25 9 月, 2024

EP 62 – The Evolution of Identity

In this episode of the Trust Issues podcast, host David Puner sits down with Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA), a nonprofit that provides vendor-neutral guidance on identity-centric security strategies to help organizations reduce the risk of identity-related attacks. They explore the evolution of digital identity, discussing how it has transformed from simple identifiers to complex, multifaceted digital identities for both humans and machines. In today’s threat landscape, the number and types of identities, attack methods and environments have dramatically increased, making it more challenging to secure identities. Jeff discusses the challenges and efforts in creating sustainable, interoperable digital identity hubs for cross-border applications, the future of digital passports and the importance of encryption and multi-factor authentication (MFA) for securing sensitive data. The conversation also highlights the significance of thought leadership and maintaining a vendor-agnostic approach in identity security.

David Puner: [00:00:00] You’re listening to the Trust Issues Podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

Whether you’re a corporation or an individual working for a corporation, or somehow both, identity is pervasive in all aspects of our business and personal lives. Of course, attackers targeting identities aren’t new. What’s different in today’s threat landscape is the dramatic increase in the number and types of identities, attack methods, and environments.

There are tons of identities to secure. Blink, and there’s another ton. Today’s guest is deeply enmeshed in identity within the tech and security industries. He’s Jeff Rich, the executive director of the Identity Defined Security Alliance, the IDSA, a nonprofit that provides vendor-neutral guidance on identity-centric security strategies to help organizations reduce the risk of identity-related attacks.

Jeff and I discuss the evolution of identity, which has transformed from simple identifiers to complex, multifaceted digital identities, human and machine, and the importance of securing these identities. We also explore how identity affects compliance requirements, cross-border identity solutions, and overall security measures.

Nice guy, good talk. Here’s my conversation with Jeff Rich.

David Puner: [00:02:00] Jeff Rich, Executive Director of the Identity Defined Security Alliance, otherwise known as the IDSA. Welcome to Trust Issues. Thanks so much for coming on the podcast.

Jeff Reich: [00:02:11] David, thank you very much. It’s my pleasure to be here, and thanks for the invitation.

David Puner: [00:02:18] Really glad to have you. I know you’re about to set off for some traveling. We’re recording here at the beginning of September, so great to get some time with you before you go off on your journeys. And maybe we’ll talk about that a little bit later. But many of our listeners are likely familiar with the IDSA. To start things off, for those who do and for those who don’t know, what’s the IDSA, and what does your Executive Director role consist of?

Jeff Reich: [00:02:48] Well, thanks for the question. The IDSA’s mission is to raise the awareness of identity and raise the security of identity, and they can really be two different paths there. They end up merging. But the importance is for everyone to know, whether you’re a large corporation or not, or an individual consumer, that your identity now is used for everything. And as we get through this discussion, I bet we’ll have examples that people probably know but don’t think about.

David Puner: [00:03:19] Mm hmm.

Jeff Reich: [00:03:21] Where their identity is always part of what they do.

David Puner: [00:03:24] Identity is everywhere, that’s for sure. So, the identity-defined part of the IDSA name—the first two words, of course—to set the stage for this conversation, how do you define identity now, and how has that definition evolved over the years?

Jeff Reich: [00:03:42] So, that’s a complicated answer, because identity used to be—let’s just go back 80 years—identity meant one of two things, either what was on your birth certificate or your Social Security number. And even though, and I know anyone at the SSA is going to say, “No, Social Security number is not used for identity.” I’m sorry. Yes, it is.

David Puner: [00:04:05] Okay.

Jeff Reich: [00:04:06] So now that we’re past that, 80 years ago, that’s what identity meant. You also could have augmented that with: you’re in the army. 80 years ago, that was a distinct possibility. You could also say that you live in Iowa or you live in Florida. So, there were a couple of different components to it. But even back when it was simple, there were a lot of ways to augment that definition.

David Puner: [00:04:33] Mm hmm.

Jeff Reich: [00:04:34] Now, if you were to ask someone, “What is your identity?” they may say, “I identify as a male, and this is my name, and I’m also known as this. Oh, by the way, here’s my birth certificate and my Social Security number, or National Identity Number if you’re outside the U.S., and I’m a software developer, and I work remotely, and I live in an RV.” All of those end up being parts of components of your identity, which is why it’s a complicated answer and why everyone needs to recognize that now, everything you do, your identity is embedded within it, and you have to find a way to know what that is and to protect it.

David Puner: [00:05:19] Super broad and multifaceted, that’s for sure. So, I guess then to dig into something a little bit more specific, but where many elements of identity come into play, let’s go to cross-border. So, I understand you’re doing some work on or around cross-border identity. And I guess to start things off then, with cross-border, what is it that you’re doing with it?

