Transcript
Narrator/Host (0:02)
You're listening to the CyberWire Network, powered by N2K.
Sponsor/Advertiser (0:04)
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs. And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Tim Nodar (1:31)
The word is IAM, spelled I for identity, A for access, and M for management: a set of solutions for ensuring that the right users can only access the appropriate resources. Example sentence: Identity and access management is critical to an organization's security program because it stands between users and sensitive information. Origin and context: In 1993, the New Yorker's Peter Steiner published his famous "On the Internet, nobody knows you're a dog" cartoon. The single panel, now a famous meme, shows a dog sitting at a keyboard in front of a monitor and talking to his dog buddy sitting on the floor. Unfortunately, almost 30 years later, this joke is still true. Today, the concept of identity and access management, or IAM, is fascinating, complex, and exponentially difficult to administer at the corporate level and personally in your day-to-day life. How do we know if the entity logging into my system as the company's CEO is really her, some nefarious ransomware hacker, or indeed my dog Dexter? How should I, as an individual, convey the appropriate identity for the right context for a particular task I'm trying to accomplish, as either an employee, a volunteer advocating for the Political Action Committee of Underwater Basket Weavers that Love Sunsets, or to my Dungeons and Dragons Reddit forum, where I'm known as Abigail, a level 47 chaotic neutral tiefling warlock? Admittedly, we didn't really think it through back in the 1960s when the late, great Dr. Fernando Corbató, one of computing's founding fathers, needed a way to keep researchers and students out of each other's files at MIT. This is back in the day when mainframe computers ruled the world and we all had to share the same computer. As a stopgap measure, he created the user ID and password system that we all mostly still use today.
It's astonishing, really, if you think about it, that in a world where the hardware and software, computer and engineering paradigms shift every 18 months or so, the dominant way we all still identify ourselves and gain access is over six decades old. That's 60 years. The mind boggles. But that doesn't mean that there aren't better systems out there. There are. They are just harder to use by the typical user, difficult to implement and manage, and expensive. But if the community has any hope of deploying a zero trust strategy, IAM is the key and essential component. You can't deploy any zero trust policies unless you absolutely know who or what wants access. In other words, I need to know unequivocally that it is indeed the CEO trying to log in, or that it is her iPhone connecting to the MA database sitting in AWS, or that it is the Concur app trying to connect to the CEO's profile. If I have that, I then can deploy rules designed to limit access to material data and systems to only the essential entities that require that access and nothing else. That is zero trust. One of the problems with IAM today though, in 2022, is that our current systems are site-centric. Users have to present credential information to multiple digital silos like Amazon, Netflix, eBay, and our corporate system, whatever that is. These silos typically don't talk to each other. If I routinely use Amazon and Barnes and Noble, I can individually log into each separately, but I can't ask Amazon to share the books I purchased on their site with their Barnes and Noble competitor, even though it's my information, because they are both walled gardens. That's starting to change though, with a concept called single sign-on: you log into a broker, say Google, Amazon or Apple, just to name three, with your first cup of coffee in the morning, and then later that day when you want to log into Twitter, you ask Google to log into Twitter for you.
Twitter and Google do the authentication dance themselves and you don't have to remember your Twitter password. Twitter trusts Google as being the authoritative source for your login information. For authentication, we have several two-factor authentication methods at our disposal that range in capability from being slightly better than Dr. Corbató's user ID and password system to being exponentially better: things like SMS verification, email verification, authenticator soft tokens like Blizzard's Battle.net, Google's Authenticator, ID.me, and LastPass, push authentication from companies like Apple, Google, Microsoft and Twitter, and finally universal second factor authentication, or U2F, an open standard that uses Universal Serial Bus (USB) or near field communication (NFC) devices as the second factor. But for corporate environments, the trick is to find or build an IAM system that works seamlessly with all the data islands where you store your data and run your key services. Ideally, you want your CEO to log on once in the morning and have the IAM system orchestrate the identity and authorization dance according to the company's zero trust policies for all the places she connects to during the workday: SaaS apps, multi-cloud environments, and any homegrown apps still running in the data center. IAM is a key piece to any organization's identity fabric that also includes Identity Governance and Administration, or IGA, Privileged Access Management, or PAM, and Customer Identity and Access Management, or CIAM. One last thing. A potential future of IAM might be a 180-degree flip of who or what is the authoritative source for your identity. Today, as I said, we might use a broker like Google, but in the future you might become the authoritative source and every app that you want to authenticate with will do the IAM dance with you because you will hold the credential, something called a digital ID.
The second factor would be your phone or other mobile device, and your credential would be your cryptographically stored key. Instead of the CEO logging into Twitter with her user ID and password, Twitter would interrogate the CEO's credentials stored on her mobile device. This architecture is not quite available yet, but it is probably just a few years away. Canada and the European Union are already experimenting with the concept. Nerd reference: In a perfect example of a failed IAM program and a flawed zero trust deployment, I give you the 1982 movie Star Trek: The Wrath of Khan, arguably the best Star Trek movie in the canon, and I will die on that particular nerd hill. I look forward to your cards and letters. Captain Kirk, the commander of the USS Enterprise, played by the indomitable William Shatner, is trying to take control of the USS Reliant's industrial control systems because Kirk's nemesis Khan, played by the fabulous Ricardo Montalbán, has taken control of the ship and has crippled the Enterprise's combat and navigation systems in a devastating attack. Two things to note in this clip. One, the Federation's zero trust policy that allows every ship's captain to possess the password to every other ship in the fleet; that's probably not a very good idea. And two, their password policy that allows only five-digit passwords. I'm just saying. In this clip you will also hear from Kirstie Alley, Judson Scott and the late, great Leonard Nimoy.
![Identity access management (IAM) (noun) [Word Notes] - Hacking Humans cover](/_next/image?url=https%3A%2F%2Fmegaphone.imgix.net%2Fpodcasts%2F2c81a004-b376-11f0-9be4-13508f9476a7%2Fimage%2F441b0ca2db080b93b935568d381ce462.png%3Fixlib%3Drails-4.3.1%26max-w%3D3000%26max-h%3D3000%26fit%3Dcrop%26auto%3Dformat%2Ccompress&w=1920&q=75)