Recently, our CEO, James Litton, sat down with the South Texas chapter of ISSA as part of the organization's podcast series on cybersecurity. Their conversation covered a wide range of security and identity and access management (IAM) topics, including identity and the Internet of Things, the future of passwords, contingent workers, IAM and the cloud, and much more.
In case you missed it, we've got the podcast audio and transcript for you below!
Welcome to the ISSA South Texas podcast where we bring you into our community of cyber security professionals dedicated to advancing individual growth, managing technology risk, and protecting critical information, one episode at a time.
Interviewer: You're listening to the ISSA South Texas cybersecurity podcast episode four. Today, we're talking to James Litton, CEO – so, James, tell us a little bit about Identity Automation and a little bit about yourself.
James Litton: Well first of all, thank you very much for having me. A little bit about myself, I've been in Information Technology for about twenty-five or twenty-six years for a variety of different companies, including Coca Cola. I was with a company called Cray – I've also worked for a mortgage company as well. I then founded Identity Automation in 2004, with the purpose of focusing specifically on identity and access management.
And so, the Identity Automation story is really quite interesting – that we started as a consulting services company, implementing solutions from big box vendors, particularly Novell and Sun. But, we also did work around other platforms, such as IBM, Tivoli, and Oracle as well. Then after a number of years of implementing those solutions, we thought "we can do this better ourselves," and so, we converted from a consulting services company to a software company in 2010. Made the decision in 2009, and hired developers in 2010 when we came out with version one of our software product.
Interviewer: James, identity and access management is a critical security component and getting more critical. What are some of the changing trends that you see over the next few years?
James Litton: Identity and access management is really – the way that it's being viewed is shifting in a very fundamental way. So, if you look at the traditional view of identity and access management, it's all about compliance and it's all about scalability. And, those two perspectives tend to be based on what industry you're coming from, so if you're a large government agency or you're with a large K-12 school district for example, you tend to be concerned about scalability – very large numbers of users, very small number of people in information technology to handle the need. If you're coming at it from an enterprise perspective, you tend to be more focused on compliance. Things, such as SOX and HIPAA and PCI, and those have been the traditional drivers behind identity and access management.
What we've seen in the last 24 months or so – it's probably longer than that, but it started to really come to a head in the last twenty – is identity and access management play a more fundamental role in helping organizations to be more secure and to be more risk averse. And, that ultimately comes down to leveraging these tools to control who has access to what in a very efficient way. If you look at the security incidents that you've read about in the news – pick any incident – Sony Pictures, we've all heard about that, the Houston Astros incident that made news not too long ago, the Office of Personnel Management, and the list goes on and on and on. Most of these incidents are related to an account being hacked, which is a core identity and access management function. Right? You know, if that account was more secure, the chances of it being hacked would have been far less. So, having better passwords or having multi-factor authentication, for example, or limiting what the account had access to, so that when the account was hacked – that's inconvenient – but if you didn't have access to anything, then it would have been very difficult for the bad guy really to do anything harmful. So, identity and access management really is now becoming a core part of helping an organization to avert that risk.
Interviewer: James, the seasoned practitioner knows there's a difference between identity AND access management, but I think, many security people equate it as the same function, you want to give a few comments on that?
James Litton: Yeah, it's a great distinguishing point because really, identity management is all about identity lifecycle management. What that traditionally means is I'm looking at some core system of authority, like an HR system or a student information system, and I want to take that information and I want to provide some automated functions for creating that account in downstream systems and managing the lifecycle of that account. So, when the user changes their password in one place, that password change is captured and pushed into all the downstream systems. That's a traditional identity management function.
Access management, which is incidentally an area of identity and access management that is very hot these days, gets back to the point that I just raised a while ago – Who has access to what? How did they get that access? And, more importantly, how can you automate the granting and the removal of that access? Most incidents occur because of access management weaknesses. A particular user has too much access or a user has been with an organization for a long period of time, and as you move through an organization, you tend to accumulate access; it's very rarely taken away. If you implement an identity and access management system properly, as you move throughout the organization, your access changes. And so, it's two very distinct functions within sort of the same realm.
Interviewer: Thank you James.
James Litton: You bet.
Interviewer: James, some people are looking at security and compliance as an either or scenario, what would you say to them?
