
Solving Digital Identity

In this episode of Cybersecurity (Marketing) Unplugged, Grant also discusses:

  • How zero trust will affect the traditional security landscape;
  • Enabling open healthcare with security in mind;
  • The increasing difficulty of doing identity proofing properly;
  • The potential impact of recent executive orders on cybersecurity.

Jeremy Grant is the managing director of technology business strategy for Venable and was previously the managing director of The Chertoff Group. Grant has been a major contributor to improving the privacy and security of sensitive online transactions as a senior executive advisor to the National Strategy for Trusted Identities in Cyberspace, which is part of the NIST identity management, authentication and proofing initiative.

In advocating for one authoritative source of identity and leveraging the systems we already have to solve current problems, Grant had this to say:

I’ve been a big advocate [for] the government to play a role. … Let’s not build new systems, let’s just come up with digital counterparts for the ones we have. Whether it’s things like mobile driver’s license apps, or other ways you might be able to ask an agency that’s already given you a credential to vouch for you, when you’re trying to prove who you are online.

Full Transcript

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 


Steve King 00:04
Welcome to Cybersecurity Unplugged, the CyberTheory podcast where we explore issues that matter in the world of cybersecurity. Good day everyone. I’m Steve King, the managing director at CyberTheory. Today’s episode is going to focus on progress in identity management. And who better than, joining me today, is Jeremy Grant, the managing director of technology business strategy for Venable and the former managing director of the Chertoff Group. Jeremy’s been a major contributor as a senior executive advisor to the National Strategy for Trusted Identities in Cyberspace, which is part of the NIST identity management, authentication and proofing initiative there. So welcome, Jeremy, I’m glad you could join me today.

Jeremy Grant 00:56
Thanks, appreciate the invitation.

Steve King 00:58
So you’ve been at the forefront of the identity puzzle for years now. You’ve looked closely at some of the challenges our new disparate workforce pose as we shift from perimeter defenses. Can you explain your perspective on how zero trust can impact the way in which our traditional network communications operate?

Jeremy Grant 01:23
Sure, well, I mean, first of all, said, I appreciate being called to the forefront of the puzzle. But you know, I think in many cases, my role here has been that I’ve just been there earlier than somebody and screwed something up and learned what not to do. And that’s helped inform maybe where we go from there. But now the question on zero trust, I think is a good one. It’s, you know, certainly a term that’s getting, you know, a lot of buzz these days to the point that, you know, you can almost play drinking games at some cybersecurity events, you know, in terms of how many times somebody is going to actually mention it. That point aside, I really do think it is the most important trend to emerge in years. And that, from my perspective, you know, getting back to a time where, you know, arguably I wasn’t at the forefront of things, it really is finally shifting people to an architecture that’s actually securable. And, you know, by that, I mean, we’ve had, you know, sadly, for so many years, this focus on, hey, if we can just build this really awesome, you know, perimeter defense, it’s going to keep people out, and we can trust everybody who’s inside. And, you know, the reality is that as you built walls higher in some places, but basically left a, you know, flimsy screen door that you could walk right into the fortress, that being the identity layer, most of the time being a compromised password, you know, the attackers sort of looked at this and figured out what was going on and figured out how they needed to move to identity-centric attacks, to the point that it’s basically been an anomaly over the last 10 years, when we’ve had a major breach, a major incident, and identity didn’t provide the initial attack vector. 
So I think, you know, to me, what’s notable about zero trust, to me, it’s finally shifting that architecture in terms of not just how we secure systems, but how we design them from the start and enable access and, and whatnot, to put identity at the center of it rather than something that’s an afterthought. And, you know, taking that sort of an identity centric approach, you know, first allows you to essentially block those, you know, commonly executed attacks. And second gives you an approach that I think is just more securable in that you’re really reducing the attack surface overall quite a bit and focusing just on a few key controls.

Steve King 03:28
Yeah, reducing the attack surface is a big piece of that, certainly. You know, this whole business of, you know, your attack surface has now grown to become the entire universe, as should be obvious to folks that, you know, you can’t defend the entire universe. But your point about zero trust becoming marketing hype, unfortunately, is not particularly useful to the movement, but I think if we continue to keep pushing, as you say, I think it’s the right thing to do.

Jeremy Grant 03:59
It’s useful except for when you see somebody advertising zero trust firewalls or whatnot, and then it’s a bit in the realm of the absurd.

