
Interview: A Passwordless Future Starts With A Zero Trust Mindset

Jim Taylor, Chief Product Officer at RSA, discusses the biggest roadblocks when it comes to implementing authentication, the journey to passwordless authentication, and what “zero trust” really means.

Expert Insights Interview With Jim Taylor Of RSA

Jim Taylor is the Chief Product Officer at RSA, a global leader in identity and access management (IAM) solutions. With over two decades of experience in the IT and cyber space, Taylor is a proven business and people leader, and his various technical, operational, marketing and managerial roles within the software industry have given him experience across the full lifecycle of SaaS and enterprise software, from conception, to development, to product launch. In his role at RSA, Taylor delivers the solutions that security-minded organizations globally need to secure their hybrid workforce, support their cloud integrations, and implement a zero trust mindset.

At RSAC 2022, we spoke to Taylor to discuss some of the biggest roadblocks organizations are facing when it comes to implementing authentication, how businesses can begin the journey to passwordless authentication, and what “zero trust” really means.

Over the past couple of years, we’ve seen huge changes in the way people work and engage in digital services. What are the big security risks that you’ve seen since the last RSA Conference in 2020, and where are things going?

There’s been so much change in the market over the last two years. All of the patterns around cybersecurity have changed. The first big pattern that has emerged is that everybody is trying to deal with a hybrid working situation all of a sudden. I mean, I have folks on my team that I’ve employed, who I’ve yet to meet, or who don’t go to an office. And this used to be the exception, but now it’s the norm. So, the question is, how do you manage those hybrid work situations? How do you do the initial registration, onboarding and provisioning? How do you verify that somebody is who they say they are? Then, how do you make somebody productive?

Work has become an activity as opposed to a place; you no longer go to an office, you perform your duties, and you may do that on any form of device—a laptop, a phone, whatever it might be—and you do it from wherever you are.

So, that’s created an enormous amount of security challenges. A lot of the customers that we serve are what we would describe as “security sensitive”. They tend to be operating in the more regulated or security conscious type of verticals, like finance, healthcare, energy—all those folks that really care about security. And for them, this has been a real challenge.

The second big trend that we’ve seen is digital transformation and digital experience. That’s a word that we as an industry have been using to describe stuff for the last 10 to 15 years, but it became real in the last two years. Everything is a digital transaction or digital interaction; something like 80% of security teams are now remote. So those people who are responsible for locking the doors and all that stuff, they don’t work in the building either. It’s almost like the guards or the people who guard the prison now work from home, and so do the inmates. So, how do you secure that?

Well, you have to use a whole new way of thinking; it’s a whole new paradigm.

RSA is a global leading identity provider. What sets you apart, and how are you continuing to develop your identity platform to keep up with the ever-increasing challenges in today’s turbulent threat landscape?

Right now, we’re in a relatively unique position. RSA is a company that’s always been there; they’ve always been that trusted name. We have like a 45-year history in this space. But over the last couple of years, we’ve emerged; we’ve become independent, we were bought out of Dell. So, pardon the pun, we’ve reclaimed our identity. And now we’re a trusted identity platform.

I think what sets us apart from a lot of the other vendors in the space is, we’ve always come at everything from a security angle. So, we’re clear about who we are and what we do. There are a lot of vendors in this space, who are what I would describe as “convenience vendors”. Their job is to make getting access easier. And of course, that’s important. But most important to us and central to our mission is security, because the types of folks that we deal with care about that very much.

If your business is large, multinational, complex, or if it’s got a lot of regulation, security is a real driver in your organization. Nobody wants to put their money in a bank that doesn’t have a good vault, right? You have to trust who you work with. And that’s our sweet spot. We really focus on coming from a security angle and bringing that to the new challenges in the industry.

We’re continuing to see identity related challenges—such as compromised credentials—being the biggest factor driving successful data breaches. What are the biggest roadblocks companies are facing when it comes to securing authentication processes?

Interestingly enough, even though it’s been around for a long time, I would say that the industry as a whole and the enterprise as a whole have not really done a great job of dealing with identity or taking identity as seriously as it should. Referring to Rohit’s keynote, you almost need a crisis to drive transformation. And we’ve seen that over the last couple of years.

So, with all the changes in this dynamic environment where everything has moved to be remote or hybrid, you’ve seen the rise of this fantastic buzzword, zero trust. Zero trust solves all problems. It’s world peace, it makes the coffee, it’s the best security tool that’s ever been invented. But zero trust is not a product. It’s a mindset. It’s a way of thinking, it’s a philosophy. We really see that as one of those key challenges—ensuring that organizations have that mindset.

