Let’s talk about digital identity with Simon Moffatt, CEO and Analyst at The Cyber Hut.
In episode 72, Simon Moffatt from The Cyber Hut discusses what is next for identity and access management – what his recent research has shown regarding passwordless authentication and next generation authorisation, alongside what trends are emerging in IAM and how he sees the IAM landscape evolving in the future.
“I think the technology is there today, I think there are numerous different solutions, whether it’s based on sort of biometrics, or perhaps standards, like FIDO and WebAuthn that provide us with the tools and techniques to rid ourselves of passwords.”
Simon is Founder and Analyst at The Cyber Hut – a leading boutique industry research, analysis and advisory firm focused on identity, access and cyber security technology. He has a 20+ year career within the identity and access management space having worked for consultancies, startups and global software vendors. He is a published author and contributor to identity standards at the likes of NIST and the IETF. He is also a Fellow of the Chartered Institute of Information Security.
His long-running research is focused upon next generation authorisation and emerging authentication technologies, as well as having an interest in the history of code breaking, signals intelligence and cyber warfare operations.
Find Simon on LinkedIn.
Find out more about The Cyber Hut.
Let’s Talk About Digital Identity will be returning for Series 4 on Wednesday 17th August 2022.
Go to our YouTube to watch the video transcript for this episode.
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining. Today, we are going to hear now what is next for identity and access management. And we have a guest who really does a lot of research and training and consultancy about specifically identity and access management. Our guest today is Simon Moffatt. He is Founder and Analyst at The Cyber Hut, a leading boutique industry research, analysis, and advisory firm focused on identity, access, and cybersecurity technology.
He has more than 20 years' career experience within the identity and access management space, having worked for consultancies, start-ups, and global software vendors. He is a published author and contributor to identity standards at the likes of NIST and the IETF. He's also a Fellow of the Chartered Institute of Information Security. His long-running research is focused upon next generation authorisation and emerging authentication technologies, as well as having an interest in the history of code breaking, signals intelligence, and cyber warfare operations.
Simon Moffatt: Hi, Oscar. How are we doing? It’s great to be here today.
Oscar: Pretty good. It’s a pleasure talking with you, Simon. So definitely, we want to hear what’s coming in identity and access management. So yeah, let’s get started. Let’s talk about digital identity. And first, we would like to hear a bit more about yourself, especially what was your journey to the world of identity.
Simon: Yeah, thanks. It’s such a fascinating area, identity. I’ve been fortunate to have been in it for just over 20 years, which is a little bit scary when I say that out loud. But I guess like any technology in any sort of technology trend, 20 years is an absolute lifetime. And there’s been so many changes in actual products that are available, the standards, how technology is used, it seems an absolute world away.
But I started my career back in 2001, working in industry, like most people probably do when they start their careers. And I was working for a large insurance company in the UK for three or four years. And I was essentially doing identity by hand. I was creating accounts on RACF mainframe, I was setting up access control profiles, and TSO IDs and job control language stuff, all this crazy stuff on the mainframe. And having to do this by hand, there was no sort of automation involved in account creation and managing permissions and things. And it was quite an eye-opening experience at the age of 20 odd, I guess, you know, starting my career doing all of these processes by hand, which were time consuming, really labour intensive, really error prone. And it was a really interesting sort of introduction to identity management, if you like.
And then essentially, from there, I spent a bit of time in consultancy. And then I ended up spending the vast majority of my career working for software vendors, making software to rid the world of all of those manual processes of having to set up accounts by hand and having to manage permissions and access management and single sign-on and authentication and all that stuff. And really had a good 14, 15 years building software in those landscapes around provisioning systems, governance and compliance, role-based access control, obviously more latterly, on things like authentication and MFA, and zero trust and some of the buzzwords which have become more prolific.
