Steve: Richard, it’s great to have this opportunity to sit down for a conversation and talk about modern identity with you. Not only do you have great taste in bow ties, you have quite a distinguished background in the identity world with a variety of roles, and most recently as Chief Customer Information Officer at Ping. Is that CCIO for short? I love it!
Richard: [laughs] Yes, it is.
Steve: You are a crossfitter, a supporter of breast cancer awareness, degreed in political science and risk management, and serve on several boards.
Richard, the pleasure is truly mine today.
So, you recently joined Ping Identity, 4 months back?
Richard: [laughs] Yeah, running into about 5 months at this point.
Steve: Ping has been the darling of the identity industry for many years now, so the answer to this question is probably an obvious one. But, why did you join Ping Identity? Did Andre twist your arm? I mean, you had a great gig at Optiv, the world’s largest SI and most trusted advisor for IAM and cybersecurity on the planet. So why the move?
Richard: Oh, it’s a great question. It’s one of those where I’m super thankful for all the scars and bruises that I’ve accumulated over my life that gave me enough experience to finally have this many options. Andre and I had struck up an intellectual relationship a couple of years ago. I had spoken at a Cloud Identity Summit before the name was changed to Identiverse and we just started talking. He started drawing my operational experiences and background out and asking me tons of questions about what it’s really like to run the [IAM] function. How easy or difficult was it to work with different solutions? So, through the course of that, I appreciated the fact that he was willing to listen to me complain about how many solution providers just didn’t understand the long-term operational consequences and cost consequences of their solutions. And then we kept in contact with each other. Last year I spoke at Identiverse again for a very well received keynote. A few weeks later, just in the course of an email exchange, he said “Hey, if you are interested, why don’t you come work for me?”
It was a little difficult for me because when I joined Optiv, I left the corporate world and I was burnt out after 20+ years in IT executive roles and IT cybersecurity roles. Almost from the moment I walked into Optiv I had this great set of opportunities presented to me personally by the CEO (Dan Burns) and I really do owe him a personal debt. He gave me the permission and the opportunities to speak – which I did about thirty times or so – and in the course of speaking that introduced me to wider and wider audiences. Bringing that around, that introduced me to Ping Identity as a company. Of all the different choices that were out there for me relative to solution providers, Andre and I are like-minded on where the industry is going. He brings the perspective of the entrepreneur and long-time innovator, and I feel like I’m the opposite side of the same coin, just with the perspective of the operator and the customer.
Steve: That’s great! Yeah, it’s awesome to have the opportunity. A lot of people end up being career IT people or career entrepreneurs and don’t always get a chance to switch tracks and try out other types of roles.
Okay, my ears perked up when you said that “solution providers don’t understand the operational and cost consequences of their solutions…” This is a subject that is near and dear to me, as I too spent over a decade in the trenches managing complex global IAM implementations. Now in your thinking, how do you frame the issue and speak to this at an executive level? And I’m sure, based on my own experiences, that breaches are a result of gaps in operating procedures, not always the fault of the technology itself. (E.g. think of the Deloitte breach and not having 2FA enabled.) Can you speak to this?
Richard: Yeah, I think it’s a super timely question. In the course of any given day I’m plowing through twenty different news feeds around cybersecurity topics, and privacy and all that good stuff. Somebody has to read it. One just came across the wire today that I think is so relevant to the question that you just asked. The CEO of Tenable, Amit Yoran, headlined “Tenable CEO blasts ‘smoke and mirrors’ of cybersecurity industry” at RSA and that makes me so happy. It makes me feel that some folks are really starting to get it. He raises, in the course of that interview, this question about if you keep buying the next coolest solution with the blinking lights and the ‘easy’ button, and you’re not doing the basics correctly – which is something if you are a practitioner in an organization – you beg for your executives and your board to listen to you on. I thought that was fascinating. He was blunt in saying that the vast majority of the cybersecurity space was ‘smoke and mirrors’ and that feeds right into the operational and cost consequences of these solutions.
