Let’s talk about digital identity with Richard Slater, Head of Managed Services at Amido.

In episode 63, Richard fills us in on the latest developments in the UK Government’s Identity strategy; how the public sector should be approaching IAM in 2022; how organisations can ensure IAM implementations are successful/top mistakes to avoid; and creating a successful identity user experience (UX).

[Transcript below]

“There is absolutely no reason in 2022 to be looking at on-prem environments for hosting IAM.”

Richard SlaterRichard Slater started writing code on a second hand ZX Spectrum before he was 10. Today, Richard works as Head of Managed Services at Amido, a London-based start-up working on identity and microservices projects for some of the largest companies in the UK. He lives and breathes DevOps which means he is a vocal proponent of best practices for their software development teams, focusing on continuous-deployment, systems thinking, reducing feedback cycles, configuration-management, infrastructure-as-a-code and cybersecurity.

Find Richard on Twitter @richardslater and LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

 

Subscribe to
Let's Talk About Digital Identity

Or subscribe with your favorite app by using the address below

 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and today, in this episode, we’re going to talk about identity and also identity and access management, what is happening in the UK government and also in the public sector of this part of the world. So, for that, we have a very special guest.

Richard Slater started writing code on a second hand ZX Spectrum before he was 10. Today, Richard works as Head of Managed Services at Amido, a London-based start-up working on identity and microservices projects for some of the largest companies in the UK. He lives and breathes DevOps, which means he is a vocal proponent of best practices for software development teams focusing on continuous-deployment, systems thinking, reducing feedback cycles, configuration-management, infrastructure-as-a-code and of course, cyber security.

Hello, Richard.

Richard Slater: Hello, Oscar. Thank you for inviting me on.

Oscar: It’s a pleasure having you Richard and well, let’s start talking about, let’s talk about digital identity. So first of all, I would like to hear a bit more about yourself, if you can tell us about yourself, and especially your journey to this world of identity.

Richard: Sure, yeah. So, over the course of the last, I don’t know, 20 odd years in the IT industry, I’ve kind of written my fair share of login pages. At one point in time, I was a dotnet developer, before that, I was a systems administrator. So that kind of gave me interaction with enterprise IdAM solutions, like Active Directory. But then also, as a developer, you know, consumer IdAM, from the point of view of login pages are required for the vast majority of applications that I’ve ever written in my time.

And then about 10 years ago, I joined Amido, and had the opportunity to deliver over that time, about half a dozen identity platforms for kind of big and small companies, both public and private sector. And then I started to move my career over time much more towards the cybersecurity side, and really enjoy the kind of IdAM side of it. And that kind of led me into cybersecurity.

However, I then really realised that cybersecurity was the thing that kind of got left behind in DevOps. And actually, that’s the area where the innovation needs to happen to really kind of change the world, change the way that we approach IT, including IdAM, including cybersecurity in general, and kind of shift left on that thinking. And IdAM is a huge part of that.

Oscar: Yeah, absolutely, absolutely. Yes, as I read from your bio I found on Stack Overflow, yeah, you said, you live and breathe DevOps. And of course, yes, security, cybersecurity is something that is super important there. So, thank you for sharing your interesting story.

We’d like to hear you and Amido who are working very tightly in the UK, of course, I’d like to hear what’s the latest development in the UK government’s identity strategy?

Richard: Yeah, absolutely. So, I think we’re probably at a point now where most people have realised that GOV.UK Verify is starting to kind of wane a bit, it’s starting to sunset, so that it’s starting to become old news. And in its place, there is various kind of proposals floating around.

However, predominantly, what we’ve seen is our DCMS, Department of Digital Culture, Media and Sport, really been pushing this idea of a trust framework. And they’ve had a couple of public consultations on it so far. It’s just a really interesting approach. It’s a really kind of innovative way of looking at identity from a government perspective, in a way that enables privacy, but also creates that rich ecosystem of identity solutions.

And it’s been adopted elsewhere. And it’s still in its infancy. I know, Canada is a little bit ahead. The UK, and there’s a couple of other Commonwealth countries like Australia and New Zealand, who have been trying to approach government identity in a way that is less tied to being a single identity for a department and then having a different identity entirely for a different department actually creating an ecosystem.

