
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies. And I’m joined by

Justin Daniels  0:39  

Hi, Justin Daniels here. I am a technology attorney who is passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels  0:57  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, and B2B service providers. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. I think my coffee from this morning has somehow magically gotten through to you as the non-coffee-drinking high-energy one.

Justin Daniels  1:39  

Okay, well, I’m, I’m excited for this particular topic, because we’re going to head to one of my favorite places.

Jodi Daniels  1:46  

I can’t wait. The blockchain! I can’t wait. At least

Justin Daniels  1:51  

it won’t be NFTs today, maybe.

Jodi Daniels  1:53  

you never know.

Justin Daniels  1:55  

Anyway. Well, let me introduce our guests today. So we have with us today, David Chan. He is a managing director within EY’s cybersecurity practice with over 16 years of experience within the space. He is currently focused on security reviews of web3 and blockchain implementations at large organisations. David, welcome.

David Chan  2:16  

Thank you both. Glad to be here.

Justin Daniels  2:18  

And before I dive into our first question, it might be helpful if David could give us and our viewers just a simple definition: what is Web3 that everybody is talking about?

David Chan  2:29  

No, it’s definitely a buzzword out there, and there’s no shortage of that. But it’s a new paradigm in which the evolution of the Internet has gone through Web1, Web2, and now Web3, and in Web3 the premise is that the ownership is placed in the user. So it’s a democratizing paradigm. And the simple way I have heard it explained is that Web1 was read, Web2 is read-write, and then Web3 is read, write and own. So the ownership piece is the difference here. In the Web2 world, a vast majority of our technology solutions are currently running as a centralised entity that owns and operates the infrastructure. For example, for an identity, if I use a social identity, it’s typically a large tech company or a single entity that owns my identity. Versus Web3, where I possess the private keys to my identity, strictly speaking in a self-sovereign or decentralised ID model, and the identity is something that I control, and no single entity can control or cancel. And so the difference between Web1 and Web2 versus Web3 is really that Web3 places the ownership back in the hands of the user.

Justin Daniels  3:54  

Well, thank you for that, because I think that will help inform our discussion. But we’d love to start off by asking you just tell us a little bit about how your career evolved and how it got to where it is today.

David Chan  4:06  

Sure, yeah. I’ve been in this cyber space for a long time, coming up on my 17-year anniversary. So I graduated college from Purdue University, and then I’ve been in this space ever since. I started off my career early on as a network pen tester focusing on identification and remediation of vulnerabilities in our clients’ environments. And from there, my career evolved into helping my clients with identity and access management transformations across a variety of industries: retail, health, financial services, just to name a few. And more recently I have been focused on emerging technology, like blockchain and how it enables IAM, and how do we use blockchain to drive portability of an identity through verifiable credentials and DIDs, which I can dive into a little bit deeper. But yeah, I’ve been in the space for 17 years, I’ve always been a client-serving professional. Never a dull moment. But yeah, the journey has been quite fun, right?

Jodi Daniels  5:12  

It’s always a fun journey. And congratulations on your anniversary as you come up on 17 years. You mentioned identity management; can you share a little bit about the different types of identity access management programmes that you’ve worked on and that you believe are helpful to organisations?

David Chan  5:32  

Yeah, so different types of IAM. I like to think of it as three areas. So it’s B2B, business to business; B2E, business to employee; and B2C, business to consumer, or in some cases B2B2C. So you go through a business, and it’s the customers of our customers that we have to serve. So the first two elements are B2B and B2E, and we can group those together in that it’s a workforce identity, right? This is your at-work identity, and many large enterprises need to manage the authentication or authorization to assets that they manage in the environment. And identity is a foundational element to enable that. So rolling out solutions such as identity governance administration, those will be the types of engagements that I help my clients with in the workforce space. And then on the consumer aspect of it, that’s a consumer identity. So me as a consumer, versus me as an employee at a company. So consumer identity is more around how do we think about the lifecycle of a customer, right, from registration, to proofing, to the first login authentication, and then on the back end support and the cases where there is need for recovery of my identity. So it’s the full lifecycle of the customer IAM that our clients need help with, and it’s a foundational element to enable digital services online. So an example would be, for a cruise liner, in order for me to order a margarita on the ship, and for that margarita to find me anywhere on the ship, there needs to be an identity that’s established to enable that use case. So there’s the at-work component, and then there’s the as-a-customer component of IAM that I help my clients with.

Jodi Daniels  7:35  

I really like how you broke that out. I think so often, people only think about maybe the employee side and not as much about the customer authentication side, or they only think of the customer authentication side. So I appreciate how you’ve outlined those multiple different buckets. Thank you.

Justin Daniels  7:48  

I think it’s time for you to ask the next question.

Jodi Daniels  7:51  

Oh, no, I don’t want to take away from all your excitement and thunder. You’re like a little kid in the candy store.