There are so many solutions, and I have owned all of them as an app owner. It’s fascinating how many solutions were pitched as platforms but were really single point solutions, and now I’ve got to buy ten different ones and I’ve got to hope that they all integrate together. And then another wave of solutions with a heavier orientation towards cloud [computing] comes and you discover all sorts of information there. But if you ask for any automation, the answer you hear is “Nope, we don’t do that.” Somebody still has to sit in front of a screen and sort through those alerts. The way that I phrase this in previous speaking engagements is that the risk there is amazing because we all know how the analysts respond when they get buried in tons of data that they need to sift through manually. They start creating rules to weed out false positives, and then somewhere in that bucket of false positives is the bad thing. There is so much noise being generated by so many different solutions that are either not integrated or single purpose that you have to hire more staff and add more capacity relative to the management of the function. This has been the pattern I’ve seen repeated for well over a decade.
Steve: By the way, my hat’s off to Amit. I have always enjoyed listening to him speak. At the same time, your partnership with Andre is brilliant as well… combining the deep operational expertise with the visionary and depth of technical background that Andre has.
I didn’t prepare you for this question, but I want to take it on because Andre just posted this on LinkedIn today. He has had quite a few conversations recently with CISOs and one of the recurring themes that he hears is: “Many CISOs see identity as an operations function, not a security function.” Let’s take a few minutes and expand on that, right? [laughs] You laugh, and we all see the humor in it, but it also paints a pretty grim picture of if the CISO can’t see past his nose in terms of why identity needs to be managed in a certain way or see the opportunity to help the business scale safely… what’s your take on that? How are you and Andre taking on that mindset?
Richard: Yeah, so it’s an interesting moment for all of this to come together. I’m glad it took us a little bit to get things on the schedule because between the RSA Conference and some other activities that have been going on over the last couple of weeks, it’s given us some great information to go over, and this is one of them. It’s fascinating to me: the CISO insight that he shared – I know the CISO that he’s talking about very well.
Steve: So, that’s not fiction, it really happened? [laughs]
Richard: Yeah, we’ve worked together in the past and this CISO is very blunt and very forthright. I was just walking in the hall and had a conversation with Andre about a readback of this conversation, and I said, “There is nothing that I can disagree with.” What I love about the series of quotes that Andre posted is that this is a CISO that has taken personal accountability and leadership accountability. One of the things that I found fascinating, it speaks to what Amit was saying, is that we have companies who have tons of security solutions on-site that they’ve never deployed. They’ve bought them, and they have one OEM out-of-the-box rule running. Or they’ve only applied one application. That, to me, is a reflection of that operations function that particular CISO was talking about.
We’re still not in a place where CISOs are “native born” right? That they are an indigenous species to security. They came from infrastructure. They came from app dev. They came from audit, compliance, etcetera. Myself as well. I came from mergers & acquisitions program management and then moved into IT management for app dev and infrastructure. And so, I’m not a native to information security. There’s this idea that I buy a solution, I implement a solution and then my problems are solved. And that’s still a very operational mindset.
I think the big break here is – and I just posted something about this myself – there is a massive lack of awareness and understanding around why you purchase a security solution. Heads of compliance and CISOs will say that ‘you need to buy that solution to fix this compliance problem’ or ‘you need to buy that solution to fix this audit issue’ or ‘you need to buy this solution to make the DOJ or the SEC happy’ you can go down the line of alphabet soup and regulators.
The truth is, and the piece that’s hugely missed right now in the industry is that if a CISO or any company buys an information security solution and they have not first dimensioned what their inherent and residual risk exposures are, and the business problem that they are trying to solve – and after they have implemented, if they cannot articulate how much inherent and residual risk they have reduced, they’ve just blown their money. They just wasted it. It’s not a business case that is predicated on how much you spend, how much you spend over time, how much of it is CapEx, how much of it is OpEx, how much of it is subscription, what’s in the cloud, what’s not in the cloud, etcetera. Almost none of that is relevant unless you’re looking at things purely operationally. What’s relevant is reducing risk, right?
