How do you adequately authenticate a person, device, or organization?
In this episode, Plurilock CEO Ian L.Paterson talks with Joni Brennan, President of DIACC, about the field of identity management, the importance of context and risk, and the challenges in blending professional devices, personal devices, and the data that they access.
|Host:||Ian L. Paterson|
Ready to listen in? Click play below.
Ian: Welcome to the Identity in Cybersecurity Podcast. I am your host Ian L. Paterson and in this episode, I’m speaking with Joni Brennan, president of the Digital Identity and Authentication Council of Canada, or DIACC. Joni has 15 plus years of experience in digital identity innovations and standards development. In this episode, we discuss the tools, techniques, and technologies that are being employed today, the perception shift in digital identity, and the upcoming Pan-Canadian trust framework. Let’s get to it.
Ian: Well, without further ado, Joni—thank you very much for being on the podcast. Maybe to start off, how did you get started in cybersecurity?
Joni: Yeah! First of all, it’s my pleasure to be a part of the podcast—so thanks so much for the invitation. In terms of getting started in cybersecurity, I really started my career focusing on developing technology standards. My university was basically located next door to the IEEE (Institute of Electrical and Electronics Engineers) so we did quite a bit of learning about standards and how important they are. So I thought standards was something that I really wanted to do—to make a contribution across many industries and many regions. One of the groups that I came into contact with was a group called the Liberty Alliance, who was focusing on particular security standards for identity management. So, I found myself really drawn to the topic of identity management, more so than any other kind of particular technology or particular area of focus. Primarily, I was drawn to that because it was very easy to see what the human connection was and what the human impact could be there.
Joni: There were also some interesting standards at that time—some groups I was working with as well—like VoiceXML, which have some early biometric characteristics to it. But, not quite there yet (and this was some time ago). So, what draws me to the cybersecurity space is where and how it can improve people’s lives, where and how it can bring efficiencies and create new services and new opportunities. So, I’m drawn to it particularly from the opportunity to make people’s lives better and more secure and more convenient.
Ian: How does digital identity affect a Chief Information Security Officer’s (CISO) job to secure and protect data and systems?
So, what draws me to the cybersecurity space is where and how it can improve people’s lives, where and how it can bring efficiencies and create new services and new opportunities. So, I’m drawn to it particularly from the opportunity to make people’s lives better and more secure and more convenient..”—Joni
Joni: Yeah, so I would say that over time we’ve seen the concept of how digital identity would affect a CISO’s job—I think we’ve seen the perceptions there shift. And so, we’ve seen identity being thought of as specifically a technology issue, we’ve seen it treated as an also as a customer relationship management tool as well. And we’ve moved forward in terms of looking at security parameters, even looking at identity being possibly the new, if not the security perimeter. So I think it’s been very good to see how that role has moved from looking at identity as kind of something unto itself—either to be treated in marketing or treated in cybersecurity—and now we’re seeing identity as one of those identity and identity systems and what goes into, creating a trustworthy identity. We’re seeing that being more treated as a full part of a system, where a CISO really has to look at identity as possibly one of the new perimeters or at least as one of the most foundational pieces for knowing who is interacting with your system—whether that’s internally or externally—and what kinds of privileges they should have, what kinds of resources they should be able to access. So I think we‘ve really seen that effect shift over time to being something that was kind of interesting, identity—that is—to being something that is required. There’s a required kind of knowledge and integration as to what identity means, what authorization and access mean, what authentication means so I think it’s been very good to see that and I think that more and more now, CISOs identity has been something foundational to their role in leadership.
Ian: How do you see things changing over the next 12 to 24 months, particularly within digital identity for the enterprise?
Joni: Yeah. I think over the next 12 to 24 months, we’re going to see shifting of focus, and a more fine-grain focus on data and access to data—the ability to verify data, and ”what is the role or the liability of an actor within a system with regard to that kind of verification of data. So I think in terms of the enterprise—depending on what that enterprise use case is—I think we’re seeing shifting more and more to the recognition of the need for this space when you’re trying to onboard, provision and de-provision new employees, new partners, new collaborators and also, not only the ability to verify those new partners, those new staff into your ecosystem, but also being able to have some verification about who they are, what their reputation is, that they have a history of trustworthiness to operate at different levels of assurance and different levels of security within a system. So I think what we’re going to see is definitely an evolution around kinds of data—whether that’s evidence of your identity or whether that’s evidence of your behaviors or whether that’s different kinds of data. We’re going to see data being more and more classified into different kinds of data that can be accessed in different ways. And so I think what we’re going to see is, as we’re seeing already more and more push up with, what kinds of systems exist today, what kind of data exists today, where that data exists today, and then what is the appropriate use and who decides what’s the appropriate use of that data? So I think we’re going to see that in the enterprise space. I think we’re going to see that in the public sector space, which I would argue is a large enterprise, and I think we’re going to see that same kind of move around, classification, and access and trustworthiness around data—I think we’re going to see that in the consumer space as well.