Jeff Reich: [00:05:43] Well, there’s a couple of efforts going on. It starts with CD Hub, which is a sustainable, interoperable digital identity hub. It’s a community of organizations, mainly nonprofits and government organizations, but there’s a few others involved. And we have an effort underway to come up with the right use cases for cross-border identity applications. They’re not all technical.

We’ve had some events around different parts of the world. You mentioned I’m about to start traveling in the second week of September. I will have been at Identity Week, and the day before that, we’re having a CD Hub Summit. This is CD Hub Americas. We already had one in the EU, we had one in Africa, we have one coming up in Japan. Next year should be Brazil. And we’re getting input from each area to say, what are the important components for you? The foundation is, let’s come up with what does it take to have a verifiable identity online first.

David Puner: [00:06:55] Mm hmm.

Jeff Reich: [00:06:56] It’s more than just your ID and password, although that could certainly be a component of it.

David Puner: [00:07:02] So just to back it up for a moment then, when you’re talking about cross-border identity, are you talking in the context of travel, payments, other things, all of it? What’s the context of cross-border?

Jeff Reich: [00:07:13] Well, the easy answer is all of it. But once one jurisdiction—whether it’s a city, county, state, country—says, “Here’s how we’re going to manage our digital identities and secure them,” then they have to say, “That’s great. However, if I want to have the equivalent of a digital passport, a digital wallet, or a digital driver’s license, or a digital bank ID, when our citizen wants to go from country A to country B, one, will country B recognize it? Two, how will they recognize it? And three, how will they keep it secure?” Those are the use cases that we’re building on to say, “What’s it take to get there? And then let’s come up with a way to implement it.”

Although there are a lot of technical foundation questions around it, it’s more than a technical issue because it involves people. There are non-human identities too, but let’s save that discussion for now. People are involved, and they’re not simply numbers in a database, even though in many cases, that’s how it’s going to be represented.

David Puner: [00:08:00] Oh, so far so good. Keep it coming.

Jeff Reich: [00:08:02] Right now, if you do any international travel, chances are you have a passport or a passport card, if it’s in North America. You have a passport, and you feel pretty confident that unless you’re going to one of the countries that we don’t want to deal with—say Iran or Cuba, and even then you could find ways to do it—but for the most part, you go to any other country, and you can present your passport. You may need a visa in advance, which gives you permission to do what you intend to do while you’re there, but you still need a passport to identify yourself. It gets stamped and says, “Here’s when you entered this country.” And there should be a corresponding stamp that says, “Here’s when you exited,” depending on the length of your visa and how long you stay. That’s pretty intuitive for most people. A lot of people don’t recognize that happens because of a treaty that exists, that comes out of the United Nations, that says all countries should be able to accept all other countries’ passports. And here’s the standard that must be met. It can’t simply be a piece of paper with a hand-drawn picture and a signature. You know what the components of a passport are.

David Puner: [00:09:00] Mm hmm.

Jeff Reich: [00:09:01] And when you get your passport issued, the reason you have to go through the identification and authentication process, and the time it takes to do that from the government, is because they need to validate that it is really you, to the best of their ability, before they issue your passport. What we’re suggesting is if you take that process and were to digitize it, think about everything that happens right now when you mail in a picture or when you go give your fingerprint to someone. That doesn’t happen digitally. So, there have to be different ways of identifying and authenticating people so that they could have a digital wallet with verifiable digital identity components within.

David Puner: [00:09:45] So, are passports as we know them today, the physical, tangible passports, are they sufficient ID? I think I already probably know my answer there. What is the future of passports? Is establishing this new standard for a digital passport that will be recognized everywhere easy to get to? How long is that going to take, and what’s it going to look like?

Jeff Reich: [00:10:08] So, a passport now, I would consider it pretty reliable. I think we know what goes into it. At a minimum, you need to get it renewed every 10 years. That’s part of that treaty. They’re going to be around for a while. I doubt you’ll see the end of physical passports in my lifetime. Maybe some of the listeners may see it in theirs, but I probably won’t, and that’s okay.

The answer to how easy or how quickly can we get there—I did mention there was a national treaty involved in passports, right? So, if that’s the ultimate answer, we’re probably at least 10 years, if not more, away from that. However, that doesn’t mean that some components can’t exist. Many countries in Africa, many countries in the EU are already developing this because the EU has a digital identity directive that requires countries to keep digital identities of people and indicate what the standards are for their use and how they’re protected. So, that’s already underway. The EU, I would offer, with Australia pretty close behind, is leading the way in getting that done.

David Puner: [00:11:00] And that’s today? Or are we talking about the EU Digital Identity Wallet that’s supposed to roll out by the end of 2026?

