Richard Bird is the chief customer information officer for Ping Identity. Bird is a well-known, identity-centric security expert, a former CISO and CIO. In addition, Richard served as the global head of identity for JPMorgan Chase’s consumer businesses. He’s also a Forbes tech council member and has appeared frequently in the Wall Street Journal, CNBC, Bloomberg, Financial Times, Business Insider and CNN on topics ranging from data protection regulations to cybersecurity-enabled consumer protection.
In Bird’s evaluation, identity is one of the operational problems that the zero trust framework can’t handle. Since every application has coded its own authentication layer, the security team could do everything right and still see app breaches. Bird succinctly sums up the identity problem:
“The verifiable credentials that are out there in the digital space, have no ownership by the people that they’re actually associated to. And it’s the worst thing that we ever did. … We built an entire digital universe and we completely forgot about empowering the people that are associated with using it.”
In this episode, Bird discusses:
- How deep the application controls need to go if identity is the new perimeter;
- Personal identity wallets as a possible solution to the identity and credentials issue;
- SSO, multifactor and behavioral authentication;
- The balancing act of privacy and security.
Steve King 00:13
Good day everyone, I’m Steve King, the managing director at CyberTheory. Today’s episode is going to focus on identity access management and zero trust. Joining me today is Richard Bird, the chief customer information officer for Ping Identity. Richard’s a well-known identity-centric security expert, a former CISO and CIO. In addition, Richard serves as the global head of identity for JPMorgan Chase’s consumer businesses. And he’s a sought-after speaker around the world, having spoken and presented several hundred times over the last five years. In addition, he’s a Forbes tech council member and has appeared frequently in the Wall Street Journal, CNBC, Bloomberg, Financial Times, Business Insider and CNN on topics ranging from data protection regulations to cybersecurity-enabled consumer protection. So welcome, Richard, I’m glad you could join me today.
Richard Bird 01:11
Thank you very much for having me. I truly appreciate it.
Steve King 01:14
Sure. So let’s talk about Ping a bit. First, what is it exactly that the chief customer information officer does? And how does the Ping AI solution differ from everybody else’s?
Richard Bird 01:25
Sure, well, you know, the chief customer information officer title, I think for the remaining years of my life, will always make me chuckle. It’s a great role. I’m a member of the operating team, I am a functional C officer. The position actually resulted as a result of building a friendship with the CEO and founder of Ping, Andre Durand. He had seen me. I come out of the corporate sector, after 20-plus years being an operator. My view and observations on all things identity, all things data, privacy, tend to skew to the operator seat, you know, what it’s like to actually run it, as opposed to the standards and the details of how we get to there. You know, like I said the other day to somebody, I talk with customers all the time whose reality is they still haven’t hygiened their Active Directory, and folks like us without talking about digital identity, it’s like,
Richard Bird 02:18
So, you know, a lot of my role is customer facing, obviously, you know, it’s in the title. I spend about 30% or so of my time with customers, not just ours, you know, prospective customers as well, as, you know, folks out in the world that are dealing with really large, hairy, strategic challenges with their identity-centric approaches to security. I spend about 30% of my time on platforms, unfortunately, on Zoom, you know, keynote presentations, discussions, leading a great example going to be leading a digital identity summit that I’d been averse with my friends and colleague, Jeremy Grant, Mandy Hindle. So I get to do that kind of stuff, which is really the, that’s the dream state stuff that all of my former colleagues and friends go, you have the best job in the world. I think that’s pretty much all that I do, which is only about a third. Another third of my time is really getting deep into a space that I didn’t when I was an operator, which is all the issues around standards, all of the issues around changes to customer expectations that are being facilitated by open banking, PSD2, Consumer Data Right down in Australia. I interact with government agencies and think tank organizations across five continents, pretty much on a weekly basis. I love that part of my job, because it’s very intellectually stimulating. And the other 10% of my job is, you know, doing what an executive officer needs to do: annual plans, you know, budgets, all that kind of stuff. It’s a very rewarding job, especially, you know, from my perspective, having dug ditches for a long time, my career, not just in information security, been a multi security domain control domain CISO.
