Let’s talk about digital identity with David Doret, Deputy CISO and IAM Manager at BNP Paribas and Founder of Open-Measure.
In episode 45, Oscar talks to David Doret about Open-Measure – the comprehensive, open-source Identity and Access Management (IAM) resource that he created as a not-for-profit initiative. The conversation explores how and why Open Measure came to be – and how anyone working with IAM, in any capacity, can get involved.
[Scroll down for the transcript]
“IAM is so transversal within the organisation – we need to work with HR, IT, security, the full workforce, top management, customers – with everyone, basically.”
David Doret is a cybersecurity and IAM veteran. He worked in advisory services helping numerous organisations strengthen their security posture, held twice the position of CISO and specialised in IAM and risk management. He founded and runs the Open-Measure wiki for IAM professionals. He holds an MSc in Information Security, is certified GRCP, PMP, Lean 6 Sigma Green Belt, CISSP, ISO 27001 Lead Auditor and loves studying MOOCs as a hobby. He is currently Deputy CISO and IAM Manager at BNP Paribas.
Contribute or provide feedback to Open-Measure at www.open-measure.org, or follow the LinkedIn feed at www.linkedin.com/company/open-measure/. The Open-Measure wiki can be found at open-measure.atlassian.net/wiki.
Go to our YouTube to watch the video transcript for this episode.
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello. Today’s guest is going to tell us about I would say to me is the most comprehensive IAM, so identity and access management, resource I’ve ever seen and the good thing of this is that it’s open source.
So my guest today is David Doret. David is a cybersecurity and IAM, identity and access management, veteran. He worked in advisory services helping numerous organisations strengthen their security posture. He held twice the position of CISO and specialised in IAM and risk management.
David founded and runs the Open-Measure wiki for IAM professionals. He holds a masters in Information Security, is certified GRCP, PMP, Lean 6 Sigma Green Belt, CISSP, ISO 27001 Lead Auditor and he loves studying MOOCs as a hobby. He is currently Deputy CISO and IAM Manager at BNP Paribas.
David Doret: Hi Oscar. Thank you very much for having me here.
Oscar: You are very welcome. It’s really interesting to hear about Open-Measure and of course about yourself. You have quite a long, comprehensive experience in cybersecurity and especially in IAM. That’s going to be the main discussion point today.
So we would like to hear, before hearing about Open-Measure, a bit more about yourself and how life led you to the world of digital identity.
David: Yes. I think my initial experience with IAM comes back to the early 1990s. So that’s too far away for me to properly collect my memories unfortunately. But yeah, I’m in the business for ages. I’m a dinosaur I would say.
Oscar: OK, OK. So it has been for – probably since the beginning of your career, I guess.
David: Yeah. During quite a long period of time, software development. Also I more or less held nearly all possible positions within an IT department that are possible to hold. My first job was in support. I was doing help desk support. Then I moved into system engineering. But that was decades ago.
From there, I moved into software development and then into cybersecurity. Then I specialised into IAM eventually.
Oscar: Excellent. So now that you are very into IAM, so I’m thinking – as far as I know, less than two years ago you created Open-Measure. So please tell us, what is Open-Measure?
David: The Open-Measure is a wiki. Actually it is first to fall a non-profit association that owns the content that is produced on that wiki and the goal of this wiki is to share knowledge among IAM professionals. So here we consider IAM in a very large manner or with a loose definition of IAM, which comprises anything ranging from authentication, to privileged access management and so on and so forth.
So this is not – we’re not talking about workforce IAM in a limited way, but really IAM in a broad manner. I think it all started in a bar. This was after a conference. It was in Germany two years ago. We were discussing key indicators with IAM colleagues and some of my colleagues were encountering difficulties in designing key indicators for IAM, whether these are key risk indicators, key performance indicators or others and they were frustrated by this situation.
