- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Tue, 16 May 2023 18:56:59 +0000
Thanks to Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2023-05-16/

Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2023-05-16/audio.ogg

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2023-05-16

Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=May&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer: Mike Prorock, Kimberly Linson, Harrison Tang
Scribe: Our Robot Overlords
Present: Harrison Tang, Richard Bird, Kimberly Linson, Mike Xu, John Kuo, Nis Jespersen, paul murdock, Sandy Aggarwal, Greg Bernstein, Jennie Meier, Joe Andrieu, Will, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Hiroyuki Sano, Sharon Leu, Leo, Andrew Whitehead, PL/T3-ASU, Erica Connell, Paul Dietrich GS1, Dmitri Zagidulin, JeffO - HumanOS, David I. Lehn, Chandi Cumaranatunge, Keith Kowal, Kaliya Young, Jeff O - HumanOS, Eric Sembrat, Marty Reed, pdl-T3

Our Robot Overlords are scribing.

Kimberly Linson: Alright, hello everybody. We are really excited to welcome Richard Bird to join us today. I will run through a few housekeeping items and then we'll get started. We're going to talk about identity and security, and I know that's a topic that we're all...
Kimberly Linson: ...very interested in, and I think he's got... I had a chance to do a little bit of reading up, and I think you'll enjoy his presentation style as well. So just to remind everyone, as we sort of set the intention for today, that we are all bound by a code of ethics and professional conduct, and that we are all here to better the world of credentials, the world of identity and the world of security. We're all...
Kimberly Linson: ...working towards the same.
Kimberly Linson: Anyone is welcome to participate in these calls, but if you plan to be a contributor or you want to get more involved, then I really would encourage you to fill out and sign the IPR agreements. Links to those can be found in the agenda for today, and it's very simple to join in, and we definitely want to have your voice here at the table.
Kimberly Linson: Also, we do keep a recording of this call and also notes in the transcript and chat, so please feel free to put notes in the chat. And if you would like to ask a question, that's how we'll be managing the discussion today: put q+ in the chat if you have something you'd like to ask Richard, or q- if you want to remove yourself from the queue. And this...
Kimberly Linson: ...is the section of the agenda...
Kimberly Linson: ...[where we] get a chance to meet new folks. So if you are joining us for the first time and you'd like to introduce yourself and what you're working on and what your interest is in credentials, we'd love to hear from you. And if you haven't been here for a while and you just want to sort of give a verbal hello to everyone and let us know what you've been up to, we'd invite you to do that now as well. So go ahead and put yourself on the queue if you'd like to...
Kimberly Linson: ...introduce yourself.
Kimberly Linson: All right, next is announcements and reminders. Does anybody have anything coming up that they want to talk about, something that is important for the community to be aware of? Now is the opportunity for you to share that.
Kimberly Linson: Dmitri, I'd like to put you on the spot, if you don't mind, to kind of give a little...
Kimberly Linson: ...30-second update on the VC-EDU plugfest discussion from Monday, and maybe it also will serve as a teaser for when you all are going to come and talk to this group about it in a couple of weeks.
Kimberly Linson: We... you're very muffled, like you're not loud enough.
Dmitri Zagidulin: One second, one second.
Dmitri Zagidulin: Is this a little better?
Dmitri Zagidulin: Okay, so a couple of things. So we just had the first pre-pre-discussion about the third Jobs for the Future foundation, so JFF, plugfest, which is going to be testing requesting verifiable credentials from wallets. So the first one tested display of VCs, the second one tested issuing, this one is going to be testing verifiers requesting multiple credentials from...
Dmitri Zagidulin: ...from wallets.
Dmitri Zagidulin: The plugfest itself is going to be held on October 9th, so the day before IIW.
Dmitri Zagidulin: So the discussion about the exact details, like what we're testing and how, is continuing. So those are just the broad, broad terms of what we're focusing on, so we encourage everybody to join the discussion that's coming here to the CCG shortly, that Kimberly mentioned, and further calls on the subject on VC-EDU. How's that?
Kimberly Linson: That was perfect, and I will grab the link for those of you that haven't... that do want to participate in the plugfest. I'll grab the link that you need to fill out by, I think... that is the deadline, June 6th, June 8th, something like that. It's in the link, so I'll put the link in the chat in just a moment.
Kimberly Linson: Anybody else with... ever.
<dmitri_zagidulin> I don't remember, re deadline
<sharon_leu> deadline is june 5
Kimberly Linson: Thank you, Sharon. The deadline is June 5th, and Sharon, if you have that link handy you can certainly post it in the chat for us.
Sharon Leu: https://forms.gle/Nnc2fsgiyaMHbYkQA
Kimberly Linson: Right, well let's get right to the main agenda, which is Richard Bird, who is the chief security officer at Traceable AI. And as I was preparing to have Richard come today, I was thinking a little bit about this group and how I feel like, and this is just sort of for Richard to know, we're a group of about 500 folks, and as a community group I think we really...
Kimberly Linson: ...one is interested in credentials, but one of the things...
Kimberly Linson: ...[about being] a part of this community is that folks really come at it with sort of one of three lenses. They're either, like me, sort of very interested in credentials and how people can tell the story of their life and experience through credentials, or they come at it from a security lens, how do we keep these things secure, or they come at it from an identity lens. And so I think it's really great to have you here to kind of give us your perspective on identity and security.
