In this episode of the Trust Issues podcast, host David Puner sits down with Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA), a nonprofit that provides vendor-neutral guidance on identity-centric security strategies to help organizations reduce the risk of identity-related attacks. They explore the evolution of digital identity, discussing how it has transformed from simple identifiers to complex, multifaceted digital identities for both humans and machines. In today’s threat landscape, the number and types of identities, attack methods and environments have dramatically increased, making it more challenging to secure identities. Jeff discusses the challenges and efforts in creating sustainable, interoperable digital identity hubs for cross-border applications, the future of digital passports and the importance of encryption and multi-factor authentication (MFA) for securing sensitive data. The conversation also highlights the significance of thought leadership and maintaining a vendor-agnostic approach in identity security.<\/p>\n
Whether you’re a corporation or an individual working for a corporation, or somehow both, identity is pervasive in all aspects of our business and personal lives. Of course, attackers targeting identities aren’t new. What’s different in today’s threat landscape is the dramatic increase in the number and types of identities, attack methods, and environments.<\/p>\n
There are tons of identities to secure. Blink, and there’s another ton. Today’s guest is deeply enmeshed in identity within the tech and security industries. He’s Jeff Rich, the executive director of the Identity Defined Security Alliance, the IDSA, a nonprofit that provides vendor-neutral guidance on identity-centric security strategies to help organizations reduce the risk of identity-related attacks.<\/p>\n
Jeff and I discuss the evolution of identity, which has transformed from simple identifiers to complex, multifaceted digital identities, human and machine, and the importance of securing these identities. We also explore how identity affects compliance requirements, cross-border identity solutions, and overall security measures.<\/p>\n
Nice guy, good talk. Here’s my conversation with Jeff Rich.<\/p>\n
David Puner: [00:02:00] Jeff Rich, Executive Director of the Identity Defined Security Alliance, otherwise known as the IDSA. Welcome to Trust Issues. Thanks so much for coming on the podcast.<\/p>\n
Jeff Reich: [00:02:11] David, thank you very much. It’s my pleasure to be here, and thanks for the invitation.<\/p>\n
David Puner: [00:02:18] Really glad to have you. I know you’re about to set off for some traveling. We’re recording here at the beginning of September, so great to get some time with you before you go off on your journeys. And maybe we’ll talk about that a little bit later. But many of our listeners are likely familiar with the IDSA. To start things off, for those who do and for those who don\u2019t know, what\u2019s the IDSA, and what does your Executive Director role consist of?<\/p>\n
Jeff Reich: [00:02:48] Well, thanks for the question. The IDSA’s mission is to raise the awareness of identity and raise the security of identity, and they can really be two different paths there. They end up merging. But the importance is for everyone to know, whether you’re a large corporation or not, or an individual consumer, that your identity now is used for everything. And as we get through this discussion, I bet we’ll have examples that people probably know but don\u2019t think about.<\/p>\n
David Puner: [00:03:19] Mm hmm.<\/p>\n
Jeff Reich: [00:03:21] Where their identity is always part of what they do.<\/p>\n
David Puner: [00:03:24] Identity is everywhere, that’s for sure. So, the identity-defined part of the IDSA name\u2014the first two words, of course\u2014to set the stage for this conversation, how do you define identity now, and how has that definition evolved over the years?<\/p>\n
Jeff Reich: [00:03:42] So, that’s a complicated answer, because identity used to be\u2014let’s just go back 80 years\u2014identity meant one of two things, either what was on your birth certificate or your Social Security number. And even though, and I know anyone at the SSA is going to say, “No, Social Security number is not used for identity.” I’m sorry. Yes, it is.<\/p>\n
David Puner: [00:04:05] Okay.<\/p>\n
Jeff Reich: [00:04:06] So now that we’re past that, 80 years ago, that’s what identity meant. You also could have augmented that with: you’re in the army. 80 years ago, that was a distinct possibility. You could also say that you live in Iowa or you live in Florida. So, there were a couple of different components to it. But even back when it was simple, there were a lot of ways to augment that definition.<\/p>\n
David Puner: [00:04:33] Mm hmm.<\/p>\n
Jeff Reich: [00:04:34] Now, if you were to ask someone, “What is your identity?” they may say, “I identify as a male, and this is my name, and I\u2019m also known as this. Oh, by the way, here\u2019s my birth certificate and my Social Security number, or National Identity Number if you\u2019re outside the U.S., and I\u2019m a software developer, and I work remotely, and I live in an RV.” All of those end up being parts of components of your identity, which is why it\u2019s a complicated answer and why everyone needs to recognize that now, everything you do, your identity is embedded within it, and you have to find a way to know what that is and to protect it.<\/p>\n
