Techstrong TV: Understanding & Managing Digital Identities

David and Charlene discuss how to effectively manage digital identities and assets in the rapidly evolving digital world. The video and a transcript of the conversation are below.

This is Digital Anarchist.

Charlene O’Hanlon: Hey everybody. Welcome back to Techstrong TV. I’m Charlene O’Hanlon and I am here now with David Mahdi, who is the chief strategy officer and CISO advisor over at Sectigo. David, thanks so much for being with me here today. I am just so very excited to have a conversation with you about digital identities, because I know that it’s a very, very hot topic among a lot of organizations as they kind of seek to maybe lock down their systems a little bit more, or at least understand what they’ve got so that they can lock it down. So thanks very much for being on Techstrong TV and having the conversation with me. I’m very excited. Great to

David Mahdi: Well Charlene, thank you very much for having me. And I – digital identity is certainly an area that I’m passionate about. And I think all of us have our own personal stories, whether it’s getting locked out of an account at work or getting locked out of a personal account. It all comes back to that.

O’Hanlon: Yeah. I can count on one hand how many times that happens to me in a week. So it’s, but you know, it can be difficult to manage all those passwords. But let’s kind of start at the beginning. So we’re talking about digital identities and, you know, these days there is not a person on this earth, I think, who doesn’t have some sort of digital identity. But what exactly are we talking about when we do say digital identity?

Mahdi: Yeah. Great question. So digital identity, really, well, first of all, we have to think of not just humans, right? You are you, you’re Charlene, I’m David, and in the traditional physical world you might have a passport, a driver’s license and all these types of IDs. And that’s how you, you know, when someone says, are you really Charlene, in person you show one of those ID cards, right? But obviously over the last few decades we’ve been doing more and more online, and we’ve kind of danced around ways to do digital identity online for the past several years. But the reality is that in the last couple of years with COVID, Deloitte, McKinsey and Gartner basically have said the world has leapt forward digitally five to seven years. So now we’re at this point where digital ID is in the spotlight, and we can come back to that, certainly unpack that more.

But what is it? It’s just, really, think about your physical identities that you might have now today and some digital representation of that. So Charlene’s digital persona, and right now a lot of it’s siloed and fragmented. So you might have a version of your digital identity for your corporate world. You might have a version for your social world, whether it’s LinkedIn or Facebook, and then you have digital identities for other things that are pretty important. Maybe government services, maybe banks and so on. Right? So there’s that side. And there’s the other side, which frankly the market hasn’t really talked about. I mean, if you look at the market and all these insane valuations in the identity proofing and IAM space, identity and access management, no one’s really talking about machines, but the reality is that machines are all around us. And I don’t mean just physical devices. I’m talking also about software. Right. So lots of these things, so anyway.

O’Hanlon: No, no, no, absolutely. And that’s, that, I think that’s a very important distinction, because when we do think about digital identities, to your point, it’s mostly about humans, but, you know, we’re now talking about smart devices that are on the network that need to have kind of their own digital identity per se. And do you think that that’s – I mean, it hasn’t been part of the conversation up to now, but do you think that’s going to be changing?

Mahdi: I do think it’s going to change. I mean, we’re certainly seeing, you know, IoT, IoT security, certain vendors out there like Armis and Dragos looking at OT environments. And even if you look at the Biden executive order that came out last summer, there was a lot of emphasis on cyber-physical systems. So not only do you need to know who, like, say, David, is accessing the system, but also what, right? So it could be maybe I wrote a bot and that bot is accessing software or other hardware devices, or I have a device in the field and it’s got intelligent software on it and it needs to access a server to understand what its next job is going to be. You can’t do any of this stuff unless you know who and what is accessing things. And then you tie that back to governance. So it all comes back to that. It really is identity; digital identity is the foundation for cybersecurity, really, going forward.

O’Hanlon: Yeah. And I think of it as, you know, if you’re connected to a network, you have a digital identity.

Mahdi: Yep. You should.

