Secure Identity and Access Management
January 14, 2019 • Zane Pokorny
Our guest today is Robb Reck, chief information security officer at Ping Identity. With nearly 20 years of experience in IT security, compliance, and systems and networking, Robb has witnessed the evolution of the space. He shares his professional journey, his management style and philosophy when it comes to hiring, and where he sees the intersection of identity management and threat intelligence.
We’ll hear about his role with Ping Identity, protecting the organization and its customers, and where he sees identity management and access control heading in the future, as sensitive data flows more freely between organizations, individuals, and third parties.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 90 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest today is Robb Reck, chief information security officer at Ping Identity. With nearly 20 years of experience in IT security, compliance, systems, and networking, Robb has witnessed the evolution of the space.
He shares his professional journey, his management style and philosophy when it comes to hiring, and where he sees the intersection of identity management and threat intelligence. We’ll hear about his role with Ping Identity, protecting the organization and their customers, and where he sees identity management and access control heading in an increasingly connected world. Stay with us.
I’m one of those guys who did not start out with security in mind. I actually was a history major in college. I got out of school and six months into my academic career, realized it was ridiculously boring. I ended up getting a job as a video game tester and a tech support person for Electronic Arts, helping people get their video games working, and doing testing for Madden Football and some other games.
Now, had you had an interest in tech from the get go? Are you one of those kids who were following consoles, and computers, and all that stuff?
Yeah, I was a child of the ’80s, so I did an awful lot of PC work. I was one of those guys who bought magazines and copied the code out of the magazines to make your own games. And change the code as you figure out what the different things do, and use that as the real first opportunity to learn how software works. I programmed in BASIC and really had the chance to play with computers as a kid.
It wasn’t a clear career path as I grew up, so I didn’t think of it as a job. It was just kind of a hobby, stuff that I was always good at. In the dorms in college, I’d be the tech support for the other folks around me. It wasn’t until I got out of school and realized I didn’t know what I wanted to do that I thought about my hobby becoming my profession.
And that’s how I got into tech support and then used that as a way to get into formal IT. I became a network administrator. And then took that into security over probably a decade or so later. So, we’re talking late ’90s that I got into IT. By 2006, I was firmly a security guy running a security program for a software company here in Denver.
Now, did you pursue any of the formal training? Any certifications or anything like that? Or was that not necessary for the path that you were on?
No, I do really believe in certifications, and not so much for the sake of getting certified, as that could mean nothing or everything, but for the process of studying. I mean, I got my CISSP in the 2007 time frame. That whole process was fantastic. And while I knew a lot about systems security and telecommunications security, I didn’t know much about physical security at the time. I didn’t know much about risk assessments. It gave me that freshman-level knowledge of all the different disciplines of security.
There are still things that I think about, going back to that certification from over a decade ago, back to where I learned about crossover error rates. That’s where you start to really get some of those concepts that maybe you don’t use on a day-to-day basis in your job, but it’s often nice to know them when they do come up. So, I have a CISSP, I got a CRISC certification. Later on, I got that CSA, the Certified Cloud Security Knowledge certification, as well.
It’s interesting to me, because I too came up in the ’80s in the eight-bit computer era. And I think those of us who took that path, I can’t help thinking that we have, maybe, a different fundamental understanding of how these systems work just by virtue of how basic the systems were back then.
Yeah, it’s funny. It was kind of like a car, right? Where a car today, you can’t just open the hood and find the parts. Same thing with computers. Back when we learned about them, you can get your hands in there and you can change out the parts easily. You understand what the different things do. I think as things become more complex, it is a lot harder to get those fundamental concepts.
What are your recommendations for students who are coming up and looking to get jobs in the cybersecurity era? Do you have any tips or words of wisdom for them?
Dave, I think we do ourselves a little bit of a disservice when we talk about ourselves as security people. A security person doesn’t mean much to me. Are you a penetration tester? Are you an applications security person? Are you a policy person? Are you a trainer? Really figure out, even if you’re a systems security person, well, what systems are you good at? And what can I really put you on?
