm, also known as Microsoft Passport. And I did not work for Microsoft at the time, I worked for someone else, so it's kind of ironic that I do work for Microsoft now.
Joseph Carson:
Okay.
Pamela Dingle:
But at the time, I mean, I was just a fly on the wall watching as the industry really reacted poorly to the introduction of that technology.
Joseph Carson:
Yeah. They did. But it was kind of really, it was finding itself. It was kind of, you can't all of a sudden when you're starting a new path, because I think in the early two thousands, that's really where identity started really kind of finding its footprint and finding its, how it can change industry and how it can change even governments' interaction with citizens. I think of course you have to start somewhere. It may have meant not been a greatest start and also adoption. I mean it's not dissimilar, I'm based in Estonia. And of course Finland were the first to try and do an identity program back even 1999.
Pamela Dingle:
Right.
Joseph Carson:
Or 98.
Pamela Dingle:
Right.
Joseph Carson:
And Estonia thought, well, we'll try it, but we'll try it in a little bit different way. Finland wasn't so successful with their implementation, but Estonia was, so you do have to do the trial and error, you do have to find what works and sometimes you have to experiment. But who were some of your idols along the way? Who were the people that you looked up to that were working on some of these findings, kind of in the industry?
Pamela Dingle:
Oh yeah. There were so many amazing folks, so Kim Cameron.
Joseph Carson:
Yeah, Kim Cameron of course.
Pamela Dingle:
Of course.
Joseph Carson:
Absolutely.
Pamela Dingle:
If anyone wants to learn about the works of Kim Cameron, he wrote the Seven Laws of Identity, which really was a game changer. And part of it came from Microsoft pivoting based on reaction to their original announcement. And so the Seven Laws of Identity are epic. Bob Blakley, a lot of the Catalyst analysts, sorry, the Burton Group analysts at the time, Ian Glazer. Let's see...
Joseph Carson:
Ian's amazing.
Pamela Dingle:
Yeah. Jamie Lewis who ran the Burton Group at the time. I mean all of these were epic thought leaders and just very calmly helping people understand that the best practices mattered and that the rigor mattered, right?
Joseph Carson:
Absolutely.
Pamela Dingle:
And you're right. We, before 2001, really, when you think about what was happening before 2001, identity was essentially directories.
Joseph Carson:
Yeah.
Pamela Dingle:
Right. It was, you know, and.
Joseph Carson:
It was a phone book.
Pamela Dingle:
Yeah. And directories were a huge improvement over databases because they had this hierarchical model and they were person centric.
Joseph Carson:
Yes.
Pamela Dingle:
And they also focused on authentication. And then an LDAP was a huge revelation at that time. And then 2001 was really the time where people were starting to realize that their perimeters weren't enough and that they wanted to do business outside of their perimeter. And they needed to be able to introduce people across boundaries. And that's the world that the Passport Catalyst went into.
Joseph Carson:
Yes.
Pamela Dingle:
And certainly the Jericho Forum stuff was a big, big thing there, but also the Liberty Alliance was formed and I'm told I wasn't there, so this is secondhand knowledge, so please, nobody get mad at me if I've got it wrong. But my understanding in a lot of ways is that Liberty Alliance was all about saying, well, what do we want? We know we want a world of identity where domains can have control, right. Where we can control identity, where we can have sharing of identity, but with rules that both sides can participate in.
Joseph Carson:
Yes. Yeah.
Pamela Dingle:
Right. And that's where we got the SAML 1.0 standard, that turned into the SAML 2.0 standard. And that standard is still used today.
Joseph Carson:
Yeah, so I do think 2001 was a pivotal time. Because even that was probably what I remember. I went to so many in 2003 and when I went to Estonia, they had just started their identity journey as well from a digital society.
Pamela Dingle:
Right.
Joseph Carson:
For me, I think that was a kind of really foundation of really kind of realizing that we need a way to do identity verification, digital signature. We need a way to be able to authenticate, provide authorization and really get to make sure that everything is, somewhat having a root of trust as a source and verification and transparency, and also non-repudiation. Kind of along the way, what things do you think have been important kind of let's say moments in the time were identity has really evolved?