Jeff Reich: [00:11:09] That’s going to be the 2026 one. And like everything, just like GDPR was, there will be a question of potential delay for enforcement. We will get there, though.

David Puner: [00:11:17] Mm hmm.

Jeff Reich: [00:11:18] And once that happens, I think you’ll see it, just like what happened with GDPR. You’ll see that start to spread to other areas because it’s a practice that makes sense. The reason it makes sense for the EU to start with this is a number of reasons, but I think a primary one is it wouldn’t happen in the United States because you can freely travel from one state to the other in the United States without even having identification. It would be a big effort in the U.S. to make it internal without having to put in new enforcement mechanisms that really aren’t necessary. But with the EU, there are distinct sovereign countries that may want to protect some levels of identity and entry and sovereignty around that. So, I think it’s a good place to start this off, and I think they’re smart for doing it.

David Puner: [00:12:00] It’s really interesting. I want to get back to the EU Digital Identity Wallet in a moment, but first, what human and technology components are needed to validate a person’s identity, and how is that data then stored and used securely?

Jeff Reich: [00:12:15] What it takes for identity and authentication to occur right now digitally is not very different than what it takes in person, except you need to find a way to digitize it and secure it. So, without question, encryption is going to be involved.

David Puner: [00:12:29] Mm hmm.

Jeff Reich: [00:12:30] There’s also very likely going to be multi-factor authentication required, at a minimum, before anyone can access it. And then there are going to have to be rules around, “If I’m managing the whole system, can I actually change anything in that database?” Now, technically, that’s always possible. Anytime someone says—and this is for people outside the security community, because those inside security know this—anytime someone says, “This is immutable, no one could ever change this data,” they’re either ignorant or lying because anything on a computer can be manipulated. Anything.

David Puner: [00:13:00] Right.

Jeff Reich: [00:13:01] That being said, putting in the right audit trails for, “Hey, something was changed,” or “I see the condition is different,” you can always at least identify when something was changed. But it’s going to be very important to determine how do we take the different components and different fields that we need, which may be at some point someone put in their fingerprints on a digital reader, or it could be that their birth certificate was scanned in and validated by a county clerk. Each jurisdiction can come up with its own ways to verify it and vet it. The key is going to be what components are we willing to accept, which ones do we not want to accept, and how do we protect all of them.

David Puner: [00:13:43] In your focus with the IDSA, and identity obviously being a very strong focus, as the name suggests, how much are you taking into consideration security when you’re looking at challenges like creating new digital passports and other projects like that?

Jeff Reich: [00:14:00] That’s very important. So, identity is our first name, but security is our third. So, it’s right in the middle and it’s very important. And keep in mind, being an alliance, we are a nonprofit made up of member organizations. The majority are identity and security vendors. And we have some partner memberships, organizations that may do consulting or recommendations but don’t sell their own security products or identity products. Then we have corporate members as well, and these are the users, the corporate consumers of all those identity and security products. We also have individual contributors who are not part of a vendor but certainly are either in this space, maybe an individual consultant, that sort of thing.

So, when you look at all of that involved, the security of what we’re doing for digital identity is vitally important. But from an IDSA perspective, that’s not all we do. Mainly what I’ve been talking about to this point is CD Hub, of which IDSA is a member. That community. Now, IDSA, as a nonprofit organization, focuses on raising the level of security, of identity awareness, and security awareness around it.

David Puner: [00:15:00] Mm hmm.

Jeff Reich: [00:15:01] So, we do things focusing on security, such as facilitating webinars from our members to say, “Here’s how we need to be able to secure what we’re doing with identity.” We also have a pretty large focus on identity and access management (IAM) so that organizations that say, “How do I get my arms around 50,000 employees having to access millions of different data components, and I can’t possibly even draw a mind map of how those are all connected?” There are a lot of tools that our members offer that can do it. Now, we’re not in the business of selling those tools on behalf of our members. However, we raise awareness of what the problem is, how severe it can be when you don’t address it, and what sort of practices you should follow to address it. So, it’s thought leadership, it’s vendor agnostic when we do this, both in our webinars. We also have blogs. We also amplify social posts on behalf of our members. So, there are a lot of different ways to get the word out from an IDSA perspective to say, “This is a big issue,” and in all honesty, even the ones that are doing it really well don’t quite have their arms around it yet.

David Puner: [00:16:00] So then, coming back to cross-border identity and all of the data and security involved in all the various components of any particular kind of transaction, how does a cross-border transaction—whether it’s travel or an online purchase—how does that make all of this more complicated than if you’re just making a simple transaction, again, either travel or an online purchase domestically here in the U.S.?