But in my experience is IT operations, an old middle office, back office banking guy, and I take those operational perspectives from that part of my career and apply them to the information security space, which I think we’ll get into a little bit today as it relates to, you know, some things that I think are surfacing relative to identity-centric security and zero trust. Ping is a fascinating company. I always tell people, like, the identity community is small. I had a choice of companies to go to work for, obviously, and I chose Ping, and Ping chose me. And the reason that I did that is because, you know, the CEO and founder, first of all, is a tremendously inspirational guy. There’s an argument to be made that he’s the godfather of modern identity, you know, starting out with the early days of SSO federation, when we were all struggling to do it, you know, in Windows OS shops. And we couldn’t get, you know, Microsoft to put the pedal to the gas to go faster, and that space has obviously morphed and changed over time to grow with the customer demand. So I think the big differentiator, Andre said it best, I think, good news on Kramer, the big differentiator for Ping solution buyers is some more sophisticated set of buyers. That was his quote. I thought it was great because it’s a nice way to acknowledge something that we don’t like to acknowledge anymore in this cloudify world, which is large enterprises will eternally be hybrid plastic check, they have cloud, but they’re also still running mainframe and midranges. That complexity doesn’t easily bend towards the notion of an easy button. Large enterprises know this, right? It doesn’t stop everybody in the market from advertising and marketing, you know, that, you know, choose our solution. And it’s super easy.
And we can make your life simpler, because I think that’s a huge disrespect to, you know, the largest companies in the world, because they don’t have the convenience of easy. They have too many regulatory demands, they have too many problems that are tied to their legacy debt. There’s an interesting diversification of it from infrastructure and application deployment methods that isn’t going to stop. And when we have people talking about multi-cloud implementations, and it’s three clouds, I anticipate in the next five years they’re gonna be talking about five or six, right, and none of those cloud platforms actually play well together, which has huge implications for us and in identity-centric security. You know, that’s, you know, Ping’s differentiator certainly is its history and its culture, and its longevity in the space. It’s just cool to see, you know, the kind of high fives that you get from customers that say, it never goes down. You know, we go to sleep at night, knowing whenever we’re gonna have to worry about Ping solutions. That kind of credibility is hard to come by in the market today. And that’s why I love it. I love this company a lot.
Steve King 06:38
Yeah, sure, you know, and to have an insight like that from a guy like Kramer, who you know, isn’t part of the community. And then you’re, you’re crowded with folks on the sidelines, carping about how big companies contribute to the problem, or it should be so easy to get from here to there. I understand. Yeah, you and I have discussed zero trust with regard to identity access. I think it’s fair to say that identity’s the new perimeter. How deeply do the access controls in your mind need to go for applications and data?
Richard Bird 07:14
Yeah, boy, I’m gonna tell you, it’s such an interesting question. You know, you and I had shared, I mean, I think I remember seeing John Kindervag, my first time in person, probably six years ago. And at the time, it was before the BeyondCorp white paper had dropped, well before. And I remember listening to him, and having been a CSO, and having had responsibility for all of the different components of threat and vulnerability management and network security, everything, I was like, okay, this makes a lot of sense, right. But, you know, as we kind of roll forward, there are some real operational problems that the zero trust framework currently has. And this is what I think you and I were talking about, like, zero trust can’t meet yet. And zero trust will have a demand against to either evolve, or simply go into the dustbin of the last set of efforts for a functioning framework, right. And you and I’ve been around the block a long time, we’ve seen a lot of different frameworks, right? As we look at, you know, the identity-centric space, specifically, and extending controls and applications, the one problem that never gets acknowledged is that we’re seeing a repeat of a pattern. So 20 years ago, authentication was in the wild, like every application negotiated, developed and coded their own authentication layer, and it was bad. Yeah, right. Right. And what do we do? We, you know, we, either homegrown or through solutions providers, we moved down the path of SSO federation, we moved down the path of aggregating, you know, accounts in a fashion that gave us better security. Probably more, you know, to the business point, it gave less friction for employees to get online and get their workday started. Yeah, and we did a great job, right, we moved everything. Well, not everything. We moved a lot of stuff into authentication as a service.