But it's just been quite an interesting journey to go from doing everything by hand and doing it manually to sort of working on automating that stuff, really. And it's just been good to see identity now become a really accepted part of the enterprise landscape. I think 20 years ago, for example, it was something which wasn't particularly automated, it sat within IT operations, and it was just something organisations had to do.
Whereas I think today, in 2022, identity is so pervasive, and it powers the consumer identity lifecycle, it's integrating with IoT and privacy and a whole host of other things around defence and cyber warfare, and a whole host of different angles identity is now taking. So, it's been a bit of a privilege to be in the sector for so long and see all those changes.
Oscar: Yeah, it's quite interesting when you say that, doing identity and access management by hand, right? It's hard to imagine today. It would be crazy if someone still did it by hand today. We have now, of course, the standards, we have the software that does that. Yeah, interesting. And also, one of the last things you said is that it started with IT, right? You were an IT manager or IT specialist when you were doing this by hand, but today, actually I think a lot of the identity and access management is not done anymore by IT, correct?
Simon: I think that's a really, yeah, really good observation. I think when I started, it was definitely within the IT, the infrastructure operations part of the business. And I think, today, even in the B2E, the employee identity infrastructure, it's very separate, it's very different. There are identity specialists, identity architects, identity leads, maybe even Chief Identity Officers, perhaps in some organisations, but it certainly has its own domain. And I think with that brings responsibilities; there are new and different metrics around what success looks like for identity and access management. And then clearly, then we have this whole brand-new area, or more recent area, around things like consumer identity or the identity for devices too and that's, I guess, driven these needs to have identity as a separate playing field really, it doesn't just sit within IT anymore.
Oscar: Exactly. So now let's explore some of the research that you have been involved in recently. So, tell us about that, what did you discover?
Simon: Yeah, I mean, so at The Cyber Hut we work on looking at emerging patterns that are happening in the broader identity and access management space. And it's a pretty exciting space to be because there are so many new emerging themes, standards, use cases, vendors, solution providers, and there's so much happening in there. But there's a couple of interesting topics that we've been researching over the last sort of six or seven months or so. And for one of them we released a report last year, looking at passwordless authentication.
And I think it's an interesting topic, because we all hate passwords as end users and as consumers and as employees. But yet we use passwords every day. Every day of our lives, we log into all of our web services, websites, our employee directories, our laptops, everything is still dominated by passwords and shared secrets. And this age-old way of authenticating has been there since the mid '70s when computing started its commercial journey. And I think we've been desperately trying to move away from passwords ever since, the best part of 50 years, I guess. And we still haven't quite got there.
We started to look at this space and try to look at some of the vendors, and some of the use cases, and the technology that is now available and really trying to understand, are we really getting close now to being able to rid the infrastructure of passwords in its entirety? And it was a fascinating journey, really. And I think the technology is there today, I think there are numerous different solutions, whether it’s based on sort of biometrics, or perhaps standards, like FIDO and WebAuthn that provide us with the tools and techniques to rid ourselves of passwords.
But clearly, there’s a whole host of other factors involved, be it sort of psychological acceptability, the security angles, the integration angles, and so on. So, it was a fascinating journey. I think we are getting closer to killing the password. But unfortunately, we’ve all probably got stories of how we logged in today using the old way of doing it.
Oscar: Yeah, indeed, we’re hearing all the time of technology for getting rid of passwords. And yeah, hopefully in the near future, we would really be completely rid of passwords. Another topic I think you were exploring was authorisation, correct? Like, next-generation authorisation, so tell us about that.
Simon: Yeah, authorisation is a fascinating area. I think, on the authentication side, many organisations do invest heavily in authentication technologies, login processes, and biometrics. And it's interesting, the authorisation, you know, what happens after the person has logged in, often was a little bit neglected. It wasn't necessarily an area which received lots of investment from the enterprise; the number of start-ups involved wasn't particularly huge. It wasn't a particularly large market.