O’Hanlon: I don’t know if that’s, if that’s a very simplistic way to say it, but, you know, my car is a digital identity and, you know, my, I don’t want to say it because it’ll put it off, but, you know, my smart speaker, shall we say, is a digital identity. And so there are so many different things that do need to have a digital identity. But what, so what is it about digital identity specifically that, you know, we need to know about? Because, you know, it’s nice to say, okay, I have a digital identity. What does that mean to anybody? And how is that important, and why, why should we consider it when we’re talking especially about networking and infrastructure and cybersecurity and all of the things that go along with it?

Mahdi: It all comes back to digital trust at the end of the day. I mean, even again, if I refer back to that five to seven years leaping forward digitally, everything is digital business now, right? Even if you look at any UPS or FedEx package that comes your way, or Amazon, they’re going to scan it with their device. And they’re going to, you know, get into the system and do all this. Even when I had landscapers over at my house last summer, they’re there with iPads and they’re logging everything in their online SaaS-based service. And they need to know that anything that they’re inputting in there, once it’s saved, that it’s trusted, that a bad actor doesn’t get in and add another zero or funnel the money somewhere else, or funnel the package somewhere else.

So we have to know, in this digital world, if you’re going to create content or access content or access a server, you have to have that trust. So digital business is everything now. And really the second line under that is every single digital business needs digital trust, and then what we need as that foundational layer for digital trust is digital identity, as we talked about before. But to answer your question monthly, it’s anything, whether it’s in the network or you’re talking about consumer security, device security, all this stuff, it needs digital trust.

O’Hanlon: Okay. So digital trust, is it something you earn like regular trust or real? How is it, you know, how does digital trust kind of play into the conversation? I mean, when you say digital trust, what exactly does that mean for anybody or any organization?

Mahdi: Yeah. I mean, again, if we draw some parallels with the physical world, right? I mean, if we think about, you know, Cheers, the bar, you know, you go in, everybody knows your name, they see your face. It’s not like, Charlene, if we meet in person, hopefully one day we get to do that, you’re not going to ask me for my passport and everything. We look at each other and we go, okay, I can trust, I can trust that you’re David, and we can move along. We have these nice human ways of doing it. We’ve evolved to recognize people, right? But in the digital world we don’t have those cues. And like we said, if it’s machine to machine or application to application, they need ways of establishing trust with each other.

Now we know that within the PKI space, right, SSL, we have this with websites, with certificates and setting up a TLS tunnel and doing all these kinds of things. We have that there, but as more and more use cases come out, as you see more vehicles and devices in your house and in corporations become more interconnected and have more rich software and services, all that stuff needs to be secured. And so whether it’s using, you know, let me get a little bit geeky here for a moment, cryptography to digitally sign things so that you can validate that Charlene actually did do this transaction at this time because she presented a biometric and it was digitally signed by her. All of that is really important. So those are ways to kind of bring in trust.

But let me link to something that’s very buzzy: zero trust. Many of us have heard about zero trust. Now I’ll be honest, I have like a love-hate relationship with zero trust, and the reason why is, like, on one hand I think it’s a great framework. Great approach. But on the other, I feel like in many of the organizations I talked to over the years, and I talked to well over 6,000 in my previous role as an analyst, you know, it sometimes creates lazy logic, you know? And so say if you’re a bank, well, you have to do something called KYC, know your customer. I can’t just say, well, you know, Charlene, just give her a credit card, right? Let’s loan her $10,000, right? No, you need to validate that. So zero trust isn’t, it creates, my fear was zero trust was creating the, sorry, this lazy logic, because, you know, and what I always said to, say, banks and mobile network operators and others: you can take zero trust as a first step, right, and use that as your mentality, but it is your responsibility to establish and maintain that trust. That’s where it gets hard. It doesn’t get so much hard on, on not trusting anybody. It gets hard when I say, oh, David brought in this new Pixel device, I’ve never seen it before, I’m going to take a zero trust mindset. And then we have to build up trust. Right back to your question: how do we build up trust?