Steve King 04:06
We can take you to the promised land, right? Yeah. Healthcare, however, is one of those industries that is frequently targeted by cyber criminals for a whole variety of reasons, and now has a new set of complications that I’ve seen, shouldn’t be particularly attractive to bad guys. The new regulations that I’m referring to include those tied to the 21st Century Cures Act, which I think require providers and payers to create new APIs to share patient data. Are you aware of that regulation? Can you talk to us a little bit about that? Yeah, absolutely

Jeremy Grant 04:44
not. We’ve done quite a bit of work here actually, on this front, in that, you know, a lot of the work we do is, you know, with healthcare organizations along with some of the vendors who are trying to help them comply with this. And, you know, the Cures Act, it’s a five-year-old law now, it passed back in 2016, really strong bipartisan support, which you don’t often get in Washington these days. And, you know, the easiest way to think about it, I think, you know, certainly, we’ve been dealing with what I would, you know, call challenges around data portability in banking and financial services for years with things like open banking. This is looking at a similar model, how do you essentially, you know, enable what I would call open healthcare. So, you know, I might, you know, go to, you know, four or five different health providers, between doctors, specialists, hospitals, whatnot, I, you know, might change insurers every few years, I got a couple different pharmacies I go to, my health information is all over the place. How can I, you know, essentially access any of that through a secure API, and have the ability to take control over my health data and decide to share it different places? It might just be me going from one doctor to another, and I want to let them access that information from the first doctor very quickly. It may be that I want to use, you know, like a health tech app, you know, perhaps tied to, you know, a wearable device that’s going to, you know, go back to something that’s going to aggregate information from a few different sources, you know, give me some, you know, additional information or perhaps, you know, give my doctor some information in terms of, you know, how I’m doing. Start thinking about, you know, whether it’s, you know, wearables or, you know, home blood pressure devices, or different things like that, that you may want to be able to share across multiple providers. 
So what it’s mandating, essentially, is this whole creation of an API ecosystem across both providers and the insurers to enable sharing of patient data. And, you know, I think that the biggest concern, certainly among a lot of the healthcare clients, you know, the CISOs and their staff that I’m working with is, hey, this is a really great vision. But given that year after year, when you look at what the most valuable data is that’s stolen in breaches, that it’s healthcare information, we’ve got a few concerns here, in that if people are basically, you know, able to easily impersonate somebody online, or just, you know, how would I say it, you know, steal a password, like we’ve seen in every other breach, to then steal health data, putting this information online is going to make people, patients, more at risk. And so there’s a real effort right now to try and figure out, as you’re creating these APIs, how do you have a robust identity layer for consumers, for patients, that can protect that? And I think that’s where there’s, you’re seeing, I think, an initial focus on compliance, because the regulations say you have to have an API. But beyond that, I think you’re starting to see people focus a little bit more on the security aspects as they’re looking at some of this data they’re putting out there and going, oh, holy smokes, we’ve actually got a real risk here if we don’t take care of things.

Steve King 07:33
Yeah. And I, you know, we’ve been trying to make progress on the electronic health record front for years, it seems to me anyway, and I’ve recently had an experience with a couple of different providers that universal access kind of isn’t, doesn’t exist, because we kind of go through the same process every time you go to provider A, provider B, provider C. APIs in particular are not the most bulletproof barriers to threat actors. Would it seem, it seems to me that there needs to be some sort of a federation or something of providers that can create kind of an ecosystem that maybe nobody owns? Or is that a government-level thing in your mind? Or is private industry somehow going to be able to work that out?

Jeremy Grant 08:21
Yeah, you know, it’s interesting. I mean, in terms of actually having a federation, I think the regs really, you know, call for something that’s much more open, which is just there’s APIs there. And as a patient, you have the right to ping your insurer and, or your provider and send the data wherever you want. And so this is actually one of the concerns, is that there isn’t that sort of federation or trust framework that’s out there. It’s more the patients have rights, and everybody’s got to comply with them. And I think where you’re seeing a focus now is saying, okay, well, again, that sounds like a great model. But how do you secure it? And you know, that’s where there’s continued challenges these days, as we don’t quite have, you know, the layers of security in place that I think most people would want to see. There is an interesting effort in the healthcare space, particularly on the identity side of that, with a group called the CARIN Alliance, C-A-R-I-N, which is looking at creating, essentially, a federation of different firms on the healthcare, on the identity side, so that you could have, say, a single patient ID that you could use in all of those places. And, you know, the idea is if you’ve got this federation in place, this trust framework of different providers, that can help to provide that layer. 
And you know, there’s some new pending guidance from the Department of Health and Human Services called TEFCA, the Trusted Exchange Framework and Common Agreement, that would call for the use of, you know, what my old colleagues at NIST define as, you know, identity assurance level two, authentication assurance level two, basically pretty robust identity proofing for a patient combined with, you know, pretty robust MFA. With that, you know, they’re hoping that they can, you know, maybe create some of that, you know, federation infrastructure. But it’s, I would say, early stages. In fact I, you know, I have concerns right now, you know, with the rush toward different firms standing up these APIs, that if many are doing it without a security layer, you’re going to see the attackers go there, in that they’re always looking for where there’s ways that they can steal something of value, be it money or data, in a way that’s not going to require a huge heavy lift on their side.

