Identity is replacing the password: What software developers and IT pros need to know
Identity and access management is pushing application security past single-factor authentication (a password), and even past multi-factor authentication, toward a risk-management model, says Ping Identity's CEO.
Identity and access management systems are making it easier for software developers to secure their applications, for employees and customers to access the tools and services they need, and for companies to protect their systems and data. On a recent episode of , I spoke with Andre Durand, Founder and CEO of Ping Identity, about how the changing landscape of identity and access management is affecting software development. We also talked about what it will take for us to reach a “passwordless” world.
The following is a transcript of the interview, edited for readability.
Bill Detwiler: So before we get started really talking about identity and access management, for those listeners and viewers who don’t know Ping Identity, give me a rundown on the company.
Andre Durand: Well, Bill, so this whole identity thing has become really important and it’s because you can’t secure what you can’t identify. And all of our lives now are being driven largely digital in a way. And all of these digital interactions involve us interacting with apps on our phone, in the cloud, at companies all over the place and identity’s role is to make sure the right user is accessing the right thing. So it really is kind of the foundation of this highly decentralized mobile world we live in and the need basically to tether together this whole concept of appropriate access.
So for large enterprises, large complex enterprises have very sophisticated multi-generational IT landscapes going in some cases all the way back to the mainframe and pretty much everything in between. And now they have data centers closing, apps doing the lift and shift to the cloud. And they’re adopting new applications now in multiple clouds. And they’ve got users now through COVID working at home. So for this notion of how do you enable frictionless secure access for employees? Identity is pretty much the linchpin. It’s the steel thread that is now holding together this new paradigm where identity has become the new perimeter.
So what Ping does in this equation is for the global enterprises, really the largest 3,000 companies around the world, we help those companies set up a centralized, what we call authentication and authorization set of capabilities to allow users to authenticate to the enterprise and then gain access to any application or resource, no matter where it’s at. And for the enterprise to have control over what is appropriately authorized for them to access. So it’s this whole notion of identity security.
And we do that for employees, meaning workers who day in and day out have to strongly authenticate, if you will, to the enterprise to gain access to everything that they need to do their jobs, as well as we do it for customers. So great customer experiences, how do end users register and then authenticate to all these products and services through their mobile phone, through websites, really through the omni-channel. Securing that identity and enabling frictionless experiences for all of these different identity types. Workers, employees, partners, and customers. We do that for 62 of the Fortune 100. We protect about two and a half billion accounts globally, where likely here in the US, 13 of the 15 largest banks here in the US all trust Ping to secure identity, to secure their interactions.
How should software developers be thinking about identity and access management?
Bill Detwiler: It used to be that enterprises would set up Microsoft Active Directory and server. They would throw that out there. And that’s the way that their employees would authenticate to the network, and then they might have passwords for various systems and applications. But with the move to the cloud, and you alluded to this, and the move to everything as a service, the landscape is much more complicated. And especially when you’re trying to integrate legacy systems, like you said, mainframes, with new modern cloud-based systems, that gets really complicated.
So you kind of touched on this, but I’d love to drill down on it a little bit more, which is how should those people who are looking at either building enterprise applications or looking at how they integrate all these applications together, how should they be thinking about identity and access management today?
Andre Durand: Well, the world was a little simpler back when everything was Windows and Active Directory was kind of like the default location that we stored employee identities and passwords. And you would essentially authenticate through Windows Active Directory. And in an all-Windows on-prem world, we had single sign-on invisibly. It was called Kerberos back at the time.
But now the world is more distributed than that. And the control plane has shifted, or the foundation has shifted, from being kind of like an on-prem network-centric, AD-centered view of how we manage identity to, Hey, this identity thing. It really is larger and more central in a highly distributed world where all the things that we do kind of on our desktop, if you will, and the apps that we have on our desktop are now being mixed with lots of applications that are SaaS and in the cloud.