And unfortunately, what we did, especially going back about a dozen years ago, is we said, look, we don’t have time, budget, you know, resources within information security to handle the authorization layer. So, application developers, go forth and conquer, put all the authorization logic into your applications. And here we are, right. And the real problem is that the power is becoming very, very clear. The power, it is doing everything from differentiating customer experiences, once they are authenticated and acknowledged as being who they say they are, to, you know, routing resources by even job function or title to the correct resources and assets, is that magic happens in the authorization layer. And the authorization layer functionally isn’t accounted for within zero trust, because it is an app-dominant perspective, right? And so it is all the machinery inside of an application is making these authorization logic calls. And the challenge is that you could do everything right in the zero trust framework, and you’re still going to see app-executed breaches, right? Because the extension of the zero trust network orientation does not have a corollary within the application space. And this has been consistent throughout, you know, IT history, right. Like, you know, application, I say this all the time, application developers are 10 years ahead of every security control. This becomes part of our problem. If you don’t start talking about security frameworks with application developers. And if they don’t shoot you, they just simply walk out the door, because they’re not, they’re not oriented to that perspective.
Steve King 10:54
Jeremy, he continues to say that, you know, we’re, we’re kind of better at authentication, but we still suck at through identity proofing. Right? Yeah.
Richard Bird 11:06
I think the proofing piece is going to close relatively quickly. You may have seen the EU Commission dropped a paper yesterday, right? All of a sudden, here’s my concern. All of a sudden, digital identity is not just a thing. Digital identity is big. I saw somebody, I mean, I’m like you, I get 150 emails, cold emails a day from different companies trying to get a call with me, right? There was one that popped from a solutions provider just this morning that said something something something digital identity, and I was like, oh, Lord, right, here we go. Right Martin marketing banner, like it, you know, guard RSA time before the last everybody’s banner, whether they were actually in the business or not with zero trust. Yep. Yep. Right. And so, you know, the concern here around this move and motion, like you said, and verification, is that we get lost in the muck of a marketing campaign, where this notion of personal identity wallets or whatever, you know, type of wallet type solution, is actually putting verifiable credentials into the human being’s hands. That’s what has to happen, right? The verifiable credentials that are out there in the digital space have no ownership by the people that they’re actually associated to. And it’s the worst thing that we ever did. It was the old saying, the cleverest trick the devil ever pulled, you know, we built an entire digital universe. And we completely forgot about empowering the people that are associated with using it. And in doing that, we’ve now found ourselves in this enormous hole, right, relative to breaches, exploits, hacks, and then damages to individual human beings. Right? I mean, the, these damages are no longer within the realm of white collar crime. I mean, there is destruction of property, people’s livelihoods, you know, human emotions engaged in this, and we built ourselves into this place.
Steve King 13:07
Yeah, no kidding. And we’re gonna see more and more that, unfortunately, as 5G rolls around, and IoT continues to get spotlighted. So and the nation state adversaries are having a lot of fun with that, apparently. From a multifactor authentication point of view, you know, it seems to me that we got, I know, folks like community banks in Illinois who refuse to adopt even a two-factor authentication approach, because, you know, they don’t want to impose any more friction on the interactions between them and their customers. But until we get away from passwords, it’s going to be hard to get a zero trust strategy in place. Right? How much of a role is behavior analytics playing in detecting identity fraud today?
