ITSPmagazine Podcast Network

Navigating the Complex World of Identity Security and introducing IDENTITY MANAGEMENT DAY 2024 | A Conversation with IDSA Executive Director, Jeff Reich | Redefining Society with Marco Ciappelli

Episode Summary

Explore the critical intersection of cybersecurity and society with Jeff Reich on "Redefining Society Podcast," unlocking the complexities of identity security and management.

Episode Notes

Guest: Jeff Reich, Executive Director, Identity Defined Security Alliance [@idsalliance]

On LinkedIn | https://www.linkedin.com/in/jreich/

On Twitter | https://twitter.com/JeffReichCSO

____________________________

Host: Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
_____________________________

This Episode’s Sponsors

BlackCloak 👉 https://itspm.ag/itspbcweb

Bugcrowd 👉 https://itspm.ag/itspbgcweb

_____________________________

Episode Introduction

In an ever-changing digital landscape, the lines between our online and offline identities continue to blur, raising important questions about identity security and management. On the latest episode of the "Redefining Society Podcast," hosted by Marco Ciappelli, Jeff Reich, the executive director of the Identity Defined Security Alliance (IDSA), delves deep into these themes, offering insights that both enlighten and challenge our understanding of what it means to protect our digital selves.

The Intersection of Cybersecurity and Society

At the core of ITSPmagazine's original mission lies the intersection of cybersecurity and society, a space where technological expertise meets everyday user experience. This episode, however, shifts focus from expert discourse to the implications of online identity protection for businesses and individuals alike. With Identity Management Day 2024 on the horizon, Reich's perspectives come at a crucial time, underscoring the need for heightened awareness and action in the realm of identity security.

The Analog to Digital Evolution of Identities

One of the episode's pivotal moments involves a discussion on the transition from analog identities to their digital counterparts. Reich suggests that rather than a transition, we are witnessing a convergence of the two. This blending of worlds complicates identity management, especially as we consider the role of identity providers in the digital sphere. From government-issued IDs to social media and beyond, understanding who controls our digital identities is key to navigating this complex landscape.

The Role of the IDSA and Identity Management Day

The episode also shines a light on the IDSA's efforts to rally the identity community—spanning practitioners, providers, and consumers—to elevate security standards globally. This endeavor is epitomized by the annual Identity Management Day, an event designed to foster dialogue and disseminate best practices across continents. Reich's detailed overview of the event's global outreach and its focus on engaging diverse audiences accentuates the universal relevance of identity security and management.

A Call to Action for Digital Identity Ownership

Reich's conversation with Ciappelli ultimately serves as a call to action for individuals and businesses to take ownership of their digital identities. By challenging us to scrutinize the terms of our engagements with technology providers and to advocate for practices that prioritize our security, the episode not only informs but empowers us to play an active role in shaping a safer digital world.

As Identity Management Day 2024 approaches, let's reflect on the insights offered by Jeff Reich and Marco Ciappelli. Their discussion not only elucidates the challenges we face in protecting our digital selves but also champions the collective effort required to secure our identities in an increasingly interconnected world.

_____________________________


To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllTUoWMGGQHlGVZA575VtGr9


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Marco Ciappelli: Well, hello, everybody. This is Marco Ciappelli. Welcome to another episode of Redefining Society podcast, where sometimes we talk about healthcare, sometimes we talk about artificial intelligence, because you have to talk about artificial intelligence lately. It's kind of like it cannot go more than two episodes without talking about that.
 

And I have a feeling that we're going to talk a little bit about that today as well. Uh, just a little bit, but, uh, today we're actually going to focus back on what the origin of ITSP magazine was, which is the intersection of cybersecurity and society. And, uh, instead of talking in a, In an expert kind of way, although our guest today is an expert. 
 

We're gonna, we're gonna present it to what it means identity, online protection identity for the everyday user and business of all sort of all sizes, and there is actually a special day coming up about that. And we're going to talk about this and much more with Jeff, Jeff Reich, which is the executive director of the Identity Defined Security Alliance, is going to tell us what it is.
 