Steve King 10:24
Indeed, speaking of identity proofing, you have often said that we’re pretty good at authentication, yet we’re still not so much progress-wise on identity proofing. Can you explain why that is? And talk about any progress you see in the near future?

Jeremy Grant 10:43
Yeah, sure. Well, I think first, it’s probably helpful to just level set, because I find, you know, in the identity space, a lot of terms get conflated and thrown around quite a bit. You know, I was just looking at something the other day, people were talking about the importance of identity authentication, which, sure, it’s important, but do you mean, you know, I tend to break these things down into the identity proofing, which is what you go through when you’re first establishing an account for somebody, you know, how do you know it really is Steve King on the other end of a device, and that it’s a particular Steve King, you know, identity resolution, figuring out, you know, for people of different names, is a big deal. And then there’s the authentication element, which is, okay, you already got an account. Now, you know, this is the password problem, essentially, how do you log back into something once an account’s been created. And so when I say identity proofing is getting harder, and authentication is getting easier, it’s that I think we know now how to solve the password problem, not that we’re not going to have millions, you know, of records stolen once again this year, because of compromises of passwords. But with the emergence of new standards, like those from the FIDO Alliance that are basically being embedded in every device and browser and service by all the big tech platforms, we at least know how this ends. I’m seeing a lot of, you know, more sophisticated organizations start to move toward, you know, a post-password world for their employees and their customers through a combination of things like FIDO, and, you know, paired off in with, you know, what I would call behavior analytics that are, you know, looking at other traits of an authentication event, you know, to try and figure out whether, you know, something doesn’t look right. And that enables what I think a lot of people would call risk-based, continuous authentication. 
So, you know, this is good, we kind of get how to solve this, even if, you know, we don’t have it all in place yet. But identity proofing, you know, that whole issue of, you know, how do you figure out who’s the proverbial dog on the internet is getting harder and harder in that a lot of the tools that we use for years online, with generally knowledge based verification, you know, you get like a quiz from information from your credit report. That stuff worked for a while until it didn’t. And I think what we’ve seen now is the attackers have caught up to the point that a lot of the banks I work with, tell me if somebody passes one of those quizzes too quickly, and they don’t get anything wrong, it’s, you know, generally a sign of fraud, and that most people, you know, usually miss a question and have to stop and think about these things for a while, right here, we’re not really sure what’s next, there’s some good innovation that’s happening in the space, it’s not fully solving the problem. And this is, you know, where I’ve actually been a really big advocate, that this is a place where the government’s gonna ultimately need to play a role in that the government’s The only authoritative issuer of identity. And you know, we have some good private sector solutions that, you know, are essentially trying to guess what only the government knows, which is, again, some of them are helping, I don’t mean to put these things down. But we just have a lot of challenges right now. And that space, certainly when you look at the, you know, the kinds of identity fraud that we saw skyrocketing during the pandemic, whether it was attackers looking to, you know, steal money from government, or from those in the private sector, the numbers went off the chart when we couldn’t do in person transactions anymore, and a lot of stuff was rushed online, often without proper identity proofing control. So I think that’s really where the the new frontier is in the space.

Steve King 13:51
Yeah. And you think that’s even doable in this political climate?

Jeremy Grant 13:56
I do. I mean, look, one of my projects, I run an organization called the Better Identity Coalition that’s, you know, put out a policy blueprint that’s gotten really good bipartisan support. So you know, there’s a bill in Congress in the House of Representatives introduced by Bill Foster, who’s a Democrat from Illinois, on the Financial Services Committee, really interested in this from, you know, how important this is to FinTech and payments and, you know, all sorts of innovation in financial services, partnering with John Katko, who’s the leading Republican on the House Homeland Security Committee, focused a lot on the cybersecurity concerns. We’re expecting, you know, a little later this fall we’ll see a counterpart in the Senate that’ll also be bipartisan. And so look, I’ve been in Washington, DC 25 years, I should be as cynical as anybody about the ability to get something done, but I’m actually, you know, pretty optimistic.

