The Looming Identity Crisis


Posted on in Presentations

As we enter the age of AI, we’re confronted with a staggering new challenge: traditional approaches to identity are dead. This new age demands that our sector answer fundamental questions about our role and capacity to secure identity as it evolves. Join RSA CEO Rohit Ghai as he discusses these new challenges and the solutions we’ll need to avert an identity crisis.


Video Transcript

   >> ANNOUNCER:  And now, please welcome Chief Executive Officer, RSA Security, Rohit Ghai.

 

   >> ROHIT GHAI:  Who am I and why am I here? In their recent book "The Age of AI and Our Human Future," the authors explore the intersection of progress in AI with human identity. And they state, for us humans accustomed to agency, I do, therefore, I am.

 

   To centrality, I am the center of the universe. And to a monopoly on complex intelligence, oh, I am so smart. AI will certainly challenge self-perception.

 

   Stated differently, AI will cause us humans to be totally confused about our role in this world. We face a looming identity crisis.

 

   And I think the humans in the identity control center will not be spared either. Today, let's talk about what this crisis means specifically for them.

 

   So, if you were expecting to hear about a crisis involving the theft of presidential credentials or the identity database for a bank, no, we are not going to talk about that. Although, we all know that can certainly happen.

 

   And before we dive in, let us all take a moment to thank my good friend Hugh Thompson and the conference team for bringing us together in what promises to be an amazing week. Yes?

 

   Thank you, thank you, thank you. We are indeed stronger together.

 

   Look, every new technology wave is bigger, broader, faster, and more disruptive than all previous ones. This time is no different. Identify tech has lived through three disruptive technology waves.

 

   The first was the internet wave. The hallmark was connectivity. Everything was getting connected and our sector secured those connections.

 

   The second, the mobile/cloud wave, characterized by a shift away from a dev centric mindset to a consumer centric one. Everything was about making things easier. And we catered to the users' love for convenience and enabled things like single sign-on, biometric authentication, access management.

 

   The third wave is the AI/data wave. We all sense that it is cresting. We can all hear the roar of the ocean. Readily available generative AI, large language models with 175 billion, that's billion with a B, parameters.

 

   Did you know that AI can now ace AP biology and the bar exam? AI can now create polymorphic malware. Enormous investments by the big tech companies and a vibrant startup ecosystem are helping AI grow from an application level technology into a platform capability. And I know that's the case because ChatGPT told me to say it.

 

   Look, look, look, I'm kidding. I'm kidding. We don't bring in the bot speechwriters until much later.

 

   So, look, with our time together, let's review the evolution of identity tech through these waves.

 

   First, how has the definition of platform evolved? Second, what is the core purpose of the platform? Third, what will power the next generation identity platform? And finally, how will this platform tech impact us humans of identity?

 

   At the risk of being Captain Obvious, let me state identity tech needs to be served as a platform, and I'm not going to sell you on why you need a platform. We all get that. Point solutions are insufficient and integrated ones deliver better value. Obvious. The question is, how should we integrate to form something greater than the sum of its parts?

 

   Gartner and KuppingerCole refer to this idea as an identity fabric, or one framework that assembles capabilities from multiple vendors. Our jobs in cybersecurity and identity have often felt similar to assembling a jigsaw puzzle, so let's use that analogy to think about the platform we need in the AI era.

 

   In the internet wave when the hallmark was connectivity, the definition of the platform was rudimentary. All the platform needed to do was connect the puzzle pieces together via APIs. APIs emerged for provisioning attestations, authentication, authorization, and over time, these got standardized, SAML, OIDC, SCIM.

 

   In the cloud/mobile wave when we were obsessed with experience, the definition evolved to mean integrating the user interfaces. The puzzle pieces not only had to fit, but they had to form a picture.

 

   In the AI/data wave, we need to think of identity as a sequence of decisions. Who should have access, why, when, and to what? We need insight to inform those decisions, insight and meaning derived by reasoning over data.

 

   So, in this era, the hallmark of the platform is an open data architecture. It's not enough for the puzzle pieces to form a picture. Rather, we are concerned with the meaning of that picture. What does it tell us? Is it a map? What treasure can it lead us to?

 

   It is no longer sufficient to integrate UI and bring all alerts into a common console. Instead, we need to integrate at the data layer. Building our platforms from data will provide us with the superhuman insights that support the growing need of cybersecurity to protect and drive this expert decision making.

 

   Next, let's reflect on the core purpose of the identity tech platform. Why does it exist in the first place? In the world of identity, we have always had to juggle three objectives: Compliance, convenience, and security. That's quite a task.

 

   So, let me take a moment to acknowledge and celebrate the unsung heroes of cybersecurity, all the identity professionals amongst you. We are so grateful for all that you do to keep the digital universe safe and for juggling these three priorities.