And the real key to these trust frameworks being decentralised is that it comes into kind of flavours as it were. You have the identity providers, so the people that say, “You are who you say you are.” And those identity providers could fundamentally be anyone. So, it could be the NHS that say you are this person, you have this this NHS number which represents who you are. We’ve done the identity verification for you and thus, you can use an NHS identity to be able to access other non-NHS services.

Equally, it could be the home office that say that you’re a naturalised resident, or that you’re a British citizen. It could be even as far as you know, if you’ve got somebody coming in from- temporarily into the UK. It may be that it’s the foreign office that’s able to provide them an identity that demonstrates the fact that they are that person.

But the other side of the equation really comes down to what are called attributes. And those attributes allow individual government departments, and potentially private sector as well, to be able to kind of enrich that identity, and do it in such a way that it can mask the kind of personal data that can sometimes be encoded in identity.

So, a really good example of that one, if, for example, you were to go into a bar or a pub. At the moment, you have to show somebody some form of photo ID, so it might be a passport, it might be a driving license. And obviously on that it’s got your passport number, your driving license number, your date of birth, potentially your address on it as well. So, you’re sharing a lot more data than you really need to share. All they need to know is your date of birth. And even then, they don’t really need to know your date of birth, what they need to know is, are you legally entitled to buy alcohol in the UK? And for us, that means it’s 18.

And really, you know, what you’re able to do with attributes is create a digital identity that is able to be enriched, so you can present that digital identity. It might be through an app, it might even be through an actual physical ID card with a chip on it, that will then allow the establishment to go, “Is this person allowed to buy alcohol? Are they over 18?” And ask those questions.

Now, the really interesting thing is, is what the government’s doing here is they’re not trying to tell industry how to implement this. They’re trying to create a framework for trust, which is why they call it a trust framework. What they want is they want to go, “Here is the standard. Here is the approach. This is how we secure it. This is broadly, semantically how it’s going to work.”

Now, industry bring products to market that enable us to turn this from something that is essentially a white paper, into a product that enables government identity in a distributed manner. I think it’s a really exciting time because it helps to balance the privacy aspects of identity with the need to actually not have multiple identities.

I mean, I have probably 30 different government-based identity accounts just because I’m a British citizen. I’ve got accounts with the NHS, I’ve got accounts with the passport office, I’ve got accounts with the drive– DVLA. They’re all completely separate from each other. But what this trust framework promises and really, I hope it’s something that can be brought to bear is actually building out that system that means I only really need to have one true identity and all the other attributes are able to be added by the relevant parties.

Oscar: Yeah, absolutely, a trust framework would solve this problem, as you said, dozens of identities you have from some public service institutions in the UK. So, you said that there’s one organisation that is already leading in creation on that trust framework in the UK.

Richard: Yeah. So DCMS is being kind of charged with actually bringing this to bear, they have overall responsibility for both digital policy and cybersecurity policy. In the UK, they’re the organisation that sets policy for the Information Commissioner’s Office. So that’s kind of backing off into GDPR, and other privacy laws.

So really, these are the people, this is the government department that is fundamentally there to drive forward the digital agenda in the UK. And their role is really to help define what that’s going to look like. And then allow other government departments to start working with industry partners to be able to deliver an identity platform that meets this specification.

Oscar: OK. So, we expect to see in the near future results, a more unified identity verification service in the UK. But something that every single public sector organisation, they also have to deal with IAM in their way based on their own needs. So, if you can tell us about – in general public sector organisation, how they should be approaching IAM from this year 2022.

Richard: Yeah, definitely. So, you’re right, it’s great to talk about what’s in the future, but we are a good few years off having anything even in kind of an alpha or a beta stage that was going to be using the trust framework. IAM is not going to go away. It is something that is fundamentally necessary to be able to deliver a product and deliver it securely. So, you’re right, companies need to be looking at this- companies and departments need to be looking at this in 2022.

Amido are a cloud-native consultancy, you know, I kind of want to call that out o maybe I’m a little bit biased here. But the answer for me is really is it’s got to be on cloud. We’ve actually had a number of clients recently, I can’t mention them, unfortunately, who have come to us and asked us, after we built their cloud platform, you know, in an on-prem world, to help them move it into the cloud.

Cloud-first has been on the Cabinet Office agenda for the last five years, it’s something GDS has been pushing really heavily in the UK. And actually, you get so many benefits from cloud. It’s proven now, there is so many IdAM solutions that have been delivered using IaaS, using past components, that actually we’re starting to see government departments adopting cloud more and more as their predominant mechanism for delivering a service. And so, it’s not going to go away anytime soon.