Kimberly Linson: ...and with that I will let you take it away, and...
Kimberly Linson: ...let us know if you have things you want to share; you can certainly go ahead, and you should be able to share now.
Richard_Bird: Absolutely, thank you, and thank you everyone for the opportunity to be with you. I'll talk a little bit about my inspiration and motivation to do so in just a second, but let me go ahead and get the presentation that I pulled together up on the screen. And Kimberly, if I can ask, can you see it?
Kimberly Linson: I sure can, it looks great.
Richard_Bird: All right, fantastic. Looks like I'm going to have to do a screen here, so hang on for just a second.
Richard_Bird: So let me say first of all I'm really eager to talk with you all today for a number of different reasons, but the most important reason is because of how long I've been associated with identity. And I'm going to make some disclaimers. First of all, I'm not a technical presenter. It doesn't mean that, you know, we can't go in the weeds on JSON and, you know...
Richard_Bird: ...OIDC and AuthZ and AuthN.
Richard_Bird: ...around all of these components and aspects for years and years, but my presentation style and my presentation approach tends to be on picking apart myths and misconceptions and misrepresentations that all of us, particularly those of us that work in the field of identity, you know, whether it's in the credential space or verification, validation, access control, that we have to labor with all the time. And I think that there's a real...
Richard_Bird: ...interesting reason why that's the case, and it has to do with...
Richard_Bird: ...the fact that we're one of the few security domains that really doesn't know much about our history, which I'll talk about a bit today. I do like interactive, you know, conversations versus me just verbally vomiting all of this information out. And I will say, as we get to the close of the presentation, it's another day, which means it's another airport and another sprint to a different city for me...
Richard_Bird: ...me, and I'll give some background on why that's the case.
Richard_Bird: As we wrap up I'll definitely be looking to tie things up, let you get back to the remainder of the meeting, and in conclusion I'll be hitting the road. So I've subtitled today's discussion as a problematic history in three acts, and I think for folks that have, you know, like the W3C CCG, you know, people that have a specific interest in credentials and have a specific interest in the association of credentials to decentralized...
Richard_Bird: ...identity and other, you know...
Richard_Bird: I think that it's really important to understand the distinction of the three acts of the history of identity. Now, if I dive in a little bit, first of all, why even listen to me? I always think it's important to have at least some kind of credibility statement. You know, it may not be as much credibility as I would like, but, you know, I hope that I give you some reason to think about something in a new way today. And the reason, you know, that...
Richard_Bird: ...that I...
Richard_Bird: ...[am able] to do that in most of my presentations is just simply because of where I've come from and my experience. Now, when I say I go way back in identity, I do remember that my first identity project, without even recognizing it was an identity project, back in my late twenties, was a Novell eDirectory to Microsoft Active Directory migration. That wasn't actually the thrust of my IT career at that point; I was, you know, working for...
Richard_Bird: ...a company that was just simply...
Richard_Bird: ...Raishin, they didn't have anybody else to do the job, and so I put my hand up and said I'd do it. About the first part of my IT career was actually in IT technology management. I spent 20-plus years, actually 24 years, in the corporate world. My first track was in IT operations, so middle office and back office in the banking industry, so I did a lot of application development, release management, QA, UAT, all of those, you know, fun parts. The good thing for me...
Richard_Bird: ...from a security standpoint...
Richard_Bird: ...is that I was the guy that used to break all the rules. I actually remember my first information security head, before we had anything like CISOs, came to me one day and said, hey, we've got to, you know, stop your production code deployment because you've got security vulnerabilities. And I can distinctly remember saying, and this is terrible, but I distinctly remember saying: you didn't pay for this application, the business did, we'll go to production and we'll note your findings as...
Richard_Bird: ...opportunities for...
Richard_Bird: ...future features and enhancements. Wrong thing to say, obviously, then, but we weren't as knowledgeable about the bad outcomes as we are now. Certainly the wrong thing to say today. Unfortunately, I wish I could say it's changed, but it really hasn't changed as much as we'd like it to change. I was actually brought back in after a CIO to be in a role that I think is helpful for this conversation. The role that I'm most known for in my career is not my city services...
Richard_Bird: ...bio position. The role I'm most known for...
Richard_Bird: ...[running the] largest centralized identity function back in the day at JPMorgan Chase. I ended up leaving Chase after 11 total years as the head of global, or the global head of, identity for all of the consumer businesses: about 350 thousand employees, 72,000 contractors, 2-point-something million functional machine accounts, and those are only the identities that I could sort of find every quarter, so who knows the numbers, well, all these years later. So obviously I spent a lot of time...
Richard_Bird: ...in banking. Most importantly for me, on the professional side...
Richard_Bird: I was pulling the cord and getting out of the corporate world, and that liberated me; it actually gave me freedom to speak, which I've now done six hundred some odd times in the last seven years, and I've held multiple C positions now on the solution side of the equation. Caveat about my presentation: please forgive the Traceable template. This presentation is not about Traceable; this presentation is about identity. Unfortunately I keep all of my work on a single work laptop...
Richard_Bird: ...and I didn't want to grind out...
Richard_Bird: ...you know, a brand new template for this presentation. I have been quoted extensively and globally for years now, you know, New York Times, Wall Street Journal, Dark Reading, you know, kind of all of the interesting media outlets both on the business and the technology side. And also, for this group, you know, I do have some background in having sat and served on standards committees associated with NIST, been associated with open banking accords in the UK...