But first, we're going to welcome him to the show, and he's going to tell us a little bit about who he is, talking about identity, right? How do I know you are who you are?  
 

[00:01:25] Jeff Reich: Well, thank you, Marco, very much. And thank you for having me on. It's a pleasure to be here. Yeah. And yeah, how do you know who I am? 
 

We're connected on LinkedIn, so there's something, right? But yeah, is that enough? So rather than challenging that, we can, let me, let me talk about Kind of how I got here real briefly. Yes, because I have my degree is in science and physics I actually taught in a planetarium. I promise this goes back to the 70s We were talking about the 70s a while ago, which is gonna be before many of your listeners were even born. 
 

I get that It's some work associated with law enforcement, but for about 45 years I've been really focused on what has been called over the decades Information security, data security, cyber, cyber security, identity security, and everything within those realms. And, um, and I've really enjoyed it. I had the opportunity, fortunately, to start the security and risk program at Dell Computers. 
 

I started the security program at Rackspace Hosting, um, at Checkfree and a few other financial services companies. I had the real privilege of being a director of operations for a, uh, a research institute at, at UTSA. Uh, focusing on cloud security. So been coming at it from a few different angles. I've really enjoyed it over the years. 
 

For the past year or so, I've been leading the Identity Defined Security Alliance or IDSA. I'll refer to it that, it's fewer syllables. And what we do at IDSA really, I'm going to transition into that, is really raise the awareness of identity and identity security and what each of, what each of us can do, either as a consumer. 
 

Or as an enterprise or as an identity provider, what we can all do to contribute to the identity ecosystem to make it better. Because although it's pretty good, there's a long way to go before we get to real good or excellent. And I believe we can do that.  
 

[00:03:22] Marco Ciappelli: Yeah, that's really cool. And definitely a lot to talk about. 
 

I'm interested in actually your planetarium past, but maybe I'll bring you back to talk about that, uh, another time. Um, so, uh, So you say something that catch my attention and I'm thinking in the way that maybe the audience may be thinking like identity provider You said that word and somebody may say what do you mean? 
 

I mean identity provider. I am my own identity I am who I am and yeah, sure I have it maybe a driver license the passport to prove that but when we go online, I guess things get a little bit more complicated. So I like to start from the past and how we transition from an analog world to, to a digital one. 
 

Why, why identity is so much more complex now?  
 

[00:04:13] Jeff Reich: It's a really good question. I would offer rather than transitioning from Analog, because we haven't left analog and I don't think we will. No, of course not. And then going to online or digital, there is more of a merger as opposed to a change. And I think, let's come up with a couple of examples. 
 

I think, I like using analogies. And maybe that'll help everyone kind of follow along where we are. I use the phrase identity provider, and Marco, you asked, you know, what is an identity provider? It's going to depend on the context, uh, but you used the example of you have a driver's license. So you did not issue that driver's license. 
 

Very likely, the state, if you're in the U.S., the state you're living in issued your driver's license. So the state government is an identity provider. Now, all that identity does with your driver's license is validate or authenticate your personal identity, which you still own. And I, I would offer most consumers need to start doing a better job of really owning their identity.
 

And we can talk about what that might mean, but the identity provider that's the state government did provide a way of authenticating. to a level of standard that every other state in the United States recognizes. They'll say, oh, that I'll accept your driver's license as a valid ID. They won't say, well, yeah, that, that came from Texas. 
 

We drive from, we don't accept driver's license from Texas, so you need to have another form of identification. That doesn't happen because, you know, the reciprocity of different organizations say, if you meet this standard of authentication for identification, I'll accept it. So, there's an analogy of, take that into the digital world, and an identity provider could be one of these big providers. 
 