Steve: I was going to say that on the other side of the coin, those CISOs who don’t have good relationships with the business are probably the ones who are shortsighted enough to say ‘this is an operational issue’ where identity now is driving the conversation. It’s enabling end-to-end user experiences, helping drive cross-sell and up-sell opportunities and generally – for large organizations especially – helping customers to feel like the company knows them when they are going from one department or division to the next. Think about it from the initial product sale to engaging with the company to get support. There has got to be a smooth transition in that experience.
Richard: Yeah, without a doubt. Certainly, some of this, and we can refer to the Tenable interview, are obligations and responsibilities that fall back on the solution side, weighs back on the solutions integrator side. If we are in the business of stamping and selling widgets that have X% of margin, and we’re not really in the business of reducing risk, I do believe that is what Amit is making really clear.
I need to reel this back. I do feel that I am singularly unique. Not special, but singularly unique in the information security trades because I have been a CIO, I’ve been a CISO and global head of identity, I’ve been a consultant, I actually tried my hand at sales (I was really bad at it) and I’ve been a strategic advisor. So, I’ve really been the full spectrum. The only thing I haven’t been personally is an entrepreneur.
In spending a lot of time with all these solution providers, now on this side of the fence as one of the team for security solution providers, I have been disappointed in how many companies are not in the business of solving problems. They are in the business of getting their multiple. They are in the business of getting their valuation. They are in the business of getting their next trade acquisition. They are not in the business of actually solving the risk equation where risk is reduced.
Andre is not alone on this in the industry. I know several CEOs and CEO founders who still get up every morning and they want to fix problems. But I do think that the vast majority of the universe – relative to security solutions and solutions integration around cybersecurity – is still focused on cranking out the bucks and there has been an endless supply of those for the last several years.
Steve: You’re not missing a lot for not having been an entrepreneur. To be an entrepreneur the right way, and I know you have a lot of scar tissue and experiences already, multiply that [pain] by 10X and you will get to imagine at least what it’s like to be an entrepreneur. You have to really want that badly to go after that kind of experience, just ask Andre. He and I have commiserated over that at times as well.
Richard: Well I know that I’m not built that way, so it will be the one thing that I leave on the table.
Steve: That is why you two make a perfect partnership and because of all of those offices that you have held, I think you are the perfect guy to have on the Nonconformist Innovation Podcast because you can help business leaders see the big picture and drive that value add conversation which is that identity is more than just compliance, right? It’s no longer just about single sign-on and operational efficiency as it used to be. There is a growing list of things that help make identity a profit center and help drive business forward.
So, let’s change gears for a bit and go from abstraction to more concrete examples and what you are excited about doing at Ping Identity, and address, first of all, the risk side of the equation. There is a rise in the frequency and severity of data breaches in the past 3-4 years. The world has seen the largest breaches of the 21st century in that time. How is Ping Identity thinking about evolving its product and services strategy from one that is focused on managing identities and access, to detecting and mitigating risk?
Richard: Yeah, it’s fascinating to me how fast the world around identity control has moved. In the last two years it’s shifted more towards innovation, evolution and change than it did in the prior ten. I do think there are some gears that are driving that. The most important gear that I talk about frequently is the reality of what’s coming down the road with the European Union’s PSD2 for open banking, and it’s also being adopted in Australia where it’s not just open banking, it’s open banking across all verticals. I was just down in Australia having a lot of conversations with companies and government agencies about that. This is a reality where these regulations and demands are driving us towards a world of demand for secure customer identity.
Back in my day, customer identity – and I had to control and manage some because they were high risk and I had to build a whole set of solutions to do that – but for the most part, if someone came to me and said “I need to secure customer identities” I would have told them to go talk to the Chief Marketing Officer. [laughs] I said that’s all marketing and sales, that’s not my issue.
That’s causing a huge shift in thinking and I do believe that we are on a path where we are going to see – and I’m actively involved in lobbying for these changes whether they be with our own government or other governments – you cannot say here’s all the regulations, go protect customers’ data and then hold the world responsible (banks and insurance companies and government agencies) for protecting that data without extending the same requirement to protect the customer identity. If we say it’s the customers’ responsibility, but it’s the customers’ data – we are going to protect the data, but we aren’t going to protect the customer – we literally just defined the attack surface for man-in-the-middle.