And you know, as I say, those benefits if you’ve got VMs, on Azure, or AWS, where you’ve got commercial off-the-shelf software, or using SaaS components, it’s a whole lot less work for departments. And in these times of post Coronavirus and recovery – departments, budgets are going to be squeezed and you’re going to have less money to be able to spend on IAM. And that’s really where, you know, adopting the cloud, adopting those best of breed services, you can outsource a lot of their ongoing operational costs to the cloud providers, and focus on delivering that IdAM solution that is specific to your needs.

And, government, public sector, like no other sector has got some very specific needs for IAM. We’ve got one of our clients have to contend with building into the IAM solution a mechanism for identifying conflict and resolution. And like ensuring that segregation of duties is both implemented at the technical level, but also ensuring that there are no conflict of interest between two element, two IAM users in this particular solution.

So, it can be horrifically complicated. But it’s something that actually products are out there on the market, able to support those kinds of rules, those kinds of mechanisms, to protect the privacy of individuals, to ensure that regulatory requirements are being met. Departments need to be focusing on the solutions that are actually going to serve citizens. And by using cloud, you’re just removing all of that kind of underlying, like, let’s look after the VMs, let’s look after the hardware in the data centres, just focus on the actual applications themselves.

And all of the vendors I talked to, we work with vendors across the industry to deliver IdAM for our government clients and private sector clients, everyone has now got some kind of cloud offering. There is absolutely no reason in 2022 to be looking at on-prem environments for hosting IAM. You lose all of the flexibility. You lose all the maintainability aspects of it. Use the vendor’s cloud native offerings to be able to deliver IAM and focus on your kind of unique selling point, the thing that actually delivers value to citizens.

Oscar: Exactly. Yeah, it’s interesting to see that now in the beginning of 2022, these public administration organisations are already asking for that, explicitly asking for cloud.

Richard: Yeah, absolutely.

Oscar: So, given that IAM is core to an organisation’s cybersecurity strategy, how can the public sector ensure that the IAM implementations are successful?

Richard: Yeah, so this is interesting. So, as an organisation, we counted it up a couple of days ago, and we have delivered 37 IAM platforms over the last five years. And I think really, there are two things that we’ve seen most common, that are mistakes that have been made during an IAM implementation. And the first one is a bit of a weird one, a bit of a curveball. A couple of organisations we work with have left IAM to last. They’ve almost forgotten about IAM, or considered it as not part of a greater whole, you know, IAM you know, it’s a login page.

IAM is so much more than a login page. It may be that’s the first thing that people see. But IAM is actually a much wider solution that enables you to implement your cybersecurity controls, that enables you to grant access, grant privilege, et cetera in the relevant parts of your service. And I think this is a bit of a symptom really of a disconnect between security, compliance and technology.

Security is often not involved early enough. And I don’t necessarily mean a security department, I mean, the concept of security. And in reality, all of those elements are important – security, compliance and technology. Each of the standards, you know, I talked about ISO 27001, or cyber essentials, each of those talks about vital requirements for authentication and authorisation. And security is increasingly leading to adopt that shift left mentality that’s required to be able to ensure that InfoSec is really involved from the beginning.

I have this bit of a saying that what I want for my information security teams, what I want when I’m having a cybersecurity is how do we get to saying, yes, because all too often particularly when security is involved later in the project, the answer ends up being no. Like, no, you can’t go live until you’ve done this, this and this.

What I want to be in a position is at the beginning of a project, having security involved and going, what do you need? What do you need from this solution? What are your fundamental non-functional requirements that mean that you’re going to be able to say yes? What tasks do we need to do? What kind of level of pen testing do we need against this solution? So that when the business wants this to be live, the answer is going to be, “Yes, of course, we’ve been involved all the way through. We’re absolutely happy with this. And we have utter utmost confidence in it.”

And I think what often happens is that organisations, both public and private sector, get caught out that thinking IAM is something somebody else does. It never something somebody else does. Even if there is a pre-existing IAM solution in place, for a government department or for the private sector, then half of the effort is going to be involved in actually integrating that into the application or service that you’re building.

IAM is not something that is purely a case of redirect out somewhere and get back a failed or success message. It involves JWT tokens, it involved claims, it involves actually understanding how the IAM solution works across firewall boundaries, how the IAM solution works in terms of gaining access to privileged information.