And, and I'm not going to pick on any of them, but I'll name a few. It could be Meta, it could be Google, or Alphabet, it, it could be Apple. Um, so, and there's, you know, there's other big ones out there, and once again, I'm not going to go through the whole list. But, I'm willing to bet at least once you, if not at least been presented with, You did use when you logged into a site to say, I want to use my Google account or I want to use my Facebook account and log in using that. 
 

Now that big provider, Facebook or Google became an identity provider for you because you're using that to access another system. Now, some traditional identity providers that are out there that an enterprise might use might be someone like Okta, or Beyond Trust, or Ping Identity, or SailPoint. Once again, not an exhaustive list. 
 

I don't want anyone to at me because I didn't list their company name. But those are identity providers that an enterprise can use to say, I'm going to take that system or that ecosystem and put it around my digital environment so that when you log in, you can go say to Okta first. Authenticate, and then Okta gets you into the different applications that we have. 
 

So, two different, really three different types of identity providers that I just pointed out. They are all really doing the same thing, just in a different context.  
 

[00:07:31] Marco Ciappelli: So to connect the things, what make something an entity, an organization, an identity provider, is the fact that they have enough information, or they cross reference enough information about you that they can clearly and surely say that you are. 
 

[00:07:51] Jeff Reich: Who you say you are. Um, yeah, so I'm gonna, I'm not an attorney, but I'm going to sound like one in  
 


 

[00:07:57] Marco Ciappelli: second. I mean, we're just trying to make sense here.  
 

[00:08:00] Jeff Reich: Yeah, yeah, no, no, it works. But what they're very likely going to say is to the standard that we said we meet, this individual meets that as that identity. 
 

Most identity providers won't say without a question of a doubt, I know it's this person because there are, there are other factors which we can get into, but let's say it's Okta or it's Facebook or it's Google. They can say to the standards that we met and we publish. And to a site that's willing to accept our identity as a federated identity to get into there. 
 

Yes, we, we will attest to the fact that this person that presents themselves as Jeff Reich is Jeff Reich.
 

[00:08:38] Marco Ciappelli: Yeah. And I like how you started this when you talked about the driver license in different states. You can do the same thing with passports, right? You go in another country that you know that accept your passport and, and it lets you in and there is reciprocity is there as well. 
 

So that's all great. And I think it's part of our society and our social contract and the way that we live together in a, in a large world. Where does the problem comes in when we talk about cyber security? We can say there is a stealing of that identity, uh, somebody pretending to be who, who is not, and what is the role of the organization that you, that you're executive director for to make sure that companies.
 

Again, agree on to something. I guess it comes down to this, right?  
 

[00:09:33] Jeff Reich: So, so we're not a standards organization. We're not a standards body, although we work with standards bodies because, uh, we look at our job to bring together the identity community, whether it's individual practitioners or the large identity providers or, uh, an enterprise that uses an identity provider. 
 

Get them all together to say, let's determine, let's agree on what's important. Let's agree on what we need to be able to do, and let's become a voice of the identity consumers, which, which is now everyone on that ecosystem, to influence the standards bodies and the identity providers, so that everyone can raise the level, because simply raising the level of one doesn't affect everyone else. 
 

We need to get everyone together so that we can raise that level of security. Um, you know, as an example, let's say that, um, and I'm going to use another analogy, and you talked about stealing an identity, you know, they're in the analog world in pre digital, go back to the 70s again, right? Um, it was relatively easy to steal an identity. 
 

It was not very sustainable, and there were two ways. One, you could take someone's ID and then compromise it, put your picture in, and, you know, the further back in time you go, the easier that was to do, and eventually passports and driver's license became more tamper evident, but still, you could, you could do that, or you could, like many people did in high school and college, depending on when you were. 
 

Peso. Yeah, you're laughing.  
 

[00:11:04] Marco Ciappelli: I was just thinking that, how, when you said how easy it was. I never said I did it, but I know.  
 

