[00:00:00] Tom Field: Hi, I'm Tom Field, Senior Vice President of Editorial with Information Security Media Group. I'm talking today about the evolution of identity security. Really privileged to welcome to the studio Jeremy Grant, managing director with Venable LLP. Jeremy, very good to see you.

[00:00:17] Jeremy Grant: Hey, great seeing you. Thanks for taking the time today.

[00:00:20] Tom Field: So Jeremy, it's been five years now, which actually surprised me, since you stepped down from the National Strategy for Trusted Identities in Cyberspace, or NSTIC. I'm going to ask you the Ronald Reagan question. Are our digital identities more secure today, better off today, than they were five years ago?

[00:00:38] Jeremy Grant: So I'll give you a mixed answer and say yes and no. I think one of the trends I've been talking about in the last couple of years is, when I look at where we are today relative to where things were back in 2015, I'd say we're more secure in the authentication space, and that authentication is getting easier. We're sort of on the cusp of the post-password world. But where we aren't as secure is in the identity proofing space, where that's getting much harder.
And you know, on the authentication side, I think there's some great progress happening, with things like ubiquitous embrace from all the big platform providers of new standards like the FIDO standards. We're seeing some interesting tools like behavior analytics coming in to augment some of those certificate-based tools like FIDO, to do continuous authentication. Not to say we still don't have plenty of breaches every year just because people are phishing passwords. But we've at least got the tools and the standards in place to start to address that problem, and we're starting to get widespread adoption. The identity proofing side, on the other hand, that's where we've really got some work to do.

[00:01:46] Tom Field: Jeremy, we hear an awful lot today about passwordless authentication, and at the time that you stepped down from NSTIC, you were quoted as saying that we were near a tipping point for password replacement. Have we progressed there?

[00:02:02] Jeremy Grant: I think quite well. You know, to the point I was making earlier, things really are getting better with authentication. And to me, something that was a landmark event, just about four months ago, was when Apple announced that they were joining the FIDO Alliance and taking a seat on the board.
So you know, FIDO, for those who aren't familiar, it's a way to basically do a lightweight version of PKI, you know, using public key cryptography, which has always been the strongest kind of authentication we've had from a security standpoint, but it's also been, in many cases, one of the most cumbersome and complicated. And FIDO, you know, is sort of PK without the I: it takes the best elements of it from a security standpoint, but bundles it in a way that's easier to use. So the use case for a lot of people these days is, you know, I mentioned Apple: with my iPhone, I can have true multi-factor authentication, where the first step is to unlock the phone with Face ID, and then the second step is that unlocks a cryptographic key, a private key, that can log me in behind the scenes. With Apple, Microsoft and Google there, along with other major companies like Amazon and Facebook, you basically have all the major platform and cloud providers, everybody who's making an operating system, everybody who's making a browser, all at the table and building in FIDO support. And what that means for any service provider that's out there is you don't need passwords anymore.
More than a billion Android devices are FIDO certified authenticators. If you're on a Windows 10 device and you're using Windows Hello, FIDO is built in there; Windows Hello devices are FIDO certified. And so not to say that we've gotten to ubiquitous adoption yet. But the flip side is, if you're a service provider watching this, you should take a look at what's available today, because the ability to deploy FIDO, now that you have this cross-platform, cross-operating-system support, is really light years ahead of where it was, say, just 24 months ago.

[00:03:58] Tom Field: Coincidentally or not, after Apple joined the board of FIDO, we sent everybody home with the advent of COVID-19. We did digital transformation pretty much over a weekend. And since then, that's put a sharper spotlight on identity security. Once we've changed the boundaries of the perimeter, where would you say we are weakest with identity today, with this huge remote workforce?