Richard_Bird: ...as well as EU and Australia.
Richard_Bird: It's a tan and a back committee years and years ago, so I've definitely spent a lot of time in this space. Now let's get right into, you know, the meat of the discussion. I had mentioned that one of the things that I find challenging about making progress in identity as it relates to security is that we are the only domain that has no knowledge of our history, and I think this is really important for discussion because...
Richard_Bird: ...Church, and it's interesting how thin the amount of information about information security is out there. Nobody's actually done much in the way of academic studies or even popular studies around the history of information security, and if I launched a number of dates of probably the most significant breaches, exposures or events that have happened in cybersecurity and just mentioned...
Richard_Bird: ...the date...
Richard_Bird: ...timing of those events, most people, even just in cybersecurity, have no idea what those events are from a historical perspective. But it's even worse on the identity side. Let me give you an example of this. This is a great picture. You know, those of us that go back to the days of tape, you know, know what this is. This is a mainframe operations room, probably from the early 60s, and I'm still fascinated by somebody that's doing...
Richard_Bird: ...cute, wearing a suit.
Richard_Bird: Head, because usually it's a Grateful Dead t-shirt these days, especially if you're in the mainframe space. But the situation that we have is: where did identity start? And identity did not start at the very beginnings of compute. ENIAC, as an example, really didn't have any concept or a framework of access control beyond physical keys. You know, so if you are familiar with the NEX system and...
Richard_Bird: ...late 40s through the early 60s, you know, the...
<kaliya_identitywoman> Seeing SSI in Historical Context - I cover some of this history https://identitywoman.net/topics/my-papers/seeing-ssi-in-historical-context/
Richard_Bird: ...Food system, and you actually accessed it by turning it on, or turning the console on, with a physical key. It wasn't until 1961 or '62 that the construct that would become identity as we know it today would be introduced, and this is a really fascinating part of our history, because it not only got introduced, it created what now has become the dumpster fire that is identity.
Richard_Bird: If the mainframe was the beginnings, the current middle state of where we're at in evolution and growth, unfortunately, is the dumpster fire, and I'm going to give you some really specific reasons why that is as we go through this presentation. But I want to come back, though, to, you know, the beginnings of when identity became a notion within compute. It was 1962, and I don't read slides, I tend to wave my hand at them and...
Richard_Bird: ...maybe talk about what...
Richard_Bird: ...I'm [showing]. So you're more than welcome to read the Wired quote yourself, but in 1962 IBM had embarked on a massive installation of new mainframe technology at MIT, and at MIT the graduate students that were associated with the equivalent of what would have been CS today from a degree standpoint, but actually was engineering back then, they were in a bit of a...
Richard_Bird: ...pickle because...
Richard_Bird: ...they needed a number of hours per week to be able to access the mainframe system and be able to do their coursework, right, or their research or their studies. So this introduced the necessity for CTSS, or computer time-sharing system, and the CTSS system was actually developed by MIT, and it assigned accounts and passwords to the students. Now here's what I think is really, really...
Richard_Bird: ...important to...
Richard_Bird: ...[think] about. Great, we introduced accounts and passwords. That was the very beginning of identity as a notion within the digital world. It is so persistent as a framework and structure that we still use it today, no matter how bad it sucks. And how bad does it suck? Well, the early days of this particular event should have already given us the lessons that we needed to have done better, and by that I mean it took approximately, depending upon whose...
Richard_Bird: ...[story] you listen to, it took approximately...
Richard_Bird: ...11 hours for Allan Scherr, specifically, to figure out that he could go scrape the entire password log out of the system and then begin to sell compute time to his fellow students. So, you know, really the foundation of identity in all that we do was shown to be problematic within half a day of it being introduced as a structure, and yet we continue to build on this idea of...
Richard_Bird: ...identities and passwords, and even if...
Richard_Bird: ...the foundational notions of a directory, right: it was in the form of an access control log or access control list back in 1962, but functionally it was a directory. It was a student name assignment to each of these password and account components. It was centralized in one location, so everything that has come since was built off of a foundation that was understood to be a challenge or a problem from the very beginnings, and yet we didn't stop; we rushed on towards...
Richard_Bird: ...greatness and building these. Now I would really...
Richard_Bird: I'm going to...
Richard_Bird: ...Jaden, I always like to make the disclaimer: I am not being paid for any of the endorsements or recommendations that I make. The only book that I'm aware of that produces a fairly decent history of information security... I would actually like to have seen it on the threat side as much as I saw it on kind of the standards and laws and different activities that were done around information security, which is really where Vulnerable System puts its emphasis.
Richard_Bird: Vulnerable System. A Vulnerable System is really a must-read for anybody in information security. It gives us an anchor to our history, and it helps us understand how things are the way that they are today because of foundational practices or behaviors that we established 20, 30, 50, even 70 years ago. So if I can encourage you to read anything new, I'm actually on my second read-through on it, I would definitely encourage you...
Richard_Bird: ...you to grab this book. So let's talk about the three acts.
Richard_Bird: We're gonna cover identity and its relationship to security in three specific acts, and there'll also be... the next slide will be a bit of a talk about where we're at notionally and from a maturity standpoint against these acts. But if we think about some of the things that I just talked about in the mainframe, in the origination of mainframe access administration, the First Act of...