Richard Bird 13:56
I mean, it’s one of those it-depends type of responses, right. In the space of large enterprises and government organizations that have, you know, more budget available than most countries’ GDP, right, we do see a lot of higher tier development going on in the aggregation of single signals about the individual, right. So what we’re seeing in this space of all of these different data points being pulled together is the emergence of these very personally focused, not personalized, but personally focused risk engines. I’m constantly trying to remind folks that the amount of data that is collected, you know, within every hour about us from this landscape of devices that we’re surrounded with, like literally, I’m sitting here looking at my Toyota pickup truck. My Toyota pickup truck right now is clocking idle time. Right? It knows when I’m using it, and it knows when I’m not. Yeah, yeah. And that is extremely powerful, right? Because I could actually, if you kind of extrapolate that, I can actually use that signal associated with my pickup truck as part of an authentication scheme. Yeah, right. Making use of telemetry, I can use the gyroscope. Scott, I always tell people like, if I ever, you know, in these higher tiered types of solutions, where we are measuring very, very minute details about user behavior, if I ever authenticate my phone with my left hand, with a thumbprint, somebody call the police, because I’m probably dead in a drainage ditch somewhere, and somebody has my phone. Because the really interesting characteristic about human beings is that we are extremely ritual and habit bound. And in fact, when you ask the question about being able to use the user behaviors as for our discovery, the one thing that you find when you dig into the actual results is that you don’t, you don’t find fraudsters using these user behavior elements, because they’re doing what they always do.
In fact, fraudsters, a bad actor is actually, you can find them because they’re doing what they’re not supposed to be doing. Right? Or they’re doing something out of band, or they’re doing something anomalous. And as we get more refined, here’s the tension. Right? How much of this, and I’ve been having this conversation with Jeremy and a bunch of other colleagues in the space, like, how much of this aggregation of this point data does it take to finally equal a privacy issue? Right? Is it five points? Is it eight points? Is it 10? And one of them is extremely, you know, vital? Like, you know, my fitness tracker’s measuring I still have a heartbeat. But I don’t, I don’t know the answer to those questions, because, kind of back to your point, the space that we’re working in today, where these types of things are being leveraged, is still relatively small, but growing rapidly, right? Because now, you know, with the catastrophic consequences to the financial system here in the US, unemployment benefits being ripped off, all this kind of stuff. You know, now everybody from the Hill on down to, you know, the smallest companies are going, I didn’t get a PPP loan because fraudsters took out $6 billion, where the PPP loans. Yeah. And, yeah, so the real consequences are starting to hit. So we’re starting to see a lot of acceleration around, you know, how do we do this differently? The challenge is, it takes a massive change in thinking. Anyone on the trail has always heard me say this, all it really takes, here’s the easy button. All it really takes is putting a human being inside of the center of information security architecture, instead of a database.
Steve King 17:44
Yeah, there you go. That’s all it takes. That’s all it takes. So a lot of companies rely on single sign-on for that, you know, requires a password vault. Would seem like federated SSO is a much stronger alternative. Can you help our listeners understand a little bit about the difference and how that works?
Richard Bird 18:06
I think the way that I always like to say this is that, you know, SSO at its root has nothing to do with security, right? SSO is an ease-of-use functionality and productivity play. And when we look at, you know, the notion of federated SSO, we begin to introduce the notions of a unified authentication layer, you know, that we are applying a controls framework around kind of that bolus of assembled information in that underlying SSO call. And I think that I always find this really interesting because I am shocked today, mentioned 2FA being a struggle for implementation, still level on MFA, SSO versus, you know, federated. And I’m shocked at how many companies, how many people I talk with where they still haven’t gone on this journey. Right? We were having these arguments in the corporate world in 2006. Yeah. Yeah, I think it’s not new. Yeah. And I think that we were, I think that we were pretty clear on the outcomes of the value of a unified authentication layer across a unified set of assembled accounts. And so framework did yield inherent residual risk reduction, you know, so I don’t think that there’s much arguing left about whether or not it yields better security results. Now, I’m going to be cautious here. Because, you know, I think one of the things that I’ve learned in being, you know, kind of this interesting personality within the identity space is that sometimes as practitioners, we’re our own worst enemies, right? We go, well, you know what, yeah, you’re right. It does reduce some inherent residual risk. But you need to do this, this and this. And I’ll go back to what I said earlier. I’ve got two people that I talked to to say that they still haven’t hygiened their Active Directory accounts.
You know, I think one of the big problems with this solution space in general is that the solution providers, and I’m saying I’ve throwing shade on the solution industry that I’ve now report, the solution providers simply do not remember that there is an obligation to meet their customer base where they’re at. And they’re not all going to be on the upper tier enter the journey, right. In fact, sadly, the percentage of folks that aren’t in the middle tier of the journey is much larger than it should be. Yeah. So you know, I think that the application of a unified authentication call against a group of sign-ons, you know, gets you both that ease of use, but it improves your security posture. And I think that’s the critical difference.
