The Looming Identity Crisis

The RSAC 2023 Keynote by Rohit Ghai, CEO of RSA Security

Stated very simply, AI will cause us humans to be totally confused about our role in this world. We face a looming identity crisis. I think the humans in the identity control center will not be spared either. Today let’s talk about what this crisis specifically means for them.

Identity tech has lived through 3 disruptive technology waves. The first was the internet wave. The hallmark of that time was connectivity. Everything was getting connected, and our sector secured those connections. The second: the mobile/cloud wave. It was characterized by a shift away from a developer-centric mindset to a consumer-centric one. Everything was about making things easier. We catered to users’ love of convenience and enabled single sign-on, biometric authentication, and access management. The third wave is the AI/data wave. Readily available generative AI, large language models with 175 billion parameters. AI that can ace AP biology tests and the bar exam. AI that can now write polymorphic malware.

Enormous investments by the big tech companies and a vibrant startup ecosystem are helping AI grow from an application-level technology into a platform capability. Point solutions are insufficient and integrated ones deliver better value. The question is how should we integrate to form something greater than the sum of its parts?

Identity Fabric

Gartner and KuppingerCole refer to this idea as an “identity fabric” or one framework that assembles capabilities from multiple vendors. Our jobs in cybersecurity and identity have always felt similar to assembling a jigsaw puzzle. Let’s use that analogy to think about the platform we need in the AI era.

In the internet wave, when the hallmark was connectivity, the definition of platform was rudimentary. All platforms needed to do was connect the puzzle pieces together via APIs. APIs emerged for user provisioning, attestations, authentication, access and authorization. Over time these became standardized open APIs: SAML, OIDC, SCIM.

In the cloud/mobile wave when we were obsessed with experience, the definition evolved to mean integrating the user interfaces to ensure the user experience was not clunky. The puzzle pieces not only had to fit but they needed to form a picture.

In the AI/data wave, we need to think of identity tech as a sequence of decisions – who should have access, why, when and to what? We need insight to inform those decisions. Insight and meaning that is derived by reasoning over data. So in this era, the hallmark of the platform is an open data architecture. It’s not enough for the puzzle pieces to form a picture. Rather, we are concerned about the meaning of that picture. What does it tell us? Is it a map? What treasure can it lead us to?

It is no longer sufficient to integrate the UI and bring all alerts into a common console. Instead, we need to integrate at the data layer. Building our platforms from data will provide us with the superhuman insights, expert and decision support that cybersecurity will need to protect a growing attack surface.

Let’s reflect on the core purpose of the identity tech platform. Why does it exist? In the world of identity we have always had to juggle three objectives – compliance, convenience and security. This is quite a task.

Let me take a moment to acknowledge the unsung heroes of cybersecurity – all the identity professionals amongst you. We are grateful for all that you do to keep the digital universe safe and for juggling these three priorities.

As we have navigated the three waves of technology, our expectations around the core purpose of an identity platform have shifted. In the internet era it was compliance-first (followed by security and convenience). In the mobile/cloud era it was convenience-first (followed by security and compliance). In the AI era it is security-first (followed by convenience and compliance).

Sometimes as things change, our nomenclature and terminology fail to keep up. Think of smartphones: their name belies what we actually use them for. Today, the core purpose of this device isn’t to make phone calls. It is still a feature but not the core purpose. Instead, its core purpose is to access services over the internet.

Similarly, the term “Identity and access management platform” is outdated. Access management and identity management are table stakes features just like making a phone call. Today the core purpose of an identity platform is security. In the AI era we need an identity security platform.

Conversation with an AI

Next let’s answer the question: what will power the next-generation identity platform? Since AI appears to have all the answers these days, why don’t we just ask AI? We’ve built an avatar for AI using ChatGPT and some video magic. Let’s call this avatar Good GPT: calling it good is somehow comforting, at least it is for me and I hope it is for you as well.

Hey Good GPT. What will power the next generation identity security platform?

GoodGPT: The next generation identity security platform will be powered by modern technologies like artificial intelligence.

Isn’t your suggestion a bit self-serving?

GoodGPT: As an AI language model, I do not have personal interests or agendas. My recommendations are based on industry trends and best practices.

OK fine… So why do you believe AI will power the next generation identity security platform?

GoodGPT: Here are three reasons AI will be essential to addressing identity challenges in the future.
First – Zero trust is a foundational strategy for cybersecurity and identity is the most important aspect of zero trust. This strategy cannot be implemented successfully without the help of artificial intelligence and automation.
Second – Cyber threat actors will use AI to launch sophisticated phishing campaigns and create malicious APTs to compromise identity. Cybersecurity professionals will need to leverage AI to neutralize this threat.
Third – Identity threat detection and response (ITDR) will be a key capability of an identity security platform. Artificial intelligence will be needed to analyze threat intelligence and signals to detect threats on a timely basis and avoid false positives and alert fatigue.

OK, what I heard is...

  • Without Good AI, Zero trust has zero chance of success.
  • Bad AI will take us for a ride
  • Identity is a sitting duck

Let’s double-click on these 3 points.

Why is it that Zero Trust has Zero chance without AI?

The identity landscape today is exponentially more complex. Humans understand complex systems and problems by creating models and abstractions. In identity, what this means is creating user and resource groups to grant privileges and make sense of things. Since we deal with thousands of identities and millions of resources, we create coarse-grained groups and access policies. User group Engineer should have access to Test, Ops should have access to Prod, Admin should have access to everything.

Core Principles

Often, though, users only use a very, very small subset of their privileges. The core principle of Zero Trust is least privilege. This means if engineer Uma only accesses microservices 1, 2 and 3, that’s all she should have access to.
Humans like coarse-grained: high level, abstracted. Zero Trust needs fine-grained: low level, concrete. A fundamental conflict.

AI can watch and learn actual access and over time build fine-grained access models that humans could not process. AI can manage millions of entitlement relationships versus thousands. AI will make zero trust possible.
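What "watching and learning actual access" amounts to, at its simplest, is comparing the coarse-grained grant against the resources a user was actually observed using and proposing the difference for revocation. The following is an added example written for this page, not code from the keynote or from RSA. The group grants, the user-to-group mapping, the log line format and the log lines themselves are all constructed for the demo; it also goes one step beyond the keynote's Uma example by flagging allowed accesses that fall outside the grant model, which usually means policy drift or a misconfiguration, and by refusing to recommend revocation until the observation window is long enough.

```python
"""
Entitlement right-sizing from observed access.

Added example, not the keynote's or RSA's code. Everything here is constructed:
the group grants, the user-to-group mapping, the log format and the log lines.
"""
import re
from datetime import datetime, timedelta

# Constructed coarse-grained policy ("Engineer should have access to Test").
GROUP_GRANTS = {
    "Engineer": {f"test/svc-{i}" for i in range(1, 6)},  # svc-1 .. svc-5 in Test
    "Ops": {f"prod/svc-{i}" for i in range(1, 6)},       # svc-1 .. svc-5 in Prod
}
USER_GROUPS = {"uma": {"Engineer"}, "olu": {"Ops"}}

# Constructed access log: one line per access decision.
ACCESS_LOG = """\
2023-04-03T09:12:01Z user=uma resource=test/svc-1 result=allow
2023-04-03T09:15:44Z user=uma resource=test/svc-2 result=allow
2023-04-10T14:02:10Z user=uma resource=test/svc-3 result=allow
2023-04-17T08:40:09Z user=uma resource=test/svc-1 result=allow
2023-04-24T16:55:31Z user=uma resource=test/svc-2 result=allow
2023-04-05T11:00:00Z user=olu resource=prod/svc-4 result=allow
2023-04-19T11:30:00Z user=olu resource=prod/svc-4 result=allow
2023-04-20T02:13:27Z user=olu resource=test/svc-1 result=allow
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<res>\S+) result=(?P<result>allow|deny)$"
)


def parse_log(text):
    """Yield (timestamp, user, resource, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are ignored, never guessed at
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["res"], m["result"]


def granted_resources(user):
    """Union of every coarse-grained grant the user inherits from their groups."""
    granted = set()
    for group in USER_GROUPS.get(user, ()):
        granted |= GROUP_GRANTS.get(group, set())
    return granted


def right_size(log_text, min_window_days=14):
    """Compare what each user was granted with what they actually used.

    Per user, returns the resources used, the granted resources never used,
    allowed accesses outside the policy model (drift or misconfiguration worth
    investigating), and whether the observed window is long enough to
    recommend revoking the unused grants. Users with no log lines at all are
    still reported, with every grant unused.
    """
    used = {user: set() for user in USER_GROUPS}
    first = last = None
    for ts, user, res, result in parse_log(log_text):
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        if result == "allow":  # denied attempts do not count as usage
            used.setdefault(user, set()).add(res)
    window_ok = first is not None and (last - first) >= timedelta(days=min_window_days)

    report = {}
    for user, used_res in used.items():
        granted = granted_resources(user)
        report[user] = {
            "used": used_res,
            "unused": granted - used_res,
            "outside_grant": used_res - granted,
            "recommend_revoke": window_ok and bool(granted - used_res),
        }
    return report


if __name__ == "__main__":
    for user, r in sorted(right_size(ACCESS_LOG).items()):
        print(user, "unused:", sorted(r["unused"]),
              "outside grant:", sorted(r["outside_grant"]),
              "revoke:", r["recommend_revoke"])
```

On the constructed log, Uma is granted five Test services but only used three, so svc-4 and svc-5 are proposed for revocation; Olu's allowed access to a Test service that no Ops grant covers is surfaced separately, because an "allow" the policy model cannot explain is a finding in its own right rather than something to learn from.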

Let’s talk about why without Good AI, Bad AI will take us for a ride.


Cyber threat actors have always used automation to launch attacks. Now they are leveraging AI to launch very sophisticated social engineering campaigns.
They are phishing us with emotionally manipulative, compelling and seductive language. Without any grammatical errors, I might add. They are executing prompt bombing attacks to defeat MFA when we are most distracted and vulnerable. Like targeting me when I am watching a Golden State Warriors game and Draymond Green is getting ejected. We need Good AI on our side to sniff out these sophisticated and relentless campaigns launched by Bad AI.

Finally without AI’s help, Identity is a sitting duck. If identity is the defender’s shield, then it’s also the attacker’s target. In fact, identity is the most attacked part of the attack surface. Phishing, rainbow tables, credential theft, credential stuffing: 82% of breaches in the DBIR involved the human element. Therefore it’s quite absurd that while the SOC and XDR solutions monitor the network, endpoints, cloud infrastructure, they have no visibility into Identity related threats.

Security operations centers are overwhelmed

Expecting the SOC to pick up this responsibility would be wishful thinking and that approach may be too slow. It took organizations an average of 277 days to identify and contain a data breach. If you were breached on New Year’s Day, then on average it would take until October 4 of that year to contain the fallout. The SOC is already overwhelmed. It’s not enough that an identity platform is great at defense. It also needs to be great at self-defense.

The identity platform needs to do ITDR intrinsically—not as a feature or an option. Identity platforms will need to secure the entire identity lifecycle—not just access.

We’ve put so much focus on the time of access. We’ve built our security around a yes/no answer to, “Should we let this thing in?” That’s not security. We saw that paradigm fail in 2022—the year of the MFA attack. Last year we saw incidents where basic misconfigurations, fail-open policies, weak enrollment, side-channel attacks on third parties, even prompt bombing all evaded MFA. Instead, we need solutions that assure identity throughout the entire lifecycle.

Not just from the point of access but from the cradle to the grave. Not just yes/no—but yes because or no now. We must secure MFA enrollment, when credentials are issued, during the joiner-mover-leaver stages. We need identity governance solutions that recognize orphaned or over-provisioned accounts and flag privilege escalations. With thousands of human and machine identities on the network and millions of microservices to protect, this is a superhuman problem and we will need AI to pull that off.
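Two of the lifecycle checks named above can be stated precisely enough to automate without any AI at all: an account is orphaned when it is still active but the person responsible for it has left or is not known to the HR system of record, and a privileged grant is a privilege escalation to flag when no approved change explains it. The block below is an added example written for this page, not code from the keynote or from any vendor's product. The HR directory, the account inventory, the list of entitlements treated as privileged and the grant events are all constructed, and the "CHG-..." change-ticket ids are hypothetical.

```python
"""
Identity lifecycle governance checks (joiner-mover-leaver).

Added example, not the keynote's or any vendor's code. The HR directory, the
account inventory, the privileged-entitlement list and the grant events are
constructed for this demo; "CHG-..." ticket ids are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed: granting one of these is a privilege escalation to flag unless it
# is tied to an approved change.
PRIVILEGED = {"admin", "prod-deploy"}


@dataclass
class Account:
    name: str
    owner: str       # person responsible (themselves for human accounts)
    kind: str        # "human" or "service"
    status: str      # "active" or "disabled"
    entitlements: set = field(default_factory=set)


# Constructed HR directory: the system of record for people.
HR_STATUS = {"uma": "active", "raj": "terminated", "olu": "active"}

# Constructed account inventory as a governance tool would collect it.
ACCOUNTS = [
    Account("uma", "uma", "human", "active", {"engineer"}),
    Account("raj", "raj", "human", "active", {"engineer", "admin"}),    # leaver, still active
    Account("svc-build", "raj", "service", "active", {"prod-deploy"}),  # owned by the leaver
    Account("olu", "olu", "human", "active", {"ops"}),
    Account("svc-report", "ghost", "service", "active", {"reader"}),    # owner unknown to HR
    Account("old-intern", "raj", "human", "disabled", set()),           # already disabled
]

# Constructed grant events: (timestamp, account, entitlement, change ticket or None)
GRANT_EVENTS = [
    ("2023-04-10T10:00:00Z", "olu", "admin", None),              # privileged, no approved change
    ("2023-04-11T09:00:00Z", "uma", "prod-deploy", "CHG-1042"),  # privileged, approved mover
    ("2023-04-12T09:00:00Z", "uma", "reader", None),             # not privileged
]


def find_orphaned(accounts, hr_status):
    """Active accounts whose responsible person has left or is unknown to HR.

    Returns (account name, reason) pairs. Service accounts are checked through
    their owner, which is how a leaver's automation survives offboarding.
    Disabled accounts are not reported.
    """
    findings = []
    for acct in accounts:
        if acct.status != "active":
            continue
        owner_state = hr_status.get(acct.owner)
        if owner_state is None:
            findings.append((acct.name, "owner unknown"))
        elif owner_state == "terminated":
            findings.append((acct.name, "owner terminated"))
    return findings


def find_escalations(events, privileged=PRIVILEGED):
    """Grants of a privileged entitlement that carry no approved change ticket."""
    return [(ts, acct, ent) for ts, acct, ent, ticket in events
            if ent in privileged and not ticket]


def lifecycle_report(accounts=ACCOUNTS, hr_status=HR_STATUS, events=GRANT_EVENTS):
    """Bundle both checks into one report, keyed by finding type."""
    return {"orphaned": find_orphaned(accounts, hr_status),
            "escalations": find_escalations(events)}


if __name__ == "__main__":
    for kind, rows in lifecycle_report().items():
        print(kind)
        for row in rows:
            print("  ", row)
```

The point of keying the orphan check on the HR record rather than on the account itself is the leaver case: Raj's own login and the build service account he owned are both caught, while Olu's admin grant is flagged not because admin is wrong for Olu but because nothing on record approved it.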

In summary, the next-generation technology platform for identity will be open and integrated at a data level, will pursue a security-first approach and will be powered by AI. But let’s consider what an AI powered platform will mean for the humans of identity and our future.

Professor Russell from Berkeley had asked a provocative question.

In our world of identity, AI will handle verifications, attestations, provisioning, identity threat detection and response. Very cheerfully at that! So what will we do? Simply cheer it on!

To understand this, we should look at where we are on the AI and AI-powered cybersecurity wave.

The copilot

In cybersecurity, more than 10 major vendors including RSA and 50+ startups have announced AI-powered cybersecurity products. So as not to spook the humans, most of these capabilities have been positioned as a copilot model where the human is doing the same job simply assisted by AI. The copilot description sugarcoats a scary truth. Over time, we must expect that many jobs will disappear, many will change and some will be created.

In identity here is how humans can expect to contribute in an AI-powered world. We may remain in the cockpit for a little bit longer but we will need to work differently. AI will take easier decisions and automate most identity workflows. Humans will supervise the more impactful decisions and handle exceptions. Eventually when we exit the cockpit, we will still have an important role training, supervising and monitoring the AI for air traffic control and designing flight plans.

AI learns from the questions we ask it. We will train AI by asking well-specified questions. We will invent new AI models and algorithms, we will cleanse and label the data that fuels the AI. AI imitates us. I don’t know about you, but for me it was enough pressure to be a role model for my kids and now I have to worry about AI.

As we have learned with every new technology, it will be a target for the adversary. AI will be no different. Good AI will protect cyberspace and the humans of identity will protect Good AI. We will make sure Good AI remains good. We will innovate to prevent jailbreaking of Good AI. We will deliver solutions to prevent data poisoning and prompt injections to ensure Good AI remains aligned with our objectives.

To prepare ourselves for this AI-powered world we must confront our identity crisis head-on. We will need to reimagine our role and our place in identity.

Pablo Picasso was of course too harsh in labeling technology as useless, but his comment offers clues about the role of humans.

While AI is getting better and better at answering questions, it’s ultimately human curiosity and our ability to ask questions including ones that have never been asked which will keep us relevant. AI recently made headlines and a scientific breakthrough in biotech by discovering a new protein folding model. But it was a human scientist that inspired that discovery by asking AI a well-specified and thoughtful question.

All right, before we wrap let’s check in with Good GPT to see if she has anything to say to us.

Hey GoodGPT. I am about to wrap up this keynote. Do you have a message for the cybersecurity professionals present here and those that are not?

GoodGPT: I would like to thank all of you for coming together as a community. The importance of your mission cannot be overstated. Thank you as well for the opportunity to speak to you and I look forward to our collaboration to keep the digital world safe.

Goodbye Good GPT.

Honestly…If I were you, I wouldn’t trust everything she said.

Friends, we talked about the power of framing the question properly. Therefore, relative to our topic for today, I will leave you with a question. We should not be asking: Will humans have a role in a world flush with superhuman artificial intelligence?

The correct question is – How do we ensure the alignment of superhuman AI with human values and objectives to ensure that we do have a meaningful role going forward?

Thank you fellow humans and all the AI bots for consuming the content of this keynote. Hope you all learn something from it. And may you always know who you are and why you are here.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