[00:04:26] Jeremy Grant: Well, I'll say, look, we've still got plenty of problems in authentication. I mean, the number of companies who just sent everybody home and had them log in with nothing but a password. Well, guess what, you know, the bad guys were looking at that and said, we can do some things here.
And, you know, not coincidentally, if you look at the recent earnings statements from some of the companies that do multi-factor authentication that are publicly traded, they all had some pretty good quarters, which was, you know, both good to see, in terms of it meant that plenty of people were scrambling to get that extra layer of protection, but, you know, a little disappointing that it took something like this for them to actually get serious about it. And so I think, you know, there's certainly a lot of vulnerabilities there. And, you know, when it comes to telework guidance, there's just a lot more attack surface that's out there right now, I think, with people being home. But where we're really seeing issues, you know, getting back to what I mentioned before about how hard identity proofing is becoming, is, you know, it's really hard to figure out who's a dog on the internet. You know, in June, I think it'll be 27 years since 1993, when Peter Steiner's famous cartoon was first published, where the dog's on the computer and says to his friend, hey, on the internet, nobody knows you're a dog. 27 years is a long time. Those dogs are dead now, because dog years, and their kids are probably gone too.
But the problem's actually with us more than ever. And in fact, it's been getting worse than that. You know, in 1993, it was good for a few jokes about what it was like going online in the early days. Today, it's been actively working against us, in terms of people impersonating identities online to commit crimes, or seeing nation states look to weaponize anonymity through social media against us to interfere in our democracy. You know, the challenges are pretty significant. I think one thing we've seen with identity proofing and COVID is, you know, there's a lot of transactions that historically haven't been online, because the risk model is such that if you can't figure out who's on the other end of the transaction, you have to come in in person. You know, certain bank loans or, you know, government transactions certainly stand out there. Well, now in person is verboten. So what do you do? Well, from the government's perspective, you know, the White House put out a policy memo in the middle of March basically telling the sub-agencies to suspend citizen-facing services that required in-person appearances. Their take was, look, if you don't have a way to figure out who's who online, if you can't deliver it remotely, we're not going to do this.
Certainly some of the banks and other, you know, service providers I work with have all been working overdrive to try to pivot to support more robust identity proofing. And, you know, a challenge there is that the tools we have today just aren't good enough. You know, we've generally outsourced a lot of the way we do remote identity proofing to companies like the credit bureaus, using knowledge-based authentication, knowledge-based verification. You know, it's stuff that worked for a while, but the attackers have caught up with it. And I think we're, you know, seeing a lot of people scrambling now to try and figure out, how do we get to something better? And, you know, do we have the technology or the tools today to do that? And are there other things that the industry can do to solve it on its own, or does government need to help?

[00:07:42] Tom Field: Jeremy, I read the piece you wrote about the weaponization of dogs on the internet. Good piece. And one of the things that jumped out at me was how seriously the US lags behind other countries in addressing digital identity challenges. Why are we in such a deficit here?

[00:07:59] Jeremy Grant: Well, let me talk just about the lag first, and then I'll get into where I think the issue is. So, you know, the lag.
You know, look, I talked before about the partial government shutdown. I think everybody's seen the articles around the government's struggles to try and get, you know, $2 trillion in aid dispersed quickly to people. In many cases, you know, you had to log into a portal to try and prove you were you, and the identity proofing elements weren't exactly great, which, again, has opened things up to the fraudsters. You know, there was a contrast to this in Europe. The European Commission published something at the end of March more or less boasting, I don't think boasting is the word they would use to describe it, but pointing out that because of the investments that they've made in electronic identity, and the eIDAS program, which ensures interoperability of different eID systems between all their member states, government was working pretty seamlessly, and they said, hey, this is another way we can help support social distancing. So, you know, whether it's investments in Europe or the UK, Canada, Australia, a lot of our peers are, you know, just focusing on this more than we have been. And I think, you know, the biggest issue at a high level is just the level of investment that you've seen in this.
So, you know, you mentioned at the beginning, I used to run the NSTIC program for the Obama administration. You know, that was a program that, you know, invested about $16 million a year in trying to catalyze an identity ecosystem, which I don't want to say was an insignificant budget, because I think we did some good things with it. But when you look at the hundreds of millions of dollars that some of our peers have actually invested in digital identity infrastructure, it's kind of a pittance. And I think, you know, where we're at now is a point that, look, industry is doing a lot. It's not as if companies have stopped doing business. In fact, they're buying a lot of products that are out there. But even the companies that are making the products say, we could do this better if the government also played a role. At the end of the day, the government's the only authoritative source of identity in the country. And by the way, I don't just mean the federal government; state and local all play a role. But everything that they're doing is stuck in the paper and plastic world. And if there's not a way to address that gap, we're going to be struggling for a while.

[00:10:10] Tom Field: Jeremy, you've got the Better Identity Coalition background right there.
We know you're active there. Tell me about your work with the Better Identity Coalition. What are some of your fundamental recommendations to address secure identity?