And so really what’s happening is identity is centralizing, but it’s centralizing not around Active Directory on-prem. It’s now centralizing to a new centerpiece or control plane for all apps across the . So both on-prem, the legacy stuff, as well as new SaaS and applications that are moving into the public cloud.
So I think the first thing to understand is that from an enterprise perspective, this notion of having identity embedded in apps everywhere is not ideal, right? I mean, so if you’re at a large enterprise you’re responsible for protecting all the crown jewels and enabling appropriate access for every user to everything. What’s the right model? Well, the right model is to have a centralized authentication service that all your users, whether it’s employees or partners or customers, they authenticate to that one thing, if you will. And then they gain access to the applications through standards-based single sign-on, new standards that we’ve developed over the past several years.
Without the standards-based single sign-on, that wasn’t possible. It wasn’t possible to abstract out the authentication to something that was central and then gain access to all the apps. But best practice now is through these federated open standards and things like single sign-on best practices to centralize those.
So that’s the theme. Enterprises are now centralizing the services, abstracting them out of the applications so that they can create a consistent user experience for end users that isn’t app by app, so to speak. There’s one consistent experience for authentication and multi-factor authentication. And then it’s kind of invisible as to how that integrates in the backend with all these applications and services.
The same thing will happen with authorization. We’re not quite here yet. We’re still in the process of centralizing authentication. But I think you have to look at it from the perspective, it’s an outside in perspective. It says, what is the user experience that we want employees to have, or the user experience we want partners to have?
And you have to think big, at an enterprise level. Is it a good experience to have lots of fragmented experiences, or is it a better experience to have one? And I think if you look at the digitally native companies, so think Apple and Google and Microsoft and Amazon. You don’t have lots of Amazon accounts to access Audible and Amazon store and Echo and Kindle. You have one Amazon account for all products and services. Same thing with Google. And large companies are looking to recreate that. They want streamlined, frictionless, secure, consistent experiences where users interact with the brand.
So I think it’s to really appreciate the end user experience. We need to centralize this identity set of user experiences and how they interact with applications.
What mistakes do you see companies make when it comes to identity and access management?
Bill Detwiler: Yeah. And it reminds me a lot of trends that we see in IT in general. So we’ve talked about the consumerization of IT for years now, and it really is about bringing the simplicity of that consumer experience into enterprise IT, and that’s what you were talking about, sort of, the digital-first employees now really expect. And honestly, myself, I expect that too. We all want simplicity, and it sounds like solutions like Ping, what you’re really trying to do is make it easy for the end user, obviously, but also for those people inside the organization who are building those apps as well, because you don’t have to manage that part of it. They handle authentication. They handle identity and access management through Ping, and then they don’t have to worry about that part of the equation.
What common mistakes do you kind of see organizations making right now with identity and access management and how do they avoid those mistakes?
Andre Durand: I actually think, at least in my interactions, it’s a journey, first of all, like to go from the historical world, which was kind of on-prem, AD. And by the way, you were describing mostly the workforce experience. The customer experience wasn’t necessarily centered on Active Directory on prem. Companies have had customer websites and mobile applications that weren’t necessarily tied to Active Directory. They had a whole set of home grown or kind of cobbled together legacy tools in order to do that. So you do need to separate out the workforce identity experience and technology from the customer identity experience and technology.
But I would just step back and say, recognize that we are in a situation where identity is becoming central to security and central to user experience. Whereas before it might have been thought of slightly as an afterthought, or, oh, I need to secure my app and I need to do this.
It’s becoming central. And as it becomes central, and as the technology has become more sophisticated, doing it at the level of sophistication, I mean, “passwordless” is not simple. There’s a number of technologies that go into eliminating the password. I wish there were a simple holy grail, but there isn’t, and there’s different things that you have to use in order to achieve this frictionless experience.