Steve: And a lot of other things, right? There are folks who think that compliance is synonymous with security. PSD2, GDPR, SOX, HIPAA, these are coming at us. They have been around for a while and yet we see a skyrocketing number of data breaches. I think that these frameworks offer some interesting conversations around what we should be doing and why, because if we don’t do this basic set of things (E.g. hygiene) you are going to feel some pain. You can get fined.
So, looking at this problem through the lens of frameworks: Zero Trust and Lean Trust (e.g. Gartner CARTA) have become hyped concepts in the past year. Zero Trust calls for a default deny stance for access policies among other things (which is easier said than done) while Gartner CARTA focuses on layering threat intelligence, context-awareness, continuous monitoring, automation and behavioral analytics. Ping has made headlines (within the past year) for its acquisition of Elastic Beam, a hybrid cloud solution for protecting APIs with AI. You’ve seen this from the outside in, because you joined Ping Identity prior to this acquisition, and now you are on the inside. How has the acquisition helped Ping evolve its IP and capabilities on and in adaptive security with intelligence and AI? Let me restate the question simply: demystify the ‘Ping Intelligent Identity Platform’ for us if you will.
Richard: Sure. In order to do that, I have to bolt together a mini timeline around the points you just made. So, I’ve sat with, listened to and talked with John Kindervag on Zero Trust. We know that the genesis of Zero Trust was networking, right? Which is so historically complementary to everything else in information security because everything started with the network when we first started this business. So, it makes sense that the application of Zero Trust at the perimeter as it relates to packets – which is the way it was built initially – would be that approach. The challenge is, just mechanically speaking, everything in information security, if we look at firewalls, if we look at encryption and keys, et cetera, all of that worked in the perimeter defined world. But guess what? When you try to drive fine grained application control from RBAC (role-based access control) at the OS level for Windows and you try to move into ABAC (attribute-based access control) or fine-grained entitlements at the applications, it failed. Everywhere. App/Dev managers didn’t want to redesign their applications. No one wanted to go to a standard access control framework. Whatever the case may be. So, the truth is that Zero Trust will run into these same harsh realities on the application side as all the perimeter-based security frameworks did when they came through the traditional routes ten and twenty years ago.
So, when we look at what needs to happen, first and this is what I love about Ping Identity, is that identity is not the new perimeter. That has been touted for several years. That’s just a really bad statement.
Steve: I’m glad you brought that up because “identity is the new perimeter” has been used a lot. It hasn’t been until recently – I mean it rolled off the tongue nicely – but people didn’t really break it down into what this actually means.
Richard: You’ve heard me speak. I’m a little pragmatic and sometimes contentious. I’ve said, “Hey look, if you buy that identity is the new perimeter then Bob in accounting is the new port 80.” Again, if you are an old-school CISO like me, then you think of ‘Do I want 1100 poorly managed firewall configuration rules on my perimeter? Or do I want 24,000 employees and each one of them is a risk exploit for me?’ So now I’ve just multiplied my attack surface by tens of thousands. This is the problem with this notion. So, with Ping, our focus is that identity is the core of security. Now we wrap this back into the part that API and intelligence for identity plays.
One of the other things that has become a crushing reality as we’ve managed through more complicated use cases and demands for things like privilege escalation/de-escalation in-session is that, although we have been managing it with rules and policies, those of us who have been around the block know that rules and policies reach their logical limit in terms of being able to be managed by huge staffs because it’s just too onerous. So, the only way for us to move forward and evolve, and this speaks to where our direction is, is to be able to apply intelligence in-stream or alongside of accesses – whether they be workforce, customer, partners, vendors – so that informed intelligent decisions are causing continuous data-driven authentication.
So, the notion that we’d be able to do a privileged escalation simply based on a series of authenticable items in a global authentication authority would give us a very high confidence that that person is who they say they are, they are doing what they are supposed to be doing and they have what they are supposed to have. Now we can give them an escalated privilege grant for the moment that they need it and extract it without ever changing any of the user’s experience.
That’s really where the future is going to be and it’s “really close” is the way that I would phrase it.