Steve King 20:43
Yeah, the data privacy folks have kind of gotten in the way as well, right? I mean, we don’t, we sort of, I don’t know, we drink this elixir, and we raft down this path. And then somebody says, Yeah, but what about privacy? And then we screech to a halt and say, yeah, we’ve got to take care of that. And then all of a sudden, we’re back to nowhere. You know, from my humble view,
Richard Bird 21:05
I would just like to mention on that, so I’m always a pragmatist, right, I look at outcomes. When I get in those conversations where somebody wants to whittle at the stick on privacy issues, my response is always like, have you read the news lately? We sound like we are doing this very, very badly, universally. And if we’re going to try and solve for this specific point problem that you would like to argue about, can we take into account where the real world really is, that the losses, economic losses, continue to escalate? The hockey stick is going in the wrong direction. Privacy is absolutely vital, important. But if you’re not getting security right to begin with, the lack of privacy is a moot point.
Steve King 21:48
Yeah, exactly. Right. That’s right. And you’re on the board of the Identity Defined Security Alliance, which I think promotes standards and best practices, or at least attempts to, for securing our network. A key objective in that, I think, is a drive towards zero trust. Can you tell us a little bit about how that organization promotes the principles? And yeah, analogies that can be leveraged? Yeah, absolutely.
Richard Bird 22:17
I’ve been affiliated with IDSA for, I’m trying to remember how long I’ve known Julie. And since she took that night, always proud of the fact that, just like almost every other standards body related to identity, Ping was a founder for IDSA. And we saw a world where we could have a team of rivals come to the table for something other than the next ISO response period. Right? Yeah, are the next index nice nest reply. We’re like, you know, there’s a lot of problems that need to get answered relative to operationalization. You start going over the latest ISO specs, you know, with a customer, they’re going to gloss over, right, instantaneously. If you come in from a best practices standpoint, and say, look, like, here’s this great group of vendors, everybody from, you know, unit can to SailPoint to Okta to CyberArk, us, and the experiences that we have, you know, seeing across this landscape of every type of implementation you can possibly see, like, here is how this particular industry segment or this particular, when Den Jones was still with us when he was at Adobe, like, here is how Adobe did it, right. And those pieces of information coming from a group of, I mean, frankly, a group of competitors that have come together to say, if we don’t fix these things, it doesn’t matter if you buy our solution or not. Yeah, right. Our solution will not fix your problems, miraculously, without you addressing, in the case of zero trust, right? If you don’t have a planful strategy to execute on zero trust that’s inclusive of, you know, taking a stepwise process, right. I always tell people, if you’re still doing account and password, you can’t get from here to there. You can’t get from account and password to zero trust, it will not happen. Right. So laying out maps, guides, frameworks that are operationally oriented and associated to, again, this reality we talked about top of the call, which is, you know, it is an app-driven world.
And frankly, you know, 5G drops, and it will be less of a network-driven world than we’ll ever have been. That’s true. That’s true. Yeah. It’ll be an app functionality driven world. And I know the other thing that you mentioned the top, you know, this notion that identity isn’t the perimeter. I think that when 5G drops, we’re going to move into a world where everything from an identity standpoint is at the edge, right, everything will manifest with CPU and data in a handheld device and tons of transactions will actually be committed locally. And that’s going to change our entire thinking again on how to manage, you know, against a zero trust environment.
Steve King 25:16
Yeah, isn’t it frightening? Oh, it’s either frightening or it’s career longevity. Career longevity is built in already.
Steve King 25:29
So final question here, Richard, I’m conscious of the time here. You’ve got a background in education. You’re also a member of the 82nd Airborne, which is a little weird. And you were, I think it was eight years or something. Is that right? Yeah. And so we’re, you know, shameless plug here, we’re about to launch a, you know, very serious strategic initiative that is going to provide the best online education and training experience for CISOs and cyber warriors. We create or curate all of that coursework through a faculty advisory board and CEOs who teach at leading universities, many of them. You know, give our listeners your take on what you’ve learned from jumping out of airplanes, and how you think we can close the supply and demand gap in cybersecurity?