Jeff Reich: [00:16:28] Okay. So, I’ll start with the basics. If you were to walk into a store and buy something of relatively low value and gave $5 to the clerk, that’s about as simple as we can be for a transaction. And they don’t care who you are as long as the $5 is valid, and you’re not doing anything else to them. They don’t care who you are. All right? So, identity is not really important then, unless you’re buying alcohol, in which case, yeah, you need to show some identity.

Then we go to a simple online purchase. You want to go to my website because I sell widgets, and you want a widget, and you say, “I want one widget. It’s going to cost $10. Here’s my address, here’s my credit card number and information.” Even though people don’t think about it, you just gave your identity, which may or may not require an ID and password. My site may not require that. But you validated your identity with your credit card information. When I do a credit card authorization, it’s going to look for that name. So, if someone stole your credit card and they present themselves as you, they just got some free stuff.

David Puner: [00:18:00] Right.

Jeff Reich: [00:18:01] But, you know, I’m going to ask for the CSV on the back. By the way, that’s not how I would do it, but that’s how many websites do it. I’m going to ask for your number, your CSV, and I validate, “Yep, that’s David.” I’m going to let that happen. So, I’ve identified you. Once again, we’re going up in steps of complexity. Now, let’s say you want to buy something, and you’re a member of a large organization that has a service—I’m not going to get into a name—that has a service where when you subscribe to it, you get free shipping, and you get free videos, all those sorts of things.

David Puner: [00:18:41] That sounds great. Where can I get that?

Jeff Reich: [00:18:43] Yeah, wouldn’t it be great if someone came up with that?

David Puner: [00:18:45] Yeah.

Jeff Reich: [00:18:46] I think they can make a lot of money.

David Puner: [00:18:48] I think we just came up with a great idea. Let’s hit stop and start that up, get ourselves a URL.

Jeff Reich: [00:18:52] Yeah, they can make a lot of money doing that. But in any case, in order for that to work, you had to sign up first with an ID and a password. And in some cases, now they’re requiring a second factor of authentication, whether it’s an app on your phone that says, “I’m going to present you with a code. You have to enter what it is.” So, that will occur. There’s a level of authentication that’s higher there. But by doing that, once you leave and come back and authenticate yourself correctly, you don’t have to do that again when you buy something. And they already know your address, although you can change it, but all that’s stored for you. So, they’re keeping a lot of components of your identity. And you have an expectation that that’s going to be one, private, and two, secure, right? Well, it can’t be private if it isn’t secure, so maybe I should reverse the two of those. And whatever your expectation is, it’s actually guided by the privacy statement, which you very likely clicked through when you signed up and didn’t read. And I’m not accusing you, David. I’m sure you would have read it.

David Puner: [00:19:52] I’m a big reader. So, yes, I read them all.

Jeff Reich: [00:19:55] But a lot of people, most people, don’t. So, the level of control you have is mandated by that. That’s something people should be aware of. So, another level of heightened identity. Now I’m going to do something with the U.S. government. I’m going to pay my taxes. Now, you have to sign up with an ID and password, and you have to validate who you are. And they’re going to send a code to you, and you have to, in some cases, enter for the—if you’re doing it for the first time—what your previous tax payment was for the previous year to validate that you have that information and that it is you. Once again, another way to validate who you are, a heightened level of identity and validation for you to pay your taxes or do many things with the government.

Now, let’s hop over a border somewhere—whether it’s Canada, Mexico, wherever—because we have a treaty there that lowers the scrutiny level. It’s not quite as high as if you went to any other country in the world. Let’s say you’re going to buy something from England. The UK is going to not only have the same sort of level where you need to identify who you are with a password, maybe a multi-factor authentication, or something on your phone where they send you a code, but in addition to that, you have to have a credit card that’s going to be accepted there. They may use that as an additional identity. You’re going to have protection.

Let’s skip from the UK and go to Ireland instead because you’re going to have GDPR protecting you there. The equivalent exists in the EU, but I’m sticking with Ireland. GDPR is going to protect your information, and you have rights there that actually you don’t yet have in many states in the U.S., where you could say, “I’m no longer doing any transactions with you, and I’m requesting you to forget me,” which means that organization has to delete every record associated with you, except for the one record that says you requested to be forgotten. So, more identity, more protection to it.

But now, if you want to get something that’s only available in Ireland, they’re going to say, “Well, based on your IP address, it looks like you’re not here.” So, you try to say, “Oh sure, I’ll just get a VPN and I’ll get an Ireland IP address.” They’re still going to say, “What’s your address? Where are we going to ship this?” All components of identity, and what’s your credit card? All of that will tie you to either the U.S., where you are, or to Ireland.