Pamela Dingle:
Well, I will say that my experience is primarily in enterprise identity.
Joseph Carson:
Yeah.
Pamela Dingle:
Which is, I think different than even in what you've done in governmental identity or government to citizen, they might call it. But certainly in enterprise identity, there was this definite progression that occurred, right. Directories solved the problem of password proliferation, right. It didn't solve the problem of how many times you had to type a password.
Joseph Carson:
Correct.
Pamela Dingle:
It solved the problem of which password you typed. And so you would type the same password, but now you would type it at every application everywhere you went, because password forms had not gone away. Only the backend database that you checked had now centralized, right?
Joseph Carson:
Yes.
Pamela Dingle:
That was step one. The next step was something called WAM or Web Access Management. And what Web Access Management did was solve the how many times you type your password problem.
Joseph Carson:
Yep.
Pamela Dingle:
And they did that by having a session cookie essentially, right.
Joseph Carson:
Yes.
Pamela Dingle:
And by placing generally, usually agents at every application that could check that session cookie so that you could log in once to a home realm and then you could travel to all these applications and the applications would know who you are because of this token.
Joseph Carson:
Yes.
Pamela Dingle:
Session token and of course, eventually it became an encrypted session token, which is very good.
Joseph Carson:
Which is a good, that's a good move.
Pamela Dingle:
Yes. Turns out it was necessary. And then that was the Web Access Management. And there was a point in time I want to say around 2006 where it was smooth sailing, everyone was happy except the problem was of course that cookies, right. That cookies have domains associated to them.
Joseph Carson:
Yes.
Pamela Dingle:
And so you then ran into, actually yeah, it was before, it would've been before 2006, so then everything that had been cooking in the Liberty Alliance and in OASIS, which is the standards body where SAML was created, sort of came to the fore, right around 2006, where now this concept of Federation came out.
Joseph Carson:
Yes.
Pamela Dingle:
And because WAMs couldn't get you across those domain boundaries, the Federation had its chance, right. And so all of a sudden you would end up in enterprise having a web access management system for your...
Joseph Carson:
Your domain.
Pamela Dingle:
Your soft chewy center with your hard perimeter. And then you would run your Federation server only to make hops across into other domains. And a lot of what at the time people were doing was it was a lot about contractors and a lot about.
Joseph Carson:
Third party suppliers, temporary employees.
Pamela Dingle:
That's right. Exactly right. That was sort of the age of Federation, which has continued.
Joseph Carson:
And even it was the time like BYOD was also coming out where people bringing their own devices in and still wanted to have access to corporate services.
Pamela Dingle:
Yes.
Joseph Carson:
And that was, it was almost considered like a contractor device in the scenario, but it was still an employee who using their own personal equipment.
Pamela Dingle:
Yep. Yep. And that was also sort of the Web 2.0, right. When Web 2.0 came out and so that's why a single sign on worked so well was the SAML profile was all about web redirects and that worked great until it didn't. And the point where it didn't was really at the point where cloud platforms and native applications accessing APIs came out, right.
Joseph Carson:
Yes.
Pamela Dingle:
And that those are the glory days of Twitter really where...
Joseph Carson:
You wanted application integrations, so rather than having to import and export data, you wanted to have that natural data exchange.
Pamela Dingle:
That's right. Exactly. And at the time, I don't know if you remember this, but what happened was the way that people would originally try to call APIs was to take your username and your password, Base64 encode it, and then include it on every single API fetch that you made.
Joseph Carson:
Yes.
Pamela Dingle:
And this still happens today.
Joseph Carson:
It still happens today. If you go to Bug Bounty, it's still quite a common problem that we actually find all the time.
Pamela Dingle:
That's really distressing, but I'm not surprised. But at the time what was happening was that Twitter was quite revolutionary in its time. And it also had this third party model, right. App model where you could have a proliferation of apps in the smartphone app stores and smartphones were pretty new at that time. And what was happening was those apps would just ask people for their usernames and passwords, because that was the only way that they were able to access the APIs.
Joseph Carson:
That was the only way.
Pamela Dingle:
And there was something called the password anti-pattern that developed, which was basically users were being trained to enter a username and password for a service, for anything that asks for it, right.