Because it’s very unlikely that the person who I would want to hire to be my Windows security person is also the one I want to have for my AWS security. And the point there for me is, it’s not so much about becoming a security professional, it’s about figuring out what technology you want to work with. What technology is it that you really want to dive in deep and get to know well enough that you can not only implement it, but you can implement it securely and you can give guidance for other folks to implement it securely?
So figure out what that is, right? Go play with different technologies. Go play with Linux, and go get into networking, and maybe learn how to program it. Figure out what it is that you want to do around security and start to do some programs and play some games in that area.
Yeah, it’s interesting to me that you mentioned that you started out studying history. I think I hear that a lot, people starting things and they end up working with computers or tech. I wonder, what’s your take on how having that background makes you perhaps more well rounded than you otherwise would’ve been?
It helps a lot with those softer skills. Being able to put together a presentation, being able to do research, being able to go present, talk about those things. Later on in my career, I decided I wanted to go back and get my masters, and at that point, I probably had 15 years of experience and I strongly debated, “Do I want to go get my masters in computer science, or do I want to go get an MBA?” At the end of the day, I chose to get an MBA based on the fact that the skill sets that are most important are not about what technology I know at this point.
It’s not that hard to create a really good, maybe even nearly perfect, security architecture. It’s not that hard to create the architecture, but it’s incredibly difficult to implement that architecture. To get an organization to be willing to give you the money, and really, more importantly, to let you prioritize the work to implement that architecture versus all the other things that are on their plate.
I thought that going after an MBA would give me the language … To speak in the language of the business in a way that would be much more effective. Coming out of it, I really do believe … It’s been over five or six years since I did that. I believe it’s been a really big help. I can talk to finance in their language. We can talk about EBITA, and I can talk to the HR folks in their language. And these things that I learned through that process make me a whole lot more of an effective security person, even though there really wasn’t any security content in that MBA program.
I think that’s a really interesting point. I hear from many people about the importance of being able to communicate across those disciplines within an organization. Particularly, when it comes to communicating with the board, with the higher ups, of convincing them to buy into the programs you’re developing.
It’s not reasonable to expect the board to come in understanding my language, right? They’re going to go talk to the acquisitions person, and they’re going to talk to the HR, and finance, and product people, and the sales folks. All of those folks, all of us need to walk into the board able to speak the board’s language.
Fortunately for us, the board, they think in risk. They understand risk, they understand, “Hey, you have to make decisions around what you want to mitigate, what you want to accept.” So, as long as we’re able to talk in the language of risk and the language of what makes your business successful, I think the board’s really receptive. But if you come in talking about vulnerabilities, if you come in talking about which web applications haven’t been patched, or whatever more tactical stuff, I think that’s when you lose them. And while they care, they just can’t understand. And they lose their respect for you as a business leader if you can’t come in and understand what’s important to them.
Now, you’re the chief information security officer at Ping Identity. Can you take us through what sort of stuff do you do at Ping? First of all, what sorts of products and services does Ping provide, and what’s your day to day like?
Sure. Ping is a provider of identity solutions, both software and SaaS solutions for a gambit of things. We do single sign-on federation. We do access security, so that runtime authorization security. We do multifactor authentication. We have directory services. We also do API monitoring and security. Those are the top things that we do. My job at Ping is threefold.
Number one, I’m making sure that the corporate environment at Ping is secure. That’s going to be just like any other company — we’re 750 employees, make sure they’re working in a secure environment. I’m also securing our SaaS environment, where we operate our identity-as-a-service products. We’re also making sure that the secure SDLC is followed through all of our products. So, I’d say my priority is thinking about cloud security, product security, and software security as the most important things.