It drives me absolutely crazy that, even in this day and age, things like multi-factor or strong authentication still have very low penetration. It’s 50%. That’s crazy, the fact that we’re still using user IDs and passwords. So, for the last sort of 25 plus years of my career, I’ve been looking forward to the day when we finally kill passwords. And for the first time in my career, I actually believe it’s a reality. We’re finally on the path to solving that challenge, to really implementing strong authentication. That’s great—and we don’t just say that because we provide that strong authentication.

That’s been something that we’ve believed in consistently; the adoption of standards like FIDO. FIDO has been around for a while, but it’s never really had a lot of traction. But over the last 18 months, it’s really gained some attention and it’s become a really relevant conversation. And adopting that least privilege, constant validation, constant authentication—that’s how you get to zero trust. I shouldn’t trust you just because you’re on the network, I should revalidate you.

So, we’re very excited because we feel like there’s this huge disruption and mind shift in the industry that’s moving in that direction. And so finally, we feel a little bit vindicated. Finally, the industry as a whole is now taking a security conscious view and moving in the right direction.

You talk about a passwordless future as being the end goal—what does the journey to achieving that look like for organizations? Can they cut passwords out straight away, or do they need to start by implementing MFA, SSO and other identity security tools?

It’s definitely a journey, but it seems like it’s a journey that we’re now serious about. I would say the first thing that an organization needs to do, is to start to develop a zero trust mindset. Start to think, “Okay, I’m not going to take things for granted. I’m not going to just grant implicit trust.” We need to take all of that away. Along with that goes the concept of least privilege: “I shouldn’t over-entitle; you should have access to the things you need, not the things that you don’t.”

I think the next big pieces that people need to start to think about are strong authentication and access—they really go hand in hand. “I need to develop strong access management policies and practices, and I need strong authentication to go with that. I want to enable the right people to come in and make sure the wrong people don’t.”

As a whole, you’re starting to see the industry move towards standardization and open standards. Those kinds of things really enable that passwordless journey, and all of that technology is available today. Companies can start thinking about what they’ve got and where they want to be, build a roadmap, and then strategically enable MFA. Start strategically enabling access policies, start using FIDO, start moving to tokens and QR codes.

I think it’s a journey. If you went to everybody and said, “Be passwordless tomorrow,” nobody would know where to begin. It’s a journey.

A lot of businesses struggle to get their users on board with the idea of IAM because they find that user authentication adds too much friction to the login process. You’ve recently added a new product to your cloud authentication portfolio that helps address this issue: the DS100 hardware authenticator. How can this type of passwordless authentication improve the user login experience, while helping businesses to embrace a zero trust posture?

So, I want to be clear, it’s not just about hardware tokens. Hardware tokens are an important aspect and I think one of the benefits of the new token that we’re in the process of launching—the DS100—is it’s a combination. It’s not a token, it’s really a container. So, you can put FIDO tokens on it, but you can also have OTP. So, you have a choice. But we’ve also refreshed our software token line for those who want a different experience. There are a lot of folks that will want to use their cell phone to authenticate—it’s the most important device in anybody’s life. If you lose your hardware token, it’s a bit of a problem, but it’s not the end of the world. You lose your cell phone, and that’s a real problem in life! We live on our phones.

So, what we’re really focused on is making it a seamless experience, whatever form of authentication that you want to use—maybe it’s push, maybe it’s OTP, maybe it’s FIDO, maybe you want to leverage the biometrics in the device. The point is to move to that mindset where you have that strong authentication available. I think hardware tokens work really well in specific use cases. If it’s a cleanroom or a factory floor or a hospital, you may not want to have your phone with you and it may not be appropriate to have your phone with you. So, having an independent device that gives you the ability to do that strong authentication becomes very useful in those circumstances.

Finally, what is your advice to organizations struggling with challenges in authentication, access management and identity governance—what are the first steps they should be taking to stay protected?

The reality is, it’s a journey, and everybody is at a different stage. So, our advice is always to step back and think about it. Start adopting the zero trust mindset, and start to pick off things in bite sized pieces. Implement an MFA solution, implement an access policy solution, and then start to knock off the most important apps; maybe the vacation booking system is not as important as that system where you put customer data, for example.

Every journey has a set of steps, so take those little steps. Figure out what the most important things are to your business and start there. Once you’ve implemented in those critical use cases, it gets much easier to then knock off the rest. And once you’ve done it a few times, you start to speed up with automation, and people get used to it. There’s only one way to eat an elephant, and that’s one bite at a time. If you try and swallow the elephant, you’ll choke.

But it’s important that companies actually think about what is important to them from a security standpoint, because it’s different for everybody. So, identify what is critical to you. Focus on that.

Thank you to Jim Taylor for taking part in this interview. You can find out more about RSA’s suite of identity and access management solutions via their website.