Some other of my colleagues had nice, well-designed performance indicators that they were using and we started sharing on this topic. So during a few months, with IAM colleagues, we were sharing cool indicators and bad indicators and exchanging actively on this topic and at some point, I thought to myself, “Well, let’s go public with this stuff and let’s share it with the IAM community at large scale and let’s build a wiki.”
So that’s what we did and this was actually the initial point of the Open-Measure initiative where we have this – one of the sections of the wiki is this indicator section, where we can find a database of vetted key indicators for IAM.
Oscar: What was for instance one of the main indicators that you remember, the good ones let’s say?
David: Well, we really have plenty of those. But one frustration, but we can talk about it later on, is that these indicators are – I think they are nice. They can be used by the IAM professionals that are listening to the podcast. They can just go to the wiki and use them as is. But the problem is that – and this was one of the conclusion of this project. It was that these were still a bit piecemeal indicators, bits and pieces of indicators here and this does not yet give a full end to end picture of IAM as a whole, which led us to a second project on IAM processes that we can shortly discuss afterward.
But if you want for example a simple indicator, then one basic indicator for example may be the deployment of MFA. Obviously especially in large organisations where you have a history of IT systems, with some legacy IT systems and modern ones replacing the old ones and so on and so forth. Multi-factor authentication is of course one of the key initiatives that you want to pursue to strengthen the security of your information system and for example the MFA ratio is one of our initiatives. But there are of course plenty others.
For example in the field of workforce IAM, when you work on your personnel and the joiner, mover, leaver process. Another example would be the indicator will be the joiner process average lead time, which gives you a sense of how fast you’re onboarding new people in your workforce and how efficient the process is. But these are just a few samples …
Oscar: Yes. That’s why the indicator is where the Open-Measure, the name comes, so why it’s Open-Measure?
David: Yes, exactly, because one of our ideas, the ambition behind this was to get the community, and I do invite our listeners to do that, to invite the larger IAM community to contribute to that and to – in a very open manner, to just come and share their indicators. So anyone who has indicators that are not yet referenced in the wiki. They just can reach out to me. They can subscribe to the wiki and do it themselves and document them themselves or I will do it with pleasure as well for them.
The idea was just like to openly share these indicators together for the greater benefit of the community. One of the ambitions was to do benchmarking and this is still one of my ambitions. But it is something a little bit harder to do because to compare the performance between organisations, it requires caution because if you just throw – we did some benchmarking but more in a – I would say behind the scene way between professionals. We share our stats and we compare some data and like this. We can have a feeling if we’re doing good or bad and compare what our results are.
But if you just make public your benchmarking data, this may mislead a lot of people because it requires very precise definitions. Otherwise, you are not comparing the same thing. So if you just say for example the average organisation has 90 percent of its applications with MFA, then in reality this may be very misleading. If you don’t get precise definition of what the scope was of this statistic, how it has been computed and so on and so forth.
So I still have the goal of doing large-scale benchmarking for IAM professionals on the Open-Measure wiki. But this will require more work.
Oscar: OK, yeah. Excellent, excellent. It sounds like definitely super useful but of course you are still in these building blocks of Open-Measure. So once you have the resources, all the – encyclopaedia also now. You’re working on this, so that will be in – the benchmark will be in the future. Sounds super, super useful.
So I would like to also – to understand better what is the exact audience of Open-Measure. It’s mostly people in IT departments? What kind of roles will benefit the most?
David: So actually we have a bit – I think 750 subscribed users and the audience is mainly composed of CISOs, IAM professionals, IAM consultants, IAM vendors, a few researchers as well because we have a very extensive bibliography of IAM references. So it may be useful for example for masters students as well.
But mainly the core audience is really identity and access management professionals whether they work in PAM, whether they work on the CIAM, customer identity and access management as well. Really the IAM professionals is the core target.
We do have IAM professionals that work in IT and we do have also IAM professionals that work for example in security teams or in compliance teams. This is especially the case – for example, I’ve done most of my career in the financial industry where it is highly regulated.