And the last thing we do is give assurance to our customers around our security practices. We have SOC 2 and ISO certifications, and we have to be compliant with GDPR and HIPAA. These are the things that I have a team that’s focusing on and making sure we’re answering those requirements from our customers and giving them comfort with what we do.
Can you take us through … What is the process that you use to build your team? What sort of management style do you have?
That’s a good question. We’ve divided the team into three different categories. Based on what we talked about earlier, that security is not just security, right? The skill sets are very different between them, so we try and bucket the similar skill sets together.
We have a product security organization, where they’re all former enterprise developers. All the folks on that team have developed and been part of either the Ping product development or another organization’s product development. They sit with the teams that they’re helping embed security into. So, all the security engineers that sit on our PingOne team, which is our IDaaS offering, they sit in the same office, they go to the same daily scrums, but they report up to my organization so we can make sure that what they’re focused on is embedding security early. And they don’t get pulled into actually doing feature development, which is a risk you see if they’re reporting into product instead. So, there’s that product security organization.
We have our infrastructure security organization, which similarly, they sit near our IT and our SRE, our site reliability engineering teams, making sure that we have security built into our corporate IT and on our IDaaS cloud offerings. And those guys are more like the typical systems and networking-type security folks. They have to know how you secure a Linux environment, how you secure a Macintosh, how you secure the AWS environment. So, different people with different skill sets, but all there in that same team.
And then the third one is our governance, risk, and compliance. And that’s where the policies are written, the risk assessments are done, the folks who work with the auditors on our SOC 2, and they’re the ones who answer questions from our customers who want to know, “What are you doing to keep us secure?” I believe we do have a significant talent gap in security. So any time we have the opportunity, I’d much rather bring in someone who’s new to the field. Someone who’s either in a career change or who’s been in … Someone doing technical work for the technology we’re securing. So if I’m going to hire a new AWS security person, I’d rather hire an AWS expert and teach them security than hire a security expert and go ask them to go learn AWS. Number one, I think it’s more effective to teach security. Number two, it’s awfully hard to find security people right now. I’d rather go find folks who know the technology that they’re securing.
That’s a really interesting insight. I think, obviously, we do have this skills gap and hiring is difficult. How do you stay competitive when it comes to attracting people and convincing them that Ping is the place they want to work?
Well, number one, I’m fortunate to work at a company that is a fun place to work. We’re growing, we get to work with really fun, new technologies. You’re not sitting there working with the same stuff forever. We’re continually moving toward the new versions of everything.
It’s also just a really fun place to work. We get to be in a company that cares about their employees. We try and grow our people pretty aggressively. So, you’re always getting tasks that maybe you’re not comfortable with. We’re trying to move folks up the chain. One of the things about hiring career changers is, there’s a lot of opportunity to teach, and a lot of opportunity to grow, and I think folks see that as they’re here on the team.
I want to switch gears a little bit and talk about threat intelligence. I want to get your take on where you feel threat intelligence fits in with different organizations.
Sure. I’ll say threat intelligence means a lot of different things, right? And in my organization, we use threat intelligence as a part of our day-to-day security operations. So we’re using not only our internal threat intelligence, which tells us what normal behavior looks like, what looks strange, and then what looks bad. We’re also enriching that with feeds where we get to say, “Here’s a bad IP address list. Here’s some behaviors or IOCs that look bad to us.” And we use that to compare against our own internal data to find things that we should flag, we should take a look at. Anytime you see a known botnet doing anything, well, that gives us some insight that we might want to look into that and take some action.
From an identity perspective, I think it’s actually incredibly interesting and something that Ping gets to help its customers with, and I get to utilize as a part of that, identity intelligence — or really enriching your identity with intelligence. It’s all about effective security with minimal user friction. So, the ability to evaluate and understand those factors. Tell us, “Is this person who they say they are? Is their behavior starting to turn into an insider threat?” We want to maximize that security while minimizing the impact. Instead of making people do a two-factor every single time they sign in, well, can we say, “Most of the time when you sign in, we don’t need anything at all because we have all these factors to tell us this is the same person from the same device, same time of day.” However, when you start to do a little bit higher-risk activity, maybe checking your email, you can do without the sign in at all, but when you start to go into the finance system, or into the CRM, well, that’s when we’re going to start to add those other factors and start getting that higher level of assurance.