[00:11:11] Jeff Reich: Oh no, I'm not accusing you of anything. But, you know, back then there were people would say, hey, for 25 bucks, I'll give you a fake ID and you can get into the club or into the bar and you can go buy some booze or whatever it is you want to do, right? 
 

Um, so identity theft has always been around and, and false identities have always been around. What's changed in the digital world though is, Every, just like everything else you can do with the computer, you can do it faster and better. Now, that means if you're doing something wrong, you'll do it wrong faster. 
 

Just, let's just keep that in mind. Or when the crooks try to steal something from you, when they're effective at it, they can steal it faster, and in some cases, doing it without being noticed for a while. And that's where the real big difference comes in. And for anyone that says, well, that really doesn't affect me. 
 

I dare anyone that's over the age of 18 to say, I've never had my identity compromised either as simple as having a credit card number used improperly or information about you at one of the retailers you use was disclosed. Or a health care provider or, or the multitude. No one is in the situation that I'm aware of that have said that's never happened. 
 

Yeah.  
 

[00:12:31] Marco Ciappelli: Yeah. And with all  
 

[00:12:32] Jeff Reich: the news And if you do say that, you're not paying attention.  
 

[00:12:35] Marco Ciappelli: Yeah, especially, exactly, because all the news of the, the cyber attacks and, and breaking into large organization. I was just actually reading an article this morning where, uh, target. It's I think it's the first few grades of elementary school where if they get breached and they get information about kids and then they resell it to the black market, that that value of the kid's identity, it's incredible for, and dangerous for the future as well.
 

And then parents don't think like, Oh, what are they going to do? They're not going to open a bank account with my kid name. Well, think again, right? Yeah.  
 

[00:13:25] Jeff Reich: And more than a bank account, they're very likely going to take out a loan. Right. Yeah. So, and you know, when that starts and I'm here not to chastise anyone either. 
 

But for parents that are very proud of their children and post everything they do and their name and information and the school they go to and everything else, you know, on, on Facebook or Instagram or, or TikTok. The more you do that, the more likely the situation you just described is to happen.
 

Right. Because you're putting all that information out and exposing  
 

[00:13:55] Marco Ciappelli: it. Yeah, and it's complicated for the everyday user. I mean, we are in cyber security, we talk cyber security, we think about that kind of stuff. And I feel it's true. It's still hard to keep your eyes open on everything, but everyday people that are not in this business, it's, it's a daunting, daunting job, even to understand that.
 

So with this, I'm going to. A double, uh, a double question, which is the same, but applies to two different parties. So on one side, I want to talk about, again, what the IDSA does, but also the importance of having a day dedicated to Talk about this. And I know that you guys talk about this with companies. So at a business level and you talk about that as an informational tool for for the consumers. 
 

So what is the different angle that you use to talk to the business and to talk to the consumer?  
 

[00:14:58] Jeff Reich: So our, our main constituency is business. So that's where the majority of our statements are, but we know that the, the value exists with, when you get down to identity, eventually you render identity down to a carbon based unit that has a birthdate and a name, that eventually identity gets to that. 
 

Now, I'm going to say that because there are a lot of non carbon based unit identities out there. Let me give you the quick example, then I want to talk about how our message gets out, and then you refer to Identity Management Day, which I definitely want to talk about here, um, because that's coming up very soon.
 

So I'm assuming Marco, you have a smartphone?  
 

[00:15:39] Marco Ciappelli: No, I don't  
 

[00:15:40] Jeff Reich: You don't? You have a flip phone?  
 

[00:15:41] Marco Ciappelli: Okay. I have a rotary phone. .  
 

[00:15:44] Jeff Reich: Oh, you have a landline Rotary phone. Okay.  
 

[00:15:47] Marco Ciappelli: No, we had smartphone. Who doesn't? Of course you do.  
 

[00:15:50] Jeff Reich: Most people, most people do now. So there's an identity embedded within the chips that are inside that smartphone that identify the device and you associate your identity with those silicon based identities while you own and use a phone. 
 