Joseph Carson:
And they became the password reuse.
Pamela Dingle:
That's right.
Joseph Carson:
Yeah. Which again, then you end up with one compromise means that all the other accounts that you had had to go through this password rotational reset.
Pamela Dingle:
Right. Right. Exactly. And so there was a very strong pressure to find a solution for that. And that's really where OAuth was born.
Joseph Carson:
Yes.
Pamela Dingle:
Was not in the enterprise world at that time, it was really in this new emerging consumer cloud platform market. And so OAuth 1.2, and then one, sorry, OAuth 1.0 and then 1.0a, because they found a flaw, came out, but was really for consumer use. And then the pressure came from enterprise to do the same thing because now the enterprises wanted to have their own platforms.
Joseph Carson:
Absolutely. And it's the same time that we were actually doing a lot of cloud migration as well and using SaaS applications.
Pamela Dingle:
Yeah.
Joseph Carson:
And it became important to make sure that you didn't have people having to have like multiple accounts everywhere.
Pamela Dingle:
Right. That's exactly it. Exactly. And cloud, it was cloud, cloud, cloud. You didn't have to say what cloud was, you just had to say cloud.
Joseph Carson:
Yeah.
Pamela Dingle:
Right. And this is my test by the way, my test for how real something is. Is if somebody says a buzzword and you say, what about that buzzword is important and they can't answer you, then it's not mature yet.
Joseph Carson:
Yeah, absolutely. For me, I always laugh because that assumption of cloud is like something magical.
Pamela Dingle:
Right.
Joseph Carson:
We just have to realize it's another computer in another place that you might not have access to or not have ownership or visibility over.
Pamela Dingle:
Right. I mean, I think that the buzzword of the day at this point, at least in my world is ZKP or zero-knowledge proofs.
Joseph Carson:
Okay.
Pamela Dingle:
They're real, like don't get me wrong. They're real. It's just that most people want them without knowing exactly why they want them.
Joseph Carson:
Okay.
Pamela Dingle:
They just know it's good, but they don't know why it's good.
Joseph Carson:
Let's fast forward to today. Kind of there's a lot of things happening around identity today. And I really like it because even though here at an RSA security conference, I was just saying, is I really enjoy going to identity conferences because it's less scary.
Pamela Dingle:
Yeah.
Joseph Carson:
Because here you get the fear of the scary part, but when you go identity, it's more about enabling, and integration, and making it easy to get services.
Pamela Dingle:
Right.
Joseph Carson:
And making the experience much better, so I always enjoy sometimes jumping out of the security and going in the identity as side. But what's really happening, what's exciting today? We've heard a lot about... I mean, from my view I've had a lot of discussion around things like Passwordless and I think sometimes the context get lost in Passwordless, because it's more of a password less experience.
Pamela Dingle:
Yes.
Joseph Carson:
There's still a secret somewhere that's being exchanged.
Pamela Dingle:
Yes.
Joseph Carson:
I would say, I think I've got to using Passwordless experience as the proper term because for the user that's experience, it's moving it more into the background where the exchange happens, so what are other things, Passwordless, what other things are exciting that you are seeing in the industry that's really evolving today?
Pamela Dingle:
Yeah. I mean, I think the focus on secrets.
Joseph Carson:
Yeah.
Pamela Dingle:
The great thing about it is it's moving beyond just users. And so in the enterprise world, again this concept of secrets management.
Joseph Carson:
Yes.
Pamela Dingle:
It's very funny because we've always had secrets. We've always had many secrets, but what we've never had is a rigorous process applied to how they get managed, there's never been expectations necessarily.
Joseph Carson:
Provisioned, migrated.
Pamela Dingle:
Right, so it's the whole idea of the life cycle and of that life cycle being tracked centrally, right. And of risk detection occurring upon all of these things. Like all of that that's a sort of a new pioneering land, right. And that's so much a case of identity and security colliding.
Joseph Carson:
Yeah.
Pamela Dingle:
I mean that is just so much of what's happening right now is identity and security colliding.
Joseph Carson:
Exactly, it's the convergence and it's also, you still have to think, I mean, what we don't want to get into is bringing it all in together and merging it too much.