What we’re going to see is definitely an evolution around kinds of data—whether that’s evidence of your identity or whether that’s evidence of your behaviors or whether that’s different kinds of data. ”—Joni
Ian: So, given how much work you do within standards bodies, and particularly, I mean, we were, we were talking just before the call about your very busy trade show schedule. What are you seeing as best in class when it comes to digital identity strategies? What are the tools, techniques, technologies, that could and should be employed today—to make for a more robust strategy?
Joni: I think from my view, what I see as best in class, are holistic thinking—holistic design. And so what I mean by that is the ability to see the challenge base as well as the opportunity space as being multifaceted. For example, seeing where we have opportunities to solve, use cases in the enterprise identity space, being able to take those solutions and bring them out to the consumer identity space or to the civic—the government—identity space as well. So I think that best in class is the ability to look at the challenges and opportunities through a holistic lens and I think that’s a place where having flexibility—building flexibility into that view as well. So being able to plug and play different solutions at different times based on different contexts and so that’s going to require interoperability, and standards are going to help with that. Adoption of standards is going to be critical but I think that in Canada, that’s something that we are leading at—particularly when I talk about that multi-context or holistic view, one of the things that we’re very focused on is looking at the identity problem with the, (it’s not the most friendly word, but the user, I feel like the word users is pretty dry) but looking at—whether it’s the employee or the consumer or the citizen, looking at the challenges that they face every day. And looking at them as the center to those challenges and how can we design systems around that solve some of those problems or have the ability to transpose into other domains or other personas to solve other problems as well. So what I’m seeing is best in class around the world is the ability to, look at challenges and opportunities holistically—be flexible, be willing to experiment with new technologies, yet be pragmatic in terms of decision making, and where to invest. And so I think that’s something that we’re doing here in Canada. And I think we’re seeing that in other places around the world too.
The ability to look at challenges and opportunities holistically—be flexible, be willing to experiment with new technologies, yet be pragmatic in terms of decision making, and where to invest. And so I think that’s something that we’re doing here in Canada. ”—Joni
Ian: One of the challenges that we run into, particularly working with regulated institutions—be it a bank or a power plant or something similar, is the intersection between consumer or personal devices and corporate devices. And so I think it was easier five or ten years ago when you came into an office, you sat down, you’re working at a corporate terminal, and all of the work was there. It was done when you left at the end of the day—you left all the work, and all of the data at the office, and then you went home.
Ian: I think now what happens more frequently is there’s a more flexible relationship between, my personal computing devices—which could be my iPhone or it could be a laptop. I come into an office—maybe I’m working remotely and I’m accessing corporate data, I’m accessing corporate systems, and then I may flip between doing that and logging into my online bank account to pay a bill. And so I think the technology is being used in multiple places. And what you’re talking about around the context—I guess I’m curious how you think about this from a standards perspective—and leveraging the tools at the disposal of the user while also being able to accommodate these different environments with which they’re accessing data.
Joni: Yeah, and I think that’s an excellent question. And we do see that more and more I personally lived through that in one of my last roles for sure—where you’re juggling multiple devices and having to use those devices contextually. Or you might be revolting and saying, “okay, I’m going to bring my own device. I’m going to bring my own device to this role, and I’m going to change persona, on this device while I’m working and to try to do that seamlessly. So I think that is in incredibly, challenging space and that space is growing. I think we see that even with—we see that with devices. We see that with the way people will participate in different online forums. So I think we’re seeing that blending of that context and we’re seeing different strategies for handling that.