James Litton: I think really when it comes to access controls management as being a tool to help an organization to limit its risk, looking at something, such as continuous access certification as a component of that strategy. You know, traditionally, when we look at access certification, it is a campaign-based model where – pick a date and time. February the fifteenth, we're going to go through and send emails to all of the business owners to validate the users that have access to their particular system. So, I as a business owner come in on Monday morning, and I have 480 messages to approve access for all of these users. Human tendency is to feel overwhelmed by that, right? So, what do you do? You log into the system, and you say approve all because that's how you make that go away.
A better strategy, and one that Identity Automation advocates, is not only being more secure, but really a best practice is doing what's called continuous access certification. This is where the certification is spread out over a twelve month period, and it's based on when the access was granted in the first place. So, if I was granted the access on March 1st, my recertification would come back up March 1st a year later. If Elizabeth was granted access on September 3rd, her request for recertification would come on September the third. And so, what you end up with is a trickle effect, so it's much less overwhelming. The business owners are more apt to focus on the individual requests, which means that the whole campaign is more likely to be more accurate. And so, this idea of compliance, this idea of security – they're not mutually exclusive, they really work together.
Interviewer: Interesting James, just a follow-on question, there – I'm sure you know as a practitioner in this area – that granting access as you said is loose, not well controlled, etc. How do you see the acceptance in the industry of gaining that – let's call it review – of access?
James Litton: It's been interesting because the ramp up, in terms of automating access controls, has been fairly easy. Most people are interested in automating those functions because it takes some burden off of them. The process of doing access validation, however, is not something that comes quite as easily. Usually, it's been driven by a requirement of some kind, whether that's an external requirement or maybe a Chief Security Officer that's demanding that these things occur. However, we're starting to see a shift getting back to the theme that I mentioned earlier about risk mitigation. Really, the best way to mitigate risk is to control access, and so a lot of organizations are seeing that now, and that has really heightened the interest in automating the whole process of doing access certification and making sure that you have eyeballs looking at who has access to what on a regular basis.
Interviewer: Next question, James, is around the dream of all users that there being no password and of course security practitioners think that the thought – what's your view on how close we are to that being a reality?
James Litton: You know this truly is the sort of ultimate destination when it comes to accessing applications for users. An interesting statistic is that the average number of passwords for an individual is somewhere around 18 or 19. That's a lot of accounts, that's a lot of passwords to have to manage. The users oftentimes tend to use the same password or they'll resort to writing passwords down or using very unsecure passwords in order to try to make it easy for themselves to be able to get into the systems. But, the specific question about how close we are to getting to the place where there are no passwords is that we're getting very close.
Identity Automation has access technology today that actually makes that a reality. The way that ends up looking in the real world is the user logs into a system, and rather than being presented with a box asking for a password, instead, what you'll see is a notification on your phone, and that notification might say something to the effect of "You are trying to log in to Salesforce.com from this location. Is this correct? Yes or No?" If you say yes, then you see on your screen that the log in process completes, and so, it's a reality today. It's still very early days, but I think we're definitely headed down a path where you're going to see that type of authentication becoming very, very common.
What's really great about that is we're also able to pair that with multi-factor authentication. So, at the same time when that screen pops up on your phone, in order to click okay, you might first have to provide a thumbprint. That provides a biometric that says I am who I say I am. That's method number one, right, so it's factor number one. Then, I click the yes button; that's factor number two.
Interviewer: So James, you've talked a little bit about contingent workers as a security threat to all companies. First off, what are contingent workers? And second, how are they exposing companies to an increased risk?
James Litton: Contingent workers are workers that are not full-time employees, and you know, they can be contractors of various types. In the world that we live in today, a lot of organizations try to control costs by bringing on temporary workers or contingent workers. They might have these workers for long periods of time or short periods of time, but either way, these users are given access to various systems that, many times, are giving high levels of access to these systems. That ultimately creates a risk for the organization.
The biggest challenge with contingent workers is that they don't oftentimes have a single source of authority. So, full-time employees will live in the HR system. Students, if you're talking about schools, will live in a student information system. The challenge with temporary workers and contingent workers is that there is no system for them to live in, and so, that creates the biggest challenge for an organization. How do you manage those users? A company, like Identity Automation, deals with that problem by providing out-of-the-box functionality in our RapidIdentity product that actually does that. It gives the organization a way of managing these workers that are somewhat fluid, coming in and out of the organization, granting access and then automatically removing that access, thus reducing the risk to the company.