David Puner: [00:23:00] So then, in this digitally interconnected world, where we can, in a moment, be wherever we want to be, just from behind a keyboard or a screen, what are the challenges or hurdles to coming up with a standardization or normalization of this kind of data so that other jurisdictions, specifically other countries, can accept and use this data?

David Puner: [00:25:00] Mm hmm.

Jeff Reich: [00:25:01] The same even if it was domestic, by the way, without cross-border, you should be able to do that and not have to worry about storing your password somewhere. It’s part of your payment method. It’s in your digital wallet. So, let’s expand that now to—you want to travel to Ireland.

David Puner: [00:25:18] Okay.

Jeff Reich: [00:25:19] Right now, I don’t think you’re going to need a visa for at least a couple weeks’ stay. I think it may actually be up to two months, but don’t quote me on that. So, you present yourself to the border agent, an immigration agent rather, in Ireland. You can just say—whether it’s a QR code or some better evolution of that—this is me. They scan it. That’s all they need to do. And they either let you in, or based on something they see or don’t see there, they’re going to say, “No, I’m sorry. You’re going to need to wait and either do an interview or we’ll get you on a plane back to the U.S.,” or whatever the answer is going to be. That’s all you should have to do to take a cross-border journey. But all of the work that’s going to get us there is everything we’re working on now. What components need to be there? How do they need to be validated? How often do they need to be refreshed? How are they stored? How are they presented? And how can one jurisdiction look at information from another jurisdiction without having to have that other jurisdiction’s software? There should be one singular way of saying, “I’m getting your digital identity, and I validate it, and I accept it.”

David Puner: [00:26:24] And is that something that you think is in our near future, or is that again something that’s way, way off?

Jeff Reich: [00:26:30] Um, it’s less than 50 years away.

David Puner: [00:26:32] Okay.

Jeff Reich: [00:26:33] I’d like to think it’s less than 25. Once you get to less than 10, my confidence level drops, although there may be some instances of it. But universally, it’s going to be closer to 50 than 10, in my opinion, only because it’s a matter of, “Let’s get the standards in place, let’s write the software, let’s figure out what security issues we’ve just created and fix them.” And eventually at some point, an organization like the UN is going to say, “Okay, let’s come up with a universal standard that says everyone that participates is going to operate in this manner and we’ll accept it.” And, you know, that may be 30 years away, but I do think it’s closer to 50 than 10.

David Puner: [00:27:14] Okay.

Jeff Reich: [00:27:15] By the way, David, I just have to say there are people in CD Hub right now, if they’re listening to this, who are throwing things at their computers, saying, “How dare you tell them it’ll be that long.” I’m just trying to be realistic.

David Puner: [00:27:30] All right. Well, to that point, with AI and Gen AI, does that sort of change potentially the timeframes of all this kind of stuff, depending on where it is in a year or two or three or four?

Jeff Reich: [00:27:42] Maybe, maybe a bit. First of all, Gen AI, even though it’s used a lot, it isn’t necessarily universally accepted as, “Yes, whatever comes out of Gen AI is something I’m going to live with.”

David Puner: [00:27:55] Right. Are you willing to say that?

Jeff Reich: [00:27:57] Not at this point. That’s for sure.

David Puner: [00:27:59] Okay.

Jeff Reich: [00:28:00] But how can it potentially expedite all of this?

David Puner: [00:28:03] So, you just answered your first question with, “Yeah, we’re not ready to depend on that yet.”

Jeff Reich: [00:28:07] I think the use of AI is certainly going to be a component of this. But it’s going to be a component of looking at behavior and seeing where the inconsistencies are rather than finding AI to say, “Yes, I’m identifying this person in advance.”

David Puner: [00:28:22] Okay.

Jeff Reich: [00:28:23] So, I’m going to give you an example of where it can work. There is an organization—happens to be a member company—that has software that’s in use in a few airports in the U.S. right now. And as long as I register through the airline that I’m using, I put in my driver’s license, I scan it, an image of it, and they validate it to my frequent flyer identification information with the airline. With all that information now, and then I think I actually, if I remember correctly, I took a picture with my phone.

David Puner: [00:28:52] Okay.

Jeff Reich: [00:28:53] To finish my registration. Now, if I’m flying, I’m flying Monday. I could say on Sunday, “Hey, here’s my flight number tomorrow,” and just type that into the application. I can walk up there. There’s a screen that will scan me, recognize my face, and say, “Authorized,” and I walk through. I never even have to touch anything or give anything to anyone to get in. I think you’re going to see technology like that start to happen more. There is AI behind it, certainly, to validate, observe, and validate behavior. It doesn’t validate my identity. So, it’s really ancillary.