Pamela Dingle:
Right.
Joseph Carson:
Because you end up just having a complex, big problem. I like to, because I learned years ago, it was one of the things that in the study I learned that they had the mentality of having not at the time, it was all, we were talking about software defined networks and they were like, no, no, no, no. It's about service defined networks. It's all about services. And that would've made the realizing that you had to go through and have microservices along the way and make sure you have that segregation of duties, so when you get into, for example, single sign on and then separating, making sure you have the continuous verification, whether it being multifactor, or two-factor, or whatever type of additional controls for security.
Pamela Dingle:
Yep.
Joseph Carson:
Then you've got the authentication side, then you have the authorization side, so it's always a point for me is to make sure that you at least have some control and let's say independence across all of those. Is that something you're seeing, the convergence happening across both the security and identity, that's bringing those more together?
Pamela Dingle:
It is. I mean the other one, you talk about buzzwords, right? The other big interesting one right now is multi-cloud.
Joseph Carson:
Okay. Yes.
Pamela Dingle:
Where, you're not only now managing resources in one cloud, you're managing resources in two clouds and frankly you were probably already managing on-premises resources also, right? All of a sudden you have this set of maybe as many as four, maybe even more environments and you are trying to manage resources across them. And so at this point permissions management becomes important.
Joseph Carson:
Yes.
Pamela Dingle:
And we've had lots of role management stuff occur before, but now it's really moved much more into the infrastructure as a service side of the house, right. You as an identity professional are now starting to look at all those resource types and trying to apply policy consistently across all of them.
Joseph Carson:
Yes.
Pamela Dingle:
It's a big job, but the industry is pivoting to help make it possible.
Joseph Carson:
Yeah.
Pamela Dingle:
The other one that's definitely less in the security world. I mean, because I know you probably talk about for example, Passwordless all the time.
Joseph Carson:
Yeah.
Pamela Dingle:
The other big one is on the governance side. And so there's a lot of stuff going on right now, it's one of the favorite analyst cautions right now is around orchestration.
Joseph Carson:
Yes.
Pamela Dingle:
How do you take your workflows and make them intuitive, not only for the people who are running them or who are using them, but for the administrators that are trying to implement them.
Joseph Carson:
Okay.
Pamela Dingle:
Right. Which has a security angle because if you can't understand how your workflows work, that's when you know there are cracks that can happen, right. Understanding sort of what is your life cycle of getting a user into an org? What is your life cycle of having that user escalate privilege?
Joseph Carson:
Yep.
Pamela Dingle:
Right. All of those things are getting much more baked and there's a lot of time and energy going into making them easy, but also making them auditable.
Joseph Carson:
Okay.
Pamela Dingle:
Right. Running risk detection, all of that.
Joseph Carson:
Yeah. And especially across that multiple clouds as well.
Pamela Dingle:
Exactly.
Joseph Carson:
Because that's where the challenge, if you're not having some type of auditability across them, you end up having to keep going into each system individually and you're trying to find what's happening.
Pamela Dingle:
Right. And the attackers just find, they find the dark spots.
Joseph Carson:
Yeah. The ones that you are not looking for.
Pamela Dingle:
That's right.
Joseph Carson:
The ones that you miss are, especially a lot of organizations who are doing digital transformation are moving to cloud. They try to retrofit what they have on-premise and push it to the cloud. And they end up realizing that they have some security by default, are not enabled by default.
Pamela Dingle:
Right.
Joseph Carson:
And misconfigurations which end up exposing them significantly. You're working in standards. Like how important are standards today? And how long is the process to get a standard? Because I've seen a lot of the, I think years ago we've been talking about some of the standards and I think today we're still talking about some of the standards as well. What's the process, and what's involved, and why are standards important?
Pamela Dingle:
I think standards are more important than they have ever been because we are more connected to our world from a computer to computer perspective than we ever have been. When I talk about standards, I'm really talking about interfaces that anyone can use that operate in a predictable fashion, so you can imagine, if you want to decide you want to go make blueberry muffins, you probably don't try to create your first blueberry muffin from scratch, right?
Joseph Carson:
Make up my own version. Well, I don't.