Richard_Bird: ...access that has lasted a very long [time and]...
Richard_Bird: ...actually continues to persist is access administration. Now the important thing here is that these are things that have been continuously and constantly and inaccurately associated with security, and I think it's unfortunate, because if you are an identity practitioner you labor either explicitly or implicitly with the burdens of a...
Richard_Bird: ...population of people who think that access administration is access control or security, and within that population are people like your own heads of business and, you know, directors and CEOs and, you know, all the different people who believe, you know, what my corporate CIO believed a long time ago when I was asked to take over access at JPMorgan Chase. I remember the day that I got promoted and I walked in, still...
Richard_Bird: ...a young man...
Richard_Bird: ...at that time, and I walked in, and my corporate CIO at that time controlled the two and a half billion dollar IT budget, and he stuck out his hand and he said, congratulations, you've got the easiest job in IT. And I looked at Chris and I said, why would you say that? And he goes, well, it's just giving people access to stuff, how hard can it be?
Richard_Bird: Now for folks...
Richard_Bird: ...I saw in this organization, or in this presentation today, that both sounds absurd and painfully accurate in terms of our interactions with people who have some interesting assumptions and expectations about what access really means from an identity security standpoint. So we look at this First Act. These are common terms and common constructs that we are all faced with today in managing identity...
Richard_Bird: ...in...
Richard_Bird: ...in any given organization. Accounts and passwords, obviously, are the very root, just like we talked about, related to 1962 and MIT and CTSS. Along came federation and SSO. Now, federation and SSO, or... well, directories actually came before, so I'll get back to that in a second. When we look at federation and SSO, I have spent a good close to 20 years with a lot of conflation of security and federation and SSO...
Richard_Bird: ...and federation and SSO have nothing to do [with it].
Richard_Bird: And I think that the disconnect there is fascinating to me, because, you know, even in the identity security practitioner space we push heavily on federation and SSO. But from an operational standpoint, federation and SSO yield a better end user experience. We all remember the days of 27 accounts and passwords that we needed to remember in order to get into each of the 27 key critical business applications...
Richard_Bird: ...or technology interfaces that we had to work with, right? Obviously federation necessarily made that a lot easier. Security obviously comes into play relative to federation and SSO; we can apply security over federation and SSO, right? In theory then we're doing a one-to-many application of security to all of the applications and processes there in that federation/SSO space. But there...
Richard_Bird: ...was a time when a lot of people thought that they...
Richard_Bird: ...were done because they'd already federated or single-signed-on the majority of their, you know, critical and high business applications. Unfortunately, the reality of the curve of cyber crimes and losses clearly shows that federation and SSO didn't get us to the nirvana security state. And directories: directories are always fascinating to me, because I'm a very, very big fan of decentralized identity for a number of reasons that are probably too broad to discuss in today's...
Richard_Bird: ...presentation, but I do think...
Richard_Bird: ...that one of...
Richard_Bird: ...the significant hindering factors in achieving identity security is this strong tie that we still have to directory-based, directory-born systems. And it's frustrating, because when you look at the way that directories were originally developed, particularly for, say, Microsoft Active Directory, directories were never actually built for identity security. Active Directory and Azure...
Richard_Bird: ...AD's primary...
Richard_Bird: ...to this day, after nearly 40 years, is simply that Active Directory was built specifically to share files and give access to printers. That is the root history of Active Directory, as the root history of directories is in total, which is access to assets, not control of the access to those assets. That has really stymied innovation and...
Richard_Bird: ...growth, and it also has [made]...
Richard_Bird: ...conversations about decentralized identity very difficult, because directories are so rooted in architectural frameworks that when we start to talk about decentralized identity, the assumption by our colleagues in, say, architecture or any other technology trades, the assumption is that decentralized identity introduces complexity because we're fragmenting the associated components that would...
Richard_Bird: ...be in aggregate.
Richard_Bird: And that's not even going into a deep dive on the security implications of, you know, the risks of aggregating all of your accesses into a single directory format. But that's, you know, kind of the laundry list of items that were really the core creation of access administration, along with some color commentary on how it's been problematic in terms of our growth and our innovation in identity for security. But then along comes access control. With access control we...
Richard_Bird: ...start to see things like...
Richard_Bird: ...strong authentication, right, the rise of 2FA, of MFA. And we're not here to debate whether or not it's strong enough authentication. Sad fact: MFA deployment in the enterprise is somewhere near 13 to 14 percent. We have not yet even crossed the line of 25% of enterprises using MFA effectively. It's been a very slow adoption curve. And yeah, can it be phished? Of course it can be...
Richard_Bird: ...phished.
Richard_Bird: The problem is that I see people arguing not to do MFA in the enterprise because of all this, you know, conversation about, you know, it still can be co-opted, it still can be taken over. I don't care what argument you make, it's still way better than account and password. Unfortunately the 2FA/MFA debate has created some interesting problems, but there's a reason for it, because...
Richard_Bird: ...even if you do a...
Richard_Bird: ...strong authentication flow for your users, from an access control standpoint it introduces at least a small amount and sometimes a larger amount of friction. And this is where we begin to see the massive tensions between access administration and identity and security, because the instant that we start talking about introducing friction, people freak out. Now, this is inconsistent with security in the...
Richard_Bird: ...entirety of the rest...