Well, let’s check to see if this has been a known bad device. Let’s check to see if it’s been associated with anything else. So, you know, is it jailbroken? And we can do those rudimentary checks. And then we can get David as a human being to do some identity proofing, maybe show his face, use a PIN, do something out of band. And then we enroll David’s device. Maybe we provision a certificate to it, and then we can authenticate the device going forward. We can layer in zero trust in that, you know, we cannot necessarily assume it’s always safe. But that’s really the notion: we have to establish and maintain that digital trust. And we have mechanisms like identity proofing and using certificates and these types of things, a lot more we could talk about, but that would be it from a high level, from a digital trust perspective.

O’Hanlon: Yeah. Okay. So, you know, where do you think we are kind of on that continuum then? You know, when we’re talking about digital trust, digital identities and digital trust, do you think that the business community and the IT industry as a whole are well familiar with and are using digital identities and digital trust effectively, or do you think that it’s maybe something that we all kind of need to work on to ensure that there is greater digital trust and maybe an easier way of gaining it, or not?

Mahdi: Yeah. I think many organizations are on that journey. You know, there’s demand in things like passwordless authentication, which is a digital trust child, if you will; digital trust is the parent, right? Authentication and passwordless authentication would be a child of that, identity governance, access management. These are all very big areas if you look at, you know, what organizations are doing. Certainly with COVID, lots of organizations panicked to do secure access, get people online and do all these things. So people definitely have had these projects, but I think the notion, the way in how I was positioning digital trust, I think is a more modern and future view of what it is. I’ll give you an example.

So today we might, it would be very use case centric. Like, I need to get Charlene online. Therefore she needs to authenticate to a VPN service, maybe give her some single sign-on. So she logs in once and she can access all these things. Okay. That’s great. But now let’s just say Charlene’s inside the network and she wants to share a sensitive document with David, which might go to their corporate lawyers. Okay. If you make any changes to that document, how do I know it was actually you, right? So we need to have other ways of building in that trust. And the mechanics could be using a digital certificate, signing the document, you send it to me, and now that document can hold up in court. And especially if we can’t see each other physically.

So I think the use cases are going to start to, and that’s usually how a lot of organizations think of it. They think of use cases first. But I think that the framing in digital trust, I think, is more of a newer way of viewing it, but this is going to be highly critical, even if, I’ll just mention this really quick, when we talk about Web 3.0 and decentralization and NFTs and the metaverse, digital trust is going to be paramount. Sure. When the world switches over to more of those arenas.

O’Hanlon: Yeah. Yeah. I just experienced the metaverse myself about a half an hour ago actually.

Mahdi: Oh, wow. Is your head spinning still?

O’Hanlon: My head is spinning a little bit. Yeah. But NFTs are definitely an area where I do see digital trust playing a major, major role, and digital identities, obviously with the metaverse and digital trust. So I agree. I think it’s going to become a much larger part of the conversation moving forward. And I think it’s going to be more top of mind for organizations and for individuals to maybe kind of keep closer tabs on their digital identities so that they can have a greater sense of digital trust, not only for who they trust or what they trust, but how others are seeing them and their, you know, that they feel, or they are more quote-unquote trustworthy, because, you know, a lot of that depends on the type of information that’s being put out there. So I see digital trust as a very positive thing, but I also see it as something that could be a target for manipulation in the future. So, you know, from a reputational standpoint, I should say, because we’ve already seen obviously cyber criminals taking advantage of digital identities in other ways.

Mahdi: Exactly.

O’Hanlon: Yeah, we could, I think we could probably talk about this all afternoon, because, you’re right, there’s a lot to unpack with this topic and it’s only going to get more interesting, I think, as the year goes on, as more areas such as NFTs and the metaverse come into play and become a larger part of the conversation. So, David, I’m sure I’m going to see you back here on Techstrong TV in the future so that we can have that conversation.

Mahdi: Absolutely. We love it anytime any day and maybe anywhere physically at some point, but Charlene, thank you so much.

O’Hanlon: Fingers crossed. I’ll see you at RSA in June.

Mahdi: Indeed. Indeed. Well, take care, stay safe and thanks again for having me.

O’Hanlon: Thank you. All right, everybody, please stick around. We’ve got lots more Tech Strong TV coming up. So stay tuned.

[End of Audio]