And that's good because you have a relative level of security, although we'll talk about why I think that may not be as secure as you think when you use a phone, right? Now at some point you're going to get rid of the phone. You may give it to a nephew, you may sell it, There's a, you may just actually destroy it. 
 

There's a lot of things you can do when you're done using that phone. If you are taking the right steps and follow a good practice, you delete all of your information and you ensure all of your information is no longer associated with that. You can't delete those silicon-based identities. And those are identities that are used to access systems, just like your user ID is.
 

But you have to disassociate yourself from that. When you don't. then someone could steal your personal identity by having your phone. So not all identities go back to people. And as each day goes by, that proportion is changing. And the number of people identities proportionally grow smaller because think of how many, you have a computer. 
 

I, I have three computers, an iPad, um, a sound system, um, a phone, and a smart tablet, another smart tablet. I have at least that many silicon-based identities here. That are associated with this in different ways. So I have to find a way to manage that and then disassociate when I'm done. So that's a consumer part of it.
 

All right. And, and there are good practices that each manufacturer will give you before you sell your device. You should always look for that before you sell your device page from the manufacturer and go through that. I recommend going through it twice just because I'm paranoid before. So, um, that's really the consumer part of it. 
 

Part, part one of the consumer. Part two of the consumer is delivering the message to the retailers and, and websites that you deal with. Let's say my identity is important. I'm not simply going to click yes, I accept everything, whether it's cookies or use of my private information, whatever. Read those and consider if you're not comfortable with what it says, don't accept it. 
 

Because you're being asked to say, give up some of your privacy or part of your identity so that you get a $5 coupon, or you get access to the site, or whatever the benefit might be, do the risk benefit analysis. I'm not saying the answer is wrong, but you should never just do it without thinking. And most people do.
 

Most people click OK, right? They never read it. Take a look at some, especially some that you think are going to be a website of importance. And the message we want to get to all of the identity providers and the enterprise websites are you are a custodian of individuals consumers identities. You should treat that with the level of security and respect that it deserves. 
 

And that's not done enough. I can, I didn't, but I could usually if, if I have a speaking engagement that morning, I just go online and say, what's today's data breach? and find out which one happened within the past 24 hours. You can do that. It's, that means that not enough identity custodians are taking the right steps to protect your information. 
 

So you need to send a message up. We're working on sending the message in, and in some cases governments are trying to send a message, say you need to do it as well, but unfortunately most governments are five to ten years behind on where they need to be for that. So one way we do this, that we only bring awareness to everyone, see I'm gonna, I had the segue buried in there somewhere, was, is, is Identity Management Day. 
 

And this is our annual conference, it takes place on the second Tuesday of every April. So this year it's gonna be April 9th. And in the past, like last year for instance, we had, uh, almost 1200 attendees. It's an online event. And it was pretty much focused on the Americas within the Americas timeframe. 
 

And we had 93 different countries represented with the attendees. And that made us think that this is not a US only thing. So this year we decided to take on Identity Management Day around the world. And it's starting at midnight UTC, which is around 10 AM in Melbourne, Australia. They actually do have an in person event and they're going to be online as well. 
 

And they're going to have a series of speakers and sessions, and then there'll be a slight break, and then we're going to go into Europe, Middle East, and Africa, coming out of Paris. And they're going to have about 6 hours of presentations and sessions as well. And then we will wrap up the day with about 7 hours in the Americas. 
 

Um, that, in the Americas, it also includes, um, exhibitors in an expo and in sessions and some concurrent sessions as well. So, you know, I, first of all, I, I intend to stay up for 21 hours. We'll see how well I do that. Um, I am getting kind of old for this. Uh, I may have to take a nap somewhere in the middle, but I'm looking forward to, you don't have to stay up for all 21 hours. 
 

All you have to do is register and you can come and go as you please. And any sessions that you miss, we are recording. You'll be able to go back and see that as well. So don't worry about missing out on anything, but we do, I do recommend you register regardless because. In the Americas, not that the others aren't as important. 
 

