This week saw the London edition of Infosec Europe – essentially a smaller version of the RSA Conference held a few weeks ago in San Francisco. There were about 15,000 attendees and 300+ solution providers from a range of cyber and information security areas. Of course my primary interest was to get briefings and understand the viewpoint from an identity and access management perspective, and to see how far the tentacles of identity are now spreading into other, orthogonal areas of security. It didn’t disappoint and I had some thought provoking conversations…
Employee Behaviour Management
I made the above term up (should I claim this as a new category?!), but there were numerous presentations (including a Keynote on Wednesday by the very knowledgeable Dr Maria Bada, who I had the good fortune to be taught by on a Cyber Crime Psychological Profiling module when I was at Royal Holloway’s Information Security Group) looking at end user behaviour analytics, awareness and incentives to shift end user norms. The people aspect of the people-process-technology triad gets the blame for many technology and process failures. Ah, “it’s the end user’s fault”. “The end user is stupid”. “The end user doesn’t know about security”. No, they don’t, and they often shouldn’t need to. Employees are paid to perform a function in a business workflow. If “security” gets in the way of them doing their job, the security control goes out the window. Employees are incentivised to complete and optimise specific tasks. It is about time solution providers (and the enterprise too) viewed employees and the end user as a key asset in the protection of information. They need awareness (and training too), but they also need appropriate ways to report incidents, to feel valued and to be in a position to share what they see and hear with the right teams at the right time. The end user really is the first, and is becoming the most valuable, “firewall” we have.
Immutable Tracking of The Who and The What
As identity professionals and practitioners, we’re also obsessed with the “who has access to what” (when, where and why are important too, but they often come later in the maturity curve). I had a good briefing by emerging vendor RKVST. Their strap-line is about having a “zero trust fabric”. The ZT band wagon we all know about, but the “fabric” aspect was interesting – it is essentially an immutable, blockchain based approach to describing the what (be it physical assets like nuclear waste) and the who (an end user in the digital or physical worlds) and, more importantly, the relations and actions between the two. RKVST are looking to reinforce existing visibility of what is becoming a very complex supply chain – from devices, their manufacturer, firmware installation and usage, through to users and their runtime activities – by providing an increased level of assurance and provenance. By creating an immutable record of the interactions, audit leaders and compliance teams can start to have increased assurance with regard to their asset ecosystem. Essentially this is left-shifting assurance even further up the supply chain: understand the provenance, then track it through the lifetime of the asset. Interesting stuff.
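To make the “immutable record of interactions” idea concrete, here is an added example (my own illustration, not RKVST’s code or data model) of the core mechanism behind such a ledger: an append-only, hash-chained log of who did what to which asset, with a verifier that detects any edit to an earlier event. The asset and actor identifiers are constructed sample values.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass
class ProvenanceEvent:
    """One recorded interaction between an actor (the who) and an asset (the what)."""
    asset_id: str
    actor: str
    action: str
    prev_hash: str  # digest of the preceding event; this is what links the chain
    digest: str = ""

    def compute_digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so an identical event
        # always produces an identical digest regardless of field order.
        payload = json.dumps(
            {"asset_id": self.asset_id, "actor": self.actor,
             "action": self.action, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class ProvenanceLedger:
    GENESIS = "0" * 64  # prev_hash of the very first event

    def __init__(self) -> None:
        self.events: list[ProvenanceEvent] = []

    def record(self, asset_id: str, actor: str, action: str) -> ProvenanceEvent:
        prev = self.events[-1].digest if self.events else self.GENESIS
        event = ProvenanceEvent(asset_id, actor, action, prev)
        event.digest = event.compute_digest()
        self.events.append(event)
        return event

    def verify(self) -> tuple[bool, int]:
        """Walk the chain from genesis. Returns (ok, index of first bad event or -1)."""
        prev = self.GENESIS
        for i, event in enumerate(self.events):
            if event.prev_hash != prev or event.compute_digest() != event.digest:
                return False, i
            prev = event.digest
        return True, -1

    def history(self, asset_id: str) -> list[tuple[str, str]]:
        """The (actor, action) trail for one asset, in recorded order."""
        return [(e.actor, e.action) for e in self.events if e.asset_id == asset_id]


def build_sample_ledger() -> ProvenanceLedger:
    # Constructed sample supply-chain events for one hypothetical device.
    ledger = ProvenanceLedger()
    ledger.record("device-0042", "manufacturer:acme", "manufactured")
    ledger.record("device-0042", "manufacturer:acme", "firmware 1.0.3 installed")
    ledger.record("device-0042", "user:alice", "deployed to site-7")
    ledger.record("device-0042", "user:bob", "firmware 1.1.0 installed")
    return ledger


def demonstrate_tamper() -> tuple[bool, bool, int]:
    """Edit an earlier event in place: the stored digest no longer matches."""
    ledger = build_sample_ledger()
    ok_before, _ = ledger.verify()
    ledger.events[2].actor = "user:mallory"
    ok_after, bad_index = ledger.verify()
    return ok_before, ok_after, bad_index


def demonstrate_rechain() -> tuple[bool, int]:
    """Edit an event AND recompute its digest: the next event's prev_hash now mismatches."""
    ledger = build_sample_ledger()
    event = ledger.events[2]
    event.actor = "user:mallory"
    event.digest = event.compute_digest()
    return ledger.verify()


if __name__ == "__main__":
    print("tamper in place:", demonstrate_tamper())
    print("tamper and rechain:", demonstrate_rechain())
```

The caveat a practitioner should keep in mind: a hash chain on its own only proves that nobody has changed history *since the head you are comparing against*. An attacker who can rewrite every later event can re-chain the whole log. The value of a shared or blockchain-backed ledger is that the chain head is witnessed by parties (manufacturer, operator, auditor) who do not trust each other, so silently rewriting it is no longer possible for any one of them.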
Identity for the Hybrid Cloud
I’ve been tracking the hybrid cloud for the last 2 years or so and we’re now at a point where the use cases are stabilising, deployments are becoming repeatable and I think vendors are starting to move away from the market education aspect of their pre-sales process into migration and deployment. A couple of vendors gave me mini-briefings, including Ermetic who wish to “Secure Your Cloud Identity First” with “Holistic protection for AWS, Azure and Google Cloud”. Many organisations are having to contend with multiple different Infrastructure as a Service providers, SaaS everywhere, and then on-premises or private cloud components too. Visibility becomes an issue. Credentials management becomes an issue, and all those environments are plagued with misconfiguration, not least over-broad entitlements granted to workloads and service accounts that nobody reviews again. Organisations like Ermetic (see Strata Identity and maybe even Valence Security too) are tackling this emerging set of use cases that combines CIEM (cloud infrastructure entitlements management) and CSPM (cloud security posture management). Hybrid cloud is not going away. It seems identity is again front and centre as the new perimeter in how to manage the increasing complexity.
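As an added illustration of the kind of check a CIEM tool runs (my own example, not Ermetic’s or any other vendor’s code), here is a small scanner over AWS IAM policy documents that flags Allow statements granting wildcard actions or resources, and notes whether a Condition block (for example an MFA requirement) gates the grant. The policy documents below are constructed samples, not real customer policies; the same idea generalises to Azure role definitions and GCP IAM bindings, but the format here is AWS only.

```python
from __future__ import annotations

import json

# Constructed sample IAM policy documents, keyed by a made-up principal name.
SAMPLE_POLICIES = {
    "ci-runner-admin": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        ],
    },
    "report-reader": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
        }],
    },
    "break-glass": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AdminWithMfa",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
    "bucket-owner": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*"},  # Deny never widens access
        ],
    },
}


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> list[dict]:
    """Return one finding per Allow statement that uses a wildcard action or resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        reasons = []
        if any(a == "*" for a in actions):
            reasons.append("all actions")
        elif any(a.endswith(":*") for a in actions):
            reasons.append("all actions for a service")
        if any(r == "*" for r in resources):
            reasons.append("all resources")
        if not reasons:
            continue

        # A Condition block (MFA, source IP, org ID, ...) narrows when the grant applies,
        # so an unconditioned full-admin statement is the worst case.
        gated = bool(stmt.get("Condition"))
        if "all actions" in reasons and "all resources" in reasons and not gated:
            severity = "high"
        else:
            severity = "medium"

        findings.append({
            "statement": idx,
            "sid": stmt.get("Sid"),
            "reasons": reasons,
            "condition_gated": gated,
            "severity": severity,
        })
    return findings


def summarise(policies: dict) -> dict[str, list[str]]:
    """Map each principal to the severities of its findings (empty list = clean)."""
    return {name: [f["severity"] for f in find_overbroad_statements(doc)]
            for name, doc in policies.items()}


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_POLICIES), indent=2))
```

A real CIEM product goes further than this static check: it correlates each entitlement with the activity actually seen in CloudTrail (or the equivalent on Azure and GCP) so that unused permissions can be removed, which is the “credentials management” problem above in practice.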
As ever in 2022, it was great to be back on the road at a conference and not behind a Zoom or Google Meet screen. The train strikes in the UK certainly had an impact, but thousands of attendees and some 50+ identity specialist vendors (out of about 300 in total) certainly made it a great conference.
Tune in to “The Week in Identity” podcast this week where we’ll discuss these topics in more detail.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.