Interviewer: You wrote recently in one of your blog posts about how recent hacks in healthcare have changed how we're viewing security, and one of the things that you mentioned in that post was that we need to increase training on contingent workers. Could you expand on that a little bit?
James Litton: When you have workers that come in and out of the organization very rapidly, and they're not treated the same way as full-time employees, that means they oftentimes miss out on the baseline conversations on how you should behave, right? So, you shouldn't take USB keys that you find out on a park bench, bring them into your company and plug them into your laptop. That type of behavior is what creates the risk because that USB key might have had malware on it. You know, that's how you become infected, and so I think it's really important that an organization educates their users – all of their users – on what are the proper ways to behave. How you can mitigate risk just by following certain baseline behaviors, such as being very careful about where you download information from, what type of information you're loading up onto your computer, what types of devices you're plugging into your network etc.
Interviewer: Thanks James. James, on your resume, you glossed over Cray. Well, Cray is nothing in my opinion to be glossed over, probably one of the most fascinating computer companies and a lot of the newer practitioners probably don't know much about it. Say a few words about the kind of customers and the kind of unique things you had to go through at Cray that most of us have never heard or faced.
James Litton: Cray is a great company, and they've been around for a long time. Incidentally, it's a U.S. based company with computers made right here in the U.S. in Chippewa Falls, Wisconsin, and they make supercomputers. These are the types of computers that are used by government agencies. They're used by research organizations and universities. They are used by media organizations that are doing weather forecasting and that type of thing. They're very, very powerful computers that are used all over the world, and to this day, they continue to remain some of the most powerful computers on the planet. My time there was interesting. It was a lot of fun and a fantastic group of people. I really enjoyed my time at Cray.
Interviewer: Thank you. Okay, next question is concerning the cloud. Now, it's very popular we hear about the models of SaaS and PaaS and IaaS, but what we don't often hear about the cloud, and I'd love to get your view on this, is IAM or access and identity management as part of the cloud.
James Litton: The interesting thing about the cloud is that there has been a mass migration of users to the cloud. If you look at the traditional company in the past – doesn't matter if it was an enterprise-type organization, a private enterprise, or whether it was a hospital system or an education system – in the not too distant past, all of their services tended to be contained within their own four walls. They were in control of all of their systems, and that meant that they could build a security program that was very much focused on maintaining the security of computers that they controlled. With the movement of services out into the cloud, what organizations have been challenged with is "How do I manage this island that I just created? I just moved all of my users – my email users out into Google. I no longer control that, so how do I provision the users into Google? How do I do that user lifecycle management, so that when a user changes their password, that password change flows to Google?"
Now, take that particular challenge and amplify it twenty times. If I have twenty cloud-based systems, now I have these twenty islands of users that I have to manage. It becomes very, very challenging – things, such as password policies that are different on all these systems, the user provisioning operations themselves. Some of these systems might be SAML compliant, for example, that might make it fairly easy to do the user creation, but even then, the challenge is that SAML, even though there's a standard, it's not implemented in a standard way. So, the provisioning operation, for example, doesn't always work the same. Then, there are also the challenges with the systems that do not have a standard, such as SAML that you still, somehow, have to create the users in those systems. And so, long story short, identity and access management becomes a critical tool in helping an organization to maintain their users on all of these connected systems within a single pane of glass, with a single, unified security architecture across all of them.
Interviewer: Follow-on question, and maybe we are underestimating the role IAM can play. Most enterprises when they go to the cloud, they really mean a private cloud, which is just taking the technologies, the virtualization...blah blah blah and putting it behind the four walls. I wonder if they had more faith in IAM or if IAM could play a bigger role in getting them to actually say "No. No I don't need to do that with those kind of policies and procedures. It's safer to be out in the more public cloud."
James Litton: You know, we've already started to see a migration of these private clouds to public cloud infrastructure, mostly driven by cost. If you look at infrastructure provided by companies, such as Google or Microsoft or Amazon AWS, the infrastructure has become so relatively cheap that it's hard to justify maintaining your own data center with the same types of services. So, we've already started to see that movement into the cloud, which has really caused significant interest in the identity management space in general, as companies begin to grapple with the challenges of "How do I manage all of these users?" Whether I'm maintaining those users on my own cloud, with Amazon for example, but then coupling that with these other services that do not sit on that cloud, Office 365 or salesforce.com or the list goes on and on and on.