Well, yeah, no, no, they're not. Um, we're having, uh, we have what's called gamification with, with this event. And, um, you get points for doing certain things. Like if you're in the first 200 people that join the first Americas session, you get a point. If you go to the keynote session, you get, you get 10 points and, you know, things like that. 
 

And we have exhibitor booth. We have three expo times set aside. If you go to different exhibitors, they get points, just like in an in person conference where you have the bingo card and they have to stamp it or, or click a hole or something. It's essentially that, but we track it for you. Um, and if you interact with people in the booth, you get more points, download a, you know, so there's just activities you can take and at the end of day, we'll have a raffle with some prizes, which are nice. 
 

And that went over well last year. That was the first year we did that. But what I really like is, we are taking an international approach of the same exact topic. We made it very simple. Identity management. Period. That includes security. And what's going on within each area in Oceania and Asia. You're seeing a different view than what you're going to see in Europe, which is more digital wallet based. 
 

And it's going to be different than what you see in the US, which is going to be more commercial identity based. So it's good to get all those different views. As always, we've, we co host this with the National Cyber Security Alliance, and it's co chaired by Saviant. Um, now the, the two, uh, co presenters we have, uh, around the world are in Australia, Identity XP will be hosting that in Melbourne, and the Secure Identity Alliance will be hosting in Paris. 
 

We have a number of sponsors. I won't go through all of them here just because it's pretty long list. It's on our, it's on our website. Go register, and you can start at identitymanagementday.org, I do recommend, take a look, register. Um, even if you can't make it that day, you can go look at all the recordings. I won't be able to do gamification. That, that has to be live. I do want to mention one session though.
 

And that's Caleb Sima, who is the chair of the Cloud Security Alliance, AI Security Alliance. He's also the former CSO of Robinhood. Um, he's a great speaker. He's going to talk about. And you mentioned that we're going to have to say at least once we hear it comes, we're going to talk about the influence AI has on identity and what that really means.
 

So it's going to be a great keynote session.  
 

[00:23:53] Marco Ciappelli: That's really cool. Um, I have a question for you because you went there and with my background, I always like to look at things from a global perspective. But not to say that. Everything is the same because actually being living in a global society means to be different and still manage to interact as we are commercially, politically, we could do better, but anyway, I'm not going to go there, but from from this perspective, I am, um, you know, originally from Europe. 
 

And so I go there quite often. I've been living in the US for pretty much half of my life. And I know there are differences. The way that we perceive privacy, even identity, we know the GDPR made a difference, then there's the California Act, and one thing and another. I love your opinion on, for someone that is managing these events, starting in Australia, coming to Europe, ending on the West Coast, and Hawaii, and all of that, going around the world. 
 

If you had to summarize it, The main difference between the way that we give importance to privacy and identity in different parts of the world, what, where do you think you could, you could go with?  
 

[00:25:15] Jeff Reich: So, um, I'm going to, I'm not going to get geeky and, and I, I'll end up becoming political whether we like to or not, because you can't avoid it when you answer that question. 
 

Um, but the, there's a lot of similarity between Oceania, Asia, and EMEA. Now, the different countries are going to need to do it slightly differently, but what they all have in common is they all work on the principle, and maybe with the exception of a couple large countries in Asia, we won't get into who they are, um, but they look at identity as a concept that's owned by the individual.
 

And you mentioned GDPR, so let me go with that as an example. GDPR states that my identity belongs to me, I determine how you can use it, When you can use it, and I can determine when you need to forget it, and, and forget that I associated with you. Um, so that's a very consumer or individual centric perspective, and I would offer that most of Asia, when you just count the, the, the number of countries, not necessarily volume in Asia, because there are some countries that really look at identity and belonging to the state. 
 

