Identity Crisis: The Give and Takes of Identity-Based Authentication

Steve Maresca 0:18
Hi.Jason Pufahl 0:20
And we have another special guest today, Dylan Marquis, a Security Engineer here with Vancord, who has a long and sort of detailed background in identity and access management. And I’m sure, right, that, identity access management, probably isn’t top of mind for a lot of listeners. So let’s spend a quick second on that because this entire episode will be about identity management, we’re gonna talk a little bit about what we described as the identity crisis, relative to that. But identity management is really pretty fundamentally the creating of usernames and accounts that enable users in your employee base to get access to a set of services when they need them, and specifically, those services that they need. So, you know, it’s usernames and passwords, it is how do you allow people to log in? And once they’re logged in? How do you ensure that they actually have access to the services they need? And we’re going to kick it over quickly to Dylan and say, is that an inadequate introduction, Dylan, or do you want to add to that?Dylan Marquis 1:26
Yeah, no, absolutely. I mean, that’s kind of the broad picture as to what identity access management is. And it kind of is a, like, an umbrella of multiple disciplines, between sort of, like, you know, data science, or data management and kind of technical infrastructure, but I think, you know, just sort of as a generic intro to it, I think that’s a, you know, pretty good picture.Steve Maresca 1:52
At the end of the day, we’re talking about, you know, controlling risk and making sure that people are authorized to do what they’re supposed to do. And those who aren’t, are kept away.Dylan Marquis 2:02
Yeah, essentially, I mean, that’s what it boils down to.Matt Fusaro 2:05
And it’s gotten very complicated over the past few years too, right? With, there are so many services now that integrate with directories- directories that a lot of you are probably familiar with, something like Active Directory, right? Most businesses will run that whether you’re realizing it or not, it’s probably there for you. If you’re on something like 365, it’s there for you up in the cloud. So there’s so many tools at this point. But you know, you hear in security all the time, hey, you know, it’s malware that you got to be worried about, it’s phishing, you have to be worried about, really, a lot of it is coming down to identities these days.

Steve Maresca 2:42
Right, because that’s what an attacker thinks about in terms of what they can access through whatever identities they can steal, through phishing, acquire by compromising a system, or alternatively, you know, breakthrough so that they have power user rights within an infrastructure.

Dylan Marquis 2:57
I think phishing is a good example because it’s sort of it’s like social engineering, it kind of you see that, departure from leveraging a human as an attack vector, to kind of where it transitions over the digital identity.

Jason Pufahl 3:13
So I want to ask a quick question, which is, because when I think of identity, right, it is usually my password. I create those on my workstation, so I can create one for me, it’s really easy to manage, it’s isolated, it can get incredibly complicated, I think, as the definition of management might be, right? So there’s multiple systems involved in sending identities to external providers, and in sort of all the things relative to that. My question really is: why is identity management important? And does it have to be complex? Or, you know, inherently, is it pretty straightforward?

Dylan Marquis 3:54
I mean, it really depends on the organization. I mean, ultimately, its complexity, as complex as the organization kind of is in and of itself. In that way, it’s sort of a reflection of it. Organizations with complex HR rules can have very complex sort of identity infrastructure, but there’s nothing inherently saying that, you know, identity management has to be a complex task.

Matt Fusaro 4:17
So I’d agree with you, but then, you know, we also have the problem of the things managing these identities can be very complex, right?

Dylan Marquis 4:25
Yeah

Matt Fusaro 4:26
There’s only there’s almost that, I don’t want to call it hidden because it’s not hidden, but again, Active Directory is a really good example- it’s actually a super complicated tool to manage identities. We use it very simply a lot of times, but I mean, it can open yourself up to some really bad attacks.

Steve Maresca 4:43
I think maybe what you’re getting at is the perceived simplicity of something that is inherently behind the scenes, exceedingly complex.

Matt Fusaro 4:52
Exactly.