Interviewer: Do you think, related to that, cloud service providers have always been the whipping boy for inflexible policies, not strong enough policies in the area of security, do you think they're making headway in IAM or are they lagging behind?
James Litton: The cloud services themselves –
Interviewer: Yeah, the cloud service providers.
James Litton: You know, some of them have embarked on specific programs to try to put some policies in place around their various services. Amazon is a good example of this where they have identity management – some identity management – functionality around their various services. You have other vendors, I won't call any out specifically, but the vast majority of vendors don't have anything specific. They might have security best practices that you should follow, but by and large, the security around these systems was built around the classic credential-based security system where you have to have a unique user ID and a unique password that helps you to control access to a particular account, and the security provided with that credentialing system ultimately comes down to the uniqueness of the user ID, and then, the uniqueness of the password.
Interviewer: So, James, why do you think we're seeing a reduction in the number of point IAM solutions in IT, either through acquisition or companies going out of business?
James Litton: Really what we've seen – probably the biggest driver behind the reduction in the number of companies playing in this space is because of acquisition. If you look at the identity and access management space, that's a very, very broad area. We actually spend a lot of time when we are talking with a customer sort of defining "what does IAM mean to you?" because identity and access management covers areas, such as single sign-on. It covers user lifecycle management, that we talked about earlier. It talks about governance and compliance. It's a really broad area, and so, you're seeing certain vendors, for example, we'll talk about authentication, where you have vendors that focus specifically on authentication, which is one piece of the much broader identity and access management space. We're seeing those vendors be acquired by other vendors who play in the broader space, and so, I think that's why you're seeing the overall number of vendors be reduced somewhat.
Interviewer: James, on your Identity Automation blog, you've discussed the Internet of Things. Do you think identity applies to the Internet of Things?
James Litton: This is an area that I'm very interested in, even personally, where my hobby is actually home automation. I play a lot with devices that would fall into that realm of Internet of Things, but the short answer is absolutely. I think identity and access management plays a role in the Internet of Things world. In fact, at the last three or four identity and access management trade shows that I've been to with Gartner, Forrester, and others, you hear a lot of talk about the Internet of Things and how that might look in the identity and access management world in the years to come. A lot of this is speculative talk because we don't know exactly how this is going to look in even 18 months from now, let alone three years or five years from now. But, the one thing that we are certain of is that there are going to be way more devices than there are people. That's already happening.
We're based in Houston; you just look at oil and gas. You have huge numbers of devices out in the field that are sensor devices that oil or gas companies have used to check the health of their pumps and to do general health checks on the wells themselves, etc. These devices connect to the networks. These devices are exchanging data. They're very, very important to the enterprise, and controlling what those devices have access to, how those devices get the access, is very important and very much a core part of the identity and access management realm.
Interviewer: James, related to that, I hope the answer is yes. I'm not worried if they hack my refrigerator, but I am worried if they hack my pacemaker or get the control of my automobile. Are they focusing on that? I hear there's no attention being paid to security or certainly access management. What's going on there?
James Litton: The ability to secure these devices as they become network enabled is obviously an area that is receiving a lot of attention. You just talked about two. Medical devices and automobiles are two areas that are of particular interest. I agree with your point: if somebody wants to hack my refrigerator, that's inconvenient, but it's not life threatening. If it's a medical device, it very well could be life threatening. While Identity Automation doesn't specifically focus on these areas, I will tell you that there are a lot of folks involved in the cryptography world and in developing security standards that are very much focused on making sure that as we move forward in connecting all of these types of systems to a much broader sort of connected world, that we're doing so in a very secure way.
Interviewer: My concern James – and we've come to this – security used to be the last thing people worried about once we get the product out, etc. and I'm worried that in the race for the Internet of Things, it'll be an afterthought, and I think that would inhibit the growth. Do you agree?