David Puner: [00:29:30] So, what you’re talking about is also sort of an easier consumer experience as well. So, presumably, while the security standards are more stringent, you’re still dealing with a better consumer experience and an easier consumer experience.

Jeff Reich: [00:29:45] I’m so glad you said that. I’m a firm believer that the better the standards—which usually means harder—the less the friction. When you do it right, it’s easier to use. Where the friction comes in is where you’re starting out, you don’t have all the tools yet, you’re not sure what’s going to happen, and so even though there’s, “Oh, you can present this, and it’s fine,” but you still need to do this because we’re not quite certain it’s going to do everything you want. And now you’re actually creating more work for the consumer rather than helping them out. But when you do it right, you actually make it easier for the consumer. It’s a nice experience.

David Puner: [00:30:24] So, then, obviously a subject which we’ve already touched upon a little bit, but it relies a lot on ease of consumer experience for adoption and lack of friction, which I guess are probably one and the same. When it comes to payments and identity validation, where do things stand with the safety and security of payments and identity? And how does it differ with in-person and online payments?

Jeff Reich: [00:30:52] The challenge we have here with payments is that it involves money. And guess what crooks really like? They like money.

David Puner: [00:31:00] They like the money.

Jeff Reich: [00:31:01] Yes.

David Puner: [00:31:02] Sure do.

Jeff Reich: [00:31:03] And when it’s there and available, especially if it’s easy to get, they’ll try to do that. So, digital payments and the place that identity plays in payments—it’s important in a couple different ways. I’m going to talk about a couple of societal dependencies first because right now if you want to open a bank account—which you’re probably going to need to do in order to have digital payments—you’re going to need to identify yourself. See, we keep coming back to that, to the bank, to their satisfaction.

David Puner: [00:31:31] Right.

Jeff Reich: [00:31:32] So, let’s come up with a community of people, because there’s a measurable percentage of people right now that are refugees. They don’t have a country, they very likely don’t have identification—they may—but they don’t have an address. You know, their address might be tent number 47.

David Puner: [00:31:49] Mm hmm.

Jeff Reich: [00:31:50] And it’s a measurable percentage. It’s not just a couple of people. They want to establish themselves in their new country of refuge. How do they do that?

David Puner: [00:31:59] How do they do that?

Jeff Reich: [00:32:00] Yeah, right now, it’s a multi-month, if not multi-year process to vet and find out. We need to find someone that knows them in their country of origin. And unfortunately, all those people may have been killed.

David Puner: [00:32:13] Hmm.

Jeff Reich: [00:32:14] So how do you validate that this person isn’t a terrorist posing as someone else trying to get in? That’s a big challenge. So, another component of what we’re looking at in CD Hub—and IDSA is a strong supporter of this as well—is how do we deal with a refugee situation? And how can we come up with universal identification for two reasons? One, to validate that someone is who they say they are, and more importantly, once they want to establish in their new country of refuge, one of the first things they’re going to want to do is banking. How can they do that without even having an address? The one thing that most people still have, even in refugee status—although still not everyone— is a phone. A phone may not store the digital identity wallet—in some cases, you think it does now, like with, say, Google Pay or Apple Pay—that’s going to be there. But it’s going to be located somewhere else, and a phone is really the gateway to it.

David Puner: [00:33:00] Mm hmm.

Jeff Reich: [00:33:01] I look at that as—I’d like to see that before we get to passports or cross-border, only because of the problems associated with it. I would like to see that implemented where a refugee can say, “Here’s who I am,” and there’s a pretty easy way to validate that. And now, if they’re accepted as a refugee, you can speed up that process and get them established in a new life much more quickly. And that’s not a political statement. It’s simply a matter of, how can we make the best use of government resources when dealing with refugees?

David Puner: [00:33:29] That’s really interesting. And then, of course, it sort of, you know, goes back to what we were talking about a little bit earlier with the EU Digital Identity Wallet that will, of course, rely on an app within a phone. And through that app, it will rely on identity verification and authentication through credentials stored in that app. So, to you, what’s the significance of the EU Digital Identity Wallet specifically? We’ve already discussed more broadly, just sort of beyond that. And how are security and privacy fundamental to its adoption and ultimate success?

Jeff Reich: [00:34:00] Well, they’re key to its adoption and success. Without both, it will fail. Hands down, it will fail without both. So, when you look at the level of security that we have now over sensitive data, critical data—let’s use a government standard here, at least in the U.S.—because there’s sensitive information, and then there’s classified information. Let’s stay away from classified because as much as people want to say it should be treated the same way, it can’t be, because if your identity were classified, we could not find out who you were.

David Puner: [00:34:29] Okay.