Steve Maresca 4:53
Like, who are you? What is your identity? What does that actually mean? In terms of electronically using application servers, cloud services, and so forth. There’s a huge spectrum, it might be you, Matt Fusaro, your username, or it may be, “Hey, you are an individual who happens to be an engineer”, right? Or an age or you’re located in the state of Connecticut, there are many, many, many pieces of metadata that may, in fact, describe you and be used in different contexts. And that’s where things get interesting, to say the least.

Matt Fusaro 5:27
And these days, it’s even moving beyond that, right? Now, machine identities are really important. Service identities, right? You can go on and on, there’s so much more than just username and password, now.

Steve Maresca 5:38
Biometrics thinks that you hold, aspects that prove who you are, when you say you are, and those that might disprove it, you know, there are different aspects in that neighborhood, as well.

Matt Fusaro 5:49
So Dylan, do you think that a lot of people that manage this infrastructure, think this isn’t a sexy topic? Because it’s complicated? Or, you know, what’s your thoughts on that?

Dylan Marquis 5:59
I mean, that’s definitely one of the reasons. I mean, it’s not only complicated, but it’s kind of purpose-built technology that’s existed for, you know, a fairly long time this space has obviously been around. Since, you know, very early on in the birth of the Internet. So I mean, it’s very purpose-built technology that kind of requires, you know, discipline-specific people to manage and, implement it. Also, I just say it’s generically infrastructure, right? It’s, one of those things that if it’s, working, then no one notices it, if you do a good job, you know, implementing it, then, yeah. I like to use the analogy: It’s like, playing a concert, and no one claps when you do it correctly. But you know, everyone notices when someone makes a mistake. I mean, that’s kind of what this is. And unfortunately, it’s not in the forefront of people’s minds when looking at, you know, profit generation technologies that they might be employing.

Matt Fusaro 7:01
Yeah, that’s a good analogy,

Steve Maresca 7:03
I have an opinion that a lot of identity infrastructure is more directly influenced by the applications and services that need to be used instead of necessarily the business and its structure. And that that tension, tends to mean that there’s a bias toward simplicity, rather than describing things, you know, as they are, and therefore, you can’t identify people in a granular way.

Dylan Marquis 7:31
Yeah, actually, kind of touching on that. I mean, some of the complexities kind of inherent in identity access management, comes from the fact that growth in the space for organizations tends to be completely organic. It is reactionary, we bought this product, how do we integrate it with our directory? And then sort of, you build technology around that to do the integration, and then, kind of, you’re left with bits and pieces of technical debt, that then kind of is not a holistic approach to identity within your organization. So really, kind of road mapping and looking at the long term and kind of, you know, supportability and, and your security around your technology. And, what are you looking to do? What are your actual goals surrounding identity? You know, that’s very important to consider.

Jason Pufahl 8:22
So you actually just touched on that a little bit, Dylan, which is, obviously these systems house incredibly important data, in terms of access and roles, etc. How important is, then, securing these systems, and how big a challenge is that? I feel like we run into it with Active Directory regularly. That has to be something people are thinking about.

Dylan Marquis 8:42
Yeah, I mean, they certainly- they can- I mean, one aspect is that can house data that can be extremely sensitive, just to kind of, you know, reflect some of the things that Steve was touching on before with attributes, attempting to describe someone’s actual identity, digitally. So you can have things like PII, social security numbers. The other thing is that obviously, kind of, when you’re centralizing access and authorization, you’re grouping all of your – you’re putting all your eggs in one basket. So you’re then kind of- you have a lot of risk in one location, and certainly can be a challenge to security systems that can be highly complex, they can certainly, just in kind of adding roles, adding accesses, they can kind of build up a lot of technical debt, you know, just very quickly and things can become stale, then you know, to audit and then maintain can be very difficult. So, you know, part of it can be configuration. Obviously, their directories can be leviathans, in terms of what their configured configurations can be. And also, you know…