Pamela Dingle:
Well, and you might, right? You might through trial and error and great time, you might come up with your own recipe, but many, many people just go to a recipe book, right. And really ultimately standards are recipe books for complex technical tasks and often tasks that occur between parties. And so the reason why standards have value is that what you don't want to do is one off integrations. You can imagine, you want to integrate with an app, you write a snowflake piece of code, and then you get to the next one, you have to write another piece of code and you get to the next one. And what happens is your resources just get siphoned into nothing.
Joseph Carson:
Yes.
Pamela Dingle:
Whereas if you can write one time and enable every single partner you have to connect with you in whatever way you need to connect. Then all of a sudden your investment creates a very, very scalable pattern. And so that's really what we do is we create the patterns for things that are very common. The amazing thing about identity is everyone has to manage identities.
Joseph Carson:
Yes.
Pamela Dingle:
And so it's easy for us to recognize that, the things that are in common between all of our different organizations and so examples of standards we were talking before about single sign on, that's a perfect example.
Joseph Carson:
Yep.
Pamela Dingle:
People need to get introduced across domains, right? Whether you're going to a SaaS app or to another cloud platform. And so SAML is a secure introduction, that's really what it is. If you look at something like SCIM, which is System for Cross-domain Identity Management, it's about the fact that everyone needs to call user APIs, right? Like get me the user's name, get me the user username and login, get me attributes about the user.
Joseph Carson:
Their objects and resources that they have, yeah.
Pamela Dingle:
Right. And you need to be able to push users into systems, you need to pull users out of systems, and synchronize the data between systems so that you don't have data diverging because a lot of that data becomes part of a security decision.
Joseph Carson:
Yep.
Pamela Dingle:
And so that's another example of a pattern. SCIM is just a standardized user.
Joseph Carson:
It helps to do de-duplication as well from actually having to have like records in multiple places.
Pamela Dingle:
It does. Yeah, exactly. It creates a relationship between the two companies so that you get a ripple effect, yep. In case a user is removed for example, or data changes. And it of course increases accuracy, so in the old days, especially if you're a female and you got married and you changed your name in one system and it stayed changed in that system.
Joseph Carson:
In the system. Yeah. Even obviously in people like moving between states or like changing addresses and having car registration, all of a sudden trying to maintain all of that just becomes a kind of administrative nightmare.
Pamela Dingle:
Right.
Joseph Carson:
And actually, one of the things that's what I loved about the Estonia model was always that data lake model where you've got data repositories in different areas and what you do is provide, read access between each of them, so therefore you don't duplicate the data. If it's in one location already, you tell it the metadata location of how to find it. And therefore you can get accuracy, you have one place to keep it updated and maintained. And therefore it just meant maintenance of it becomes so much easier.
Pamela Dingle:
Right. Makes sense. And then I think the other really big trend is decentralization in identity. And there's obviously a consumer angle to that, and a government angle, and an enterprise angle. But generally speaking, the whole idea behind it is, identity these days is mostly accomplished, at least securing messages is accomplished through asymmetric cryptography.
Joseph Carson:
Yep.
Pamela Dingle:
And so the question becomes, today most systems create an account on behalf of a user.
Joseph Carson:
Yes.
Pamela Dingle:
And the companies control how you authenticate. They control whether you are alive or dead in the system, so to speak, right. And the idea of decentralized identity is what if the user controlled that piece?
Joseph Carson:
This is the conversation I had with Paul Simmonds for a long time.
Pamela Dingle:
Yes.
Joseph Carson:
We had that discussion about that. And this got me thinking, after that conversation I mean, I think it was going back maybe about five or six years ago. We were actually here at RSA and I remember having the conversation over dinner or like we were with drinks at a party. And I was talking about the Estonian system and he was talking about decentralized, of course, with the Jericho Forum and everything. And he got me realizing that at that time, I started thinking about if we do decentralize identity and the users the best person at bringing who they are, then it becomes that important part of the root of trust of do we have mutual trust, as I'm first time getting introduced there's a way for me to show that we have a mutual party that can verify that I'm really who I am.
Pamela Dingle:
Right.