Steve King 14:44
Well, that’s encouraging. I’m happy to hear that. It’s just that every time somebody, I can’t even get a vaccine identification card, let alone, you know, yeah, a passport for who you are and all the rest of it. So it’ll be

Jeremy Grant 14:59
I think one of the things we’ve tried to do with the coalition is understanding just how political everything, you know, is right now, and particularly how politicized the identity issue can get, is, you know, tried to look at solutions that are both technologically feasible, but also politically feasible. The idea being that, I think there are some ideas that are just political non-starters, and let’s recognize that up front and figure out what we could actually do that, you know, would stand a chance of moving forward. And I think that’s one reason the coalition, I mean, we’re, you know, 25 members, you know, between financial services, health care, big tech, you know, also some of the vendors in the space, but, you know, largely driven more by those who are the customers of digital identity. And, you know, I think trying to come up with, you know, some pragmatic approaches that can maybe change the thinking on, you know, what we mean when we’re talking about solving digital identity. So getting beyond some of the, you know, more tired, you know, ideas of why don’t we just do a national ID card, or, you know, the same things everybody has said for the last 25 years that haven’t solved any problems. That’s really where we are, you know, trying to focus more directly.

Steve King 16:07
Well, best of luck. I’d love to see, we can certainly benefit from that in many, many different ways. I’m not one of those people that care whether the federal government knows everything about me or not, I know they already do.

Jeremy Grant 16:23
Yeah, well, I’ll say the way we’ve, I think, changed the conversation, as we’ve pointed out, whenever somebody says, let’s just do a national ID card: we don’t need a national ID card, in fact one of our problems is we have too many ID cards, we already have them today, but they’re all stuck in the paper and plastic world, and none of them are suited to being used online. And so the proposal we, you know, we put out, that I think has gotten really, you know, a lot of heads nodding, you know, across the political spectrum is, look, let’s not build new systems, let’s just come up with digital counterparts for the ones we have, you know, whether it’s things like mobile driver’s license apps, or other ways you might be able to ask an agency that’s already given you a credential to vouch for you, when you’re trying to prove who you are online. I think it really turns some of the old tropes on, you know, this is a privacy and security concern if we do something with digital identity, on its head, in that we’re just talking about leveraging the systems we already have today to solve some of these problems, rather than, you know, creating new ones, which, look, I have concerns if you talk about a new government database, so let’s just not do that.

Steve King 17:22
Yeah, right. The challenges of the constitutional republic, right? Yes, our listeners have heard a lot about zero trust. Most of it tends to be focused around network, kind of reference architecture, kind of conversations, and some folks, you know, think it’s a product, some folks think it’s some kind of, like, architectural solution, zero. Sure. And I know you and John Kindervag are kindred spirits on the importance of zero trust in both network and identity management. Can you help our listeners understand a little bit about how these two realities cross paths and can actually integrate?

Jeremy Grant 18:00
I will say, you’re right, a lot of people have talked about it in different ways. I’ll talk about it, you know, in the way that I’ve always looked at zero trust, which is, you know, it’s a largely identity-centric approach to cybersecurity, in that the three things you care most about, you know, one, it’s device identity. So what do I know about the device somebody is coming in on, is it the one that’s supposed to be accessing resources on my side, can we tell if it’s been, you know, fully up to date with, you know, operating system updates, and, you know, closing any other security gaps. So, you know, hey, I know my device. The second is, you know, personal authentication, you know, with something that is, in fact, getting back to the government, the White House, in their zero trust strategy that was just published a couple of weeks ago, pointed out godly phishing-resistant multi-factor authentication, you know, it’s got to be something like a FIDO key, or PKI. If you’re using something that’s legacy for multi-factor, like a one-time passcode, that’s increasingly getting phished these days, so let’s just not go there. And then once you know the device, and once you know the person, then it’s based on very fine-grained authorization, which I think is actually probably the hardest part. And that authorization is a tricky topic for a lot of enterprises to manage, in that authorizations are constantly changing. And so, you know, you have to really be able to, you know, keep up on that and have a strong, you know, governance system in place that can manage all of those things. But, you know, to me, that’s, you know, basically saying, you know, for every single access request, we’re going to be able to check those three things. Yeah, look, as I made the joke before about, you know, zero trust firewalls and whatnot, there are certainly other product vendors who are saying, you need our thing as well. 
But you know, I would say those three elements, combined with all the data having been encrypted, so that it’s only decrypted if, you know, you can hit those three checks. To me, that’s sort of the core of what we’re talking about when we talk about a zero trust architecture. Right.