Matt Fusaro 9:55
Yeah, so, those, these directories and these systems of access management, we get called them to evaluate them quite often, right? And I think one of the biggest problems, which I hope to see future improvement on is, it’s really hard to actually evaluate where your risk is, right? So you may have just walked in on an infrastructure, you know, hey, you’re here for a week, we have a really complex Identity Management System. Good luck, right? The tools that are there, they’re complex, they’re like you said, they’re niche. There’s even the policy documents that you get for certain systems to like, if you’re familiar with AWS, or Azure, or any of the other cloud systems, they have a pretty mature identity system, but lots of policy behind it, right? So you almost need experts in the field to actually understand what’s going on, it’s really hard to take, take a glance and say “Hey, here’s my problems”.

Steve Maresca 10:53
So what’s the crux of the crisis? Is it that the complexity outstrips the ability of the infrastructure to deliver? Is it that business needs are inherently out of sync with how they’re expressed as identities, groups, metadata, and things of that nature? What’s the biggest set of issues?

Matt Fusaro 11:14
That’s a tough one- I feel like it’s a combination of a lot of that, right? It’s probably going to depend on your organization, and how well, and a lot of the times, it’s just what’s the skill set? Right? I think maybe it comes down to that a lot. Do you have a good skill set of people or a person behind your identity system that really understands how the system works before they decide to build an architecture of “here’s what an identity looks like in my system”? Right?

Steve Maresca 11:43
I suspect there’s also an element of inertia, you know?

Matt Fusaro 11:46
Yeah.

Steve Maresca 11:48
Corporations, institutions, orgs, in general, that have been around for a long time, tend to maintain the status quo, however, it was developed the last time a really skillful team or contractor was in place, and then it just stays that way for a long time. And there’s still a silly example here: A lot of the time security policy is network-driven, like where a user’s workstation sits, and IP address, and firewalls and aspects of other infrastructure, basically use those as gating considerations to allow or disallow access. It’s just sort of assumed that if you have a valid login session: you’re good. As long as you’re from that specific corner of the network. Realistically, in 2022, we don’t need to do that anymore. Right? If, if I’m a user that’s logged in, and I’m from department X, firewalls can now express that as a rule and a policy. But, most orgs are stuck in that older regime. I think that the transition from one to the other is a huge part of the problem that organizations face when trying to cope with risk and constraints.

Matt Fusaro 12:58
Right. Yeah, those capabilities have not historically been there they are now and I think a lot of people just don’t know how to deal with that.

Steve Maresca 13:09
So what are some examples that, you know, practitioners would really need to know about, or should know about as perhaps their next steps to consider?

Matt Fusaro 13:19
So I’d say it would probably depend on where you’re approaching this, right? So, if you’re, if you’re approaching this from you, have the unique ability to start from scratch. Understand the system you’re working with, start there, right? Understand capabilities, what kinds of policies, what kinds of roles, and then move on to what’s the business require? What are the applications required? Right? And then kind of merge those together. But if you’re coming to a system that’s already in place, you’re gonna have to unwind a lot of stuff most of the time. I mean, Steve, Dylan, you guys came from quite a complex identity system, right? I mean, you guys probably have a little bit of story behind how, difficult that can be.

Dylan Marquis 14:03
I mean, unwinding is a good way of putting it. I mean, that’s generally, kind of how you, unfortunately, there’s always some kind of processes in place before you whether that be organizationally driven HR policies, you know, a mainframe that’s back from the 90s. I mean, it’s, you’re gonna see that and that means that you have to kind of decouple and kind of parse out, you know, what’s actually applicable today and what you know how to actually implement that. Within the technology, you know, how to reflect how an organization needs to operate, technically, and that can be very difficult when trying to when you’ve got complex systems that you need to unwind to figure out where you’re at.