Richard_Bird: Security in the entirety of the rest of our lives, specifically in the analog, requires effort, right? I can't just think about my security system at home turning on when I go to bed; I have to engage in some form of action in order to make that security happen. However, in the digital world, because we've had access administration for so long, we have simply put our users in a space where they are conditioned...
Richard_Bird: ...to expect...
Richard_Bird: Easy is available to users; the downside is, as easy as available to the bad guys. Won't belabor that point, you already understand exactly what I'm talking about. You will see some additional components in access control that are interesting but burdened with some challenges as it relates to operational execution, such as step-up and step-down, dynamic authentication. You know, specifically step-up auth, step-up authentication, was expected to deliver...
Richard_Bird: ...a tremendous amount of value, and then we found out that it's extremely difficult to execute, and the reason is because...
Richard_Bird: ...pardon me, authentication is coarse-grained security, it is not fine-grained security. Authentication begins to tip into fine-grained security, and authorization tips fully into fine-grained security, and I'm going to talk about that in a second. But because it tips into fine-grained security, most of our systems have no underlying...
Richard_Bird: ...capabilities to [do]...
Richard_Bird: ...step-up authentication, so then we're stuck in a space where we're driving it with rules and policies. And if you work in a rules- and policies-focused organization on the security side, you already know what I'm about to say, which is rules and policies are a tremendous amount of overhead; the more and more of them that you have, managing and controlling those policies becomes not just a full-time job but usually a full-time staff.
Richard_Bird: So as we've tipped into finer-grained aspects of access control, we started to see the limitations of act number two, and then, you know, we've seen the beginnings in access control of the conversations around decentralized identity, and that's not SSO, that's SSI, my apologies for the acronym miss, self-sovereign identity. I would say that if there's anything that's happened in access control that's pushed the...
Richard_Bird: ...conversation of...
Richard_Bird: ...further recently, at least with the conceptual interior of the theoretical level within the access control space, has been the introduction of DID and SSI. Now that's not to say it doesn't come with some challenges, right? DID... DID and SSI are problematic in terms of execution and operation for a couple of different reasons, some that I already highlighted, which is they go heavily against current...
Richard_Bird: ...architectures and...
Richard_Bird: ...frameworks as it relates not just to security but to identity as well. So it requires a substantial mind shift by people to begin to understand how do you create decentralized identity constructs that service an operational population. Self-sovereign identity is even more problematic, because I think SSI has been stuck basically in a muddy rut recently, well, not just even recently, probably the last four or five years, because SSI has gotten...
Richard_Bird: ...a bit off track...
Richard_Bird: ...back in this world of what I would call political, not political in the sense of parties and, you know, kind of the dynamics in the United States, but political in the sense of who has ownership of their identity, how much of their identity do they have ownership of. And I'll put a fine point on this: I talk to a lot of SSI people and they tell me, well, you know, human beings should have complete control over all aspects of their identity...
Richard_Bird: ...and Myra...
Richard_Bird: So that is usually: do you have any family member who is, you know, perfectly capable and, you know, is a full-grown and functioning adult, but you don't trust them with any significant decisions? Those are the same people that we're suggesting have the capacity and capability to have full control over their own identities. And it's problematic as well in that many large parts of our identities are not...
Richard_Bird: ...defined by us, by the way that I like to...
Richard_Bird: ...walk into JPMorgan Chase and declare myself to be a private client customer, right? A private client customer has criteria on the amount of deposit dollars you have, do you have a private banker, do you have all of these different pieces of your identity that are associated to you by JPMorgan Chase, not by self-declaration. So like I said, access control is really, you know, kind of where we've gravitated to from maturity. There's a ton...
Richard_Bird: ...of access administration that is the reality for a large part of companies today.
Richard_Bird: Especially companies, especially applications, that can't do federation and SSO. But, you know, we're really kind of firmly in this access control space. And finally the third act, which is the act to come, and it's the act that we're currently in: layer 7 access. Layer 7 access is where we start to talk about the details of API access, fine-grained control, AuthZ and AuthN, elimination of implied and persistent trust for identities. I'm not...
Richard_Bird: I think I have successfully scrubbed all references to...
Richard_Bird: ...trust and tried to focus specifically on layer 7, because layer 7 is an accepted notion in our layered security models. But, you know, the elimination of implied and persistent trust is obviously a ZT-type statement, and I'm going to talk about that in some detail as I go forward here. So let's talk real quick about the villains in each act. I know that, you know, I'm burning time here pretty quickly. Let's talk about the villains.
Richard_Bird: You know, first of all, access administration is not...
Richard_Bird: ...it is not security. It is a space where 80, 90 percent of the enterprise world is still stuck, and where there's this assumption, expectation, that it is security, but it is not. Access administration goes back to what that corporate CIO told me: it's just giving people access to stuff, how hard can it be? And in fact giving people access to stuff, intentionally or unintentionally, is probably one of the easiest things in technology. It's just super easy to give people access. Matter of...
Richard_Bird: ...fact, you know, the correlational theory is probably...
Richard_Bird: Space, because taking access away from people is extremely hard, but giving it to them is extremely easy. Access control is only security when it is implemented across the entire digital estate and is fully dependent on the quality of that implementation. So access control is strongly impacted by weakest-link risk. If we think about, you know, all of the access-related breaches in the last 20 years, the bad actors just simply found the weakest link.