So like other industries as well, such as pharma and so on. And in these industries, of course we are subject to a multitude of laws and regulatory constraints. So then you will find quite a number of IAM professionals that are working also in the risk or compliance field. I think that’s basically our audience.
Oscar: If you can describe some scenarios or use cases that your research and everything that is done right now and Open-Measure is focused.
David: Yeah, with pleasure. To date most of our efforts are focused on the development of scientific-grade dictionary for IAM. So we have a wiki section that is called “Dictionary”. Pretty straightforward. And here the realisation that started this project was that as an IAM professional, I do spend an awful lot of time working on my communication plans, communicating about my IAM programme, my IAM projects and initiatives, communicating to top management, communicating with my vendors, with my workforce, with the IT, with everyone else – all my stakeholders – and this communication is hard to get right.
As everyone learns with a bit of professional experience, communication is really the key to success. That’s true for IAM. That’s true for any other field. But perhaps a little bit more true for IAM because the IAM industry is known for its failures. It is well-documented in the literature that IAM projects are well-known for being late, to have budget overruns, to have scope failures and so on and so forth.
So we have a bad reputation and I think that one of the key – I don’t have the silver bullet solution to this problem. But one of the key factors or key critical success factors for IAM of course is to have the right communication plan and the realisation is that the building block for a good communication is terms, words for the concepts that we use.
If you don’t have the right definitions for the terms that you use, your communication plan will probably miserably fail. And in the field of IAM, it’s amazing because we have 60 years – more than 60 years of active research and innovation in the field.
I think my oldest bibliographic reference in IAM dates back to 1967. That sounds absolutely amazing, no? So if you want to get your communication right, you better have accurate definitions for the term you use and be able to share these accurate definitions with your stakeholders.
From this, I started first to look online for IAM resources and dictionaries and we do find a number of glossaries. For example IAM vendors tend to publish IAM glossaries but often they are biased towards the product.
We have also a lot of definitions in the scientific literature but this has never been really consolidated into a whole that is nicely presented and usable for the community.
So this is what we are really focusing our efforts on now is to build this super dictionary specialised for IAM professionals. And I think that the typical use case for this dictionary is for both IAM professionals and IAM stakeholders to just get there and find clear and precise definitions for the industry terms and probably learn something because the dictionary entries are not just simple definitions that we publish. But we do extensive actually encyclopaedic articles on IAM concepts with giving extensive references, bibliographic references to our sources.
The thing about building a dictionary, it is really not about convincing others of what terms should mean, you know. People get very emotional about the term’s definition sometimes. They feel that they know what this term means and then they are convinced of that and they try to convince everyone that’s around them about what that term should mean.
This is a wrong way to build a dictionary. The right way to build a dictionary is really not to tell others what things should mean but really to be able to listen, to listen and read of course. How people use the terms, what the authoritative sources state and take it from there. This is what we are doing. So it is a real lexicographic work and I think that it may help any IAM professional to improve their communication plans and, yeah. Anything you can’t find the right definitions for the terms that they’re looking for because the dictionary is yet incomplete. Then they can just reach out to us and we would be most happy to provide the missing definitions.
Oscar: Yeah, definitely. And when you say that the IAM field is known for its failures, like I never heard that and I understand that because people who work with IAM have to communicate with so many different types of people inside the same organisation and outside when buying, when selling. So that’s correct. Communication is critical.
And I have the experience that sometimes, OK, I’m not sure about one term. So I’m putting in a search engine and I find some two-lines definition. Sometimes I found two pages, completely difficult. So yeah, it’s hard. It’s not an easy way to find definitions, so everybody can kind of understand the same terms. Well, until now.