In terms of administrator access, how is that working? What happens when somebody is trying to log into your application and the error message isn’t instructive enough to say, this is a problem with the login versus a problem with the application? There’s a lot to think about with IAM, so don’t get caught out. Do not think that IAM is something that somebody else better do for you. Embrace it, and like build it into your thought process from day one, before you even start designing anything, thinking about IAM and actually building that into the kind of wider picture is absolutely key to ensuring that implementation is successful.

And then that is related in many ways. The second mistake I really see is, is IAM not really being embedded in the organisation. We see a lot of organisations that try to implement IAM as a team. So, we have an IAM team, they are responsible for IAM for the organisation. Fundamentally, every application developer, every product owner, every business analyst in an organisation needs to understand the basics of identity, the basics of the OpenID connect protocol, the OAuth 2.0 protocol, because those influence how applications are designed and built.

I would actually say it’s 30% of the time for an IAM team should be dedicated to education and knowledge transfer to people who are outside of the IAM team, and the rest of the organisation. Because actually, those are the people that need to integrate. Those are the people that actually are going to be the relying parties. And those are the actual applications that IAM is there to kind of serve and protect.

And there’s a couple of ways of handling this. I really like the Train the Trainer programmes. When I’m working with client teams, I’m trying to make sure there’s a person in each of those service delivery teams who is the IAM champion. They are the person that has kind of put the time in, they’re talking with the actual IAM delivery team. They’re understanding how it works, what they need to do. And they’re championing that within the project.

Every time the sprint goes round, they’re putting their hand up and going OK, well how is this integrating with IAM? How are we handling the fact that something in the IAM platform is changing? How are we handling the changes in the wider ecosystem? And we’ve got additional claims available to us now. How are we managing that? And actually, having that Train the Trainer programme or that kind of subject matter expert embedded in the team is really important.

But then also, you know, it’s increasingly important to have really good training materials. As I record a lot of videos, half of the reason I’ve got a decent microphone and camera is I record videos, I’ll stand there in front of the camera and I will talk about IAM for our clients so that they have material that they can put into their Confluence or their SharePoint or their LMS to be able to educate people on how to interact with IAM as an application developer.

Oscar: Yeah, that is very powerful, what you have just said about training, the Train the Trainer, or just the fact of making sure there is a champion in the organisation and the customer will keep… yeah, training and educating about IAM across several functions. So that’s definitely, definitely a great idea. And I see – it came out you are doing this constantly for a while already. And your first point was that organisations leave IAM to the last. So yeah, it’s…

Richard: Yeah, never leave IAM to last. We have had a couple of opportunities where we have gone into a client to talk about IAM, only to discover that actually it was forgotten about. It was not included in the project plan. And actually, the work has already started on application services. And really just getting to a point where realising that there needs to be a lot of thought to go into IAM right at the beginning, do not leave it to last. It is so important to actually think about IAM from day zero, and build it out as part of your wider technical strategy.

Oscar: Yeah, absolutely. And also, as you said, identity management systems are touching very different also roles in the organisations. What about one that the users will feel directly is the user interface, user experience. So, what about the user experience in government identity systems, how is the sector’s approach to UX? How is it changing? What is the direction it’s heading now?

Richard: Yeah, so this is a really interesting one. There’s a GIF floating around that we have in our company Slack, which is essentially is a cat going through a gap in a door. And successively over time that this gap gets smaller and smaller. And the labelling around it is around security controls. And the very last section of the GIF, it says ISO 27001, where the gap is maybe about three centimetres wide, and the cat just jumps over the door, just goes straight over it. And that’s a fundamental problem.

If you make things so hard to use, people will find their way around it. People are intelligent, people are innovative, if you make it difficult, it’s going to be the last thing somebody is going to want to do. And that really, I think is something that has been influencing IAM over the course of the last five years.

And what we’re seeing is it moving from being a fairly cumbersome kind of login system, as it might have been termed, into a heavily researched, well understood ecosystem of user design principles that enables IAM to really kind of get out the way. I mean, for the most part, IAM is going to be something to an end user that should be transparent. In an ideal world, then you would be able to use authentication mechanisms that don’t require people to remember usernames and passwords.