Whereas I think, move forward to 2022, authorisation has had a huge sort of re-invention, if you like, if that's not too bold a word, or certainly a pretty extended evolution. And the authorisation aspects, you know, working out what access an individual has, or what access a device could potentially have, is now suddenly becoming vitally important, whether you are talking about the B2E space and employees and how they perhaps operate in a distributed working environment on the back of things like COVID and the pandemic, right through to the consumer angle where we're talking about privacy and data security there as well.
But authorisation has certainly had a huge re-investment, if you like, or a re-invention over the last sort of 36 months, there are numerous different start-ups involved in here, lots of interesting VC funding. I'm really starting to see this emergence of external authorisation platforms and looking at things like adaptive access, contextual access control, and things like zero trust and identity-centric security is, I guess, driving the need to have a strong authorisation platform where you are handling permissions across on-premises systems, cloud systems, APIs, microservices, there's a whole host of different assets that need to be protected.
And organisations are now figuring out that actually, if they get authorisation right, it allows them as a business to be more agile, allows them to increase the speed that they can deliver applications and services. And clearly, speed and agility are hugely important for most businesses, so they can essentially get to value and get to their customer bases as quick as possible.
So, I think authorisation, yeah, has certainly become vitally important. There is some interest in emerging patterns there around how you protect microservices, leveraging API protection; clearly we have things like OAuth 2.0 and OpenID Connect, which have been around for quite a while, in protecting APIs. But there's certainly interest in extending that and looking at things like contextual access and more dynamic and adaptive ways of giving access to different assets. And I think that in itself is suddenly becoming very topical and very important I think for many CISOs and CIOs.
Oscar: Yeah, indeed, and authorisation is not a word that you hear so much, let's say in marketing, at least. So, you don't see it so much mentioned, you don't see it so much on the website. But for instance, you mentioned contextual access, what was that you just mentioned? What is that concept, for instance?
Simon: Yeah, you're absolutely right. You know, many people, they don't think of authorisation as an object. They think of the business problem, which is, how do I get my staff or customers to complete a transaction, or gain access to the things that they need to do their job, or maybe perform a transaction online? So, the authorisation aspects, certainly from a contextual authorisation perspective, are not just looking at the people involved, the identities involved, and the resources that they want to access. But it's also starting to look at other data signals as well. So other pieces of information that could be leveraged to help make an authorisation decision.
So, we're talking about things like the device characteristics, you know, the laptop and the mobile phone, is there anything from those devices that can be leveraged in the authorisation decision, things like device versions, operating system versions? Does the device have antivirus installed, for example, or what type of locking mechanism does the mobile device have? Or what potential apps have been installed on the device? And all of these little, small pieces of context and signalling essentially have helped the authorisation decision process become a lot richer, a lot more informed and allow that process to be more personalised, and more tailored.
And I think this context aspect is now starting to pull in information from the devices but also things like the environment, things like breached credentials, threat intelligence systems, anything really which can amplify the risk analysis process. And I think, if you can pull in more of that context during the authorisation decision, the authorisation output can be much more fine grained as well. And I think we're certainly starting to move away from this very black and white allow and deny sort of model which we've had for a number of years, where, if something is slightly erroneous, or looks slightly risky, a big block and deny comes down, the big 403, or a big interruption into the user journey.
Whereas I think actually, what we’re starting to see now is much more subtle degradation of the service. You may be allowed access, but some of the service may be removed, or perhaps you’re allowed access, but it’s only read only, or perhaps you are allowed access, but perhaps certain fields of the database have been removed, or certain attributes in a payload have been removed, because perhaps you’re on a public Wi-Fi and that has a high level of risk or something similar.
So, I think we’re certainly starting to see this leveraging more information during the authorisation decision. And then the output of that decision is much more fine-grained and much more personalised, I think. It’s just moving away from blocking access entirely to allowing access but… and it’s just having that “but” in there and allowing more personalised experience, I think, it helps the end users and I think it helps the security posture as well.