Richard_Bird: and now that weakest link has moved to the human.
Richard_Bird: Is your row.
Richard_Bird: To phishing and ransomware and that type of, you know, activity. But the bad actors always are able to find the weakest link because access control is not distributed across the entire digital estate. I work with the gentleman that runs a really well-known pen testing organization, and he says all I have to do is keep trying, I will always find a way in. And that "always find a way in" is not the same as "it's not a matter of if, it's".
Richard_Bird: a matter of when we get high.
Richard_Bird: That's "always find a way in" because there's always something in our digital estate around identity that has not been secured correctly, and, you know, raises the possibility that maybe if we actually secured identities we would see fewer breaches. Different conversation, different type layers have an access. You know, much like the dids I statements that I made around access control, layer 7 requires major rethinking around our security architectures.
Richard_Bird: it puts, it puts identity.
Richard_Bird: In a primary position instead of assets and data, and if you look at the vast majority of security architectures and deployments in companies today, they put assets ahead of identity, and because they put assets ahead of identity, all I have to do is be you and I get your stuff. So the rethinking necessary for layer 7 access security is only just now beginning, and I'm only seeing movement in a handful of companies.
Richard_Bird: You know, for those of you that are, you know, in the DevOps world or the DevSecOps world, this is not my statement. This was something that I picked out of a very interesting read that I also encourage you to take a look at, which is: identity is very rarely first in our hearts in the technology world. This comes out of a very fascinating paper called The Tragedy of the Commons, and, you know, I will read the red-labeled part about the introduction of 2FA against open source.
Richard_Bird: Purity registries.
Richard_Bird: This simple measure could prevent 99.9% of account takeovers, a rising threat to open source security. However obvious this measure seems, the new mandate resulted in an outcry from the development community. Authors of extremely popular objects threatened to quit doing OSS registry updates if they were forced to do, oh my God, 2FA, right? And this is, this is in the last.
Richard_Bird: last two years, folks, this is not.
Richard_Bird: Something that goes back a decade ago, right? This is, this is our own technology community saying if you put as much as an iota of friction in my experience, I am going to just simply not play anymore. And unfortunately this is the reality of where we're at with identity today. This is the reality that we're at as it relates to credentials, as it relates to verification, as it relates to validation.
Richard_Bird: If I introduce anything that improves security, we run into a significant percentage of the population that not only doesn't like that friction, they will find ways to work around it.
Richard_Bird: So, the tragedy of the digital commons. Like I said, I definitely encourage you to read this paper. It was actually a fascinating deep dive into security problems with a strong orientation towards critical infrastructure and law, and I'm a big fan of us reading materials that are manifested from places outside of technology, and this is one of those, so I definitely encourage you to take a read on it.
Richard_Bird: I actually did.
<tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> Can we get a link to this deck, plus links to the recommended reads?
Richard_Bird: Case directly out of JWT, on JSON Web Tokens. Here's the thing, and, you know, I hope that I'm not, because I put my disclaimer at the bottom, I hope that I'm not offending anybody on it. It kind of relates to the conventional space: signatures, claims, but encryption, signatures and claims, they are not identity security. They are a very critical component, and I'm a big, big fan of.
Richard_Bird: you know, verifiable.
Richard_Bird: claims, but there's a disconnect, which is all of the history that I just shared with you, right? How do we introduce, how do we introduce a capability from a credential standpoint that we do not run into a problem that I cannot phrase more elegantly than my mentor and my friend, and probably one of the, you know, the key personalities in identity over.
Richard_Bird: the last 25 years.
Richard_Bird: And at Ping Identity, Andre said: if you authenticate the wrong person, you still have a bad day. This is strongly associated to what I'm saying here, which is all of the credentials, all of the verification components, all of the encryption that's associated with an identity that is not the correct identity upon authentication, none of that saves us from the bad day, right? And.
Richard_Bird: so I think that there's a.
Richard_Bird: You know, deeper, deeper dive that we all need to do around, and I love, Kimberly, the way that you framed up, you know, what the three distinct interests are here, right, the three distinct interests within this organization about what gets you fascinated, excited, motivated about, you know, credentials. It's the bringing of these three motivations together that begins to put us on the pathway to true identity security.
<harrison_tang> @TallTed I'll ask Richard to share it after the meeting, and I will share it on the public list.
Richard_Bird: I'm very big-vision focused around this because I've worked in the weeds of identity for so long. I operate off of a simple mission statement, a personal mission statement, which is: my job is to make the digital world safer for everybody. I believe that that job starts very much with identity, you know, from day one. So bringing, you know, the three components of interest together just in this group is exactly what I'm talking about, because credentials and their.
Richard_Bird: association to identity.
Richard_Bird: How we achieve security is the way that we've got to be building our structures, because these things in isolation, plus another problem that I'll talk about in just a second, these things in isolation do not provide security because they do not have the full context of what we're able to create about identities today. But when you apply these capabilities to a fully contextually aware identity, then we get security. The one thing.
Richard_Bird: that I said I would mention in just a second.
Richard_Bird: Is about encryption. I really strongly encourage you to go look up dynamic encryption, first posited by a professor in Scandinavia in an academic paper in 2015, I believe. I'm sorry that I don't have a reference to it. I know of two companies currently that are working on dynamic encryption. But look, the real problem with our dependencies on, it's not claims and credentials that are the problem, you know.
