Saturday, 22 August 2020 15:40

In conversation with: Mike Kiser, SailPoint


Kiser is Senior Security Strategist and Evangelist at SailPoint and had some interesting thoughts on the impact COVID-19 has had on IT security and the future of employment.

iTWire took a moment to sit down (metaphorically, in these interesting times!) to chat with Mike Kiser about the impact of the virus on what might euphemistically be called business-as-usual. SailPoint specialises in Identity and Access Management solutions.

iTWire: COVID-19 notwithstanding, does the 'perimeter' still exist? I suspect you think it doesn't. Sure, we have VPNs and the like, but clearly we're expecting home-based computers to be in two places at once, and one of those places is broadly controlled by company IT security policy while the other clearly is not. Cat videos are the least of your problems!

Kiser: Well, someone will always be able to define a boundary point, right? Technically, either resources are owned and controlled by a business or they're not. That's your perimeter right there. I don't think that there's a formal "network perimeter" any longer, certainly, I think that wherever people or bots or anything is accessing resources on behalf of the organisation, you have a demarcation line.

To your point, though, I think it's more about associating the device as part of the person's identity; it's now an easy benchmark against their normal behaviour patterns. Assuming that the pandemic fades at some point, that association will not fade easily; the people have had a taste of freedom and they won't be ceding it back without a struggle.

iTWire: Where are the 'COVID-19' security gaps that need to be filled? Are they something new, or merely (?) an amplification of existing problems? Yes, I realise that the sudden imperative of sending 90% of your workforce home is unique, but surely it's not an unexpected problem – I discussed exactly this with Patrick Hubbard of SolarWinds and he opined that any IT team worth its salt would have resolved the problem over multiple lunch breaks.

Kiser: Well, I think the reality of whether or not they've done due diligence is hitting people square in the face, isn't it? I know quite a few organisations that are thankful that they put in the scale testing that they did, for instance. In terms of security, it's shining the bright light of truth on people who claimed to have not relied on only a few factors in access decisions in the past. Organisations are finding themselves waist deep in a real-world demonstration of the value of a system that learns, that adapts, that can be flexible as needs change.


iTWire: So, with all this in mind, I'll give you an opportunity to explain to my audience why you think you might have a solution.

Kiser: Anyone who says that a technical solution alone will fix the problem is selling something. The real world is way more complicated than any single solution, or even a platform. In fact, assuming that there was an easy, technical fix to security in the past is what has boxed organisations into a perimeter-focused corner in the first place.

The key is to see investment in depth in all areas of an identity-focused security strategy; historically, that's been about defense or prevention, but deeper values are also starting to emerge as priorities. Privacy and the ethical use of algorithms are both in the ascendancy, for instance, as people see the importance of identity and the need to defend its misuse in any form.

iTWire: On the other hand, who benefits from this new attitude? I hate to get all 'mercenary,' but every time there's a new business angle, someone wants to 'win.'

Kiser: There's always more than enough money to be "captured" in the security industry. Along with the rise in "bring your own devices" that we've seen recently, I think that we'll begin to see progress in the "bring your own identity" arena. Now that people are at home all the time, their lives have blended; just as there's no commute between home and work any longer, there's not as much division between how you use identity for work, leisure, or really anything else these days.

Over time, people will tire of having to fragment their lives, and whoever can capitalise on that blending of consumer / business identity and make it easy to use will see their fortunes rise rapidly. (Note that this is much easier said than done. It's a large problem, and difficult to simplify.)

iTWire: In an attempt to address the problem of security in all its forms, I have to ask, do we have enough 'good guys?' A casual observation would suggest that there's a lot more money, with minimal risk, in being a bad guy. Sure, COVID-19 is the 'cause-du-jour' but it's hardly unique.

Kiser: Interesting question, and I expect that it would be difficult to measure. One could argue that the headlines generated by the "bad guys" keep the "good guys" in demand and provide job security.

But, rather than trying to focus on balancing the respective forces for good and evil, maybe we can take a different task: making identity data and compromised information more difficult to sell; identity and identity data needs to be the new Vermeer:

The Gardner Museum in Boston was robbed in 1990, and it was the biggest art theft in history. No one has ever been arrested for the crime, there are no suspects, and the statute of limitations has already run out. The most interesting part about that heist is that the art has never been returned. This is particularly odd since art heists are a short-sighted crime: the stealing is easy, but the selling is nearly impossible. The art is instantly recognized as stolen, and so no one will buy or sell it.

Privacy legislation is attempting to do just that—to make identity data the new Vermeer—and I'm all for it.

…and don't get me started on the whole "data ownership is a property right" put forth by Andrew Yang; identity and identity data ownership is a human right, one that needs to not be sellable. But that's a different conversation, of course.

iTWire: Changing tack slightly, is COVID-19 simply heralding the oft-held philosophy that the 'employee-for-life' is finally dead? Sure, its demise is well-described, but we still see career criminals (sorry, employees) serving out their days with the employer they joined fresh out of education. Will this finally herald the rise of the genuine ad hoc team that is formed to address a problem and dissolved once the task is done? Given this, how do we trust these new temporary teams?

Kiser: I think both of your thoughts ring true. No longer do people start with an organisation and then spend fifty years working behind a desk, receive their commemorative watch and then retire to someplace warm and sunny. Mobility is unparalleled in the workforce and organisations are adjusting to that as well, hiring people on an as-needed basis.

Still, I don't expect security teams, at larger organisations at least, to be made up of transients. There is too much of a base of institutional knowledge that is needed to do security well, and that skillset is developed over time.

iTWire: Finally, an expansion on that, who do we trust? Even if we hope to maintain 'genuine' employed people, COVID-19 has restricted recruitment of new people and the supervision of existing people. Suddenly, we have a big problem in tracking the insider threat, worse… if we try to recruit, we struggle to assess the new people. Do you think it is a bigger problem than prior to the virus?

Kiser: I think it's the same problem, actually, but now it's more front-of-mind. I don't have to really worry about where my teenager is, for instance, until I catch them sneaking out at night, taking the beat-up old Civic, and generally increasing my threat model. The danger still existed before, though, even if I was blissfully ignorant of it.

Working from home, supervision of employees, and all the other factors that this current cultural shift is highlighting existed before—but it wasn't the assumed pattern. As long as we thought that "our teenager doesn't do that kind of thing," we could blissfully ignore what felt like a small threat -- until it wasn't.

It's not the people moving in and out of the system that is the problem: the fact that I have a teenager living with me is not a surprise, hopefully. The surprise, instead, is what we thought the threat was, and what we considered to be 'normal.' Old assumptions of normality have been shown to be insufficient. The problem was still the same, but my expectations must change. I have to do the hard work of realising my error, confronting the culprit, and preventing a reoccurrence of the event.

The best part of this analogy is that *clearly* technology alone is not the answer; parenting, like security, is a journey rather than a destination. A long talk with the offspring will likely be the key to not having my 1998 Honda taken out for a joy ride for a second (third?) time.

Note: Kiser claims to live sans teenagers and Honda Civics (currently). iTWire remains unconvinced.

iTWire: And just for a tiny 'jab,' being a chronoptimist - yes, I glanced at your LinkedIn profile, I assume that you agree with the Rolling Stones, or maybe you're a Steve Miller fan…

Kiser: Both songs are excellent, although I rather prefer the Douglas Adams' quote: "I love deadlines. I like the whooshing sound they make as they fly by." I'm hopefully glad you enjoyed the bio – I always forget that it's out on LinkedIn until someone brings it up in conversation.

iTWire: Thanks for your time, it was fun.

Kiser: Thank you. I enjoyed it.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