Oscar: Yeah, I can visualise what you explained. It definitely also reduces friction because you get logged in with some level of authorisation. And of course, based on the algorithms or the system, it might lead you to a level of authorisation closer to what you should have; maybe it's not perfect, but you are logged in, you have some level of authorisation, and you can do at least part of your job and hopefully you don't need to contact IT or whoever is administering that.
Simon: Yeah, exactly. That's an interesting point as well, it's allowing people to continue on their journey. And I think that's become really important, I think, in both the employee space where, in honesty, a lot of people now are working from home, even though the pandemic is easing. So, you do things remotely, you do things away from a central office. So, it isn't easy, is it, to go and speak to the IT helpdesk, for example.
And certainly, in the consumer space as well. The last thing the consumer or the customer wants to do is have their journey interrupted, and they have to go and ring the help desk of their bank or their insurance company, or their telephone company or whatever. So, I think it's allowing journeys to continue but applying the necessary friction at the correct time, under the correct risk conditions. I think that is certainly a winning combination, in my opinion.
Oscar: Indeed. And what trends are you seeing emerge in identity and access management?
Simon: I think there are numerous actually. I think there's the fact that we have wonderful podcasts like this and lots of work and research everybody is doing in the community just amplifies that identity is now sort of pervasive. I think the tentacles of identity are now being sort of placed into huge parts of the enterprise, be it data security, endpoint protection, privacy, consumer identity, employee identity, there's a whole host of research around identity for IoT and identity for devices.
Now, I was at a conference this week in Paris, actually a defence conference. And there's a whole host of discussions there around leveraging identity and access management and trust and assurance within this sort of space and defence sectors as well. So, there are a whole host of research topics to think about. And you know, we talk about ourselves as consumers, and when we think of consumer and identity and consumer interactions, we're talking about usability, we're talking about privacy by design.
And these are quite new concepts really, if you think about identity and security, and that didn't really occur to most vendors or certainly most systems, to think about the usability and the privacy enablement. It was a case of get the system working. And yes, we may think of security afterwards. But certainly now, things like privacy enablement and privacy by design are vitally important, and identity is a huge part of how that would operate.
Oscar: Yeah, definitely. It seems super interesting that now, yeah, concepts like that are already on the agenda, on the minds of many decision makers, it's fabulous. And looking a bit more towards the future, let's say in the next five years, for instance, how do you see the identity and access management landscape evolving?
Simon: Oh, it’s a great question, isn’t it? As an analyst, you get asked this sort of question quite a lot around what does the future look like, and which technologies or standards are going to die off and which ones are going to survive and become real? And I think it’s always quite difficult to predict. And I think there are certainly some interesting meta trends, I think, certainly, identity is now hugely important to both the security architecture of the modern enterprise, but also things like usability, privacy, business agility. And then all of the enabling technologies that allow businesses to grow and compete and be agile, and to all the things which allow them to be successful. I think that is quite certainly a different way of looking at identity and identity-based security.
Whereas maybe three or four years ago, it was always leveraging technology to be restrictive and preventing bad things happening and stopping the bad guys from doing so. I think we're definitely moving towards identity as an enabler for business growth. There's a whole host of technology areas, I guess, things like decentralised everything, you know, decentralised internet, decentralised identity, and distributed identities. And then I guess, empowering the end user to have more control, essentially, over their identity data, be it things like wallets and ownership of how they share their identity data with governments and third-party services. And we're certainly starting to see this emergence around decentralised identity as perhaps the next way of handling identity information.
But there are certainly the other interesting areas, I mean, do we need things like Chief Identity Officers in the organisation? Interesting conversation I had a few weeks ago about that, you know, do we need to have a C-level executive who looks after identity? Maybe in three or four years we may see that happening as well.
Oscar: Is there any now?
Simon: I’m not aware of any who have that particular label. I think certainly some of the larger enterprises, there are certainly executives who are leading the charge for identity, really looking to transform how identity is measured, how it’s reported into either the CISO or the CIO. I’m not sure they have the title, Chief Identity Officer, but it would be interesting to see how that emerges over the next few years though.