We’re not quite there yet. I think we will get to a point where actually, that kind of transparent sign in model is going to be secure and it’s going to be friendly to end users. But in the meantime, what most departments are focusing on is the research. Use UX professionals to research into how people use the IAM solution, how people interact with it. Not just from the point of login and registration, but also from the point of how do I make this more secure? How can I implement multifactor authentication or passwordless login? Or, how do I reset a password in a secure and efficient way? Sending PIN codes out in the post, whilst incredibly secure and gives a high level of assurance that that address still matches that person and so there’s a good degree of confidence, it’s a very slow process and it’s not helpful if you’re trying to get something done quickly.

So, actually building those flows based upon research, based upon evidence that this is the majority of the system the population are able to use it. This is particularly important for government departments, because unlike private sector, rather, where you can say I have a demographic, you know, one of our clients is ASOS and so they have a very clear demographic graphic, it tends to be young. So, you can make the assumption there that all of them will have a smartphone, and probably a fairly good smartphone. All of them will be very kind of used to using touchscreens and used to using the internet.

When you’re dealing with a government department, you can’t make any of those assumptions, because the vast majority of departments have to deal with a citizen from either birth or, you know, entering into adulthood all the way through to later life. So, you can’t make the assumption that, you know, I can just test it with a small group of people who are in my demographic. You have to understand it from all aspects.

And equally, the vast majority of the particular governments in the UK need to deal with multiple cultures. London is such a cosmopolitan place. But most of the UK is, if you look at Manchester, you look at Birmingham, there are people with English not as their first language, you have got people coming in from very different cultures, either from abroad or just from community cultures within the UK. So, you can’t make the assumption that, you know, a small group of people is actually going to be representative of your actual end users.

So really kind of doing the research and thoroughly kind of getting into a representative example of all of the people that are going to be using your service, the alphas in front of them, the code base in front of them, or even you know, we’re a huge fan of coffee shop testing. So literally just drawn mock-ups really of a service, and actually go to people and go into a coffee shop and go, “Can I buy you a coffee and show you how I think this is going to work? I’d really like to get your feedback on how easy this might be to use, what you’d like to see done instead, you know, what do you not like about this? What do you like about this?

It’s really important to really get into the heads of citizens to understand like what they actually need from an IAM solution and the wider solution, but particularly from there, how do we get IAM out of the way. And it’s something that that I say with my InfoSec teams, is fundamentally we need to be making the right thing to do, the easiest thing to do. So, it’s the absolute antithesis of that cat jumping over the door. It’s trying to make it so actually going through the door, following the rules, following the controls, implementing the controls is by far and above easiest thing to do, rather than having to try and kind of circumvent it.

Oscar: Yeah, very, very good. You say in a visual way, visual language way with the cat and the door. But yeah, excellent. The key is, as you said, is to do serious research to have success in UX, in user experience. Yeah, so it’s very, very enlightening. Everything you have been sharing about IAM, I can see you also breathe, not only DevOps, you breathe IAM. I can feel it.

A final question for you will be, for all business leaders who are listening to us right now, what is the one actionable idea that they should write on their agendas today?

Richard: Yeah, this for me has got to come down to shift left thinking. So, I’ve talked a little bit about shift left in cybersecurity, but it applies to absolutely everything, so user experience research, cybersecurity compliance. If these are not things that are being thought about at a project level or at a product level from day zero, then they can be shifted left.

The sooner we kind of embrace the fact that we’re part of an ecosystem whereby lots of people are going to get involved in a project and involve those people from day zero onwards, the more effective those products are going to be and the lower risk there is going to be in delivering those proposed projects and products. So really, for me, it’s that if cybersecurity or user experience or compliance is not involved in day one, what one thing can you do this year to move that to the left, to get it in as close to zero as possible?

Oscar: Thanks a lot Richard for sharing all these super interesting things about not only UK but actually also in not only UK, not only public sector, but many of the things you have also shared with us are valuable for any project that requires identity and access management.

Richard: My pleasure.

Oscar: Please tell us how people can learn more about you, get in touch with you, what are the best ways?

Richard: Yes, so I am on the vast majority of social networks, so you feel free to reach out to me I am DevOps Richard on LinkedIn and Richard Slater on Twitter. So please do feel free to reach out. I live and breathe this stuff. I’m always happy to have a chat about it and I enjoy spending my evenings talking to you guys out there.

Oscar: Fantastic. Again, thanks a lot Richard, and all the best.

Richard: Thank you very much.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]