Richard_Bird: per se.
Richard_Bird: It's that they're still relying on things like AES, which was introduced more than 20 years ago, and keys and secrets that are associated with a key holder and a key store, and they're static, right? So once I get a hold of these, you know, these credentials or these keys, then I can just, you know, simply use them for bad things. So I would definitely encourage you to take a look at dynamic encryption and start thinking about how the world is going to potentially.
Richard_Bird: move in that direction.
Richard_Bird: Once we solve some challenging overhead problems. But encryption in its current state is just simply problematic because all I've got to do is steal your keys. So I won't belabor the point. Let me talk just a little bit, I try and put this in the simplest format, but this is just a re-emphasis of the statement that I made earlier: if I authenticate and I'm not you, I get your stuff. And this goes beyond, right, where identity description is a thing. I, you know, I work in API security.
Richard_Bird: we assign a UID to every API, right? We're treating.
Richard_Bird: the API as an identity and credentialed thing, right? I don't like the use of human and non-human actors, because actually everything in the digital world is non-human. Your, your account, and we just had this conversation, you know, with somebody who tried to log on, and their credentials are not them, right? You are not your credentials, and they are a proxy for you in the digital world. If they're a proxy for you and you're human.
Richard_Bird: If they're a proxy for you and it's a functional account, then you're a functional ID, right? But all of them are still dependent upon the same process flow. Unless authentication is left out and it's a fully unauthenticated and naked and exposed call, you know, authentication happens. For the most part authentication is a one-and-done, right, which obviously introduces, you know, problems with actor-in-the-middle and a number of other issues. But when we look at the span of authentication and the NeverEnding.
Richard_Bird: Story, which.
Richard_Bird: Tends to be the implied and persistent trust of an open session, continuously open. Like, I love people telling me, you know, my identity security shop is awesome, then I log in to their Wi-Fi system, their guest Wi-Fi, and it said would you like to keep this connection for five days? The AZT, right? A persistent session is not zero trust, and frankly it's not defense in depth. But this idea of a NeverEnding Story, or a never-ending session, has persisted in our technology systems now for decades.
Richard_Bird: Why? Because it's easier for the user. Go back to what I said earlier.
Richard_Bird: For the you.
Richard_Bird: It's easier for the bad guys, right? And there's, when I say pretty much nothing, it has some ties to organized, I'll share in just a second. But I do want to kind of put a point on this: when we talk about, you know, the exposure that our credentials and our verification aspects and our tokens and everything else that is associated with our online access has, we talk about them, look folks, the damage is real here. Like, the most attacked information on the web for the.
Richard_Bird: last decade has been identity.
Richard_Bird: This is not, this is not anything that has no explanation to it, right? The reason why people are stealing all of this data is to create the data that is necessary for them to spoof identities, right? Another problem, by the way: we don't use security language when we talk about identity. We don't talk about spoofing and non-repudiation. However, if you immediately, you know, kind of associate all of the kind of data that I'm.
Richard_Bird: talking about here, and.
Richard_Bird: It's used to do password resets and account takeovers and fraudulent account creation and all of these different kind of aspects. You immediately, you know, if you've spent some time in security, you can immediately make that connection between, you know, spoofing and non-repudiation. Here's a basket of information that creates the possibility to both spoof and create multiple identities associated with a singular user, right? So these damages are real. But I talked to.
Richard_Bird: you know, about the, you know, nothing going on in here.
Richard_Bird: Station in the NeverEnding Story of open sessions, and it's, you know, it's interesting because APIs, and I'm going to be, you know, real conscious of time here and try and wrap in case there's questions. The reality is that the fuel for APIs is authorization, right? So, you know, there's a cursory authentication call for APIs today, but there's nothing for authorization-layer security. There are.
Richard_Bird: no security solution providers that have built authorization.
<kaliya_identitywoman> I'm just arriving at the dentist so may not hear the answer to this question. But here it is...which "SSI people" have you talked to that assert that people are entirely 100% in total control of their identities? I don't know them - I feel like this assertion has been made by the "conventional Identity management" community to discredit the tech/dismiss us. Rather than a real thing people actually say.
Richard_Bird: Security specifically. If we're doing authorization-layer security it tends to be best efforts, maybe some rules and policies. But here's the problem: APIs are now the universal attack vector. Every attack that I used to have to have expertise and, you know, some amount of tech access to, I can now do with APIs. So this now starts to get into act 3, layer 7 API access.
Richard_Bird: and because.
Richard_Bird: APIs are exploding, and because they are an identity, and because they are accessing assets, think about the problem it creates when we have no authorization-layer security, and now these APIs are in here picking off specific data elements, specific microservices, specific assets from an access standpoint, and they can do so like a laser beam. They don't need to, in fact, you do not, fear, uncertainty and doubt, one of the things that.
Richard_Bird: you know, my kind of, you know, put.
Richard_Bird: For you, I have worked with a customer who had a massive data exfiltration and the bad guys never got caught.
Richard_Bird: they see.
Richard_Bird: Scraped the payloads in the APIs that were unprotected, and those payloads were achieved through authorization calls, and they aggregated that information and walked out without ever setting off a single alarm, because of this notion of a unit of APIs as a universal attack vector. So when we think about this layer 7 access space, the thing that I would encourage you to start thinking about as it relates to identity is good principles around layer.