David: Yeah, absolutely. You are right. I mean IAM is so transversal within the organisation. It touches – I mean we need to work with HR. We need to work with IT, with security, with the full workforce, with top management, with our customers, with everyone basically. This makes communication pretty hard. Me, as an IAM professional, I spend a lot, a lot, a lot of time just trying to improve my communication and ensure that my stakeholders understand what I’m doing, understand where their interest is, where the value of what we’re doing is.
Many people in the workforce will just see IAM as – you know, as a ticking the box exercise because they need to do a recertification control or things like this and they see us as an annoyance rather than a creator of value within the organisation, which is sad.
Oscar: Yeah, yeah, it is. If you can tell us more about this dictionary you are building and maybe a couple of examples.
David: Yeah, with pleasure. So what we did is that first we developed a methodology on how the dictionary would be built and this methodology was taken from lexicographic – well, books on lexicography which is the science and art of doing dictionaries. So this was the starting point because we wanted to do it well.
So if we take just one example in the dictionary, for example we recently published the entry for ‘password spraying attack’. So password spraying attack, this is one example about – among many others. It is one kind of attack that an organisation may be victim to of course. And the problem is that it is already – I would not say an advanced concept but it is still a concept that is probably not super easy to grasp.
So how do we present this in the dictionary? First, we always design what we call a conceptual diagram. This conceptual diagram, they illustrate, so we can’t see the – unfortunately on the podcast so it will be just hard to describe, but it is- the idea is to give all the key components of the concept that we are talking about, to provide all this in a visual manner and this is depicted with these conceptual diagrams.
So if we look at the conceptual diagram for password spraying attack for example, we will see that – well, it is part of a larger class of attacks called brute force attack, which is itself just a class of techniques. Then we can see on the visual diagram the key components of a password spraying attack. It allows the attacker to void a typical or traditional account lookout mechanism for example.
It is used by the threat actor who compiles a database of probable passwords and so on and so forth and he will use a rotation seam to then guess the passwords of a typically large population of identities and so on and so forth.
What we depict as well on the conceptual diagram is not only what is a password spraying attack, but how it may be counted with countermeasures, and we already give a number of – a shortlist of key countermeasures that may help organisations protect themselves from these kinds of attack. So this is of course just one example among many.
On the dictionary, what you will find in addition to that is in detailed – one or several detailed definitions for the concept and then bibliographic references if you want to dig more into the topic and want to see what authoritative authors have said about the subject. Then you can just zoom in the bibliography and directly find the references of the article.
Oscar: Yes. I see. While you were speaking, I was looking at my screen, the page for the password spraying attack and yeah, certainly. This diagram, the conceptual diagram that you mentioned is super comprehensive. It has all these aspects, not just a definition, and that’s often what we find with these definitions. Even if it’s a good definition of several lines, but this brings almost everything that could be related to the concept. So it looks super powerful.
David: And it is never perfect. Really where I do need the help of the IAM community and here all our listeners can really help, it is to give us feedback. I mean whenever people send me critiques, comments, ideas and so on, I am very pleased because this helps me improve our content. So be critical please whenever you find something that is not accurate enough, if you find some other references, some other authoritative references that are missing, if you find some aspects of the subject that have not been properly covered. I’m absolutely super happy to receive this feedback.
It is hard to design a good, accurate definition. It’s really hard work. It’s not something that just falls from the sky. It takes quite a little bit of study every time you need to go through these research papers and there’s sometimes some ambiguity in them and so on and so forth. So I need help and this dictionary at the end will only be as good as the community that will help to build it.
This may be perhaps an opportunity also to say that we are looking for help. I do have a few people who help me on the wiki now. But we really need now to scale it up. So in addition to providing comments, anyone who would like to either work as a reviewer, to reread content and to provide feedback or to become an author as well and to work on the dictionary concepts, then they would be more warmly welcomed on the project.
Of course this is all voluntary work because the idea is to make something completely free of charge for the community. This is a call to people who would be happy to create open-source content for the others.