Oscar: Yeah, there might be a top executive with a kind of similar, very high-profile role in leading identity, especially as you said, in large organisations, but maybe not the CIO.
Simon: Yeah, we already have one of those. Yeah, yeah. Agreed.
Oscar: And what are the main challenges that need to be solved in the next, let's say five years, in the relatively mid-term?
Simon: I think there's some interesting, I guess, obstacles, which are starting to emerge. I think the pandemic has accelerated lots of different things, technology trends, investment trends. And there are certainly some meta characteristics that have come out of that process. You know, businesses want to be more agile. They want to be more responsive to external change, from the competition, or threats such as COVID-19 and other things.
So, they need to be agile. And what does that mean? Well, they’re going to be driving towards agile methodologies, maybe containerisation, APIs, microservices, outsourcing everything to cloud systems and subscription-based systems. And that all brings a whole magnitude of challenges from an identity perspective and having visibility of your identity infrastructure across hybrid cloud, containers, legacy systems, on-premises systems and so on.
And I think that being able to identify threats across that identity landscape is becoming more of an issue, because essentially, the identity infrastructure is becoming more complex. So how do you handle permissions across a multitude of different systems? How do you embed identity into IoT devices and privacy enablement systems? It's hard to do that unless you have that visibility across that quite complex landscape.
So, I think there’s lots to do but I think equally, there are some good opportunities now. I think identity is well-known. It’s seen now as a really important part of many enterprises’ digital journey. So, I think there’s work to do, a lot of challenges ahead, but I think there are the right people, the personnel, the training, and standards available to make identity a vital part of every organisation over the next three to five years.
Oscar: Yeah, definitely, we expect that will happen. It looks like it’s going in the right direction as you said.
Simon: I think so. I’m hopeful. I’m positive.
Oscar: Simon, we're almost at the end of this interview, I'd like to ask you one final question for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?
Simon: Oh, wow, wow, can I only have one? I could probably give 10 I guess, which probably doesn't help people, does it? I think it's just being aware of identity. I think many organisations certainly, particularly the large organisations, probably have identity projects running and technology in place. But even if you're a smaller organisation, maybe a mid-sized enterprise, thinking about things like data security or endpoint security or privacy controls, it's thinking that identity really is the foundation for those aspects. And just thinking about the identity concept, looking at identifying your identity assets within the organisation, be that people, permissioning systems, perhaps where you may identify contexts and how you can respond to contextual changes.
But I think just having an understanding of what your identity landscape looks like, I think is a good starting point, you know, where your authoritative sources of directory information are, which pieces of context you may need to use, which assets do you want to protect? And I think that seems quite simple, but I think it's actually quite important because I think a lot of organisations start with a technology-first mindset where actually they may want to start with really identifying their identity landscape. And then working out the problems with their identity landscape before they sort of look at technology selection. So, I think like anything, just understand your landscape first and that's a really good, a good starting point.
Oscar: Yeah, I think it's a great takeaway. Yeah, thank you for this super interesting conversation. I definitely enjoyed hearing your passion about identity. I can feel it all the time when you talk, and you absolutely know a lot about this field and you are researching it, so thank you for sharing all this.
Finally, for our listeners who would like to get in touch with you or learn more about what you're doing, what are the best ways?
Simon: Yeah, of course, it's great to be here. I am passionate, it's certainly an exciting area to be in. And I guess the best place, I'm pretty active on social media, so reach out on LinkedIn, or on Twitter, or go direct to The Cyber Hut website at thecyberhut.com. We're more than happy to reach out and then respond to any questions, comments or just interesting conversations people want to have around identity, we're always open to those.
Oscar: Excellent. Again, thanks a lot, Simon. And all the best.
Simon: Thank you, Oscar. Thank you. Take care.
Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.