[00:10:23] Jeremy Grant: Sure, thanks for the question. And it was a convenient Zoom background I had on from my last call. The actual office I'm in, it's just, it's good we have a background. But so the coalition was a group that started a little bit by accident a couple of years ago, and I say by accident in that it wasn't something I was looking to pull together. But after the Equifax breach, I started getting a lot of calls from people in both industry and government saying, what do we do now? Focusing both on the fact that so many Social Security numbers were compromised, and also the broader issue that I mentioned: we're dependent on companies like Equifax for knowledge-based solutions for identity proofing, and we're seeing the attackers catch up with that. And so a lot of questions were raised. There were also some policy proposals that emerged at the time, things like let's replace the SSN with something entirely new, or let's ban, you know, data brokers and credit bureaus from using it. That sounded really good given the headlines, but probably would have made things worse.
And so the coalition was formed when, you know, after we talked to a dozen different companies as well as folks on Capitol Hill and, you know, the executive branch on this, we got a bunch of companies together to talk about this, about two months after the breach. And what came out of it was the view: government needs to do something here. We're seeing some proposals come out, like replacing the SSN, that are sort of the first version of the policies, but the policies could be a little bit better. Why not actually form a new group, bringing some leading companies together from different sectors like banking and payments, fintech, healthcare, security, telecom, technology, and come up with what became our policy blueprint that we published, there on the Zoom background, very transparent, so you can see. Anyways, it's a great document. You can find it on our website at betteridentity.org. But it's about 40 pages. It basically lays out an agenda for what government should look to do here that actually would be constructive. And, you know, for something that started as a six-month project with about a dozen companies, we're up to about two dozen members now.
We've had really good bipartisan support from both sides, from Democrats and Republicans in both, you know, Congress and the administration, for some of our recommendations. And so it's been, I think, a good guidepost for both industry and government to rally around as they figure out what the role should look like going forward.

[00:12:44] Tom Field: And you've got just a handful of fundamental recommendations. It starts with creating a standard, right?

[00:12:50] Jeremy Grant: Well, standards are part of it. So we think this has more work to do here. You know, part of it gets back to the point I mentioned before, that if we're going to solve this, government is going to need to get in the game, that government's the only authoritative issuer of identity. And so then, you know, when you sort of accept that, everything that industry is doing, and as I mentioned, we've got a lot of vendors who are making, you know, some of the next generation ID proofing products, things that you can use, like, you know, selfie matching, and, you know, take a photo of your driver's license to try and match, to get beyond just some of the knowledge-based solutions.
Everybody recognizes that no matter how much you innovate, because government's the only authoritative issuer, government still has to play some sort of a role. So then the question is, how do we do that in a way that's not a mess for security and privacy? Because I think we've all seen the movies of how we do this badly. And so the answer there is really to flip some of the concerns about, you know, government playing a role on their head. So we're not calling for some new national identity card or a digital version of it. In fact, one of the points we make in the paper is we already have a number of nationally recognized authoritative identity systems, via driver's licenses, passports, the Social Security number, at least as an identifier. They're all stuck in the paper and plastic world. And so the way to, you know, do things digitally is to set up a system where you or I, or any of us watching this, can ask the government to vouch for us when we're looking to do something online where we need to set up an account the first time and prove identity. And so you're setting that up in a way where, look, this isn't the government sharing your data or selling it without your consent.
This is me proactively going to government and saying, I'm trying to do this thing over here. They don't know who I am. They want me to come in. If you know who I am, can you vouch for me? And that has gotten, I think, pretty good, you know, consensus from folks on the right and left that this is a sensible thing to do going forward. So we think that's really at the core of it, you know, what I would call government validation services for identity, where they're not sharing your data, but could give a yes or no answer to say, hey, there really is a Tom Field with a particular SSN and date of birth in our records. And, you know, in fact, SSA is about to stand up a service like that next month, based in some part on some of the ideas we've put forward. And so we're, you know, we've got an embrace, as other agencies at both the federal and state level are looking at that as well. We do think standards are needed there, in that there's a lot of bad ways you could do it, as I mentioned before. And so we've called on NIST to spend a little bit of time coming up with a framework or a playbook that would lay out not only the technical side, how do you build these things in a way that they're all interoperable?
But, you know, what are some of the other practices you put in place in terms of how you craft user agreements? And what are the privacy rules? And where does data go downstream, and things like that? We think they play a role. Some of the other recommendations are focused on rethinking the way that we use the Social Security number. You know, back in 2017, after the Equifax breach, when people were saying we should replace it, my first, you know, question was, replace what? Because it's two things. It's an identifier, so I'm sure there's, you know, a few thousand Tom Fields in the US, but only one has your Social Security number, hopefully. And, you know, identifiers are useful, but we, society, need them for exactly that purpose, so that if you're trying to interact with a bank or government agency or health insurer, they can figure out who's who. And they don't have to be secret. In fact, in a lot of countries, they're not. I've pointed out, you know, my phone number, my email, my Twitter handle, those are all identifiers. But knowing them doesn't mean you can do anything with them.
It is just a way to figure out which Jeremy is Jeremy. Where we've really gone south with use of the Social Security number is pretending that they're secrets, and pretending that they could be kept secret, and using it as an authenticator. So, you know, if your bank says, you know, what's the last four of your Social, in 2020, the only logical answer is, don't you realize that the Russians know it, the Chinese know it, there's about 47 well-organized criminal gangs that have it, and then the 15-year-old hacker can go on the dark web and get it for 78 cents. Why are we pretending that it's a secret? This idea that we could have this number we keep locked up, but you have to give it out eight to 10 times a year because of living. We were always sort of destined to end up here. So let's come to grips with the fact that we should treat it like a publicly available number, stop building systems that ascribe any security value whatsoever to the SSN, but recognize you need some identifier that's out there. And coming up with a new one would probably involve spending tens of billions of dollars, confusing hundreds of billions of people, and you'd still have the same security issues with the old one. We also focus on a few other issues. Since you can't use the SSN for authentication,
and we know passwords are useless, how do we promote stronger authentication, things like FIDO, behavior analytics? We talked a lot about international coordination, asking the US government to work abroad with other countries on common frameworks and standards. We focus a lot on consumer and business education as well.