David Puner: [00:05:19] Super broad and multifaceted, that\u2019s for sure. So, I guess then to dig into something a little bit more specific, but where many elements of identity come into play, let\u2019s go to cross-border. So, I understand you\u2019re doing some work on or around cross-border identity. And I guess to start things off then, with cross-border, what is it that you\u2019re doing with it?<\/p>\n
Jeff Reich: [00:05:43] Well, there\u2019s a couple of efforts going on. It starts with CD Hub, which is a sustainable, interoperable digital identity hub. It\u2019s a community of organizations, mainly nonprofits and government organizations, but there\u2019s a few others involved. And we have an effort underway to come up with the right use cases for cross-border identity applications. They’re not all technical.<\/p>\n
We’ve had some events around different parts of the world. You mentioned I\u2019m about to start traveling in the second week of September. I will have been at Identity Week, and the day before that, we\u2019re having a CD Hub Summit. This is CD Hub Americas. We already had one in the EU, we had one in Africa, we have one coming up in Japan. Next year should be Brazil. And we\u2019re getting input from each area to say, what are the important components for you? The foundation is, let\u2019s come up with what does it take to have a verifiable identity online first.<\/p>\n
David Puner: [00:06:55] Mm hmm.<\/p>\n
Jeff Reich: [00:06:56] It\u2019s more than just your ID and password, although that could certainly be a component of it.<\/p>\n
David Puner: [00:07:02] So just to back it up for a moment then, when you’re talking about cross-border identity, are you talking in the context of travel, payments, other things, all of it? What’s the context of cross-border?<\/p>\n
Jeff Reich: [00:07:13] Well, the easy answer is all of it. But once one jurisdiction\u2014whether it’s a city, county, state, country\u2014says, “Here’s how we’re going to manage our digital identities and secure them,” then they have to say, “That’s great. However, if I want to have the equivalent of a digital passport, a digital wallet, or a digital driver’s license, or a digital bank ID, when our citizen wants to go from country A to country B, one, will country B recognize it? Two, how will they recognize it? And three, how will they keep it secure?” Those are the use cases that we’re building on to say, “What\u2019s it take to get there? And then let\u2019s come up with a way to implement it.”<\/p>\n
Although there are a lot of technical foundation questions around it, it’s more than a technical issue because it involves people. There are non-human identities too, but let’s save that discussion for now. People are involved, and they’re not simply numbers in a database, even though in many cases, that\u2019s how it\u2019s going to be represented.<\/p>\n
David Puner: [00:08:00] Oh, so far so good. Keep it coming.<\/p>\n
Jeff Reich: [00:08:02] Right now, if you do any international travel, chances are you have a passport or a passport card, if it\u2019s in North America. You have a passport, and you feel pretty confident that unless you’re going to one of the countries that we don\u2019t want to deal with\u2014say Iran or Cuba, and even then you could find ways to do it\u2014but for the most part, you go to any other country, and you can present your passport. You may need a visa in advance, which gives you permission to do what you intend to do while you’re there, but you still need a passport to identify yourself. It gets stamped and says, “Here’s when you entered this country.” And there should be a corresponding stamp that says, “Here\u2019s when you exited,” depending on the length of your visa and how long you stay. That’s pretty intuitive for most people. A lot of people don’t recognize that happens because of a treaty that exists, that comes out of the United Nations, that says all countries should be able to accept all other countries’ passports. And here’s the standard that must be met. It can’t simply be a piece of paper with a hand-drawn picture and a signature. You know what the components of a passport are.<\/p>\n
David Puner: [00:09:00] Mm hmm.<\/p>\n
Jeff Reich: [00:09:01] And when you get your passport issued, the reason you have to go through the identification and authentication process, and the time it takes to do that from the government, is because they need to validate that it is really you, to the best of their ability, before they issue your passport. What we\u2019re suggesting is if you take that process and were to digitize it, think about everything that happens right now when you mail in a picture or when you go give your fingerprint to someone. That doesn\u2019t happen digitally. So, there have to be different ways of identifying and authenticating people so that they could have a digital wallet with verifiable digital identity components within.<\/p>\n
David Puner: [00:09:45] So, are passports as we know them today, the physical, tangible passports, are they sufficient ID? I think I already probably know my answer there. What is the future of passports? Is establishing this new standard for a digital passport that will be recognized everywhere easy to get to? How long is that going to take, and what’s it going to look like?<\/p>\n
Jeff Reich: [00:10:08] So, a passport now, I would consider it pretty reliable. I think we know what goes into it. At a minimum, you need to get it renewed every 10 years. That’s part of that treaty. They’re going to be around for a while. I doubt you’ll see the end of physical passports in my lifetime. Maybe some of the listeners may see it in theirs, but I probably won’t, and that’s okay.<\/p>\n