Richard_Bird: on reducing the attack.
Richard_Bird: We're growing APIs exponentially, and nobody in identity is in control of them, nobody in security is in control of them. That is an ever-increasing, an ever-growing attack surface. So we're not just adding the human user element from an identity standpoint, we're adding tens of thousands of actors that are making billions upon billions of calls. Like, imagine how many alarms would go off if one banking customer accessed online banking a billion times in a month.
Richard_Bird: that's happening today.
Richard_Bird: Continuous verification, you know, not just verification at the authentication layer but verification at the authorization layer. Again, I won't belabor the point based on time, and the goal being to stop data breaches at the, at that data layer, at that layer 7. I won't spend time on this, I'll leave it up so that it's recorded, so that you can see it. You can see there's a huge amount of identity-related concepts.
Richard_Bird: in the dynamic.
Richard_Bird: You can see.
Richard_Bird: Patience for layer 7. Matter of fact, one of the biggest questions that I get is, Richard, after so many years in identity, why did you move to API security? And I said, well, because in 24 months API security is going to be identity security, and that I saw the direction that API security was going, and it became very obvious to me that we were going to be able to leverage some security control capabilities, in particular around authorization, that we've never been able.
Richard_Bird: to put controls around before. So that said, I think I'm at my last slide.
Richard_Bird: The top of the hour here, so I can drop that and I can stop talking and see if there's any questions.
Kimberly Linson: Thank you so much, Richard. This was really helpful for me. I feel like I've picked up a lot of.
Kimberly Linson: uses of security information and how it fits with identity, but I didn't have the context that you just gave us, and even just the simple categorization of administration and access control, like, that was really helpful for me. So thank you very much, and I believe we have Harrison on the queue. Harrison, you have a question.
Harrison_Tang: Yeah, so Richard, I just want to say thank you. I love this presentation, especially the history part of it, learned a lot, so thank you. I actually have two questions. So the first question is in regards to authentication. I actually do believe that authentication is one of the biggest problems in identity and security, since, you know, you want to make sure it's the right physical being that's in access of the digital identity. So my question there is actually, what are the most.
Harrison_Tang: promising authentication.
Harrison_Tang: technologies have you seen that best balance the trade-off between security and user friction? And my second question is a little bit different, which is, you mentioned that you do believe in decentralized identity and self-sovereign identity, and my question is why do you believe that, and then also how do you think decentralized identity and self-sovereign identity can gain market share in, in the security market in general, despite challenges such as the architecture.
Harrison_Tang: things that you mentioned.
Richard_Bird: Yeah, yeah, yeah. So on the authentication piece, I think a lot of things that we're seeing in advanced biometrics, and as well in the efforts around strong authentication that are passwordless, that are associated to what I would call more behavioral authentication, right, that, as everybody on this call knows, there's 20 interesting and discrete data points that Apple collects off my cell phone at any.
Richard_Bird: given time, so much.
Richard_Bird: And I've confirmed this with folks over at Apple, so much so, they haven't built this system, but if I ever authenticated my cell phone with my left hand using a face scan, call somebody, because I'm dead and my head is in a duffel bag, probably on the side of the road, because that's not the way that I ever authenticate my phone. The signals, so I didn't talk much about signals, in the whole effort that's.
Richard_Bird: kind of growing on.
Richard_Bird: And signals and events, which I think is another promising area, do run into a bit of a strong authentication problem as it relates to privacy, right? And that's why we haven't seen much of a growth yet, exponentially, in all the different ways that we could be improving strong authentication. You know, things like biometrics are only the very beginning, but there's a lot of problems in the back end, and I do a lot of work on the legislative side and the regulatory side on figuring out how do you collect that kind of very, very, very specific.
Richard_Bird: information and not.
Richard_Bird: Current data privacy courts. On the self-sovereign and DID, I'd do it DID and self-sovereign very specifically: I believe that every human being should have a right to prove that they are who they say they are, right? And I think that when we talk about where specifically SSI comes into the equation, I think that my ability to bring my own authenticator, bring my own verifiable credentials, is absolutely.
Richard_Bird: Act in a digital world. It is threatening to a lot of people. I think this is the problem that we continuously get into in DID and SSI. It's not just the architectural things that I mentioned. DID and SSI are threatening, especially to large corporations, because even though they may not use that really rich information to create a better security solution for you on the strong authentication side, they love keeping all that information about you, and the idea of you having.
Richard_Bird: control of some of that information.
Richard_Bird: Is problematic in current business structures. So I think that there's a huge amount of tension between corporate business interests and what DID or SSI means in terms of giving control back to the consumer or the citizen, and I think that we're going to see that tension kind of continue to build. We're seeing really interesting, successful things happening in Africa and Australia as it relates to a society.
Richard_Bird: I think that.
Richard_Bird: This soap opera is going to continue for the next three to five years before we actually start to see some progress in that space.
<harrison_tang> Thank you !!
<sharon_leu> thanks!
Kimberly Linson: Great, thank you so much, Richard. I know we are at time. I imagine that many of you may have other questions. If you want to send me an e-mail with those questions, I will consolidate them and get them over to Richard. Thank you so much for being so generous with your time, and I wish you safe travels wherever you're off to, and thank you everyone for coming today, and we'll see you next week.
Received on Tuesday, 16 May 2023 18:56:59 UTC