[00:17:53] Tom Field: Jeremy, I'm encouraged that even though we're in this pandemic crisis, we're seeing investments in companies about identity. I'm thinking Jim Clark and Tom Jermoluk standing up Beyond Identity with significant investment. What are the identity security technologies that encouraged you in 2020?

[00:18:11] Jeremy Grant: Well, I'd say on the authentication side, I talked about FIDO quite a bit, and I'm really bullish there. I mean, not only because I think the technology is good, but when you start looking at how you handle solving these problems, it can't be any one company that does it. It's really got to be the whole ecosystem. And so when you look at the FIDO board, it's everything from the chip makers and the banks, the payment companies, the health insurers, the big platform companies like we talked about before, and the security vendors, all working together. I mean, there's really nobody who you'd want to see there who's not there.
And so when you, you know, not only

351
00:18:46.740 --> 00:18:49.710
identify good, secure technology, but a standard that

352
00:18:49.710 --> 00:18:53.460
everybody rallies around. You know, there's a lot

353
00:18:53.460 --> 00:18:57.270
happening there. I posted a tweet, it was about six weeks

354
00:18:57.270 --> 00:19:01.560
ago, I was setting up a new Windows laptop we'd bought, and

355
00:19:01.560 --> 00:19:05.100
I was signing into my Gmail account for the first time. And

356
00:19:05.160 --> 00:19:07.890
I thought I have to go get my YubiKey. So I usually use my

357
00:19:07.890 --> 00:19:11.160
FIDO security key to log in. But I have this iPhone in my pocket,

358
00:19:11.850 --> 00:19:16.770
because I've gotten it set up before. Thanks to the FIDO

359
00:19:16.770 --> 00:19:19.440
standards, this new laptop, maybe, you know, using a

360
00:19:19.440 --> 00:19:23.220
Microsoft operating system over, you know, Bluetooth was able to

361
00:19:23.220 --> 00:19:25.770
tell that this thing was here, which is now basically the

362
00:19:25.770 --> 00:19:28.590
equivalent of FIDO security, and the whole thing was half a second.

363
00:19:28.830 --> 00:19:31.650
So people wouldn't know what had happened. But it was an Apple

364
00:19:31.650 --> 00:19:34.530
device dealing with a Google browser and a Windows machine,

365
00:19:35.280 --> 00:19:37.530
all with two factor instantly. That's, you know, really

366
00:19:37.530 --> 00:19:37.980
exciting.