Joni: So, around the blending of the context, particularly looking at devices, I know that one of the movements looking at this—gosh, probably starting maybe 10 years ago, maybe a little less—with the BYOD, (bring your own device) movement that was happening. And leaning toward systems that could be flexible, platform-based, cloud-based, that policy could be applied, role-based policy and other policy can be applied via the platform—which is one way—certainly not perfect—I don’t think there’s a perfect solution than I’m seeing yet. Although, I do think the concept of, “the identity of things”, is something that is, more and more prescient and more and more important to understand. And particularly in the context of this question, I would say, what we have to look at is that—yes, the identity of the thing, we have to know who is performing the function, on the thing or with the thing, in this case. And so, my work is in the field of identity, so of course, I do tend to look at the space in the lens of identity, although there could be other ways to look at it—for sure. But I would say that, when we look at the identity space, we have identities of people. Now those people could be identifying themselves to make a purchase, or they could be identifying themselves to get a government service, or they can be identifying themselves for work for their employer. Those are just a few and there were many others. Then we have identities of organizations. And so how does the organization authenticate itself? How does an organization prove to me that they are who they claim to be or that this employee actually does work for that organization? So, we have a massive platform for that today—LinkedIn, which I’m definitely a user of, but I’ll be the first to note that we don’t have assurance necessarily on something that comes through LinkedIn—that that person actually works for that company or that the way that company profile was established—that it’s actually somebody on behalf of that company.
Joni: And then we have devices, which are interplaying on both of those fronts, the identity of people and the identity of organizations. And I would say that one thing that I think we see—at least when I’m looking at this particular space that I see as a commonality—is that both organizations and devices are performing transactions on behalf of people, and people may be performing transactions on behalf of organizations. So I think that we need to look at—always—the context of what’s happening and when, or where more authentication is needed. I think some degree of friction—for me at least—some degree of friction is actually a good thing where security is concerned. You know, the degree of friction is something to be determined based on your organizational risk profile or kinds of transactions you’re trying to perform. So that may be very low friction or maybe a little bit, a little bit of friction just to make absolutely sure that it is the person that you expect, at that device, and again, like you said the device, is not necessarily on a desk in a cubicle anymore. I mean, the device can be on the counter in the kitchen, in an employee’s apartment and anybody could be interfacing with that.
Joni: So, I think we have to look at the identity layer of the people, the identity layer of—and the security layer of the organization and what their risk profile is and then, match that with the risk profile of the kinds of machine that they’re using or the way that the platform that they’re using is deployed. And then we definitely would want to layer it again, contextually different types of authentication, and different means for authentication, depending again on the risk and the context of what transactions are trying to be performed. And so maybe a little friction is good or maybe no friction at all, but I think context really is the key priority. It’s important to look at context and risk when you’re deciding what kind of authentication or how strongly a person, or device, or organization needs to be identified.
Both organizations and devices are performing transactions on behalf of people, and people may be performing transactions on behalf of organizations. So I think that we need to look at—always—the context of what’s happening and when, or where more authentication is needed.”—Joni
Ian: I’m wondering about identity portability within this concept of BYOD because—historically, we’ve had multiple sources of truth for “who is the person”. And so going from a consumer, environment and then going into a business environment, I have my Gmail account that says, “yes, Ian is Ian, and here’s all of Ian’s email”, and then as soon as I go work at a corporation, then we have an active directory instance somewhere that says, “here’s Ian’s record.” And the relationship between that Gmail account and the active directory instance that the corporation—there’s not a strong relationship there right—they’re distinct and they’re separate.
Ian: But I’m wondering, because we now have this device that sits in our pocket and we can open the phone with fingerprint biometrics or facial recognition, or we throw a pin code in there and that it has such good contextual sensors: it knows my location, it knows the ambient air temperature, humidity—I mean, there’s all sorts of things—I’m just wondering if we get to a point where from a standards perspective, we can have enough trust in that device in our pocket where we can say, “Well, we actually don’t need a centralized management or store of corporate identity, we can just leverage the fact that everybody has these devices in their pocket.” Because so far, it does seem that most standards are still assuming that there’s going to be a corporate master record somewhere, and I’m wondering if we’re going to change that at all.
Joni: Yeah, I think that maybe coming back to the trends that we were talking about—it’s coming back to what I think we’re going to see in the next in the time ahead, around this space. And so, when we’re looking into the crystal ball about where the space may move forward, one of the things that I really believe is that we’re going to be focusing more and more on data, the integrity of data, and who has access to data, and for which purpose. And so I would say that this point around standards being developed for a particular directory or for a particular database—I think that that’s going to shift. And so what I mean by that in terms of “access to data,” we have to look at what question is being asked—for that authentication or for security around that transaction—and so I do think that the shift that we’re going to see—the concept of having one active directory or massive database for users. I think what we’re going to see more and more is reliance on particular data or sets of data that basically create this reputation or these “trust anchors” to be able to verify a person. So I think what you’re talking about in terms of looking at it from a directory-based versus an ecosystem of data—I do believe that’s where the ecosystem is moving toward the ecosystem of data—we’re not quite there yet. And so one of the things that we have to always keep in mind is that, very rarely is there a flick of the switch in terms of how systems move, how networks take shape or take effect or their adoption. And so some of this does take time. And there are still people using passcodes today—for the phone, some people are using the finger identification some are using face identification and so we do see a myriad ways of achieving authentication—third-party authenticator keys as well. So I think that part of this classification—this move towards data strategy, whether that’s for Canada or globally, I think a data strategy and classification of kinds of data and understanding which kinds of data need to be verified for which kinds of transactions—that’s the kind of flexibility that we already have in the physical world.