Joseph Carson:
And then that started me thinking about, at that time, it was about 2016, about bringing your own identity. And you get into that story about, and this is this conversation myself and Martin had recently, just an updated version of my thoughts on this, that you get into well, if the user brings their own ID, that means that really all the organization does is need to provide enablement and access and give them the permissions they need to. Is that where decentralized identity is going? That scenario, or are we still a bit early in the phase?
Pamela Dingle:
Oh, I think that's exactly where it's going. I would say we're mid phase in that we now have, the standards are mostly baked now to be able to send credentials around, so I guess this is the other piece is part of decentralized identity is something called verifiable credentials.
Joseph Carson:
Yes.
Pamela Dingle:
And verifiable credentials are very similar to something like a SAML assertion. It is an assertion, it's a signed document, but the difference between a verifiable credential and something like a single sign on assertion is that the verifiable credential is meant to be held by the subject of the credential.
Joseph Carson:
Yes.
Pamela Dingle:
And so just like a regular wallet, a credential gets issued to you and then you control it. As the end user you control when you present that assertion. And so that three party model of, they call it holder, subject, and issuer, or holder, verifier, and issuer, changes the game, because what it can do is it can allow you to suddenly present a credential that no longer is about establishing who you are, but what you can do.
Joseph Carson:
Yeah. And this gets into even the question, so after, I remember later, after having that discussion with Paul, myself and Ian had a discussion. Ian Glazer, we were talking about the same thing and I was curious as to what his thoughts were, and it was into where you don't even need the data anymore, you just need to have the right question to ask.
Pamela Dingle:
Right.
Joseph Carson:
Are you old enough to drive? Yes. And that's the only answer you need, and you need to know, verify that this is valid data. Are you able to stay in a hotel? Are you able to drink? Are you able to vote? You need to have the right questions, so you don't necessarily need to look at someone's ID to get those questions, you need to have a source of asking those questions.
Pamela Dingle:
Right. And you have to trust the person making the statement.
Joseph Carson:
Yes. Or have a mutual trust that actually can say that this data is correct.
Pamela Dingle:
Right. And in the case of, when you think about foundational documents, like driver's licenses, native digital driver's licenses are a thing and they're coming.
Joseph Carson:
Yeah.
Pamela Dingle:
And of course it matters, it really matters who says you can drive.
Joseph Carson:
Absolutely. Absolutely. You want to make sure that it's coming from a very trustable source.
Pamela Dingle:
That's right. That's exactly right. As soon as the lawyers get involved, as soon as somebody's going to sue someone else, then it really matters. And you have to be able to prove it.
Joseph Carson:
Yeah. And is this where, so I remember even recently where we've now got many different identity providers now. Honestly, we used to be like one or two, and now we've got tons of identity providers and depending on what level you come in, you've got different levels of security assurance level, depending on kind of how trustworthy they are. And now what's moved into where all of this is now moving into a digital wallet, so you think the digital wallet is now going to be the kind of central place of data. Let's say like a data proxy or data exchange, is that where?
Pamela Dingle:
Yes.
Joseph Carson:
Becoming transactional as well. Because when you look at current digital wallets, they're very static, but I think it's really important that they do move to a more transactional model and they stay updated.
Pamela Dingle:
Yes. And I mean the amount of opportunity that a digital wallet represents is unbelievable because what it can actually be is your trusted assistant. It can be the entity that's looking across all of your credentials and saying, if you pass this credential, you're going to create a correlation risk, right. Or you have already given this other credential to your website, are you sure you want to do that, right? Because now, because you're in the center as the user, all of a sudden you can check across all of the websites you go to, you yourself can correlate your own data, right. As much as you don't want anyone else to be correlating data, to have you be able to correlate it is incredibly powerful.
Joseph Carson:
Yeah.
Pamela Dingle:
And there's a couple of really interesting things, there's a thing called consent receipts. I don't know if you've ever heard of this.
Joseph Carson:
Actually, there's a process and study I've come across with loyalty cards, so when you go into the payment loyalty cards, you can determine whether it is personal or whether it is tax deductible and so forth. You can actually start to do consent and determine whether I want to pass this already to the tax authority as you purchase the item.
Pamela Dingle:
Nice, nice. Well, so consent receipts is very similar. Imagine a case and the standard exists today, but there are very few implementations.
