Q&A: Ping CEO on contextual authentication, intelligent identity

Enterprise security teams are often drowning in mountains of data, but Andre Durand believes some of that data, if used right, will take identity and access management to the next level.

Durand, chairman and CEO of Ping identity Corp., spoke at the 2017 Cloud Identity Summit in Chicago about how the identity and access management space is rapidly moving toward an era of contextual authentication and intelligent identity. Instead of relying solely on usernames and passwords to confirm identities and authorize users, he said, vendors and service providers will soon be able to collect large swathes of data and signals, including biometrics and behavioral analytics, to establish a user's identity.

Once an intelligent identity has been established, he said, vendors can use contextual authentication to find valid identities that are engaging in risky behavior and shut them off, in real time, instead of waiting for the session to end.

"We can't trust identity just at the point of account creation or credential validation," Durand said, during his keynote. "We have to assume bad actors are on the inside. We can no longer afford big, long-lived trust [sessions]."

Durand spoke with SearchSecurity about the move toward contextual authentication and intelligent identity management systems and how companies like Ping can aggregate and process these signals for improved identity and access management (IAM). He also talked about the prospect of a unified identity management system and why legal liability may be the biggest obstacle for it to become a reality. Here are excerpts from the conversation with Durand.

Do you see contextual authentication and intelligent identity beginning to take hold in the internet of things (IoT) space, or are we still a long way away from having IoT devices with intelligent identities?

Andre Durand

Andre Durand: We're still a long way away, and that's a relative term. I think we need to get the security for IoT right first. So let's just start there. Let's make sure the devices can authenticate one another and let's make sure that rightful users and administrators can access the devices. That's the starting point.

Many times, security is an afterthought. IoT was about making the connection, not securing the connection. People are just trying to make the things work; they're not thinking about the consequences of success. And the internet is an example of that.

Where do you see intelligent identity taking hold, then? Personal devices?

Durand: It doesn't have to be with devices. We can make smarter authentication devices with more data and more sensors. There are a lot of biometrics being embedded in devices, for example.

I would start with smarter contextual authentication, and then we can tie that to behavior -- good and bad behavior. Based upon that, we can start the journey toward more intelligent and more real-time access control.

It's not all going to happen at once; it's not a big bang thing. You can make authentication a little smarter, you can start to make provisioning a little more intelligent and you can make the API access control more intelligent. So I would suggest we start slow and build upon success.

Some organizations don't have any real access control. So where do you start?

Durand: I'll give you a simple example. There are a number of services that aggregate compromised email addresses and accounts. If you could connect those signals to new registration forms, then that would be an example of a shared signal that stops a new fraudulent identity from being created in the first place. That's not an overly complex thought, but it would make account registration more intelligent because of the signals that it's receiving.

Are we at the point today where most enterprises have some reasonable access control and identity management systems in place?

Durand: There are a number of companies out there that are very intelligent inside of their own siloes. I would say banks and other financial institutions are pretty good at connecting behavior and a fair amount of data to shared signals and making smarter registration and access control. But industries, as a whole, have a long way to go before it's just common and expected.

Is it a challenge because identity and access management is part of security or is there something specific to IAM that makes it harder to get right?

Durand: Identity tends to be a fairly complex topic to begin with, and it's not as if it was designed with pluggable interfaces everywhere. It's a shift in mindsets to pull identity out of an app and to centralize authentication and identity management. That's not a natural instinct. It requires some retraining for enterprises.

And to go one step further, with plugging intelligence into identity management, there are no standard interfaces for how that is done. As long as this stuff is largely proprietary, I think you're going to find a lot of one-off, vendor-specific technology, but not industry-wide approaches, and there's a difference. But that's okay because that's part of the natural evolution process.

Do you think it's possible we'll see a unified identity system in the near future?

Durand: Yes, I do think that's coming. I do think there will be services that will manage customer and consumer identity that are new and different than today's consumer identity providers, like Facebook. I think it's inevitable.

Is there more risk with having the majority of identities managed and housed by one major provider? In other words, will having all the eggs in one identity-as-a-service basket make that approach inherently more vulnerable to attackers than the disparate systems we have today?

Durand: Yes and no. I think of it this way: Are you more vulnerable with your identity spread everywhere with a bunch of paper thin doors to get through or are you more vulnerable having that stuff aggregated through a really smart authentication system? There are pros and cons.

What are the obstacles to getting to that unified identity service?

Durand: A big part of it is economics. There's also a certain maturity level for identity standards and protocols that we need to get to. But to really change identity is going to require a new business model.

We can make smarter authentication devices with more data and more sensors. There are a lot of biometrics being embedded in devices, for example.

We're not going to give identity away for free on the heels of advertising anymore. We're also not going to manage it independently on a per company basis.

I actually think we'll move more toward a global identity system that can be leveraged by all. But in order for that to occur, we have to get liability and the business model of liability correct. So if a service provider asserts your identity to somebody and messes up, then the service provider should be financially liable to a point. Otherwise, companies are going to say 'No, I'll do identity myself.'

So until that relationship for both the liability and the willingness to pay a provider are figured out, everyone is just going to keep running identity systems themselves. They won't feel comfortable having someone else do it.

How do you factor fault when it comes to cyber liability? If an identity provider messes up an authentication, then that seems to be a clear-cut case. But how do you determine liability when the matters are more complicated?

Durand: I'm living that in real time. As Ping's identity tech becomes more and more central to what these large companies are doing, they're frankly looking for more and more indemnification if we do a bad job. And that takes the form of higher liability for us. They want to see that the provider of the security and identity behind their own systems is willing to stand behind their service.

If Ping suffered a breach, like OneLogin did, then you would expect to be held liable for damages?

Durand: Yes. Who knows what liability provisions that [OneLogin breach] triggered. That was a big deal. But, yes, that would happen. And it would be a big deal for us, too.

And how do you put a price tag on reputation and compromised reputation? If you provide $5 million or $10 million in liability to a multinational corporation and something goes wrong, how can $10 million -- or even $50 million or a $100 million -- do justice there? It's a big question.