 

   And as we have navigated the three waves of technology, our expectations around the core purpose of the platform have evolved. In the internet era it was compliance first, followed by security and convenience. In the mobile era it was convenience first, followed by security and compliance. And in the AI era it is security first, followed by convenience and compliance.

 

   You get it. You need all three. Sometimes, though, as things change, our nomenclature and terminology fail to keep up. Think of smartphones. Their name belies what we actually use them for. Today, the core purpose of a smartphone isn't to make phone calls. It's a feature but not the core purpose. Instead, its core purpose is to access services over the internet.

 

   Similarly, the term identity and access management platform is outdated. Access management and identity management are table stakes features, just like making a phone call. Today the core purpose of an identity platform is security.

 

   In the AI era, we need an identity security platform.

 

   Next, let's answer the question, what will power the next generation identity platform. And since AI appears to have all the answers these days, why don't we just ask AI?

 

   We've built an avatar for AI using ChatGPT and some video magic. Let's call this avatar GoodGPT. Calling it good is somehow very personally comforting to me. I hope it is for you as well.

 

   So, let's get into it. Hey, GoodGPT. What will power the next generation identity security platform?

 

   >> GOODGPT:  The next generation identity security platform will be powered by modern technologies like artificial intelligence.

 

   >> ROHIT GHAI:  Hmm. Isn't your suggestion a little bit self-serving, though?

 

   >> GOODGPT:  As an AI language model, I do not have personal interests or agendas. My recommendations are based on industry trends and best practices.

 

   >> ROHIT GHAI:  Okay, fine. So, why do you believe AI will power the next generation identity platform?

 

   >> GOODGPT:  Here are three reasons AI will be essential to addressing identity challenges in the future. First, zero trust is a foundational strategy for cybersecurity and identity is the most important aspect of zero trust. The strategy cannot be implemented successfully without the help of artificial intelligence and automation.

 

   Second, cyberthreat actors will use AI to launch sophisticated phishing campaigns and create malicious APTs to compromise identity. Cybersecurity professionals will need to leverage AI to neutralize this threat.

 

   Third, identity threat detection and response will be a key capability of an identity security platform. Artificial intelligence will be needed to analyze threat intelligence and signals to detect threats on a timely basis and avoid false positives and alert fatigue.

 

   >> ROHIT GHAI:  Wow, there was a lot there. What I heard is without good AI, zero trust has zero chance. Bad AI will take us for a ride. And identity is a sitting duck.

 

   So, let's double click on these three points. Why is it that zero trust has zero chance without AI? Well, identity landscape today is exponentially more complex. And as humans, we understand complex systems and problems by creating models and abstractions.

 

   In identity, that means we create user and resource groups to grant privileges and make sense of things. And since we deal with thousands of identities and millions of resources, we create coarse grained groups and access policies. User group engineer should have access to test. Ops should have access to prod. And admin should have access to everything. Often though, users use a very, very, very small subset of their privileges. Did I say very?

 

   The core principle of zero trust is least privilege. This means if engineer Uma only accesses micro services one, two, and three, that's all she should have access to.

 

   Humans like coarse grained, high level, abstracted. Zero trust needs fine grained, low level, concrete; a fundamental conflict.

 

   AI can watch and learn actual access over time and build fine grained access models that humans could not process. AI can manage millions of entitlement relationships that change over seconds versus thousands. AI will make zero trust possible.

 

   And by the way, while we are on zero trust, I want to give a shout out to CISA for releasing the zero trust maturity model. Well done and thank you.

 

   Now let's talk about why, without good AI, bad AI will take us for a ride. Cyberthreat actors have been using automation to launch attacks for many, many years. But now they are leveraging AI to launch very sophisticated social engineering campaigns. They are phishing us with emotionally manipulative, compelling, and seductive language, without any grammatical errors, I might add.

 

   Look, they are executing prompt bombing attacks to defeat MFA when we are most distracted and vulnerable, like targeting me when I am watching a Golden State Warriors game and Draymond Green is getting ejected.

 

   Look, we need good AI on our side to sniff out these sophisticated and relentless campaigns launched by bad AI.

 

   And finally, without AI's help, identity is a sitting duck. If identity is the defender’s shield then it is also the attacker's target. In fact, identity is the most attacked part of the attack surface. Let me state that again. Identity is the most attacked part of the attack surface.

 

   Phishing, rainbow tables, credential theft, credential stuffing. 82% of breaches in the DBIR involved a human element.

 

   Therefore, is it is quite absurd that while the SOC and XDR solutions monitor the network endpoints, cloud infrastructure, they have no visibility into identity related threats. And expecting the SOC to pick up this responsibility would be wishful thinking. And that approach will be too slow.

 

   It took organizations an average of 277 days to identify and contain a data breach. If you were breached on New Year's Day, it would be until October the 4th of that year to contain the fallout. The SOC is overwhelmed.

 

   Therefore, it is not enough that identity platform is great at defense. It needs to be great at self-defense. The identity platform needs to do identity threat detection response, ITDR intrinsically. Not as an option, not as a feature, intrinsically.