Now the trick here is when you start buckling all these pieces together, we are going to reach a critical mass and/or a tipping point where the demand becomes: secure customer identity. The demand becomes: we need to stop investing in security solutions that aren’t yielding risk reductions. And we need to change security architectures to put the human being in the middle instead of the asset. Once we start to do that, it will become apparent why we need intelligence. The universe of human beings – and sometimes I get criticized because it seems like I’m leaving out all the machine accounts and functional accounts – my attitude is that if we could solve the human first, we’ll take a big chunk of the risk out of there. How about we attack the problem that we can solve immediately?
Once we start to do that, we understand that the universe of identities – human identities – that are going to need to be protected is going to be massive, and it’s going to require intelligence.
Steve: Totally. You see the identity and access management market estimated to grow 12% annually over the next few years and become a $14 billion industry by 2023. I remember chatting with Andre a couple years ago, prior to the Elastic Beam acquisition, saying “Ping needs a security brain.” You have access gateways, and rules and they are static. You can mend, mold and fashion identity and security how you would like it to be, but then the next data breach happens and it’s like “Ouch! I didn’t think of that one.” So as the industry has evolved, it is great that Andre’s wish came true and now the Ping Identity platform has found its “security brain” if you will.
Now, is there a role that 3rd party threat intelligence plays in augmenting AI and/or ML capabilities on your roadmap? Is this part of the equation? Is their risk scoring already happening behind the scenes or will that entirely come in from a CASB?
Richard: That’s a very observant question. It’s a question that I think every one of the key security solutions providers, particularly those in identity, but certainly those in CASB, in threat and vulnerability management, and a couple of other domains are asking of themselves. We certainly are ourselves. One of the questions we ask ourselves is, “Are we moving into a space where we can no longer be oriented towards only one domain within the security framework?” Yet on the other side, as I’ve talked with colleagues and friends in the CASB space, and in the threat and vulnerability management space, as we’ve all begun to push into cloud and some form of application of intelligence, and those types of analytics, one of the things that is really becoming clear is that in order for you to be effective in reducing risk, you need additional information that isn’t associated with the domain that you manage.
This is an interesting revelation for everybody in the industry right now because as we are all looking around, we notice that if I want to manage threats associated to identities, then I need data about threats. If I want to do scoring relative to risks represented by the user/entity/company, then I’m going to need that data as well. And then, if I have a solution, like Ping is capable of functioning both directly on-prem and in the cloud, the most dangerous view of the user is the partial view of the user. So, if I’m Ping, and I have this end-to-end view of a user, that information becomes extremely valuable to the CASB and threat and vulnerability management players and even to the firewall players.
As this has all started to come together, I believe the question that you asked is being asked in board rooms across the country right now, as to do we get into that business? Do we add just enough functionality so it’s good enough? Do we combine forces? Does it become a partnership play? You know this better than I do. But the reality is that virtually no security solutions providers have ever gone down the path of being tightly coupled with another provider in another domain.
Steve: I think that’s key to avoid this situation where once you have checked in you can never leave. If you are tightly coupled, you can be in a world of hurt down the road. There is someone there just not thinking about the future consequences.
Richard: Yeah. The trick is though if there is loose coupling – and you’ve mentioned something similar – I’ve never met a CISO in my life who said I got hacked in exactly the way I thought I was going to get hacked. You always get hit where you don’t see it, and loose coupling creates enough of an opportunity for capitalization for the bad guys. Tight coupling reduces that risk. I think the industry is struggling greatly with how to begin to answer those questions. I’m certain that there are going to be a number of steps that we take because they are going to be oriented towards being a broader set of capabilities from a platform standpoint.
Steve: I think that inevitably has to happen. I know you’ve been around the IDSA (Identity Defined Security Alliance) for a while now. There are a lot of member companies there within the alliance; that doesn’t mean tight coupling, that just implies cooperation, that we are going to work with known standards whether that be FIDO, SAML, OAuth, SCIM or some new emerging standard that is going to enable sharing signals to make sure that there are risk-informed access decisions being made. As the alliance and eco-system gets bigger, tight coupling becomes impossible. Nobody wants to invest those resources up front to make that happen. But cooperation and being directionally aligned adds a lot of value for joint customers.