Now, if you’re familiar with zero trust, I think that all that plays into this idea that we’re replacing the perimeter with security that’s embedded in the resources themselves instead of trusting that, “Hey, because they got through the firewall, because they’re connected to the VPN, we’re going to let them get access to things.” We open it up and say, “Listen, we’re going to do this based on your behavior, based on the device you’re coming from, based on the patterns that we know about you, you’re going to be able to get access to these systems and we’re going to use various step ups.”
So, the first time you sign in, maybe all we require is your username and password. The first level, if you’re really low risk, all we require is that. But then, we can require a biometrics sign in. We can require doing a push notification onto a device. We can require hardware tokens, like a YubiKey. We have all these abilities based on what you’re doing within the resources themselves.
And as you say, you can dial it in based on what perceived risk level there is.
Yeah, absolutely. And so, as we dive into identity more specifically, I do think it’s worth taking a second to talk about the basics. There’s identity, there’s authentication, and there’s authorization. So, what is identity? It’s who you claim to be. You can claim to be Barack Obama right now, right? And you say, “Well, that’s my identity.” And I say, “Well, I’m going to authenticate that.” Prove to me that you’re Barack Obama.
And you need to show me a driver’s license, or a picture of you on CNN, or whatever it is. And then there’s the question, okay, once you’ve proven to me that’s who you are, then there’s the question of authorization. What are you allowed to do as that identity? Barack Obama’s allowed to get into a whole lot more information than Dave Bittner.
So, the authorization tells us what you should be able to do. We can take all three of these things and start adding intelligence to them. What does intelligent identity mean? Well, maybe you don’t need to claim anything at all. Maybe you show up and we say, “Well, we can tell who you are because we recognize your face, we recognize your behaviors.” Whatever it is that tells us, “This is Dave Bittner.”
That also helps us with identification. To say, “Okay, we have a first step of that.” And if it’s a low enough risk transaction, we don’t need you to make any additional authentication steps. But, well, this is a high transaction. This is something we really care about. Let’s go one step further. Let’s require biometrics, let’s require a push notification, or something like that.
For authorizations, it all plays in together, right? You’re allowed to do only what is appropriate to the need that you have. Of course, we’re all familiar with the principle of least privilege, right? We can start to use intelligence to tell us how much we trust this specific session for this user. Instead of saying, “Dave Bittner should have access to A, B, and C all the time.” Well, for this particular session, because he’s logging in from Los Angeles, as you’re in Disneyland, we’re only going to give him this lower level of access until maybe we do a step up, or maybe later we can get more trust.
We have the ability to do on-the-fly authorizations. We’ll often think about identity just as a pre-authentication mechanism. Before you sign in, we want to know who you are. You’re signed in and it’s good to go. Well, authorizations in this runtime aspect gives us the ability to see during your session, based on what you’re doing, do you need more access? Do you need less access? It almost can be like a workflow, where once you’ve started to go through the process of submitting a PO, that tells us that now you’re in the PO process. And that maybe now, at that point, you’re allowed to go in and review other POs, depending on what your workflow is.
Maybe not a great example, but we have this runtime application aware ability to start to do on-the-fly authorizations that lower the risk of a bad guy coming in and immediately doing a bad thing, and hopefully it doesn’t impact the user’s ability to do their job.
That’s interesting because I think there’s this issue with people getting privileges and keeping them — not having them automatically expire. I may need access to this document now, but later on I might not. It sounds like one of the things that you are doing is keeping track of that in real time.