And that's yet another issue. Uh, that's the political part I won't touch. Okay. Um, but in most of Asia and certainly within the EU and a good part of Africa, identity belongs to the individual. Now in the U S in particular, and South America somewhat goes there too, in the U S in particular, even though the identity belongs to you, you give up a large portion of it and rights to it, to commercial organizations, when you either subscribe to a newsletter. 
 

Or, um, or decide to be one of their premium customers and getting points for doing it, or, you know, whatever else you do that gives up part of your privacy and your identity to a commercial organization, when you do that in the US in particular, that organization says you are now on my either prospect list or customer list or lead list. 
 

That's a list that I can manage. Now they're, they should have a privacy policy, it should be posted, you should read it, and they should follow it. There's a lot of places for that to break down. But they pretty much can do what they want with your identity to a degree. If their privacy policy says, thank you for signing up for our website, we're gonna sell your information for, you know, to the highest bidder for $10 per person.
 

As long as their privacy policy says that, they can do that, and they're not necessarily in violation of any given law. They may be in some in California, but still, for the most part, they're not in a violation of the law because they said they would do that. Whereas in the EU, as a comparison, no organization could say we're going to sell your private information.
 

That's against the law. So does that give you some of the comparison? Yeah, absolutely. We're commercial centric in the U.S. and not so much in the rest of the world.
 

[00:28:19] Marco Ciappelli: Yeah, yeah, absolutely. So that goes back to your advice of not just say yes without looking at things. And, and I know it's hard. I mean, we, we make fun sometimes of the, the EULA, right? 
 

The User License Agreement, and how, who has the time to go through all of that? Plus, we're not lawyers. And I think there is that game where the user has become kind of like, not, I don't know, it's not into that anymore. It's give up. I mean, I think, I'm afraid they give up hope and say, you know, the paste is outside of the tube and, uh, I don't know how to put it back in, and I don't know how much we can do about it.
 

I usually stay positive. But I'm going to end up with the question that we said we were going to touch at the beginning. You kind of went there announcing the keynote. So let's finish with AI, generative AI, AI in general. I know it could be an episode on its own. And maybe I'll bring you back for that.
 

But if you have to think about a way that it redefined identity, it would redefine security in a way. How is that going to affect us? Um, I know you, I mean, you probably can't read. Uh, you don't have a crystal ball, but, but your thoughts on it, I think that will be very relevant for our audience. So I'm going to
 

[00:29:52] Jeff Reich: do things I want to start with reiterating. 
 

I couldn't recommend strongly enough listening to Caleb's keynote address on Identity Management Day, because you're going to get, this is what he has dedicated close to the past year to. He's a very smart man and, and he took, he just dove into AI. So, he's going to be more well versed than I am. That doesn't mean I don't have opinions on it, though.
 

There's a couple of things to consider. So, most people have heard of deepfake. And they think, oh, isn't that cute? It's fun. And, and you see, you know, a deepfake of President Obama saying something or, you know, or some public figure. Um, I, I think there are, there are, um, politicians in the U.S. that are trying to say that should be outlawed.
 

And, and to your point, I'm not sure how they can put the toothpaste back in the tube. But, um, yeah, the, uh, you know, that's out there. There's two things I want to recommend. Just like any good tool, depending on the direction it's pointed, it's either really good for you or really not so good for you, depending on the direction it's pointed at.
 

So, AI should be used, especially by companies and identity providers, to better manage the identities for which they are custodians. Because they could start doing predictive analysis on how is this identity used? And when there's a variance or an anomaly to how it's being used, is that something we should flag? 
 

Or should we wait and see if something bad happens? We probably should start flagging it if we know it's an anomalous behavior. So that, there's one case where AI should really be helping us. Um, there is the, the deepfake question that says, you know, there was, uh, not too long ago, it was about maybe four weeks ago, a case where a CFO was on a Zoom call with the CEO, and I'm putting that in quotes, because it was an individual they thought they recognized, when in fact it was a scripted deepfake, it wasn't simply responsive, but it was a scripted deepfake with some response, that ordered the CFO to release a few million dollars to this deal that he said he was working on.
 