Richard: Yes. Agreed. And to add to your point, I think we will see more and more of it. The big challenge is that each of us is now recognizing that data is king, and that we may each have data that each of us would want. I do see almost the next derivation of identity proofing. Maybe something along the lines of subscription stores of authenticable data. It could be either anonymized or specific to users, so you could see this rise of trusted authentication authorities being one of the next iterations. For us, as we are collecting information and data, we know that we collect tons of information that is relevant to that possibility. So, I think it’s early days, which is fascinating to me. But it’s also a reflection of the fact that there was ten years of under-investment from an overall innovation and intellectual standpoint and from a money standpoint in the identity space. Most of it was heavily oriented to access provisioning and de-provisioning, which is where a lot of solutions still are today, and we are only now moving into the realities of a fully securitized experience from the time a customer adopts the digital point until they leave that digital point.
Steve: With Australia’s data breach reporting law now in full effect, the country recently reported that nearly 75% of all cyberattacks this past quarter involved the abuse of compromised credentials such as usernames and passwords. The issue of compromised credentials is a growing problem that has a lot of people and businesses concerned, and rightfully so. What gives Ping customers the confidence to get a handle on and mitigate the risk of compromised credentials?
Richard: I think that the confidence comes from the statement that I made earlier about who has the most complete view of a user, or a customer/partner/vendor – a human entity. I think it’s a fair criticism for calling me out for not really diving into the topic of non-human entities or identities. We’ve got enough problems managing the human space. We can’t get there yet, and I’m saying that as someone who used to try and manage both aggressively.
We have the proof point that clearly shows, in survey after survey, that no matter what people are saying about cloud first – everything cloud – it doesn’t work that way. The first reality is that the cloud is a marketing term for a co-located datacenter. I get that the software runs faster. I get the clustering, and all of that is a massive improvement over where we were years ago. But it’s still somebody else’s datacenter. Because of that, the rise of a truly designed hybrid infrastructure is going to be the continuous reality for all of us, at least until the vast majority of us are either retired or dead.
We know mainframe. We know Unix/Linux at the local level. We know all of these mechanisms that make it impossible for organizations to leave any less than about 50% of their landed footprint on-prem. So, if you need your identity correlation of your on-prem personas with your cloud personas, you either need to have a solution that does both, or two solutions that handles them (linking and synchronization). That’s where I see Ping’s strength from a confidence standpoint. We were built in the days of on-prem, we focused on that build and we built it for enterprise clients.
I used to be a customer years ago when I was at JP Morgan Chase. Because that foundation was established, what I found fascinating – this is another point to that confidence issue – I think we may have passed a point in time where you could try and go build a brand new an on-prem solution because the architecture is no longer singularly on-prem. So, you have to build in a set of capabilities that would be so much broader then back in the days of Active Directory (LDAP) and how we got started and it would be very difficult to do that.
Steve: Well, let me blow your mind. I had a conversation with a Sr. Director just last week (from the financial services sector) who informed me that his company has built, and continues to build, their own IAM implementation because of internal resistance to the cloud. Can you believe it? But I think this key of hybrid cloud architecture is very important in terms of having a broad view of identities, including having visibility and effective policy enforcement and so forth. As you mentioned regarding identity proofing, because of its importance during on-boarding, and continuous adaptive authentication, et cetera. Yet there are some vendors who think that destroying and killing passwords will make a difference.
Password-less authentication seems to get a lot of press lately. But that seems so 2004, when Bill Gates himself predicted the demise of passwords. Some view “killing passwords” as an existential threat to the volition of their 5th Amendment rights, while others (like Microsoft) view it as a state of nirvana. Furthermore, in research conducted by the popular password manager Dashlane, it was found that the number of passwords we use doubles every 5 years. While we would all love to eliminate the risk of compromised and weak passwords, can we really expect to “kill” them? How will this password-less future unfold, and how are you advising Ping Identity customers to prepare?