So when you step back and say, we’re on a journey where identity is becoming more central to security and experience, it’s also becoming more sophisticated. And the bar on user experience at a company level is very high, meaning consumers expect a simple, elegant, singular user experience with a brand. They don’t want a fragmented experience at the product level. Meaning what would it be to engage with Amazon if every company Amazon acquired, they just left the user, log on, registration, everything else about it separate? You see what I’m saying? That would be a really poor, fragmented, and siloed experience.
So I think it’s just appreciate. It’s about a simple experience that needs to be centralized for that large enterprise. And just appreciate that you’re on that journey and really not make as many siloed decisions which have been the history. There’s been a lot of siloed decisions where let me optimize for my one app or for my business unit. Right. And not think about the end user experience that might be interacting with your particular line of business, your web property of your app, but then simultaneously has to interact with all the other aspects of your company.
So if you’re a small company with one app, it’s not a problem. But if you’re a large global enterprise that consistent, secure user experience, I would suggest you need to think bigger. That’s really the point. You need to think bigger.
What are companies that get identity and access management right, doing?
Bill Detwiler: You talk to a lot of companies as they work through this process, right? You talk to CSOs and you’re talking to CXOs and you’re talking to CEOs of companies and trying to help them through this process. What do you see? I guess, how did the successful companies break down those silos? Because if you’re running hundreds of systems internally and then dozens of systems externally, like with your customer-facing systems and your employee-facing systems, what are the companies doing that are successfully doing exactly what you described, which is thinking holistically about their security landscape and not just saying, well, we’re going to secure this one app, or we’re going to secure HR, and we’re going to secure this one this way? Because I know personally I have at least 10 different passwords and 10 different systems that I have to work on on a regular basis. And it’s frustrating for me. And I can totally appreciate that customer experience as well, wanting one sign-in, one identity that allows me to access everything. So what are the successful companies doing?
Andre Durand: Well, this is where function follows form, right? And I know you can twist those the other direction. So what I mean by that is they’re recognizing that as identity is central or foundational. They’re recognizing that user experience is paramount and they are organizing themselves and their identity teams and the span of those identity teams to cover a singular user experience across multiple products and services.
So really what it is, it’s a recognition that status quo of call it siloed decision-making is not achieving the best user experience. And they are redefining the organizational structure to get the output that they want. And the organizational structure is identity teams are now being formed. They are now reporting up into security, whereas they used to just kind of maybe be a little bit more generically in the IT group. And now they report to security because identity is the foundation of the future of security.
And there’s these digital now officers at companies who are responsible for the digital programs and the digitization of a lot of the brick and mortar business models, and those individuals who now have the new mandate to create new digital channels for their products and services are saying, user experience is paramount. People vote on user experience.
And so really what’s happening is there’s a concentration occurring where organizations are redefining the centrality of the role of identity in their digital properties. And they’re coming in with these requirements, really these goals that say let’s create a singular experience and they’re getting into, I mean, frankly, there’s politics involved in a lot of this stuff and organizational construct of who has the power and do I have control to do this, or it is some central organization with a higher mandate. And what we’re seeing is companies are saying user experience is paramount. And so we must break down the silos and they’re organizing to facilitate that outcome.
When can we stop using passwords?
Bill Detwiler: Yeah, I think that’s a message that I hear for a variety of issues, whether it’s low-code, no-code development, whether it’s security, whether it’s processes around development, is really how you break down those, really, companies that are being successful are breaking down those silos and trying to think holistically. So let’s jump ahead a couple of years, because you touched on it a little bit when you were talking about a “passwordless” future. Where do you see identity and access management going in the next few years? And are we going to get to a place where at least the password is minimized, right? Or those authentication measures, it’s you, like we’ve talked about biometrics for a long time, but it’s not just you, something you are, something you have, like a two-factor authentication system or a key token. But it’s also something you know, like a password. How is identity and access management changing over the next couple of years?