Jeff Reich: [00:34:30] Unless you had a matching clearance and the need to know. So, that doesn’t work. But if we treat it as sensitive information appropriately and consistently, we’ll be able to demonstrate that you can have confidence that your digital identity and your digital wallet are not only safe and secure but usable whenever you need to use them. By the way, the example I used of a refugee—just to go back to that with a phone—that information can also be held on a chip, on a card, even if you don’t have a phone, and there can be a reader that says, “I’m going to access the information there.” But in all those cases, you should have a high level of confidence that, one, it’s going to be secure and people aren’t going to break into it and exfiltrate it or change it or use it against you. And more importantly, there needs to be a demonstration of resilience because there will be problems that happen, whether through human error, malicious attacks, or hardware failures—there’s a number of reasons. You work in security long enough and you realize the entire world is against you. Everything that can go wrong eventually does.

David Puner: [00:35:24] Mm hmm.

Jeff Reich: [00:35:25] And what’s most important is being able to be resilient to say, “Yes, I know something can happen, and here’s how I stem the tide of the problem, and here’s how I recover.” And I think the better governments can do that—this is a big challenge, and I issue that challenge to all governments—the more quickly we’ll be able to adopt a secure system that people can have confidence in and, I believe, can make the world a better place. And that’s the reason I do this. I know that sounds very altruistic, and I’m not trying to say I have a cape flowing behind me or anything like that. The world should be a better place. It should be a nicer place to live. And we shouldn’t have to focus on how much effort it takes for me to identify myself to you, and to the next person I talk to, and to the gate agent next week when I travel, and to the hotel when I check in. And I’m going to do all that. I’m not protesting it. That should be so much easier.

David Puner: [00:36:15] So then, speaking in super broad generalities, do governments generally want this to happen, or is there a lot of pushback?

Jeff Reich: [00:36:24] You know, from what I’ve heard so far, clearly the EU does. Of course. I mean, they put out a directive saying it must happen.

David Puner: [00:36:30] Yes.

Jeff Reich: [00:36:31] Other governments—I think—I haven’t heard of one that says, “No, this is dumb. I don’t want to do it. Take me back to 1955.” All right? I haven’t heard that yet. However, the challenge is going to be, how does it get done? So, is it going to get done in a way that, if I’m a member of a legislature, the only way I’m going to support getting it done is to have a company in my district get the business to build a program to do this. Otherwise, I’m not going to support it. And that’s politics, and we’re going to have to get past that. And unfortunately, I think that’s the largest roadblock between now and that, and being able to get the legislations and executive branches and all other forms of governments around the world to a level of competency in technology. Because that’s still fundamental. Most don’t have that right now. If I use the U.S. as an example, most members of Congress—not all—have little technical knowledge. And by technical knowledge, I mean, how do you turn something on and configure it for yourself?

David Puner: [00:37:30] Mm hmm.

Jeff Reich: [00:37:31] Now, I’m a digital immigrant, all right? I’m not a digital native. I grew up before that happened. For digital natives, that’s relatively straightforward. For digital immigrants, it’s a little more of a challenge. Then there are the people out on the island still that haven’t begun that trip—it’s difficult. Unfortunately, most members of Congress live on that island. They may have staff members that are digital natives who do something on their behalf, but it’s still not the people that pass the laws. So, I think there needs to be a level of competence with current technologies at a fundamental level. They shouldn’t have to ask, “How does Facebook work?”

David Puner: [00:38:11] Correct.

Jeff Reich: [00:38:12] That’s an example. And, you know, we’ve seen them ask that or make assumptions and be completely wrong. So, I think we need to get the majority of members of governments to at least that level so that they can get the level of confidence they need that this can work when done correctly. So, there’s a political component, and then there’s the education component.

David Puner: [00:38:31] Really interesting stuff. Jeff, you seem like a realist. I guess to understate it, or maybe it’s overstating it—who knows—you do seem like a realist. What makes you optimistic about the future of identity?

Jeff Reich: [00:38:45] Well, first of all, there are organizations like IDSA—and we’re still around—and CD Hub, Secure Identity Alliance, IDPro, and a whole bunch of others that focus on identity and say, “Let’s all go towards that focal point that says we have reached a point where we can have a level of confidence that identity is secure, reliable, and usable.” As long as those missions all coincide there, all are directed towards that, I feel very optimistic that we’re going to get there. It would be wonderful to say we can get there in two years, but I don’t see that. I think we’re going to take it a step at a time. I think five years from now, you’ll see a big improvement. I think ten years from now, if we could save this and play it in ten years, you’re going to say, “Wow, we’ve come so far from there.”

David Puner: [00:39:28] Mm hmm.

Jeff Reich: [00:39:29] There’s still a journey ahead of us. So, I feel good because as long as that progress is occurring, we’re doing the right thing.

