iTWire took a moment to sit down (metaphorically, in these interesting times!) to chat with Mike Kiser about the impact of the virus on what might euphemistically be called business-as-usual. SailPoint specialises in Identity and Access Managemebt solutions.
iTWire: COVID-19 notwithstanding, does the 'perimeter' still exist? I suspect you think it doesn't. Sure, we have VPNs and the like, but clearly we're expecting home-based computers to be in two places at once, and one of those places is broadly controlled by company IT security policy while the other clearly is not. Cat videos are the least of your problems!
Kiser: Well, someone will always be able to define a boundary point, right? Technically, either resources are owned and controlled by a business or they're not. That's your perimeter right there. I don't think that there's a formal "network perimeter" any longer, certainly, I think that wherever people or bots or anything is accessing resources on behalf of the organisation, you have a demarcation line.
To your point, though, I think it's more about associating the device as part of the person's identity; it's now an easy benchmark against their normal behaviour patterns. Assuming that the pandemic fades at some point, that association will not fade easily; the people have had a taste of freedom and they won't be ceding it back without a struggle.
iTWire: Where are the 'COVID-19' security gaps that need to be filled? Are they something new, or merely (?) an amplification of existing problems? Yes, I realise that the sudden imperative of sending 90% of your workforce home is unique, but surely it's not an unexpected problem – I discussed exactly this with Patrick Hubbard of SolarWinds and he opined that any IT team worth its salt would have resolved the problem over multiple lunch breaks.
Kiser: Well, I think the reality of whether or not they've done due diligence is hitting people square in the face, isn't it? I know quite a few organisations that are thankful that they put in the scale testing that they did, for instance. In terms of security, it's shining the bright light of truth on people who claimed to have not relied on only a few factors in access decisions in the past. Organisations are finding themselves waist deep in a real-world demonstration of the value of a system that learns, that adapts, that can be flexible as needs change.
iTWire: So, with all this in mind, I'll give you an opportunity to explain to my audience why you think you might have a solution.
Kiser: Anyone who says that a technical solution alone will fix the problem is selling something. The real world is way more complicated than any single solution, or even a platform. In fact, assuming that there was an easy, technical fix to security in the past is what has boxed organisations into a perimeter-focused corner in the first place.
The key is to see investment in depth in all areas of an identity-focused security strategy; historically, that's been about defense or prevention, but deeper values are also starting to emerge as priorities. Privacy and the ethical use of algorithms are both in the ascendancy, for instance, as people see the importance of identity and the need to defend its misuse in any form.
iTWire: On the other hand, who benefits from this new attitude? I hate to get all 'mercenary,' but every time there's a new business angle, someone wants to 'win.'
Kiser: There's always more than enough money to be "captured" in the security industry. Along with the rise in "bring your own devices" that we've seen recently, I think that we'll begin to see progress in the "bring your own identity" arena. Now that people are at home all the time, their lives have blended; just as there's no commute between home and work any longer, there's not as much division between how you use identity for work, leisure, or really anything else these days.
Over time, people will tire of having to fragment their lives, and whoever can capitalise on that blending of consumer / business identity and make it easy to use will see their fortunes rise rapidly. (Note that this is much easier said than done. It's a large problem, and difficult to simplify.)
iTWire: In an attempt to address the problem of security in all its forms, I have to ask, do we have enough 'good guys?' A casual observation would suggest that there's a lot more money, with minimal risk, in being a bad guy. Sure, COVID-19 is the 'cause-du-jour' but it's hardly unique.
Kiser: Interesting question, and I expect that it would be difficult to measure. One could argue that the headlines generated by the "bad guys" keep the "good guys" in demand and provide job security.
But, rather than trying to focus on balancing the respective forces for good and evil, maybe we can take a different task: making identity data and compromised information more difficult to sell; identity and identity data needs to be the new Vermeer:
The Gardner Museum in Boston was robbed in 1990, and it was the biggest art theft in history. No one has ever been arrested for the crime, there are no suspects, and the statute of limitations has already run out. The most interesting part about that heist is that the art has never been returned. This is particularly odd since art heists are a short-sighted crime: the stealing is easy, but the selling is nearly impossible. The art is instantly recognized as stolen, and so no one will buy or sell it.
Privacy legislation is attempting to do just that—to make identity data the new Vermeer—and I'm all for it.
…and don't get me started on the whole "data ownership is a property right" put forth by Andrew Yang and will.i.am. Identity and identity data ownership is a human right, one that needs to not be sellable. But that's a different conversation, of course.
iTWire: Changing tack slightly, is COVID-19 simply heralding the oft-held philosophy that the 'employee-for-life' is finally dead? Sure, it's demise is well-described, but we still see career criminals (sorry, employees) serving out their days with the employer they joined fresh out of education. Will this finally herald the rise of the genuine ad hoc team that is formed to address a problem and dissolved once the task is done? Given this, how do we trust these new temporary teams?
Kiser: I think both of your thoughts ring true. No longer do people start with an organisation and then spend fifty years working behind a desk, receive their commemorative watch and then retire to someplace warm and sunny. Mobility is unparalleled in the workforce and organisations are adjusting to that as well, hiring people on an as-needed basis.
Still, I don't expect security teams, at larger organisations at least, to be made up of transients. There is too much of a base of institutional knowledge that is needed to do security well, and that skillset is developed over time.
iTWire: Finally, an expansion on that, who do we trust? Even if we hope to maintain 'genuine' employed people, COVID-19 has restricted recruitment of new people and the supervision of existing people. Suddenly, we have a big problem in tracking the insider threat, worse… if we try to recruit, we struggle to assess the new people. Do you think it is a bigger problem than prior to the virus?
Kiser: I think it's the same problem, actually, but now it's more front-of-mind. I don't have to really worry about where my teenager is, for instance, until I catch them sneaking out at night, taking the beat-up old Civic, and generally increasing my threat model. The danger still existed before, though, even if I was blissfully ignorant of it.
Working from home, supervision of employees, and all the other factors that this current cultural shift is highlighting existed before—but it wasn't the assumed pattern. As long as we though that "our teenager doesn't do that kind of thing," we could blissfully ignore what felt like a small threat -- until it wasn't.
It's not the people moving in and out of the system that is the problem: the fact that I have a teenager living with me is not a surprise, hopefully. The surprise, instead, is what we thought the threat was, and what we considered to be 'normal.' Old assumptions of normality have been shown to be insufficient. The problem was still the same, but my expectations must change. I have to do the hard work of realising my error, confronting the culprit, and preventing a reoccurrence of the event.
The best part of this analogy is that *clearly* technology alone is not the answer; parenting, like security, is a journey rather than a destination. A long talk with the offspring will likely be the key to not having my 1998 Honda taken out for a joy ride for a second (third?) time.
Note: Kiser claims to live sans teenagers and Honda Civics (currently). iTWire remains unconvinced.
Kiser: Both songs are excellent, although I rather prefer the Douglas Adams' quote: "I love deadlines. I like the whooshing sound they make as they fly by." I'm hopefully glad you enjoyed the bio – I always forget that it's out on LinkedIn until someone brings it up in conversation.
iTWire: Thanks for your time, it was fun.
Kiser: Thank you. I enjoyed it.