Richard: So, there are two parts for me to this password-less equation. There is the first, which is the stuff that you see in the marketing pitches, which I find useless. The reason is because password-less is not about security in that pitch; password-less is about a better user experience. And one of the big failings that we had in propagating bad cybersecurity behaviors is that business partners love to say, “Put that security solution in, but what I want you to do is to do all of the custom configuration necessary in order for my people that have to interface with it to have the same exact experience they had with the old solution.” We don’t enforce the demands for process change.
Same with customers. We want to do password-less in this marketing tranche about how sexy it’s going to be because we want it to be easier for that person. The truth is that easy and security don’t go in the same sentence. Never have. I got some pushback on this the other day, and they were saying, “Well, we should make it easy.” I responded with, “No, not really. What we should do is make it frictionless.” I’ve just seen some friction type of presentations popping up recently, but I’ve been saying this for a long time. This comes back to the intelligence piece. We can get to a password-less world when we are able to answer the magic question: are you who you say you are? Which is an authentication function. And if we are able to do that with a high degree of confidence, passwords become irrelevant. We are able to identify you based upon a number of different attributes, and we are able to apply risk scoring to your profile. Yep, 99.99% sure that’s you. That would be a huge light-year leap over where we are with most realities today in terms of whether or not we know that person is who they say they are.
So, password-less to me, is almost a secondary function of creating frictionless authentication. And not just authenticating once on entry, and maybe one more time on elevation, but being authenticated multiple times in-session while it’s happening as long as you are inside the digital front door. Then when you exit, that relationship stops. That’s going to be the real advent of password-less, not just simply saying that we are going to get rid of passwords for people.
Steve: Point taken. This whole notion of frictionless is a good one. I would suggest that there is another dimension which doesn’t get a lot of airtime, which is regarding human volition. You have already heard about how, with TouchID and biometric authentication, law enforcement, say, can take the phone of someone who has the right of being innocent until proven guilty and force access to the device before obtaining a warrant. I’m curious to hear your thoughts about this. One dimension of this password-less future is, are we also giving up our own volition by having this frictionless experience, and how do we compensate for that?
Richard: Yeah, the thing that I find the most fascinating about the freedom that I’ve been given in this position at Ping Identity is the opportunity to do nothing but think about these subjects all the time. I just had a series of conversations when I started. Those conversations were with a friend of mine about his work in Canada trying to figure out how to serve the underserved populations when it comes to digital identities. They are the disabled. They are illiterate. They are in a difficult socio-economic status. And everything in Canada is now digitized. How do you introduce somebody into a digital economy when they don’t have a digital persona?
That really got me to thinking, my entire career has been in identity, and all I’ve ever thought about is identity in a corporate setting. I never really thought about digital identity for the people. I never really thought about this notion that if we as an industry decide that MFA is only through a handset, even though there are supposed to be 4 or 5 handsets per human being on the earth, there are still a billion people with no handset and no cell service. So, have we actively disenfranchised those people?
I say all that to come back to the specific response to your point. I believe that we are embarking on a frontier where we are going to need to sort out everything that we sorted out in the analog, relative to rights and privileges and citizenship in the digital space now that identity is becoming a real securitized thing. We are going to have to figure that out from all those aspects. The Miranda reference is a great one because the Miranda reference is related to the analog world. What is the Miranda equivalent in the digital world?
Steve: Yeah, great question! Do you like podcasting, Richard? I would love to trade jobs with you for a while. [laughs] You have obviously put some thought into this. As we are wrapping this episode, your answer leads to my next serious question. I’m going to leave it open ended for you because I’m interested in hearing your response. I don’t work for Ping Identity and I’m not a Ping customer. I sadly don’t track news about your company every day.
But what I can tell from attending Identiverse and observing online, Ping Identity has grown up a bit, and is no longer a start-up. I don’t think the killer app is single sign-on anymore. Right? It’s ubiquitous, and in some cases, like open-source, it’s free. GDPR, PSD2, and recently the California Consumer Privacy Act of 2018… it seems like – and I’m guessing here because I’m not that close to the Ping solution set – with your focus on access and API security, data governance, directory services (through your acquisition of UnboundID) and adaptive authentication, that Ping is positioned very well for the analog to digital future, and the increasing demands of CIAM, European and State of California regulations. Am I imagining things, or is Ping making some great strategic moves and setting itself up for success in the next few years?