Of course, it was a fake deal. The CEO never did it. This is a high profile one, and it's easy to consider, oh, let's make fun of the guy was dumb. How do you get away with that? Nope. I'll put you in that situation, especially if it's not your best day, and you may have done the same thing. So, I really caution people to say, gee, that's not going to happen to me. 
 

Um, let me bring something home, and I don't want to end on a downer, so I'm going to have to come up with something else after it. Um, there's a recent spate, because this is a downer, but there's a recent spate of attacks. It's, I call it digital mugging, and a recent spate of attacks is happening, um, right now, recently, a lot in Atlanta. 
 

And, uh, apparently there's a gang that's doing this. Where they, um, and they're targeting young men. They get men coming out of bars or clubs, and they kidnap them. Now, it's going to be for a very short time, and they find a way to incapacitate them. Whether it's with, you know, gas they put over their mouth, or they hit them in the back of the head. 
 

But they, and I'm not going to get into details because this is not a how to lesson. Um, but they, they incapacitate the individuals. And then use their face for facial recognition on their phone and go into Venmo or Apple Pay and transfer money from that, from the victim to their account. And then the victim wakes up, doesn't really know what happened, and then eventually realizes that they have a lot less money than they did before the, before the incident. 
 

So, I, I call it digital mugging, right? So, this is a case where AI is going to make that easier to do. The bad guys are going to use AI to do that on a larger scale, in my opinion. And, and, and I'd like to think maybe without physically hurting the individuals, um, the victims, but there's a case where AI is not our friend. 
 

But when we use AI appropriately to start recognizing when that sort of activity can occur, we're going to be better off for ourselves and that's only going to happen when governments and standards bodies and organizations like ours influence the identity providers enough to say, you need to have these features built in and influence all of the identity custodians, the retailers and online sites to say, you need to use those tools.
 

And to influence consumers to say you need to not only push up to all of your providers that you need those tools, you need to use them as well. It's easy to say I want to turn off all the security stuff on my phone because it's a pain. It'll be a pain until your identity is stolen or you lose a lot of money and then I promise you will be doing all the things I do now. 
 

And I'm not bulletproof either but I like to think I've reduced my risk. You know, I want to run, I don't need to run faster than a bear. I need to run faster.  
 

[00:34:57] Marco Ciappelli: That's such a pretty famous quote in cyber security, right?  
 

[00:35:01] Jeff Reich: Yes, but it applies to everyone. So, you know, you should make it positive. And I do want to close with Identity Management Day is a good way for you to learn what practices are out there and who can you talk to and what tools can you use.
 

[00:35:16] Marco Ciappelli: Absolutely. And I know that we put a lot of, uh, a lot of stuff on the fire here for maybe people that are not into understanding cyber security. But I think everybody can get it. Something that applies to their life. Maybe they can do something better today. 
 

And I think that overall, this is just the way to start thinking about it. So I say, inform yourself much more. Definitely participate in Identity Management Day, 2024, April 9th. And, uh, and listen to this conversation and Jeff, I want to thank you so much for coming on and don't get too geeky, although I can tell you had to refrain yourself a couple of times, but I think we had a good conversation.
 

I hope you enjoyed it. And I hope the entire audience did as well.

[00:36:08] Jeff Reich: Marco, thank you very much. It was my pleasure. I look forward to doing this again with you soon.
 

[00:36:13] Marco Ciappelli: For sure. A lot more to talk about. For everybody, stay tuned because there will be many more conversations either about cyber security or AI, robotics. 
 

I've seen some videos today of, uh, something that has robotics and AI together that blew my mind. So something more to talk about maybe in a future episode, but for now, Jeff, thank you so much. Uh, get in touch with Jeff. There will be notes underneath with links to social media, to the website and definitely to the organization Identity Defined Security Alliance.
 

Thank you very much again and stay tuned for the next episode. We'll be right back in a few days. Bye bye.