The Evolution of Authentication and Identity Management: A Q&A with Duo's Wendy Nather
Wendy Nather discusses the evolving consumerization of security and how it affects the future of authentication.
A couple months ago, Wendy Nather, Principal Security Strategist at Duo, joined our very own Global Security Advocate Thomas Fischer and Senior Director of Cyber Security Tim Bandos for a podcast on how authentication and identity management are evolving. For the full podcast, see below or head over to iTunes. Check out an excerpt highlighting some of our burning questions about the future of authentication as people change how they use devices and access data.
What are some of the issues you’re running into that are affecting the security community?
Well, one of them is really the consumerization of security. We have users in the enterprise who are, you know, very tech savvy. They’re young, aggressive, and impatient; they’re not going to put up with the types of security forms and user interfaces that we engineers have been happy with all this time. They’re going to demand better usability and more robust, invisible security. I think that’s going to be a big challenge for us.
How do you think these changing users will impact data protection? Do you think that data protection will be exasperated by this new generation?
I think so. I think the other big issue is that it used to be that the enterprise data you were dealing with was, you know, in a different application that nobody would use at home. The software you used at work was very different, so the data stayed there and you used a different endpoint, and now, everything is interleaved. You’re using Gmail, Box, social media for personal and corporate use. So if you have to identify enterprise data, you can’t do it anymore by where it was created, what was used to create it, what time it was made, and where you were at the time. You have to look at the actual content of the data and make a judgment call, “I think this is business data.” So that’s confused things quite a bit.
Do you think we’re widening the attack surface through these technologies that you’re kind of suggesting that might have to come along for the younger generation?
I think it’s that and it’s also that the enterprise has its own idea of risk that it wants to manage. But if you as a person have your data interleaved with your company’s on the same device, you don’t want the enterprise to have a say in what you do with your personal data. Yet, you’re logging into the same devices. The only difference is your login name that you’re using maybe or where it is on your phone. I think we’re going to see more arguments with enterprise users in terms of them saying, “Well you can put policies around what I do for you but you can’t put policies around what I can do for me,” but it’s the same data and the same containers.
I think the definition of the corporate environment is changing too, especially if you’re in the cloud. You have no data center, you’re all using the same SaaS providers and your users are using the same endpoints. I think we need more identity level tagging to define if you’re doing something as you or doing something as a corporate user.
How does that play into BYOD policies at large enterprises?
Well for example, Google formed their BeyondCorp model where it should matter less where the user is as long as they are using the device that they expect to see that user using and they have identified that device as managed or unmanaged. Even if you don’t think you have a BYOD policy, we’ve had customers at Duo who’ve discovered that their corporate users are accessing applications with unmanaged devices. You can’t see that kind of usage unless you have the right logging and you’re capturing that during the authentication phase.
Do you think containing applications and putting them into virtual environments is a viable solution to reducing BYOD risk?
I think it is if you put the access proxy for example in front of the applications and you’re tracking this at the application layer. Like, if you’re logging in as yourself personally, we don’t care what you do with your data, but if you start logging in as [email protected], we are certainly going to impose additional authentication measures and additional controls, and we’re going to watch carefully what you’re doing. I think that’s the only way because users don’t want things to be installed and tracked on their personal devices.
What if a person leaves their home in the morning in a rush and they forget their badge or other form of authentication? They’d basically have to call helpdesk and override the two-factor based authentication just for the end user. Do you think we’ve evolved from that? Do you think we could do better than that now that the technology has evolved?
I don’t know if you’d call it an override any more so much as better exception handling. So one of the issues that users do come to us with or the IT staff is how do we authenticate that person who’s calling in when they don’t have the device we use to authenticate them? It really depends on how many other factors you have enrolled and what your own process is for granting those exceptions but it’s all about exception handling.
Google in their BeyondCorp paper talked about how many components you can swap out of a device before it stops being that device and they finally decided that they’re going to trust the certificate they put on the device. You can change everything else about the device but if you have put in the right data tying that device to the user and it can’t be reused anywhere else, that’s the core for assurance.
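As an added illustration (not code from the podcast, Duo, or Google), the following is a small access-proxy decision routine in the spirit of the points above: enterprise controls apply only when the login is a corporate identity, a corporate login is accepted only from a device whose certificate is tied to that same user, a second factor is required before access, and the managed/unmanaged state of the device is recorded during the authentication phase so unmanaged usage is visible. CORP_DOMAIN, the dataclass fields, and the sample identities in the test are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the enterprise's identity domain (hypothetical value).
CORP_DOMAIN = "corp.example"


@dataclass
class Device:
    device_id: str
    cert_user: Optional[str]   # user named in the device certificate; None if no cert
    managed: bool              # whether the enterprise manages this device


@dataclass
class Request:
    login: str
    device: Device
    second_factor_ok: bool     # whether a second factor was already satisfied


auth_log: list = []   # records captured during the authentication phase


def is_corporate(login: str) -> bool:
    return login.lower().endswith("@" + CORP_DOMAIN)


def device_bound_to(device: Device, login: str) -> bool:
    # The certificate ties the device to exactly one user; it is not honoured for anyone else.
    return device.cert_user is not None and device.cert_user.lower() == login.lower()


def decide(req: Request) -> str:
    """Return 'personal', 'allow', 'step_up' or 'deny', logging what the proxy saw."""
    state = "managed" if req.device.managed else "unmanaged"
    auth_log.append(f"login={req.login} device={req.device.device_id} {state}")
    if not is_corporate(req.login):
        return "personal"      # personal identity: enterprise policy is not applied
    if not device_bound_to(req.device, req.login):
        return "deny"          # corporate identity on a device not tied to this user
    if not req.second_factor_ok:
        return "step_up"       # corporate identity: additional authentication required
    return "allow"
```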