Richard: Well, I’m going to personalize the response to that. I think it will tie well to the questions at the beginning of the discussion. And I say this with humility. Every time I get up and speak, whether it's in front of ten people or three thousand, I always remind people that I’m not an expert. I am somebody that was in the trenches, took the beatings and accumulated the scars. My hope in all this is that, as I share these stories and experiences, these pointers and guides on how to navigate all this stuff, I’m able to be a help to people based on that experience, so that you don’t repeat the same mistakes that I have made.
But, with that being said, I’ve obviously been able to build up a pretty successful career. I have a certain degree of visibility. It’s like I tell my father, I’m famous with twelve people around the world. I’ve worked hard to get there. I would leave with this relative to Ping’s future. A person like me with the corporate background, and any number of options to have gone back to the Big 4, back to a solutions provider, or gone back into another CISO or CSO role, I chose to be at Ping. I chose to be here based upon what I see in the potential and the opportunity, not just for the solution itself but for the entire industry. There is room for all of us that have been in the fight now for several years. I think that’s what is so important about IDSA. We are all in the fight, right? We may be pushing each other for market share, but at the end of the day their weakness is my weakness and my weakness is theirs.
I’ve chosen to be at Ping Identity because everything that you just described, all those pieces, parts and components is exactly the type of approach that I think is going to be extremely successful in the marketplace.
Steve: That’s great. I don’t think Andre could have chosen a better person for the role of customer advocate. With the breadth of your background, there is the opportunity to help Ping customers think through this future, to not have to drink the Kool-Aid but go in with eyes wide open, with some real practical experiences and the invaluable support from someone like you.
In wrapping up, I realize that I might not have given you a proper introduction in the beginning, so in the spirit of having fun and getting to know you better, amuse me and the listeners, and let me ask a few personal questions. Is that OK?
What color bow tie are you wearing today?
Richard: I have a favorite that is blue with an old school tattoo pattern on it. So that’s one of my favorites.
Steve: Favorite food?
Richard: Charcuterie. I know that’s more than one food. But that’s what makes it special. Give me some cheese, and fig jam and I’m good to go.
Steve: What CD/MP3 was last played in your car?
Richard: I really don’t listen too much in the car, but I am a huge music fan. I do music festivals. At Bonnaroo this year, which I’m going to for the fourth time, The Lonely Island, which is an Andy Samberg in-joke type of band from Saturday Night Live, I’ve been listening to them quite a bit. I know it’s really inappropriate but very funny. [laughs]
Steve: Favorite vacation destination?
Richard: Really anything along the coast in Ireland. I love it there.
Steve: Favorite Ping thought leader you follow?
Richard: Oh, that’s a toss-up at any given time. Robb Reck. I have a tremendous amount of respect for the person who sits in that seat, and Robb sits in that seat. And Bernard, Bernard Harguindeguy. I could listen to him speak a lot, or almost endlessly, but most of the time I only understand about 20% of it. Because he’s that smart.
Steve: What technology/opportunity are you most excited about in 2019?
Richard: I’d say federated blockchain. I’m a skeptic by design, and the notion of an immutable ledger immediately falls flat for me because, if I think about identity, if one of your defining characteristics is marital status, but you’ve been separated for two years because you can’t stand each other, and you definitely don’t want Bob to have access to your checking account, and Sally doesn’t have access to your retirement account, what exactly is your status on the blockchain? You’re married, right? I think that the nuances of real life don’t manifest themselves well in blockchain. But federated blockchain, where there are more opportunities relative to who has and controls the ledger is fascinating to me.
Steve: Yeah, I think it’s only getting more interesting to pure play identity management players like Ping and others. They are all going to have to grapple with this technology at some point. So, the headline from today, ‘Sovrin Network Now Ready for Digital Credential Issuers’ so we will have to save that for another podcast episode, but there is definitely something new and noteworthy happening in this space. It’s coming at us pretty fast.
Richard, this has been fun. I’m glad we were finally able to make the time on our calendars. We should do this more often.
Richard: I agree. I look forward to trying it again. Thanks so much!