Steve Maresca 14:49
I think the crux of that is that there are very few people in complex organizations that truly understand the flow of data as it describes an identity. It involves HR, it involves contracting, it involves finance, healthcare, you know, if we’re talking about edu, we’re talking about admissions, perhaps grants and development, it’s a huge set of sometimes very independent, but equally authoritative sources of data. And it’s very rare that any one team or individual understands the entire scope of it. Smaller orgs, obviously have smaller problems. And that’s a great thing to say, and it’s a great thing to have. But the truth is that, at the end of the day, you’ll still need to figure out if: Jim changes his name is going to collide with Joe? Perhaps he already exists. So understanding workflow data and understanding how people have access to things is central to all of it, the systems themselves then reflect the business needs. Common technologies that I think are really important to think about if they haven’t been across the mind, some of our listeners include aspects like: federation, identity synchronization from on prem-infrastructure to cloud infrastructure, multifactor elements of that sort, they help businesses to operate flexibly across a boundary that is local to a building local to an office, and cloud infrastructure. You know, other things of that variety, I think, are really, really critical to keep in mind.

Matt Fusaro 16:24
Yeah, I agree. And as more and more applications, especially cloud applications get deployed, unlike before identities move all over the place. Now, they’re not just inside your organization.

Jason Pufahl 16:39
So we’re coming up against our time- close here -but one thing that jumps out to me is something, Steve, that you said a little bit, a little bit ago, which was “we can’t rely on the network anymore, as much as we maybe traditionally could, as a portion of that security control space”. And it seems from everything we’ve discussed here that, you know, managing an identity or understanding what the role of an individual is, and what they have access to, and how it’s provisioned, de-provisioned, and all of that, is much more critical now in sort of the security and controls landscape, maybe than it was before. And frankly, now that we’re, you know, there’s such a move towards remote work, and, you know, the, or the capability of working anywhere, it seems even more important than ever. And maybe that’s just the statement. So I don’t even know that I think I need a response necessarily. But that’s what I hear when I’m listening to everything that everybody said, which is identity is becoming more important than ever. And if you’ve got an infrastructure that has potentially identities that are 40 years old, you need to start thinking about how to really secure those that manage those.

Matt Fusaro 17:42
Yep.

Steve Maresca 17:43
Agree, I mean, identity is now central to any sort of security, truly, and if it’s not a first-class citizen, and instead, you know, security controls use other features, primarily, it’s probably not a great fit moving forward and should be reconsidered. It’s a very broad, aggressive statement, but I think it’s accurate.

Matt Fusaro 18:01
Yeah, it’s definitely you have to pay more attention to it. And like we said, it’s, it’s complex and not sexy. But that’s why you’re gonna see more attackers go after that, versus the traditional routes they’ve gone to before.

Jason Pufahl 18:14
So maybe this is, you know when we were talking about this, right, we all joked a little bit about how this could be a potentially rambling conversation if we weren’t careful. You know, the title of identity crisis feels really appropriate when you listen to this because it is so important to management. There’s so much history and a lot of organizations, that adds a lot of complexity. And there’s a greater reliance on it. I think, as part of that sort of security controls framework moving forward, it’d be really, it feels really critical. Any last thoughts before we, before we look to end?

Matt Fusaro 18:16
No, I think it’s good that we brought this up, mostly because a lot of the assessments and places that we’ve gone into this seem to be a weak spot, and good to kind of call that out at this point.

Jason Pufahl 19:05
Yeah, I mean, that’s fair. And I think, you know, this is, it’s a, it’s a complicated topic, which at its root has some simplicity, right? It’s Can you log in or not to a system that you have rights to, but it’s really complicated. If anybody wants to talk about it further with us, feel free to reach out to us at Vancord on LinkedIn, we can continue the conversation from there. As always, we hope that at least the introduction of this topic, got people thinking a little bit and then you got some value out of this. So appreciate everybody listening. Steve, Matt, Dylan, thanks for joining today. And look for future episodes.

Dylan Marquis 19:40
Stay vigilant, stay resilient. This has been CyberSound.