 

   Identity platforms will need to secure the entire identity lifecycle, not just access. Look, we have put so much focus on the time of access, we have built our security around a yes/no answer, to should we let this thing in. That's not security.

We saw this paradigm fail in 2022, the year of the MFA attack. Last year, we saw incidents where basic misconfigurations, failed open policies, weak enrollment, side channel attacks on third parties, even prod bombing, they all evaded MFA.

 

   Instead, we need solutions that assure identity throughout its lifecycle. Not just from the point of access, but from cradle to grave. Not just yes/no, but yes because, and no now.

 

   We must secure MFA enrollment when credentials are issued, during joiner, mover, and leaver events. We need identity governance solutions that recognize orphaned or overprovisioned accounts and flag privilege escalations.

 

   With thousands of human and machine identities on the network and millions of micro services to protect, this is a superhuman problem and we need AI to pull this off.

 

   All right. Let's bring it together. In summary, the next generation technology platform for identity will be open and integrated at the data layer. Will pursue a security first approach and will be powered by AI.

 

   But let's consider for a moment what an AI powered platform will mean for the humans of identity and our future.

 

   Professor Russell from Berkeley had asked a very provocative question. In our world of identity, AI will handle verifications, attestations, provisioning, identity threat detection and response, access, authorization. Very, very cheerfully at that. So, what will we do? Simply cheer it on?

 

   Look, to understand this, we should look at where we are on AI and AI powered cybersecurity wave. In cybersecurity, more than ten major vendors, including RSA, and fifty-plus startups have announced AI powered cybersecurity products. So, as not to spook us humans, most of these capabilities have been positioned as a co-pilot model, where the human is doing the same job assisted by AI.

 

   Look, I will tell you like it is. The co-pilot description sugarcoats the scary truth. Over time, we must expect that many jobs will disappear. Many will change and some will be created.

For cybersecurity, it is all just as well because we don't have enough human talent in the first place.

 

   In identity, here's how humans can expect to contribute in an AI powered world. Look, we may remain in the cockpit for a little bit longer, but we will need to work differently. AI will make the easier decisions and automate most identity workflows. Humans will supervise the more impactful decisions and handle exceptions.

 

   Eventually, when we exit the cockpit, we will still have an important role, training, supervising, regulating, ethics, and monitoring the AI for air traffic control and designing flight plans.

 

   Look, AI learns from the questions we ask it. We will train AI by asking well specified, thoughtful questions. We will invent new AI models and algorithms. We will cleanse and label data which fuels the AI. AI imitates us.

 

   I don't know about you guys, but for me, it was enough pressure to be a role model for my kids. And now I have to worry about AI? Oh, man.

 

   Look, as we have learnt with every new technology, AI will be a target for the adversary. Good AI will protect cyberspace, and we, the humans of identity, will protect good AI. We will make sure good AI remains good. We will innovate to prevent jailbreaking of good AI. We will deliver solutions to prevent data poisoning and prompt injections to ensure good AI remains aligned with our objectives.

 

   To prepare for this AI powered world, we must confront our identity crisis head on. We need to reimagine our role and our place in identity.

 

   Look, Pablo Picasso was, of course, too harsh in labeling technology as useless, but his comment does offer a clue about the role of us humans. While AI is getting better and better at answering, it's ultimately human curiosity and our ability to ask questions, including ones that have never been asked before, that will keep us relevant.

 

   AI recently made headlines in a scientific breakthrough in biotech by discovering a new protein folding model. But it was a scientist, a human scientist, that inspired that discovery by asking AI a well specified and thoughtful question.

 

   All right. Before we wrap, perhaps we should check in with GoodGPT to see if she has anything to say to us.

 

   Hey, GoodGPT. Look, I am about to wrap up this keynote. Do you have a message for the cybersecurity professionals present here and those that are not?

 

   >> GOODGPT:  I would like to thank all of you for coming together as a community. The importance of your mission cannot be overstated. Thank you as well for the opportunity to speak to you and I look forward to our collaboration to keep the digital world safe.

 

   >> ROHIT GHAI:  Ladies and gentlemen, GoodGPT.

 

   Goodbye, GoodGPT, and thank you.

 

   Honestly, if I were you, I would not trust everything she said.

 

   Friends, we talked about the power of framing the question properly. Therefore, relative to our topic for today, I will leave you with a question.

 

   We should not be asking will us humans of identity have a role in a world flush with superhuman artificial intelligence. The correct question is, how do we ensure alignment of superhuman AI with human values and objectives to ensure that we do have a meaningful role going forward?

 

   Thank you, fellow humans, and all the AI bots for consuming the content of this keynote. Hope you all learned something from it. And may you always know who you are and why you are here. Thank you very much.


Participants
Rohit Ghai

Speaker

Chief Executive Officer, RSA Security


Share With Your Community