Oscar: Yeah, absolutely. So the ways to help to contribute is to go to the website Open-Measure and you can register yourself there or tell us a bit about the process.
David: Yes, exactly. We have also the wiki and there is a linked website at the address, Open-Measure. So it’s www.open-measure.org. There is a subscription page. People can subscribe here. They can also find us and subscribe via LinkedIn and as soon as you subscribe, then I provision an account under wiki for you.
The initial profile that you will have will just allow you to comment online on all the wiki pages and ask questions and so on and so forth. Then if you would like to become an author, just let me know. You will receive all my contact details during Open-Measure subscription and then I will be most happy to provision for anyone and account with contributor access right and they will be able to just create new wiki pages, modify existing pages and so on and so forth. Of course I will be there to help and provide support.
Oscar: Excellent. Well, definitely you have convinced at least myself already. So I will go and register myself there and contribute as much as I can. So fantastic job you are doing. Before going to the last question of this interview, do you have anything else that you would like to say about Open-Measure, future plans or something that is right now going on?
David: I try to keep the pace of publishing one dictionary entry per every one or two weeks. So if you’re interested, you may just subscribe to the LinkedIn feed that we have and then like this, you will receive them on an ongoing basis. I think that now we have quite a few hundred subscribers to the feed. This is quite popular for I think most of our listeners who don’t necessarily want to get involved into voluntary work, but just want to receive the information and take it from time to time.
So I think that this is the key message today and of course if among the audience, there are people who would like to dig further, then they will be happy to provide more help.
We had also a number of other wiki sections on Open-Measure that may be of interest to some people. So for example we have this processes wiki section where the ambition was to do a mapping of IAM processes within organisations.
So as of today, this section is OK. It is quite comprehensive but this will probably need some more work in 2021 to get it at the level where I would like it to be. It is not yet as comprehensive as I wish and the last section I would like to mention is the best practices section.
The best practices section here is – just comprises a few documented IAM best practices. As of today, it needs a lot more work. But the idea is to openly share best practices within the industry and to document them from there and let the other community members share their views on what went right, what went wrong and so on and so forth.
So I have quite some hope that the best practices section eventually may become very useful for IAM professionals if we can get some more contributions from the field.
Oscar: Yeah, definitely. A final question, thinking of people who are in the decision-making seat, mostly business leaders. So what is the one actionable idea that they should write on their agendas today?
David: So decision makers, they should become a patron of Open-Measure. I finance the project with my own private money and there – yes. I am looking a little bit for financial support. We don’t have big financial needs. But we still need to buy more books. Unfortunately quite a number of academic work needs to be purchased and that costs money as well.
So decision makers, they should write a cheque for us and give us a little bit of support. Then we would be most happy if they have some particular questions on some IAM topics. Then I would be most happy to prioritise those key performance indicators, best practices or IAM concepts that they are most interested in. This would be with most pleasure.
But I think that for decision makers, perhaps one aspect that they may be more interested in is the indicator sections because here, you should find information on how to design nice IAM key indicators to monitor the performance, risks and control that are related to IAM within the organisation.
If today you are frustrated about getting this feedback in terms of proper statistical indicators, run IAM within your organisation, then this may be not the full answer to everything but a good initial answer to your questions.
Oscar: Yeah, absolutely. I think we have to support this initiative. I think that, yeah, everybody will benefit, all organisations and ultimately people will benefit by having this resource, that has all the knowledge that we need and it’s going to reach more and more people. So fantastic – more professionals.
Thanks a lot David. It was really interesting and inspiring hearing about this project Open-Measure. Please let us know. Remind us how we would find Open-Measure and what other ways to get in touch with you or learn more about this.
David: Yes. So either through www.open-measure.org or via LinkedIn as well. Well, on both sites you can just subscribe and you will find us easily from there. Thank you very much for having me on the podcast, on this show, Oscar. It was a great pleasure.
Oscar: Thank you very much, David. All the best.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]