367
00:19:39.420 --> 00:19:40.020
years ago,

368
00:19:41.070 --> 00:19:44.310
it's the power of standards that six months ago, you couldn't

369
00:19:44.310 --> 00:19:46.290
have done it. But this is what I'm talking about with how the

370
00:19:46.290 --> 00:19:49.380
ecosystem grew.
And also on the authentication side, lots of

371
00:19:49.380 --> 00:19:51.660
interesting tools with behavior analytics that will look at

372
00:19:51.660 --> 00:19:53.550
stuff sort of in terms of how you're interacting with the

373
00:19:53.550 --> 00:19:57.060
device behind the scenes. On the identity proofing side, you

374
00:19:57.060 --> 00:19:59.280
know, in addition to some of the government services that we're

375
00:19:59.280 --> 00:20:03.870
working to see, you know, I am encouraged by, you know,

376
00:20:03.870 --> 00:20:06.570
companies that are looking at shifting from what I would say

377
00:20:06.570 --> 00:20:09.630
is knowledge based to possession based, you know, tools for

378
00:20:09.810 --> 00:20:12.690
remote identity proofing. So I mentioned before, there's a

379
00:20:12.690 --> 00:20:14.850
bunch of different companies that are out there, a couple are

380
00:20:14.850 --> 00:20:18.660
in a coalition, where you know, you'll take a picture of your

381
00:20:18.690 --> 00:20:20.910
driver's license or passport, they use machine

382
00:20:20.910 --> 00:20:24.720
learning to see if it's real or not. And then you might take a

383
00:20:24.720 --> 00:20:27.450
selfie, and they'll try and do a face comparison between that and

384
00:20:27.450 --> 00:20:32.190
the image on the ID. That's pretty interesting. I'll say the

385
00:20:32.190 --> 00:20:35.040
performance is all over the place on that. And in fact,

386
00:20:35.070 --> 00:20:37.650
separate from its authentication work, FIDO Alliance just

387
00:20:37.650 --> 00:20:40.740
launched a new ID verification workgroup that's trying to come

388
00:20:40.740 --> 00:20:43.620
up with some performance criteria and an independent

389
00:20:43.620 --> 00:20:46.080
certification program for those tools that should be

390
00:20:46.080 --> 00:20:49.170
out in about a year.
You know, but those are good things that

391
00:20:49.170 --> 00:20:51.870
are out there that I think are augmenting some of the legacy

392
00:20:51.870 --> 00:20:55.830
tools we have today. And, you know, certainly, you know, sort

393
00:20:55.830 --> 00:20:58.050
of the government doing some of the things that I think in the

394
00:20:58.050 --> 00:21:00.570
coalition thinks they should do. They're definitely better tools

395
00:21:00.570 --> 00:21:03.420
that are out there than you might have seen 24 months ago.

396
00:21:04.410 --> 00:21:07.740
Jeremy, as we look ahead to the next year and we try to get our

397
00:21:07.770 --> 00:21:10.590
arms around what the workforce is going to look like. I think

398
00:21:10.590 --> 00:21:13.200
there's some acceptance it's not going to be completely

399
00:21:13.200 --> 00:21:16.020
remote, but it's not going to be completely on premise as well.

400
00:21:16.590 --> 00:21:19.980
What are some of the trends that we should be watching or even

401
00:21:19.980 --> 00:21:23.340
influencing, regarding secure identity with this new hybrid

402
00:21:23.340 --> 00:21:24.030
workforce?

403
00:21:25.020 --> 00:21:28.500
Well, I think you put a finger on it, in that, you

404
00:21:28.500 --> 00:21:31.320
know, nothing is going to be quite what it was. You know,

405
00:21:31.320 --> 00:21:34.980
there's plenty of companies that in the past have been set

406
00:21:34.980 --> 00:21:37.500
up to support sort of a work anywhere approach. So I

407
00:21:37.500 --> 00:21:39.780
mean, look, I'm sitting here on my laptop that I would bring

408
00:21:39.780 --> 00:21:42.780
back and forth between the office every day. Now I don't go

409
00:21:42.780 --> 00:21:45.030
so many places, but it was set up in a way that I could be

