Welcome to Part 3 of the Keynote Panel recap. Last week we looked at the spirit of cooperation among the identerati community, and how companies attending CIS grapple with competing yet common interests. In the final post of the series, we are visiting a common issue: the compromised credentials conundrum. As Ron said, "It seems like every week there's a breach and it's often related to compromised credentials. You guys are credentials experts. Why aren't we better and why is it the weak link?"
Here are some highlights from the discussion. For more color, watch the 30-minute video here.
"There's some wiggle words in that questions. Protecting credentials. What are we protecting? Are we talking about salted hashed encryption? The individual is the gatekeeper of letting in the good or bad... We're asking.. the individual to make the right decision. So when we say protect our credentials does that means we need to harden the way we actually have password hygiene and everything around that, or are we federating? Or does it mean we're asking the user to be the vanguard to our entire enterprise and protect to their death what we have? So protect the credential is a squirrely space, and without knowing all the nuance of what happens, it comes across as "oh we need longer passwords." We'll that's not the answer to protect the credential. It's much more nuanced than that." - Ian Glazer
"At some level this isn't an identity problem. Both privacy and identity rely on underlying security and security is hard. In some sense that's not our problem as the identity community. But in another sense, it is our problem to design identity mechanisms which depend less and less on security. That is where these behavioral and observational and contextual methods that don't rely on secrets and rely on things that are easily replicable by bad guys are going to be very helpful in the future." - Bob Blakley
"Defense in depth is really what we need. If the thing people want to use again and again for their security and happiness is their password, but the one thing someone can walk in with through the front door, then you have a first order problem. Don't rely solely on passwords. If you are, why are you doing all the other stuff?" - Pamela Dingle
We're clearly in the middle of a time of rapid change, which is why the Cloud Identity Summit serves as such a valuable bellwether for security professionals each year. Ping has always viewed collaboration as a necessary step in addressing the problems facing our industry; CIS is a true reflection of that ideal, and the ideas exchanged there are advancing technological and business goals around identity and security with every passing year.