The answer to how easy or how quickly can we get there\u2014I did mention there was a national treaty involved in passports, right? So, if that’s the ultimate answer, we’re probably at least 10 years, if not more, away from that. However, that doesn’t mean that some components can\u2019t exist. Many countries in Africa, many countries in the EU are already developing this because the EU has a digital identity directive that requires countries to keep digital identities of people and indicate what the standards are for their use and how they\u2019re protected. So, that\u2019s already underway. The EU, I would offer, with Australia pretty close behind, is leading the way in getting that done.<\/p>\n
David Puner: [00:11:00] And that’s today? Or are we talking about the EU Digital Identity Wallet that’s supposed to roll out by the end of 2026?<\/p>\n
Jeff Reich: [00:11:09] That\u2019s going to be the 2026 one. And like everything, just like GDPR was, there will be a question of potential delay for enforcement. We will get there, though.<\/p>\n
David Puner: [00:11:17] Mm hmm.<\/p>\n
Jeff Reich: [00:11:18] And once that happens, I think you’ll see it, just like what happened with GDPR. You’ll see that start to spread to other areas because it’s a practice that makes sense. The reason it makes sense for the EU to start with this is a number of reasons, but I think a primary one is it wouldn\u2019t happen in the United States because you can freely travel from one state to the other in the United States without even having identification. It would be a big effort in the U.S. to make it internal without having to put in new enforcement mechanisms that really aren’t necessary. But with the EU, there are distinct sovereign countries that may want to protect some levels of identity and entry and sovereignty around that. So, I think it’s a good place to start this off, and I think they’re smart for doing it.<\/p>\n
David Puner: [00:12:00] It\u2019s really interesting. I want to get back to the EU Digital Identity Wallet in a moment, but first, what human and technology components are needed to validate a person’s identity, and how is that data then stored and used securely?<\/p>\n
Jeff Reich: [00:12:15] What it takes for identity and authentication to occur right now digitally is not very different than what it takes in person, except you need to find a way to digitize it and secure it. So, without question, encryption is going to be involved.<\/p>\n
David Puner: [00:12:29] Mm hmm.<\/p>\n
Jeff Reich: [00:12:30] There\u2019s also very likely going to be multi-factor authentication required, at a minimum, before anyone can access it. And then there are going to have to be rules around, “If I\u2019m managing the whole system, can I actually change anything in that database?” Now, technically, that\u2019s always possible. Anytime someone says\u2014and this is for people outside the security community, because those inside security know this\u2014anytime someone says, “This is immutable, no one could ever change this data,” they\u2019re either ignorant or lying because anything on a computer can be manipulated. Anything.<\/p>\n
David Puner: [00:13:00] Right.<\/p>\n
Jeff Reich: [00:13:01] That being said, putting in the right audit trails for, “Hey, something was changed,” or “I see the condition is different,” you can always at least identify when something was changed. But it\u2019s going to be very important to determine how do we take the different components and different fields that we need, which may be at some point someone put in their fingerprints on a digital reader, or it could be that their birth certificate was scanned in and validated by a county clerk. Each jurisdiction can come up with its own ways to verify it and vet it. The key is going to be what components are we willing to accept, which ones do we not want to accept, and how do we protect all of them.<\/p>\n
David Puner: [00:13:43] In your focus with the IDSA, and identity obviously being a very strong focus, as the name suggests, how much are you taking into consideration security when you’re looking at challenges like creating new digital passports and other projects like that?<\/p>\n
Jeff Reich: [00:14:00] That’s very important. So, identity is our first name, but security is our third. So, it’s right in the middle and it\u2019s very important. And keep in mind, being an alliance, we are a nonprofit made up of member organizations. The majority are identity and security vendors. And we have some partner memberships, organizations that may do consulting or recommendations but don’t sell their own security products or identity products. Then we have corporate members as well, and these are the users, the corporate consumers of all those identity and security products. We also have individual contributors who are not part of a vendor but certainly are either in this space, maybe an individual consultant, that sort of thing.<\/p>\n
So, when you look at all of that involved, the security of what we\u2019re doing for digital identity is vitally important. But from an IDSA perspective, that\u2019s not all we do. Mainly what I\u2019ve been talking about to this point is CD Hub, of which IDSA is a member. That community. Now, IDSA, as a nonprofit organization, focuses on raising the level of security, of identity awareness, and security awareness around it.<\/p>\n
David Puner: [00:15:00] Mm hmm.<\/p>\n