410
00:21:45.030 --> 00:21:48.030
secure at home or secure in the office. And I think that model

411
00:21:48.030 --> 00:21:50.460
is gonna, you know, gonna have to be where we're at going forward.
412
00:21:51.540 --> 00:21:54.240
You know, I do think some of the zero trust architectures, I

413
00:21:54.240 --> 00:21:57.570
think, are going to become more important. Not to just, you know,

414
00:21:57.720 --> 00:22:02.400
bite hard on that buzzword, but you know, when you look at the

415
00:22:02.400 --> 00:22:05.550
model that you get to, you know, with that, that's really focused

416
00:22:05.550 --> 00:22:09.270
a lot on device authentication and device security, device

417
00:22:09.270 --> 00:22:13.860
health, combined with a strong personal authentication device,

418
00:22:13.860 --> 00:22:16.800
you know, like a FIDO security key or a built in authenticator,

419
00:22:17.160 --> 00:22:21.720
and then leveraging at a higher level, really fine grained

420
00:22:21.720 --> 00:22:24.360
identity authorization, you know, trying to figure out what

421
00:22:24.360 --> 00:22:27.540
are you allowed to do and not allowed to do? It's a much more

422
00:22:27.540 --> 00:22:31.560
lightweight model for security, that bundles, you know, really

423
00:22:31.560 --> 00:22:35.400
just a few key tools, but can lock out a lot of the most

424
00:22:35.400 --> 00:22:39.360
commonly executed attacks. And so, you know, I made a joke, you

425
00:22:39.360 --> 00:22:42.030
know, before the RSA Conference, when we actually could go to

426
00:22:42.030 --> 00:22:44.880
these things, you know, what was the over under on the number of

427
00:22:44.880 --> 00:22:48.330
companies, you know, claiming that they were zero trust on the

428
00:22:48.330 --> 00:22:52.470
floor. And, you know, I think that's probably going to

429
00:22:52.470 --> 00:22:57.840
continue from here because it's a logical model to evolve

430
00:22:57.840 --> 00:22:59.400
your security architecture.

431
00:23:00.000 --> 00:23:02.490
It's amazing how quickly though people went from talking about

432
00:23:02.490 --> 00:23:05.640
zero trust, to trying to actually practice it.
433
00:23:06.270 --> 00:23:08.580
Yeah, there are still like there's a few vendors out there

434
00:23:08.580 --> 00:23:11.190
claiming they have zero trust that I'm, like, a zero trust

435
00:23:11.190 --> 00:23:16.260
firewall, really? You know, but it's become a little overused,

436
00:23:16.260 --> 00:23:19.230
but I think the core concepts, you know, so much of it was

437
00:23:19.230 --> 00:23:22.590
pioneered with what Google did with the Encore project back,

438
00:23:22.590 --> 00:23:26.010
you know, around, you know, 2015, which was, you know,

439
00:23:26.010 --> 00:23:28.890
again, leveraging, you know, FIDO security keys like YubiKeys

440
00:23:28.890 --> 00:23:33.240
alongside, you know, mobile device management and, you know,

441
00:23:33.750 --> 00:23:35.520
basically, you know, strong, you know, certificates on the

442
00:23:35.520 --> 00:23:41.010
device. The building blocks are there. I do get skeptical

443
00:23:41.010 --> 00:23:43.410
when I see more people trying to layer complexity on it,

444
00:23:43.410 --> 00:23:46.710
I'm not sure all of it's needed, but it's definitely

445
00:23:46.710 --> 00:23:49.290
something that I think is here to stay and certainly with the

446
00:23:49.290 --> 00:23:51.360
new way we're working is going to become even more important.

447
00:23:51.930 --> 00:23:53.910
Jeremy, great to catch up. I appreciate your time and

448
00:23:53.910 --> 00:23:55.170
insights. Thanks so much.

449
00:23:55.650 --> 00:23:57.000
Thanks for the time today. Well,

450
00:23:57.450 --> 00:23:59.430
again, we've been talking about the evolution of identity

451
00:23:59.430 --> 00:24:02.340
security. I'm speaking with Jeremy Grant, managing director

452
00:24:02.340 --> 00:24:05.580
with Venable LLP. For Information Security Media

453
00:24:05.580 --> 00:24:08.160
Group, I'm Tom Field. Thanks so much for watching.