Andre Durand: Well, you touched on “passwordless”. So let me just hone in the conversation on the evolution or journey in authentication and that old mantra of it’s better to have kind of three-factor, something you know, something you are, something that you have, for example, and you combine all three and that’s hard to spoof. The truth is we’re well beyond three-factor. We’re into N-factor now.
There’s dozens of risk signals now, passive signals, that we have access to, like behavioral biometrics, like leveraging all the sensors in the devices we’re using, that allow us to essentially recognize people without any explicit user action. So a biometric, or say pause for a second, hold the camera in front of you, we’ll do a Face ID, would be an explicit multi-factor authentication event. A push notification or text message that then either has a link or asks you to reread a secret, basically a PIN, to ensure. So the device that you have is being used as a factor of authentication.
The future of frictionless security as embodied in this concept of “passwordless” is going to be a combination of risk signals, passive signals about our behavior, about the environment, about the context and the devices and other things that are coming out, of which, like I said, there’s dozens now, and explicit MFA events, if you will. One of those events could be let me check your biometric, like a Face ID. And companies will be mixing and matching these things in different ways for different user populations, for different scenarios, meaning the trust level must be much higher if I’m doing a wire transfer than if I’m doing something. Maybe it’s higher for doing an e-commerce transaction and the address is new, for example. So that would be a condition under which, Hey, you want to really pay attention.
So we will achieve in the next three or four years more security and less friction in the future. 100%. We’re going to get there. But the answer to achieve the higher level of user experience and the higher level of security is going to require more sophistication under the covers. We’re going to go from the ubiquity of passwords, which are kind of easy but have now become the bane of our existence because they’re too complicated and we can’t remember them, to, in essence, all of these other technologies filling in the gap, and they’re going to create a higher security model and a more frictionless experience. But there’s not going to be one size fits all.
Going “passwordless” won’t be a one-size-fits-all solution; it’s about risk management
Bill Detwiler: I think that, it reminds me a lot of what I see banks doing and have been doing for a while now with credit transaction risk analysis. Right? So looking for patterns. Is that what you kind of see? Like you talked about using all the sensors on a device or looking at signals coming back into the system. To not just say, okay, look, we’ve got this authentication that this action that’s taking place, but is this action happening at a right time? Is the geolocation data showing that this device is where it’s normally at? Is there something out of bounds, right? Did you go to another state and try to buy gas at a gas station that you normally don’t go to? Right. And that raises a red flag. And how do we do that? That’s what I’m hearing you describe. Is that accurate? Is that the system you’re describing that we’re getting to?
Andre Durand: That’s 100% accurate. We have to go from what I’ll call a static and manual identity control plane, where say one size fits all. Back in, it’s everyone has a password. It’s like one size fits all. Like it didn’t matter if you were doing a wire transfer or something. It’s like, you got a password. Where now, there’s many shades of gray in the authentication experience. And many of those shades of gray of how we’re going to recognize and ensure we’re interacting with the right person. That authentication. Many of those shades of gray are now signals, intelligence that we can glean and aggregate to help us make a good authentication decision.
Is the trust high and the risk low? Okay. Do X. If the signals have changed and we think, oh, this now looks, I haven’t seen this before. This is risky. Maybe we need to step up authentication. Maybe we need to deny access, for example.
So what you’ve seen in credit card transactions is now being applied to the entirety of the identity control plane. From the moment you go through a verification of identity, to the registration of an identity, to the authentication, to the authorization, that entire login to log off. And by the way, even before that, when you hit the website, you haven’t authenticated and you haven’t verified and you haven’t registered. There’s a whole suite of signals that would allow us to understand, are we talking to the same individual, or are we talking to a bot, for example.
So making identity intelligent. That’s the reason I said, it’s getting more sophisticated, which means having that level of sophistication embedded in every app makes no sense. We need to centralize the identity control plane. We need to make it intelligent, and we need to reconnect it to our applications through open standards, ideally.