When we’re looking into the crystal ball about where the space may move forward, one of the things that I really believe is that we’re going to be focusing more and more on data, the integrity of data, and who has access to data, and for which purpose.”—Joni
Joni: And so, if the question is, “Are you a student?” well we’re going to the authoritative source actually, to make an assertion that you are a student, if the question is, “Are you a resident of British Columbia?” then we’ll go to the authoritative source of that data. So, rather than having a massive database, where the ecosystem is moving is to the ability to have trust or confidence in a particular piece of data in the way that it was created and then the way that it’s issued, so that we can get an ecosystem of verification of data versus, creating monolithic databases for identity management—for identity and access management.
Ian: Yup, makes sense. Shifting gears a little bit, what are you proud of that you never have an excuse to talk about?
Joni: What am I proud of that I never have an excuse to talk about? That’s a fun question! I’m an immigrant to Canada—I’m pretty proud of that. But I probably say that every chance that I get, cause I feel very lucky to have been able to come to Canada and work on something that’s so very important for our digital today and our digital future. But something that I don’t talk about is that I used to be an emergency medical technician. And my job used to be to climb into the windows of crashed cars, and stabilize people who were hurt and have the jaws of life cut the cars open so that we could get people medical attention that they needed. So I was pretty proud to play that role for a number of years.
Joni: I’m a very service-oriented person. I think anytime we can help make people’s lives better or help people who are in need, whether that’s an emergency, like being an EMT and being part of a first aid squad, or whether that’s the long game of helping us to truly become a digital Canada—I’m proud to be of service, I’m proud to help trying to help people’s lives improve.
Ian: That is amazing! You know, one of the things that I see quite a lot about, especially on Twitter, is stress and cybersecurity. Given your background with emergency situations, what advice do you have for people to de-stress in an otherwise stressful situation?
I feel very lucky to have been able to come to Canada and work on something that’s so very important for our digital today and our digital future.”—Joni
Joni: Yeah. I think that’s such an important question but I think, dealing with stress with something that we all have to focus on and really prioritize because we have to be at our best, to help contribute to whatever our mission is and what we’re trying to do.
Joni: So in terms of, dealing with stress, I think that, taking a step back, remaining calm, I think, even looking at the first aid kind of topic, the first thing that we would do is survey the scene, and then decide what we needed to do next. And so I think being able to take a step back from the stress or from the emotion surveys, surveying the scene, understand what the landscape looks like and hopefully why it looks that way, then planning your next steps from there. I think it’s always good to really remain calm, and, then a little further how to do that. I do think, some, some good exercise, meditation, enjoy some art, enjoy some music—I do think we have to contribute to our own wellbeing. And, there are different ways people like to do that—eat the food, cook a good dinner. So I think there are lots of ways that people can do that—they need to decide what’s right for them. But, you know, take care of yourself, invest in yourself, and when that emergency does arise because it will—breathe, remain calm, take a step back and look at the situation and then determine your next steps, with some trusted advisors and just keep, keep marching forward from there.
Ian: Where can people find out more about DIACC and the Pan-Canadian Trust framework the things that you’re working on? How can you support?
Joni: Yeah. Thanks so much. People can find out more about DIACC at DIACC.ca You can find out more about the Pan-Canadian trust framework, which is a one of a kind framework bringing together the public and the private sector to solve these identity challenges and opportunities that we talked about. We are a member-driven organization, so we encourage all kinds of organizations of all sizes—whether they are Canadian or international—the work that we’re doing is meant to have global influence and global impact. So, anyone organization who would like to get involved or would like to collaborate with us, just please reach out to us.
Joni: We’re also on Twitter at my @MYDIACC and we’re on LinkedIn and all the other platforms—so get in touch! We love to communicate and we love to collaborate, so we’d love to hear from you.
Ian: Awesome. Joni thank you so much.
Joni: Thank you so much, Ian. It’s been a real pleasure and thanks so much for all of your contributions and what you guys are doing at Plurilock. We’re really proud to collaborate with you. ■