Richard Bird 26:15
Well, you know, I think that first and foremost, the two lessons that I learned in my military career, and jumping out of airplanes will enforce them beyond belief, that I think are absolutely critical for companies to succeed. I firmly believe we need to stop being in the mindset that it’s not a matter of if, it’s a matter of when. It is a losing mentality, right? We don’t have a lot of fighting us against the bad guys, which is kind of critical in the military. You’re absolutely right. And we create the self-fulfilling prophecies of, you know, this attack on us, and we need to fight to win. But that’s not the lesson. There were two things that I learned. The first is intellectual honesty is absolutely necessary. So in the case of the learnings, and you know, the ability to teach people that you guys are embarked on, you know, it’s like the old AA thing, right, which doesn’t stand for All Americans, which is the 82nd level, but Alcoholics Anonymous, which is, you have to admit that you got a problem, right, you have to have the intellectual honesty to say, I need to know more in order to be able to do more. So that intellectual honesty is absolutely necessary. But the second that is probably more important, and I’ll quickly bore you with a foxhole story. A friend of mine was a range officer, and I was on a firing line. You know, he’s still in charge. But we’re kind of chewing the fat in between shooting rounds. And he comes up to me and he goes, hey, bro, do you know who the most dangerous person, you know, on the battlefield is, and I was like, the enemy. And he has now he says, the most dangerous person on the battlefield is the guy that’s in your foxhole that doesn’t have his weapon safe, is paying no attention, jumps into the foxhole and blows your head off. Right. And I should mention, I can always draw a parallel professionally.
I think it’s important to note that the Verizon DBIR once again mentioned that about 30% of breaches are self-inflicted. But the lesson there is situational awareness. And I do think that companies today sometimes forget the need for situational awareness, and we do it in surges, right? So JVS, has popped a corner that’s popped. Now, all of a sudden, everyone has situational awareness, and you know exactly what happens to you, right? Like every information security shop in the country got a phone call from some CEO going, are we safe on this stuff? Yeah, you go check all this stuff, right. That’s not situational awareness. Right. That’s reactive. That’s reactive action. But yeah, I mean, I think those pieces, now as far as filling the gap from an information security standpoint, you know, I’m of an age where I saw the first university programs come online, you know, where there were established cybersecurity programs. It is very obvious, though, that academia was late in acknowledging the needs of those particular types of resources. And in higher ed, and I do think that we are seeing a quick pickup in the technical school space. But I’ve always been, you know, being a graduate in international relations theory with a minor in Japanese language, from too far in the past that I care to acknowledge, I’ve always been a strong advocate for capability and potential. And we need, as a practitioner body, we need to start acknowledging that we already know the personality traits and characteristics, the work ethic traits and characteristics of great analysts, of, you know, great network engineers, security engineers. We know what that looks like from a behavioral pattern standpoint. And I think that the only way we stand a fighting chance, we’re beginning to fill in, you know, what is it, two years from now, $4.7 million, 4.7 million unfilled jobs in information security. Yep.
You know, we’re going to need to, sounds like I’m dehumanizing, but buy to build, right, and buy to build based on the right characteristics and right potential, and invest our time and, you know, the necessary apprenticing, and acknowledge that there is more than one pathway. There’s more than one pathway educationally to get to cybersecurity.
Steve King 30:31
Yeah, you’re absolutely right. And it’s so fragmented today. It feels like we don’t, yeah, there’s no sort of North Star here. Or common, commonly acknowledged, at least. So I wanted to stop this at 30. We’re a little bit over. I do want to thank you though, Richard. This was great. And I know you’ve got a crazy schedule. So I really appreciate you taking the time to, to join me here today. Oh, thank you very much. I appreciate it. Let’s do it again. We’ll do. Alright. Thanks, Richard. And thank you to our listeners for joining us in another episode of CyberTheory’s exploration into the complex world of cybersecurity technology and digital realities. Until next time, I’m your host, Steve King, signing out.