Yeah. We have the ability to do Just-In-Time provisioning, right? You don’t need to have that person have access to the application indefinitely, just when it’s appropriate for what they have to do. If there’s a workflow system out there that says, “Hey, Dave needs to approve this request.” Maybe that’s a way we can provision Dave to have access to the system versus having it perpetually, which is much easier to abuse and gives it these rights that you just don’t need to have.
But getting this Just-In-Time access, getting that real application aware identity, is what makes a big difference. When you talk about having your identity systems as a standalone off to the side of your applications, I think that’s where you run into challenges. They need to have the visibility within the application that they need to be context-aware to get the, number one, best security, and number two, best user experience.
Well, what do you suppose the future holds for identity? Are we moving into an era where the username and password combination are going to fall by the wayside?
That’s a great question. Passwordless, or the user experience of being passwordless, is really on the cusp of getting there, right? FIDO 2 is out and those tokens, which both YubiKey and Google are providing, do allow a passwordless experience. I don’t think we can expect that passwords are going to go away from mainstream use for quite a while, but those applications where user ability is important, where companies are just looking for a competitive edge, right? It can be a competitive edge if your users don’t have to have a password.
I think Amazon did a great job just a few years ago where they don’t even require a password for most orders at this point. They’re willing to take the risk of a bad order and refund it for the enhanced user experience of not having it. That said, in a corporate environment, we’re a ways away from having that perfected. The ability to log in to a workstation is there, but you can now log in to workstations with Microsoft’s Windows Hello, and some other services, without a password, but there’s so many other systems internally that we haven’t quite got there yet.
However, federation, getting the ability to use single sign-on across all these different applications get us a whole lot closer. And those organizations who are really dedicated to doing it, I think, can achieve success in 2019.
Yeah. I mean, it’s interesting. You mentioned this notion of friction, and I think that’s really important because it’s my sense that when you introduce friction, that’s when you start having people come up with their own workarounds.
Yep. I mean, shadow IT, right?
Anytime that we make things harder for users, they find other ways to do it. I’ll tell you, I know from personal experience that having these onerous password policies, where the 12 characters, upper, lowercase, and if you’ve ever used Apple’s complex password, it’s even more frustrating because they say you can’t have two consecutive of the same character. So I couldn’t use the word “hoop — H-O-O-P” because that, as a part of my password, because that would violate their policy.
Those kinds of requirements just make users frustrated, make them look for ways to get around what you’re doing. They’re going to increment their passwords rather than come up with unique phrases, if that’s what they see. We have to be on guard to make the user experience as good as possible. Think of it as a customer service organization, right?
We’re here to serve those customers, and help them keep secure, and do that in the best way we can. I’ll tell you one thing we’ve been working with in security at Ping is to try to get our own NPS score from our customers. Our customers would be the internal Ping employees. How much do they like us? How much are they willing to recommend us as a good partner for them?
That keeps us thinking in a right way, right? Motivates us to be that kind of customer support organization. One other thing I wanted to mention is just APIs. That with what happened recently with Facebook and Google+ and others, that APIs are one of those invisible areas that are just as critically important for a security organization to think about. We see it in the last year or so with Cambridge Analytica on Facebook and the recent Google Plus API issues.
APIs are this invisible access to all of your sensitive data that oftentimes, both IT and security either aren’t aware of, or just don’t feel equipped to deal with. Developers are creating the APIs. They say it’s good enough, and security doesn’t know any better to question that. We need to really think about what API security looks like. And from an identity perspective and an intelligence perspective, it’s really not that much different than a web application.
You need to have authorizations. You need to have authentication. You need to monitor that traffic on an ongoing basis to figure out, what does good look like? What does bad look like? If these other companies had had that kind of monitoring, and been really digging into it, I think that these incidents could’ve been avoided, and it’s a whole lot better to have that visibility and be able to take an action than have that back door open and just feel like it’s out of our control.
Our thanks to Robb Reck from Ping Identity for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.