James Litton: I agree with you. I think that's exactly right. Sort of the traditional way of thinking is that "we'll deal with the security piece when we have to." I think where we're at now is that's changing. You have a lot of people sort of between the conception of an idea and the release of a product into the marketplace. They're asking a lot of questions about how secure is this device? Have we really thought through the ramifications of releasing this particular device? Have we ensured that we're not going to create issues for our users or for us as a company by ignoring the security requirements to ensure that the device is safe for use by the users, but also safe for the other devices that it's sitting right beside?
So, whenever you talk about health care devices, and you think about this in your home. Everything in your home now is becoming connected: your telephone, your lights, your telephone systems, your TVs. Everything is wireless and somehow connected to a network. You have to think about how does all that stuff work together as well. I think that in the world that we live in today, there are a lot of people in the middle of these processes that are asking good questions, trying to make sure that we do this right.
Interviewer: Thanks James, that's a little reassuring. You've talked about the need for training on security, and not just for those in IT, but for everyone in the company. Can you talk a little bit more about that?
James Litton: I think this is an area where we have a lot of work to do. The vast majority of security breaches occur because of poor practices. I touched on that a little bit earlier. There was an example very recently of Hollywood Presbyterian Hospital that was ultimately held hostage by some malware. The user plugged something into the network that allowed a piece of software to encrypt all of their files, and then somebody required them to pay a ransom in order to have that information released back to them. Those types of incidents occur because somebody brought the piece of malware into the company, and I think educating users on how these breaches occur is really important.
There's not nearly enough communication on how that occurs, and what users can do to mitigate that risk. So, I think we have a long way to go, and I think the other way that we combat that is continuing to develop software systems that help us to look for these risks and to try to stop the risk or to stop the danger before it has a chance to infect your environment. And so, there is some of that happening today. We see a lot of it on end user devices. Anybody listening to this podcast would be familiar with, you know, McAfee and Symantec for example, that provide endpoint security. There's also lots of security that runs on back-end systems on servers and routers and that type of thing. You're going to continue to see an evolution in that space that looks for these types of exploits and tries to stop them, but end user security is a big part of the battle to prevent this type of risk.
Interviewer: Another interesting part of your resume, James, is Coca Cola. I don't think most of us even know that is more than one company, but you were there at a very interesting time when SOX was coming around and security was starting to come to the forefront. What were some of the security issues that Coca Cola worried about?
James Litton: My time with Coca Cola was in the late '90s. I was actually with Coca Cola in Europe and in Africa, and we were very much focused at that time on how we deal with the Y2K bugs. We were probably a little bit less focused on security back in those days. We weren't nearly as sophisticated then as we are now, but security was always somewhat of a focus. But really, the big challenge for us was Y2K, so risk mitigation. We spent a lot of time, a lot of effort, to patch computer systems across the Coca Cola Enterprise, which was a very, very large network at that time – not only Coca Cola owned computer systems for Coca Cola entities – and there were many of them – but also Coca Cola partners: Coca Cola bottling and other organizations that worked in concert with Coca Cola to patch their systems and make sure that they were ready for Y2K.
It was an interesting time. We were working on computer systems. For me, I ran the Coca Cola Southern Africa division, and we were managing computer systems all across Coca Cola Southern Africa and then later into Europe. I had the responsibility for all of the Western European and Eastern European countries as well. We had a huge task ahead of us back in those days, but the good news is we got through it with very little issue.
Interviewer: So, you've worked in the South Pacific and Africa and Europe. How does your, I guess, more worldly perspective affect your understanding of cyber security, or what have you gained from working in so many different places?
James Litton: You know, I think having the opportunity to live around the world and work around the world has just given me the perspective that people look at the world differently. The perspective that we have in the U.S., it doesn't matter what it is – how you use your computer, your perspective on politics, your perspective on just about anything – is somewhat colored by where you live, where you've grown up. I think in the cybersecurity world, it's probably a little bit less unique. You know, if you're living in Russia or you're living in India or you're living in the United States, the same security challenges exist no matter where you are. But, I think it's always interesting to know that how you go about attacking the problem is unique, and it's based on where you've grown up and your way of looking at the world. For me, the biggest takeaway I think from living in these different places and working with different people is to be open to ideas. There are many ways to tackle a problem, and it's always good to listen to different perspectives.
Interviewer: Well, James we really appreciate your time today and particularly your insight in an area that I think is going to be critical to the cloud and is critical to these systems. Thank you very much.
James Litton: Thank you. Thanks for having me.