David Puner: [00:39:36] So, as far as your next immediate steps go, this episode is most likely going to come out toward the end of September or the beginning of October. What’s next? What are your next steps? What does the IDSA have going on? What do you have going on? What are we going to see?

Jeff Reich: [00:39:55] So, IDSA has a couple of major things every year. Our showcase event is Identity Management Day. It’s always the second Tuesday of April. So, in 2025, it’ll be April 8th. What we started this year with it was expanding it from an eight-hour event to a 21-hour event. And it is Identity Management Day around the world. It starts in Australia, which covers the whole Asia and Oceania time zones. And there are about six or seven hours of presentations there. Now, last year in Australia, there was an in-person one as well as streaming it. Most of this is online, though.

David Puner: [00:40:30] Okay.

Jeff Reich: [00:40:31] And then after about a 45-minute break, we move to the EMEA section—Europe, Middle East, and Africa time zones—where there are presentations. And we had speakers from different parts of Europe and from Africa talking about what’s going on with identity and how we’re going to make it better. And then after another, actually close to a 15-minute break, the Americas start. That’s the traditional Identity Management Day as well. So, you’re seeing that expand. It’s going to be expanding more next year. So, I’m really looking forward to that. Now, you will start seeing some things about that in October. That’s when we officially start our planning for the April event.

David Puner: [00:41:00] Okay.

Jeff Reich: [00:41:01] The other major deliverable we have is our annual research paper, which focuses on the trends in digital identity security, which is exactly everything we’ve been talking about so far today. And just as an example, some of the things we see in that report—this is now the fifth year—are the gaps between what the CEOs think is happening in their organizations and what the CISOs think is happening in organizations. Up until a couple years ago, they were just nowhere close to each other.

David Puner: [00:41:32] Hmm.

Jeff Reich: [00:41:33] They’re still not next to each other yet, but they are getting a lot closer because, unfortunately, of the pain of data breaches, which involves identity. So, it’s helping that education process I was talking about. That research paper, by the way, we create a level of abstraction. We have an organization that does the surveys for us, so we don’t know who’s answering. All we get are the demographics about it. So, we can see what are CEOs saying, what are CISOs saying, what are security architects saying—whatever the different category is. So, that’s another major deliverable we have that we’ll have again next year.

And the third thing, in addition to blogs and social posts that we have, we host webinars—on average, a couple per month—that we facilitate but our members deliver. And that is a thought leadership session. It’s not marketing or sales for the vendor members, but it does allow them to say, “Here’s what’s important if you’re starting an identity management program. Here’s what’s important if you know nothing about identity.” We also have some that say, “Here’s what’s important when you’re really in the weeds, and you need to use some new tools to help refine it.” And we really like that. Our members like it, and we get a good response. We have over, I think, about 8,000 people that subscribe to our webinars. We’ve had over 1,000 people at past, and then 1,200 registered for Identity Management Day. So, it’s growing. The word’s getting out there. That helps me feel good about what we do. And that’s what we have going forward. There are clearly going to be a couple more events that we’ll probably participate in next year. But those are the big deliverables you see coming out of IDSA.

David Puner: [00:43:00] You’ve got a lot going on, that’s for sure. Is there anything from that paper that came out this year, one of the findings perhaps from, let’s say, the CISOs—like one big thing that totally caught you by surprise and has maybe shaped your focus a bit in the last months since the paper came out?

Jeff Reich: [00:43:17] There is one set of facts, and it’s CISOs and CEOs. This is why I mentioned that earlier. It’s gotten better, but last year’s report, the CISOs said, “We’re doing either a good or better-than-good job of securing identities.” They also said that about 92% of organizations suffered a breach with identity information and had negative consequences from it.

David Puner: [00:43:43] Right.

Jeff Reich: [00:43:44] So, something that I think is interesting that I challenge people on all the time, since I don’t know who actually answered the survey, is: how can most people say, “We’re doing a good or better-than-good job,” and at the same time, most people say, “We had a breach that actually caused a measurable negative impact on what we do”? I’m still trying to resolve that.

David Puner: [00:44:10] Really interesting stuff, Jeff. There’s obviously a lot that we can talk to you about, identity, moving forward. Hope to have you back on the podcast sometime in the near future. Wish you well with all your travels and endeavors, and thanks so much for coming on to Trust Issues.

Jeff Reich: [00:44:26] David, it was my pleasure. Thank you.

David Puner: [00:44:28] Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And let’s see… oh, oh yeah, drop us a line if you feel so inclined—questions, comments, suggestions, which come to think of it, are kind of like comments. Our email address is trustissues—all one word—@cyberark.com. See you next time.