Justin Daniels  7:55  

I know. I’m fascinated with this topic. So David’s kind of taking the conversation into the blockchain world with its decentralisation concepts. How do you think the blockchain might be able to make identity access management more secure while also maintaining privacy?

David Chan  8:13  

Yeah, good question. Blockchain, with its openness and transparency, can enable identities to be more secure and privacy-preserving. There are two primary use cases where I see blockchain helping enhance and improve identity access management. One is the ability to orchestrate identity verification across multiple trust providers. Right. So in terms of an identity today, if you think about when I go to a doctor, when I go to a pharmacy, and when I go to my insurance company, those are three separate identities, right? But with the blockchain, we enable the ability to share and make that identity portable across the three, and each of those, the doctor, the pharmacy and the insurance company, can issue me what is called a verifiable credential to be part of my decentralised ID. So it enables a create-once-use-anywhere pattern. So when I go from the doctor to a pharmacy, I don’t need to re-prove myself or re-verify myself, because if the doctor has already verified me, that identity can be used to receive services from a pharmacy. So the first part is really the ability to orchestrate and make identity verification portable across different parts of the ecosystem. And then the second part where I think blockchain can help is really with the authentication pieces, right. So today, we’re still using usernames and passwords. I have, you know, at least a dozen or so passwords that I have to remember that I use across different online services, at the bank, to log into my 401(k). Those are passwords that I have to remember. But blockchain enables the ability to authenticate using public/private key pair challenge-response mechanisms. And without going too deep into how it works, in terms of the user experience, it enables a passwordless experience in order to gain access to these relying parties that are using the DID. So the second benefit of blockchain, in short, is fewer passwords to remember. And the first benefit is the ability to make our identity portable. So those are the two ways that I think blockchain can help.

Jodi Daniels  10:39  

Does this mean that when I go to the doctor’s office, and they had me register online, and then I go there and they hand me 400 pieces of paper to fill out again, then maybe I don’t have to go through that terrible process?

David Chan  10:50  

Yeah, absolutely. I mean, that’s the Nirvana. It’s the ability to save those form fills, right, and save having to go through that each time. Right? When you go to a different doctor, they make you do it again. Yes, verify once and use anywhere. That’s the Nirvana of using the DID model.

Jodi Daniels  11:10  

I look forward to that. Because...

Justin Daniels  11:11  

Remember, Jodi, the other thing that David knows to consider is, if you go to the insurance company, the pharmacy and the doctor, and you have to give them that information, well, if they have it, now they have to spend money to protect it. So you can save costs by decentralising, so that maybe you don’t have to spend as much on security because there’s less to secure. In a way we’re talking about having de-identified data, or not even using PII to verify your identity, which means hopefully less cost to protect, and hopefully you’re lowering the opportunity for a breach. David, is that a fair summary from your perspective? Or did I miss the mark?

David Chan  11:53  

Yeah, that’s a fair summary. It’s how do you move away from a honeypot of information to more decentralisation, and having the user take custody of their private information and share it with whom, and which elements, they choose? So it’s the ability to really provide the consent back to users as to what they share and with whom.

Jodi Daniels  12:17  

You’re also excited at the same time.

Justin Daniels  12:20  

I like this topic. So David, as a follow-up question, from your perspective, what needs to happen to see more use of, as you call it, a DID or decentralised ID in the private and public sector?

David Chan  12:32  

Yeah, that’s a great question. It always comes down to execution. Right. And the way I like to think about it is a three-part BLT. Exactly like the sandwich. So there’s the business component of things, there’s a legal component of things, and there’s a technology component of things. So the technology components are fairly well defined. There are many vendors that offer this technology, and it basically works. The hard pieces are the business and legal pieces. Right. So doing a deeper dive on the business component of things, there needs to be some sort of incentive for businesses to adopt the use of DIDs. Today, the footprint of IAM services is running on centralised or traditional single-entity infrastructure. So my bank already has infrastructure around online login, my doctor has already invested in infrastructure around maintaining my health ID. So in order for the ecosystem to move towards a DID model, there needs to be some sort of incentive. And generally, where I see it will be appropriate for a DID is when there’s an ecosystem play, right? So if we’re using the identity across more than one domain, or more than one entity, that’s where there’s the ability to share and streamline costs across the different parties. For example, going back to the create-once-use-anywhere model, if my doctor and my pharmacy and my insurance provider can all agree to have a shared identity, and split the costs for maintaining and operating that identity, that’s where the business pieces will get addressed. The costs are shared across the three versus, you know, each paying for their own. And then the legal piece. That’s the part that is interesting as well. There is a lack of established legal frameworks and regulatory frameworks to recognise the use of verifiable credentials today, and it’s in its early stages of definition.
For example, if my doctor says, David Chan is who he says he is, is that proofing or validation valid and recognisable from a legal standpoint at my pharmacy? Right. So I think we’re still in early days in terms of the legal framework that enables that or recognises that distributed verification. And you know, what happens if my doctor makes a mistake in the verification of my identity, and the pharmacy relies upon that verification? Can the pharmacy turn around and claim that the doctor was liable for making sure that my verification was correct? So I think the legal pieces need to take place; there needs to be some driving standards, or an entity that takes the leadership in defining some of those regulatory frameworks. And so I would say, in short, the business and legal components: if those two pieces can be improved, I think there will be more adoption of DIDs.