Steve King 19:46
Okay. That helps. I’m conscious of the time here, Jeremy. I know we got to go. Final question. You’ve been around DC, as you’ve said, for a long time, you know some of the folks in the new CISA organization and have visibility into the progress there. What’s your assessment of the potential impact of these recent executive orders and sort of, you know, call them quasi-mandates that are coming out of the Fed?

Jeremy Grant 20:15
Well, I think they’re going to be pretty impactful, not just because I think they’re sensible approaches, but also, you know, to be blunt, I’m seeing Congress looking to fund them. And I mean, this has been a huge issue with federal cybersecurity in the past, is that you’ll see these policies come out that, you know, look great on paper, but, you know, actually ask the agencies, you know, what are your plans to implement? And their answer has been, well, this is a great mandate, and I don’t have any additional dollars to make these changes. So you know, how is that going to change anything. And I think what you’re seeing now is that, you know, there’s actually a follow-up in Congress to look to put additional dollars in place to accelerate the, you know, the adoption of zero trust architectures. We’re recording this at the end of September; earlier this month, you know, three documents came out in response to President Biden’s May executive order, which mentioned zero trust. One was sort of a, you know, strategy from the federal CIO in terms of how you’re going to do this, which was really prioritizing things like phishing-resistant authentication. It actually pointed to the FIDO Web Authentication standards as part of that, which was, from my perspective, great to see. And then two additional guidance documents from CISA that pointed out more, look, here’s how you can actually go a step beyond to build these things. So I think between being decently crafted policies, but then if it’s going to be followed up with dollars to the agencies to actually, you know, help them pivot away from trying to secure some of these legacy systems, I think it’s going to be impactful. I also think it’ll be impactful from the perspective of the private sector. You know, one of the things we’ve been pointing out to our clients is, look, this is only a mandate for federal systems. 
But you can bet if this works, you’re going to start to see in regulated industries, some of these regulators looking at some of the same concepts. And so you know, some of our advice to clients has been, you may want to contemplate ways to try to get ahead of some of these things. Given that, you know, it’s quite feasible in a couple years, you’re going to see, you know, this start to roll into some regulated industries as well.

Steve King 22:08
I hope you’re right about that, I think it’s where, you know, long past due, and I’ve seen now budget allocations in the last couple of weeks, like three or four additional several hundred million over this as well. So that’s all, that’s great,

Jeremy Grant 22:23
nothing’s gonna move, you know, right away, but it is, it’s pretty notable, I think, in terms of the impact and where, you know, it’s gonna, I think, start to change some things. I mean, a lot of this dates back to discussions, you know, two administrations ago. I remember, you know, I won’t say who, but, you know, senior officials in 2015, dealing with the aftermath of the Office of Personnel Management breach where, you know, people like me, you know, who had clearances, suddenly had their, you know, personal information and their fingerprints, you know, basically in the hands of China after a, you know, pretty brazen, you know, breach. And, you know, I think there was a realization at the time that one of our big problems here is we’re trying to bolt on security to, you know, architectures that in many cases, you know, are 20, 30 years old, and were just never really meant to be around this long. They weren’t built for security. And so I think with that, you know, you’re seeing this realization that, you know, the sooner we can start moving people to more securable architectures, you know, namely in the cloud, leveraging, you know, things like zero trust architectures to secure all of them, that’s ultimately how we’re going to put an end to this epidemic of breaches we’ve seen, is, you know, let’s make it harder for the adversaries, let’s start raising the cost of attacks beyond just something as simple as having a compromised password. And so I’m bullish these days that we’re at least on the right path, even though I expect we’re still going to have some challenges, you know, for the next few years as we’re looking to get there. And of course, the attackers never stop innovating either. So we’ll make things hard for them, and they’ll find, you know, other soft spots to go after.

Steve King 23:55
Of course, they will. And I’m an optimist, too, so I’m hopeful as well. Thanks, Jeremy. It was great having you on the show today. I appreciate you taking time out of your schedule to join me. I think this was a pretty interesting exchange on this subject. I hope to be able to have you back maybe in the fall, kind of talk some more about what’s happened between now and then.

Jeremy Grant 24:16
Thanks, I really appreciate the time, welcome the chance to do so. Thanks again.

Steve King 24:20
All right. And thank you to our listeners for joining us in another one of CyberTheory’s Unplugged reviews of the world of cybersecurity. And until next time, I’m your host, Steve King, signing out. Thank you for joining us for another episode of Cybersecurity Unplugged. You can connect with us on LinkedIn or Facebook at CyberTheory, or send us an email at social@cybertheory.io. For more information about the podcast, visit cybertheory.io/podcast. Until next week, thanks again.