Jim Taylor On Identity Threat Detection And Response, FIDO, And How AI Can Help Secure Identities
Expert Insights interviews Jim Taylor, Chief Product Officer at RSA.
Identity and access management continues to be a top priority for CISOs and security teams looking to secure their workforce. “In cyber, identity is one of those unique things where I can honestly look you in the face and say it hasn’t changed at all,” says Jim Taylor, Chief Product Officer at RSA, the decades-long market leader in secure authentication. “The problem we are trying to solve is still the same problem. You could go back a thousand years, if you’re a knight on a horse, riding up to a castle, they’ll make you lift up your visor so they can see who you are. That’s identity.”
Taylor is a lifelong tech-lover, who is responsible for all of the technology developed by RSA, including the strategies, the vision, and research and development – as he puts it, running the factory behind the RSA product. Taylor has been in the identity and access management space for over 25 years, joining RSA 18 months ago following the company’s acquisition by STG. Expert Insights caught up with Taylor for an exclusive interview at the 2023 RSA Conference in San Francisco, to discuss trends in the identity space, and the direction that the industry is headed.
While the fundamental challenge of proving identity to enable secure access remains constant, what does change is the environment in which teams have to solve that problem. Taylor explains, “just as we think we have solved it, the environment changes, but the problem stays the same.” During the pandemic, for example, organizations using secure tokens to authenticate access to the office, suddenly found they had 20,000 people working from home, almost overnight.
“We do a lot of work with folks like NASA. When the pandemic kicked in, NASA gave us a ring and said, ‘Hey, we have a problem. We can’t drive the Mars Rover! Engineers aren’t in the control center; they have to work from home.’ That’s a real-world problem. The problem remains the same, but the environment has changed.”
Identity Is A Data Problem
Security practices are constantly evolving to keep up with both changes in environment, and changes in threats. “This year, the number one headline from the conference is AI,” Taylor says. “And we’ve really coalesced around this idea that identity has become a data problem… the volume is huge.”
Threat-actors are already starting to use AI as an attack vector, to execute targeted, identity-based attacks. “I can set up an AI-bot to go and learn everything there is to know about you, or initiate attacks that are specific to you” Taylor says. “As the attacks get more sophisticated, the defence needs to get more sophisticated.”
RSA is a big proponent in using AI technologies to help manage the volume of data, as well as helping human teams to search and understand identity data in order to more effectively secure accounts and prevent compromise. “I want my security analyst looking at the right thing, not looking at everything, because there’s too much. Humans can’t keep up. Machine learning, these technologies help me narrow that data, take a lot of the noise out, and makes sure my human responder is focused on the right thing,” Taylor says.
Last year, RSA launched Risk AI, an automated intelligence solution, offered as part of their unified identity platform. This tool uses machine learning technologies to provide contextual risk analysis, including device threat assessments, to provide contextual information to help teams make better security decisions. RSA have also made a recent acquisition of a data and identity analytics technology which can help teams to better manage access privileges and entitlements, looking at areas to help improve security.
The overall vision, Taylor says, is for AI tools to become a co-pilot to the security analyst, keeping control with humans, but with the ability to offer recommendations and adjustments based on real-time data analysis. “Our view is you won’t be replaced by AI, you’ll be replaced by a person using AI. Subtle difference. We’re very much in that co-pilot mode. How do we use it as a tool for good, to combat people using it as a tool for bad?”
Zero Trust And The Move To FIDO
Alongside AI, the two other top identity themes at RSAC this year have been Zero Trust and passwordless authentication, which has centered around FIDO; the passwordless authentication standard driven by the FIDO Alliance, of which RSA has been a member since 2014. “Last year was the year of Zero Trust, we were in the definition stage” Taylor says. “That’s matured. It’s now actionable. Passwordless…has been a big topic. There’s been an immense amount of work put into FIDO. The industry as a whole has decided FIDO is the way to go. I think you will see dramatic adoption of FIDO.”
However, while Zero Trust and phishing-resistant passwordless authentication represent the best ways to protect accounts from compromise and identity risks, it’s important to remember that adoption of MFA itself is still relatively low – with data from Microsoft suggesting adoption is still at just 28%. “It’s a critical point,” Taylor says. “One of the first, and easiest steps to Zero Trust is strong authentication: it’s MFA. If you have two or three different channels you are authenticating with, it’s not 2x or 3x harder to compromise, it’s 10x harder.”
The technology has now matured to the point where it is also convenient, Taylor says. It’s easy to implement MFA, whichever vendor, or option you choose to use, and on-device biometrics such as TouchID and FaceID allow users to easy accept and authenticate push notifications securely. “The technology is available, it’s compelling, it’s easy…. we’ve removed a lot of the barriers to adoption.”
Improving awareness is an important step to improve adoption of these security controls, Taylor argues, both in the enterprise itself, but also in wider society. “When are we going to start teaching kids in school digital security tips? We invest in education programs because we think it’s better for all. If we act as a community and collaborate, a rising tide lifts all boats.”
Identity Threat Detection And Response
Looking to the future of the identity and access management landscape: “We’re truly at the point of time of platform,” Taylor says. Identity vendors are now viewing identity as a holistic issue, rather than just focusing on a specific feature, such as single sign-on or authentication. The key issue for businesses is that they want to solve every aspect of identity, he explains, rather than having to think about the different aspects of that.
The openness of identity platforms is also critically important, Taylor argues, to ensure identity data can be built into wider security strategies. “Core integrations with the SOC, the XDR, the endpoint… collaborative data is going to be critical.” This means a standards-based approach will be key, likely driven by consumers forcing vendors to move away from a proprietary approach. “Things work much better when they’re integrated together in a seamless fashion.”
There is also an interesting twist with a move to a new model of identity threat detection and response, Taylor says. “It’s no longer just okay to secure the identity. We now need to secure the infrastructure of the identity platform. Identity itself needs to be threat aware. It needs to be threat responsive. My access management infrastructure needs to be secure – how many security companies have you seen had a compromise in the last 12-18 months? They’re not just attacking the identity; they’re attacking the identity infrastructure. So, identity has to pull it’s socks up and become more of a security concept.”
About Expert Insights
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.