Jodi Daniels  15:58  

You talked about incentivizing companies and part of this process is you have multiple different stakeholders. Can you share a little bit about maybe how you’re seeing companies or organisations work together? What’s working? How are they starting to have those discussions and move towards these solutions?

David Chan  16:18  

I think there’s definitely a number of initiatives out there that are driving the build of standards and working together in collaboration and cooperation with each other. So standards bodies like W3C and the DIF are doing great work in driving interoperability and defining standards so that it also coexists with our current identity infrastructure, and there are pilots across different industries and across different parts of the world. For example, there’s a whole open banking initiative in Europe and Asia-Pac to really share the identity across different parts of the financial ecosystem. So I will say that, yeah, I mean, there are standards bodies, there are industry consortiums that are doing pilots in the DID space that are really spearheading, and being the pioneers for, the industry and the space.

Justin Daniels  17:17  

And David, isn’t there actually a country that’s already using this? Estonia has a version of decentralised ID, because in response to geopolitical tensions with their big neighbour, who’s been in the news a lot along with Ukraine, they created an entire system where basically you get some type of decentralised ID at birth; you don’t exist until that identity has been created.

David Chan  17:41  

Absolutely. I mean, government and government ID is absolutely a strong use case for DID: the ability to have one government ID and the ability to use that across different government services. And government is generally a recognised issuer of identity, and it’s an entity that can be a certified identity issuer and a trustworthy identity issuer. So, yeah, absolutely. Implementations like the one in Estonia are examples of adopters in this space.

Jodi Daniels  18:12  

As someone who has had a lot of experience and seen the evolution of privacy and security issues and challenges, I’m sure you’re quite popular when people say, Hmm, what should I be doing to protect all of the personal data that I have? So we always ask our guests, what is your best personal cyber or privacy tip that you could offer?

David Chan  18:35  

Yeah, I mean, personally, I would say, in order to catch an attacker, you have to think like an attacker. You know, so really, I think it boils down to three components. It’s the realisation of what you have, right? So just to take an example, if someone were to break into your house, what are the ways that someone could break into your house? And then once you know that, the second is your readiness, right? So how do you secure the front door? How do you secure your windows that are open and make sure that you’ve closed them at night? And then the third is your resilience, right? So now, assuming that you’ve done everything, and an attacker still gets into your house, what is your response to that? Right? Do you have a procedure where everyone knows to call the police when something like that happens, or is there an alarm monitoring company that makes sure that, you know, if you’re not home and it detects an intruder, it will call you and call the police? So it’s the resilience piece and the response piece. So it’s really the realisation, readiness and resilience. It goes back to the whole defence-in-depth model, but having a comprehensive programme, for many of our clients, is important in making sure that there is an adequate set of preventative and detective controls against potential threats and attackers.

Jodi Daniels  19:59  

Defence in depth is one of your favourite phrases.

Justin Daniels  20:02  

I didn’t make it up out of thin air. I have to be honest. The BLT and NFT I got from David too.

Jodi Daniels  20:11  

Ellen’s good. And I like the Triple R. David, you’re just a fun alphabet soup of cool acronyms.

David Chan  20:16  

Yeah, I just have difficulty remembering more than three alphabets in a row. Well,

Justin Daniels  20:21  

anyway, outside of all of the interesting security and blockchain work you do, what do you like to do for fun when you’re not doing any of that?

David Chan  20:30  

These days, I don’t have much time given that I have a 19-month-old, so that is taking up a lot of my time. But before that, I had been known as a serial hobbyist. I like to ski, I like to play golf. I also have gotten a private pilot’s licence, all that before my baby was born. But I would say that, yeah, my baby is taking up a lot of my time these days.

Jodi Daniels  20:55  

We hear you, they grow and they still take up a lot of time, very much in different ways. Well, David, it’s been such a joy to have you on the show. If people would like to learn more or connect with you, where’s a good place to find you?

David Chan  21:08  

Yeah, find me on LinkedIn. Happy to take direct messages. So yeah, LinkedIn would be a great place.

Jodi Daniels  21:14  

Excellent. Well, Justin, anything you’d like to add? It’s just one of your favourite topics.

Justin Daniels  21:19  

I have nothing to add. I enjoyed it.

Jodi Daniels  21:21  

All right. Well, David, thank you again. We really appreciate all the knowledge that you shared today.

David Chan  21:27  

Well, thank you, Justin, and Jodi for having me on. It’s been a pleasure.

Outro  21:35

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.