Joseph Carson:
Okay.
Pamela Dingle:
But the potential is that every time, for example, you agree to a privacy policy at a website, they send you a receipt of what you agreed to, and when, right, so that if they violate it, you can go back and say, this is what I agreed to.
Joseph Carson:
It's almost the contract, because right now all of those are very vague and not very clear as to what you've done in the past.
Pamela Dingle:
Yeah.
Joseph Carson:
There's no proper audit trail or transactional model, so I think that's when I'm thinking about the digital wallet implementation and going into the transactional piece, you can actually have all of those consents maintained and verified and make sure they're actually being held accountable.
Pamela Dingle:
Right. And you could in the future, you could negotiate them.
Joseph Carson:
Yep.
Pamela Dingle:
I mean, you could literally say.
Joseph Carson:
You could monetize them.
Pamela Dingle:
I'm sure you could. I'm sure you could, but that interaction's just never been possible before because you've always been a captive member of every site you're at.
Joseph Carson:
Right.
Pamela Dingle:
And they all think of it differently, they store it differently and all of a sudden there's this one central thing that can make it.
Joseph Carson:
Yeah, sort of like my mind is starting to get excited, because I'm starting to think about how identity and the privacy side converge, there's a bit of a... That privacy is starting to become more of a digital rights management scenario as well, how you monetize it, because other companies are monetizing it without your consent.
Pamela Dingle:
Right.
Joseph Carson:
And now it's important to have that visibility and start maybe, it becomes also an extension of your income.
Pamela Dingle:
Right, right.
Joseph Carson:
What's next? What do you think is going to be like, what's the big thing for the audiences as a takeaway that you're going to see, that's going to be the next big thing that's coming forward?
Pamela Dingle:
There's so many big things. Well, I actually do think that Passwordless, going back to Passwordless is going to be...
Joseph Carson:
A fundamental change.
Pamela Dingle:
It's big and will fundamentally change. And part of that is if you haven't seen the Apple WWDC presentation on passkeys.
Joseph Carson:
I haven't seen the presentation, I've read some of the summaries.
Pamela Dingle:
Yep.
Joseph Carson:
Because I'm still thinking of the password experience, what it is doing is that fundamental secret, and you get into temporary secrets and temporary keys. And I had a recent episode with Dustin Heywood, EvilMog, who does password cracking at the X-Force Red team. And we had the conversation, that was exactly that scenario where you're putting it all in the background, where the challenges are still always the provisioning piece and how you migrate devices; that's always going to be kind of the risk.
Pamela Dingle:
Account recovery.
Joseph Carson:
Yes.
Pamela Dingle:
But this is sort of the real significance of the Apple announcement. Passkey is a slightly different implementation from your standard FIDO security key or Windows Hello type of implementation, where they are actually allowing the private key to roam.
Joseph Carson:
Okay.
Pamela Dingle:
That's, it's a big deal, right?
Joseph Carson:
It is a big deal because that becomes a risk.
Pamela Dingle:
It does.
Joseph Carson:
And then you get into, well, what's the root, what's the parents, where was it created? Are we going to create a chain of trust? Are they going to be derivatives of that private key? Or is it going to be just duplication of the same key in multiple places? That gets a bit scary for me.
Pamela Dingle:
Yes, yes, I know.
Joseph Carson:
I'm sorry.
Pamela Dingle:
And all of us are like, eh. On the other hand, we have password managers today, which have taken us a huge step forward in security. And our passwords are stored in a password manager that is synced to our consumer world.
Joseph Carson:
Yeah.
Pamela Dingle:
And so this is basically the same idea, the idea that your iOS passkey...
Joseph Carson:
Yes.
Pamela Dingle:
Right. That key would be available on any device that you own, right. And so now you can lose your device and not lose access.
Joseph Carson:
And not lose access, so because it's going back to the same discussion I had with the Estonian government, because we had the issue back in 2015 where the weakness in the encryption, and ultimately it meant that it was about 800 and something thousand cards.
Pamela Dingle:
Right.
