I first learned the art of asking questions in a classroom, when I was an English teacher. I’m not sure if Matt Stamper has done any formal teaching. Stamper is the chief information security officer at EVOTEK, a consultancy that helps businesses shift from traditional IT to multi-cloud computing. But he is also the co-author of the “CISO Desk Reference Guide,” so I’m sure he’s packing at least an inner teacher. And based on two long conversations we’ve had, I bet he has more than that. He seems to relish wide-ranging discussions.
I gave him a homework assignment before our recent talk. I asked him to read “Decoupling Identity and Authentication: Introducing the INZ Model,” by Ed Amoroso (founder and CEO of TAG Cyber). But the first question I tossed him was a bit of a curveball. I didn’t ask it to trip him up (I knew it wouldn’t). I wanted to encourage him to explore our subject without feeling constrained by Ed’s article, or anything else.
Whenever I email my financial adviser with an order to buy or sell an asset, I told Stamper, he requires me to repeat my instructions over the phone. Is that phone call an authentication or an authorization?
“It’s both, if you think about it,” he said. Stamper quickly added that it would be important for my adviser to verify that he’s speaking to the “authentic David” and not someone trying to spoof me. A minute later he asked if I remembered “Quadrophenia,” the 1979 film based on the rock opera by The Who.
We were off and running. I hadn’t seen the movie. An important theme was “we have very bipolar lives,” Stamper said. “We have personalized our professional lives. Multiple personalities end up showing up in these applications.” That’s where Stamper’s view of the movie’s message intersected with Amoroso’s article about decoupling what he calls INZ: Identity, Authentication, and Authorization.
We covered a lot of ground over the next hour. We talked about the simplest method some hospitals use to authorize the amputation of a leg: marking it with a Sharpie. (Stamper later sent me an article that proved even this method isn’t foolproof.) We talked about the importance of employee training and a book called “The Checklist Manifesto,” by surgeon Atul Gawande. The book focuses on the importance of hospital procedures, but it also extols the preflight checks that pilots use, and credits this approach for Chesley Sullenberger’s ability to land a commercial airplane in the Hudson River.
Eventually we settled into a more direct discussion of the topics at hand, including the subject that has a tendency to puncture optimistic predictions of a brighter future: passwords.
The Authentication Smorgasbord
There are lots of ways to authenticate identity these days. Stamper enumerated some. Biometrics allow a company to use a fingerprint, a voice, a face. Multifactor authentication can pair passwords with answers to security questions, or with codes users receive on authenticator apps and then type into a box. But none of these guarantees security, he added. Deepfakes can mimic some biometrics, notably voice. Data centers that store biometric templates can be compromised and the stored data manipulated.
The same technology that protects security can be unleashed in ways designed to do harm. “Having multiple ways, almost an infinite number of ways that we can validate the identity of an individual,” Stamper said, “is going to be the new norm. It has to be.” Legacy approaches are no longer working. “The way we’re handling authentication today,” he continued, “based on the number of data breaches, spoofed identities, identity theft and the like, is fundamentally failing. We’re in this watershed moment. We do have to rethink this.”
That’s where decoupling comes in. Decoupling components, Stamper said, is “a logical extension of what we’re seeing elsewhere. Modern architectures are fundamentally very modular. You can assemble things a little bit here, a little bit there. Bring them together and you’ve got an application.”
Credential Management and Identity Governance
INZ is “one half of a coin,” he continued. The other side is “broader credential management, broader entitlements.” The identity infrastructure needs to help a company manage least-privilege and need-to-know access. And separation of duties. When auditors are examining a publicly traded company running SAP, or Oracle, or one of the Microsoft Dynamics ERP packages, Stamper said, “you’re looking at the levels of permissions, rights, and entitlements by an individual user.” The quintessential issue in finances, for instance, is: “Does somebody with receivables rights have payable rights as well?” he said. “Because if they do, they can effectively create a nice little closed loop and pay themselves.”
Identity governance has grown more important during the pandemic, because remote workforces often leave personal and professional lives commingled. And that can create problems for companies. Stamper threw out an example. “You’re my boss, and you’re going to fire me,” he said. “And you think I live in five systems or applications within our company. But the reality is I’m in 10 others that weren’t discovered. And so I get marched out the door, but I still have access to these other systems—or I might have remote access.” That’s what makes how we think about credentials, and entitlements, and authorizations so complicated. And so important, he added.
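The two governance checks Stamper describes above, the receivables-versus-payables closed loop and the terminated employee who lingers in systems nobody catalogued, are the kind of thing an auditor runs over account exports. The following is an added example, not code from the article or from EVOTEK; the systems, accounts, roster and toxic-combination rules are all constructed sample data, and the rule set is a hypothetical stand-in for a real ERP separation-of-duties matrix.

```python
"""Toy identity-governance audit: separation-of-duties (SoD) conflicts and
orphaned accounts left behind after an offboarding.

Every name, system, entitlement and roster entry here is constructed for the
example. TOXIC_PAIRS is a hypothetical rule set, not a real SAP/Oracle/Dynamics
SoD matrix.
"""
from collections import defaultdict

# Constructed: HR's view of who still works here (normalised, lower-case ids).
ACTIVE_EMPLOYEES = {"alice", "bob", "dana"}

# Constructed: account exports from each system. 'owner' is the human the
# account maps back to; service accounts have no owner.
ACCOUNT_EXPORTS = {
    "erp": [
        {"account": "ALICE", "owner": "alice",
         "entitlements": {"AP_INVOICE_POST", "VENDOR_MASTER_EDIT"}},
        {"account": "BOB", "owner": "bob", "entitlements": {"AR_CASH_APPLY"}},
        {"account": "CHARLIE", "owner": "charlie",
         "entitlements": {"AR_CASH_APPLY", "AP_INVOICE_POST"}},
    ],
    "vpn": [  # the "remote access" nobody remembered to revoke
        {"account": "charlie@example.com", "owner": "charlie", "entitlements": {"REMOTE_ACCESS"}},
        {"account": "dana@example.com", "owner": "dana", "entitlements": {"REMOTE_ACCESS"}},
    ],
    "ticketing": [
        {"account": "c.smith", "owner": "charlie", "entitlements": {"AGENT"}},
        {"account": "svc-monitor", "owner": None, "entitlements": {"API_READ"}},
    ],
}

# Hypothetical toxic combinations: holding both sides of a pair lets one
# person create a vendor or apply cash, post the invoice, and pay themselves.
TOXIC_PAIRS = [
    frozenset({"AR_CASH_APPLY", "AP_INVOICE_POST"}),
    frozenset({"VENDOR_MASTER_EDIT", "AP_INVOICE_POST"}),
]


def effective_entitlements(exports):
    """Collapse per-system accounts into one (system, entitlement) set per human
    owner, so a conflict split across two accounts or two systems is still seen."""
    by_owner = defaultdict(set)
    for system, accounts in exports.items():
        for acct in accounts:
            if acct["owner"] is not None:
                by_owner[acct["owner"]].update((system, e) for e in acct["entitlements"])
    return by_owner


def find_sod_conflicts(exports, toxic_pairs):
    """Return sorted (owner, pair) tuples for every owner holding a full toxic pair."""
    conflicts = []
    for owner, ents in effective_entitlements(exports).items():
        names = {e for _, e in ents}
        for pair in toxic_pairs:
            if pair <= names:
                conflicts.append((owner, pair))
    return sorted(conflicts, key=lambda c: (c[0], sorted(c[1])))


def find_orphaned_accounts(exports, active):
    """Return (orphaned, unowned): accounts whose owner is off the HR roster, and
    service accounts with no accountable owner at all (reported separately)."""
    orphaned, unowned = [], []
    for system, accounts in exports.items():
        for acct in accounts:
            if acct["owner"] is None:
                unowned.append((system, acct["account"]))
            elif acct["owner"] not in active:
                orphaned.append((system, acct["account"], acct["owner"]))
    return sorted(orphaned), sorted(unowned)


if __name__ == "__main__":
    for owner, pair in find_sod_conflicts(ACCOUNT_EXPORTS, TOXIC_PAIRS):
        print(f"SoD conflict: {owner} holds {sorted(pair)}")
    orphaned, unowned = find_orphaned_accounts(ACCOUNT_EXPORTS, ACTIVE_EMPLOYEES)
    for system, account, owner in orphaned:
        print(f"Orphaned: {system}/{account} still maps to departed user {owner}")
    for system, account in unowned:
        print(f"No owner: {system}/{account}")
```

The point of collapsing entitlements per owner rather than per account is that the closed loop Stamper describes rarely sits on a single account; it usually appears when one person's ERP login, a second "temporary" login and a VPN account are read together. The same owner mapping is what lets the offboarding check find the ten systems the manager did not know about.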
The Problem with Passwords
As we began to talk about legacy authentication, we came to the inevitable subject of passwords. What makes them such a problem, Stamper said, is that cracking a few often gives criminals access to a dozen or more of a user’s accounts, since passwords are so often reused—and multifactor authentication hasn’t been as widely adopted as one might think.
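The defender's side of the reuse problem Stamper describes is to check your own user store against credentials that leaked from somebody else's breach, and force a reset on every match before the attacker gets to try them. This is an added example, not code from the article; the user store, the breach list and the iteration count are constructed for the demo (the iteration count is deliberately tiny so it runs instantly, and would be far higher in a real store).

```python
"""Find users who reused a password that has already leaked from another site.

Added example with constructed data: USER_STORE and LEAKED_CREDENTIALS are
made up. ITERATIONS is kept tiny for the demo; a production store would use
a much larger PBKDF2 count (or a memory-hard KDF such as Argon2id).
"""
import hashlib
import hmac
import os

ITERATIONS = 1_000  # demo only; far too low for a real deployment


def make_record(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 hash, as a sane user store would."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, candidate):
    """Constant-time comparison of a candidate password against a stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


# Constructed: our own user store, keyed by normalised email.
USER_STORE = {
    "alice@example.com": make_record("Summer2020!"),
    "bob@example.com": make_record("correct horse battery staple"),
    "dana@example.com": make_record("hunter2"),
}

# Constructed: plaintext pairs as they would appear in a dump from an
# unrelated breached site. Only the overlap with our own users matters.
LEAKED_CREDENTIALS = [
    ("Alice@Example.com", "Summer2020!"),      # reused: same password on both sites
    ("bob@example.com", "bobs-old-forum-pw"),  # different password, no finding
    ("dana@example.com", "hunter2"),           # reused
    ("eve@othersite.org", "hunter2"),          # not one of our users
]


def find_reused_credentials(user_store, leaked):
    """Return sorted emails whose leaked plaintext verifies against our stored
    hash. Those accounts are exposed to credential stuffing and need a forced
    reset plus a second factor, not a warning email."""
    hits = set()
    for email, plaintext in leaked:
        key = email.strip().lower()
        record = user_store.get(key)
        if record is not None and verify(record, plaintext):
            hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    for email in find_reused_credentials(USER_STORE, LEAKED_CREDENTIALS):
        print(f"password reuse: {email} must reset")
```

Because the store only holds salted hashes, the check has to run the KDF once per leaked pair, which is also why attackers prefer stuffing leaked plaintexts into login forms over cracking your hashes: the reuse does their cracking for them.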
Where does that leave us? I asked. Does he see a passwordless future? Can they be completely replaced by biometrics?
This was where our earlier talk about “infinite ways to authenticate” met a finite reality. It’s not that easy, Stamper said. It’s analogous to the way some people view cloud computing, he explained. “There’s this notion that everything is going to flow into the cloud. But it isn’t.” A lot of data remains on premises, in traditional data centers. “When we look at how we authenticate and manage credentials, we’re going to have a variety of environments. It will be as hybrid as anything else that’s out there.”
You can replace passwords with superior authentication systems like biometrics, he said, but not everywhere. Some legacy systems don’t allow approaches other than usernames and passwords. Not all systems are SAML-compliant or support modern authentication technologies. We can avoid creating such systems in the future, he noted. Companies can make the old systems a little more secure, he added. But some can’t be retooled and can’t be dropped: “I don’t think we’ll ever see the day when passwords are completely gone.”