I was invited to give a keynote at the Cloud Security Alliance (CSA) Congress in Dublin recently, on behalf of my EMC colleague Said Tabet. Two years before, I had spoken at the CSA Congress in Rome about the EU-funded SPECS and SPARKS projects and their relevance to cloud in terms of GRC and security analytics. But this time, I felt that I needed to have discussion about the implications of the dramatic changes in identity management over the past several years, particularly in terms of the dramatics changes affecting the trust-related decisions that we as users and organizations make every day: the disappearance of organization boundaries due to cloud, mobile and social, the increased intermingling of personal and professional identities, the resultant expansion of the attack surface and the increased importance of understanding identity-related issues in order to manage risk.
To highlight those changes, I decided to challenge the audience at the beginning of my keynote by declaring “I am an imposter!” This immediately raised for the audience the question of whether they could trust me or not. Was I really an imposter? If so, why would I tell them that I was? If I was an imposter, what was I pretending to be and what was I really? Doesn’t such a declaration deny itself, like the self-referential liar’s paradox of “This sentence is a lie”?
In short, they had to be able to answer the question “Who are you and why should I trust you?”, a question that my colleague Jeff Carpenter used as the title for his EMCworld 2016 session on the critical role of identity in cybersecurity. At the CSA Congress, I addressed this question quickly, since I was an imposter only in the limited sense that I was standing in for Said, whose picture as keynote speaker was in the congress program. But the question did set the stage for my presentation, in which I discussed the increased use of social engineering as the launch vehicle for targeted attacks and the ways in which the cloud has dramatically increased the opportunities available to attackers to engage in social engineering against individuals and organizations.
What can be done to address these new challenges for identity? At the RSA Summit in Dubai earlier in May, I had the opportunity to meet and talk with Commander Sunil Dhaka (retired), who has worked for many years at banks in India and the Middle East. His experience, especially in combatting financial fraud, has led him to go beyond the old model of identity and access management (IAM), beyond the old “Triple A” of authentication, access and audit. He advocates an identity strategy that takes advantage of the rich context available for identity-related decisions, that views those decisions in terms of levels of risk and that responds continuously to the changes in identity characteristic of the dynamic worlds of individuals and organizations. At RSA, we call this strategy Identity Assurance, a strategy that Kayvan Alkani, Senior Director at RSA, has discussed in detail in several recent blogs.
As I mentioned in my presentation at the CSA Congress, one of the first projects I worked on as a software engineer in the 1980’s was an identity and access management capability for VAX/VMS. It assumed a paradigm of static, limited-factor authentication intermittently followed by rules- and roles-based access control. That old paradigm still persists in many IAM solutions. But in today’s world, the question “Who are you and why should I trust you?” can’t be answered effectively by that old paradigm. As Sunil said to me in Dubai, as Kayvan has written in his blogs, we need to evaluate trust continuously for today’s complex, multi-faceted and multi-modal identities.. We need to take advantage of the rich context available from user devices, from behavioral analytics, from shared threat intelligence and many other sources in order to assess risk, determine levels of confidence and establish appropriate levels of trust. This is the strategy that we need in our complex world. This is the strategy we need if we are to discover our attackers, who unfortunately don’t announce themselves by saying “I am an imposter”.