Joseph Carson:
And there was the discussion that time because your ID card in Estonia was the parent and your SIM card or eSIM, or the card in your phone was a child. You would actually use your parent to sign that and they get into the discussion because of that issue about actually, well, let's make this one also equivalent, let's duplicate it.
Pamela Dingle:
Right.
Joseph Carson:
And I got into that. I was like, are you sure we want to go that path? Because it creates a management challenge.
Pamela Dingle:
Yes.
Joseph Carson:
There are also the security concerns, but it does create a management nightmare. But where is that pyramid anymore? Because now we're moving into a rectangle and now we have multiple of those.
Pamela Dingle:
Yes, yes. And it is a very different calculation for enterprise than for consumer, right. But the consumer problem is a huge problem.
Joseph Carson:
Yes.
Pamela Dingle:
And the question is if we don't do something, if we keep these keys heavily bound to hardware for consumer use.
Joseph Carson:
Yes.
Pamela Dingle:
Then are we just creating technology that no one's ever going to adopt, right. So, you know the thing...
Joseph Carson:
Yeah, that's the challenge. We want to make it usable. We want to make people be able to easily pick up another device and just continue where they left off.
Pamela Dingle:
Right. And if we can actually move people away from passwords, I mean, that's the trade off.
Joseph Carson:
Yes.
Pamela Dingle:
If we can get a hundred percent penetration because we literally make it easier for someone to pick up their smartphone, use their biometric and gain access to any website on the web. Then we have moved the ball in a very meaningful way.
Joseph Carson:
Yep.
Pamela Dingle:
And then we can always tune what happens after that, we can tighten it.
Joseph Carson:
Yeah.
Pamela Dingle:
We can address fraud.
Joseph Carson:
So this means that everyone's going to have to have a password manager.
Pamela Dingle:
I, you know, it's going to be, yeah.
Joseph Carson:
If you want to securely sync that across multiple devices, you're going to have to have the way to securely transfer it.
Pamela Dingle:
Right. And right now it's just that the cloud platforms are going to take care of it.
Joseph Carson:
Yeah.
Pamela Dingle:
But that doesn't mean it'll... I mean, I think once people really see the potential to have every single person out there be able to use passkeys.
Joseph Carson:
Yeah.
Pamela Dingle:
Instead of passwords then who knows what will happen.
Joseph Carson:
Yeah.
Pamela Dingle:
But it's really important to note that the high assurance use cases are not going away, so the standard is not changing, it's not loosening, right. It's enveloping this, this secondary use case, but you can still drive your credential down to hardware, if you choose to. And device bound keys are still part of the specification.
Joseph Carson:
Which has been the whole evolution in eSIMs and being able to kind of have multiple devices that people have and be able to use one as the same thing.
Pamela Dingle:
Right, exactly.
Joseph Carson:
This has been fantastic.
Pamela Dingle:
I know.
Joseph Carson:
And I literally could keep going for hours for this topic.
Pamela Dingle:
Me too.
Joseph Carson:
For the audience, I mean, I think for a lot of our listeners this is going to be so exciting, to really get to better understand identity, the history, about you and kind of your ideas, and I think the future is... for me, I love these types of conversations because I can just be kind of like, I've got my ideas going. Again, many thanks for joining the show and the episode. This is going to be so much fun, the audience is going to learn a lot about identity and where it came from and where it's going, so any final comments or words that you would like to share with the audience?
Pamela Dingle:
No, only: turn on MFA, but I suspect anyone who's listening to your podcast already knows that.
Joseph Carson:
They know it, but I'm hoping that they have done it. There's no way of me knowing that they put it in place.
Pamela Dingle:
That's right.
Joseph Carson:
But definitely multifactor authentication. Don't let passwords be the only thing that's keeping you safe.
Pamela Dingle:
Yes. And you know, if you can't turn it on for everyone, protect your admins.
Joseph Carson:
Yeah.
Pamela Dingle:
Step one, protect your admins.
Joseph Carson:
Absolutely. Again, many thanks everyone for joining us, and to Pamela Dingle, who has brought awesome identity knowledge to the show, so stay safe. Tune in every two weeks for the 401 Access Denied podcast. I'm your host for the episode, Joe Carson. Again, many thanks for joining us, and stay safe and have fun. Take care, bye.