Jeff Reich: [00:15:01] So, we do things focusing on security, such as facilitating webinars from our members to say, “Here\u2019s how we need to be able to secure what we\u2019re doing with identity.” We also have a pretty large focus on identity and access management (IAM) so that organizations that say, “How do I get my arms around 50,000 employees having to access millions of different data components, and I can\u2019t possibly even draw a mind map of how those are all connected?” There are a lot of tools that our members offer that can do it. Now, we\u2019re not in the business of selling those tools on behalf of our members. However, we raise awareness of what the problem is, how severe it can be when you don\u2019t address it, and what sort of practices you should follow to address it. So, it’s thought leadership, it\u2019s vendor agnostic when we do this, both in our webinars. We also have blogs. We also amplify social posts on behalf of our members. So, there are a lot of different ways to get the word out from an IDSA perspective to say, “This is a big issue,” and in all honesty, even the ones that are doing it really well don\u2019t quite have their arms around it yet.<\/p>\n
David Puner: [00:16:00] So then, coming back to cross-border identity and all of the data and security involved in all the various components of any particular kind of transaction, how does a cross-border transaction\u2014whether it\u2019s travel or an online purchase\u2014how does that make all of this more complicated than if you’re just making a simple transaction, again, either travel or an online purchase domestically here in the U.S.?<\/p>\n
Jeff Reich: [00:16:28] Okay. So, I\u2019ll start with the basics. If you were to walk into a store and buy something of relatively low value and gave $5 to the clerk, that\u2019s about as simple as we can be for a transaction. And they don\u2019t care who you are as long as the $5 is valid, and you’re not doing anything else to them. They don\u2019t care who you are. All right? So, identity is not really important then, unless you’re buying alcohol, in which case, yeah, you need to show some identity.<\/p>\n
Then we go to a simple online purchase. You want to go to my website because I sell widgets, and you want a widget, and you say, “I want one widget. It\u2019s going to cost $10. Here\u2019s my address, here\u2019s my credit card number and information.” Even though people don\u2019t think about it, you just gave your identity, which may or may not require an ID and password. My site may not require that. But you validated your identity with your credit card information. When I do a credit card authorization, it\u2019s going to look for that name. So, if someone stole your credit card and they present themselves as you, they just got some free stuff.<\/p>\n
David Puner: [00:18:00] Right.<\/p>\n
Jeff Reich: [00:18:01] But, you know, I\u2019m going to ask for the CSV on the back. By the way, that\u2019s not how I would do it, but that\u2019s how many websites do it. I\u2019m going to ask for your number, your CSV, and I validate, “Yep, that\u2019s David.” I\u2019m going to let that happen. So, I\u2019ve identified you. Once again, we\u2019re going up in steps of complexity. Now, let\u2019s say you want to buy something, and you’re a member of a large organization that has a service\u2014I\u2019m not going to get into a name\u2014that has a service where when you subscribe to it, you get free shipping, and you get free videos, all those sorts of things.<\/p>\n
David Puner: [00:18:41] That sounds great. Where can I get that?<\/p>\n
Jeff Reich: [00:18:43] Yeah, wouldn\u2019t it be great if someone came up with that?<\/p>\n
David Puner: [00:18:45] Yeah.<\/p>\n
Jeff Reich: [00:18:46] I think they can make a lot of money.<\/p>\n
David Puner: [00:18:48] I think we just came up with a great idea. Let\u2019s hit stop and start that up, get ourselves a URL.<\/p>\n
Jeff Reich: [00:18:52] Yeah, they can make a lot of money doing that. But in any case, in order for that to work, you had to sign up first with an ID and a password. And in some cases, now they’re requiring a second factor of authentication, whether it\u2019s an app on your phone that says, “I\u2019m going to present you with a code. You have to enter what it is.” So, that will occur. There\u2019s a level of authentication that\u2019s higher there. But by doing that, once you leave and come back and authenticate yourself correctly, you don\u2019t have to do that again when you buy something. And they already know your address, although you can change it, but all that\u2019s stored for you. So, they\u2019re keeping a lot of components of your identity. And you have an expectation that that\u2019s going to be one, private, and two, secure, right? Well, it can\u2019t be private if it isn\u2019t secure, so maybe I should reverse the two of those. And whatever your expectation is, it\u2019s actually guided by the privacy statement, which you very likely clicked through when you signed up and didn\u2019t read. And I\u2019m not accusing you, David. I\u2019m sure you would have read it.<\/p>\n
David Puner: [00:19:52] I\u2019m a big reader. So, yes, I read them all.<\/p>\n
Jeff Reich: [00:19:55] But a lot of people, most people, don\u2019t. So, the level of control you have is mandated by that. That\u2019s something people should be aware of. So, another level of heightened identity. Now I\u2019m going to do something with the U.S. government. I\u2019m going to pay my taxes. Now, you have to sign up with an ID and password, and you have to validate who you are. And they\u2019re going to send a code to you, and you have to, in some cases, enter for the\u2014if you’re doing it for the first time\u2014what your previous tax payment was for the previous year to validate that you have that information and that it is you. Once again, another way to validate who you are, a heightened level of identity and validation for you to pay your taxes or do many things with the government.<\/p>\n
Now, let\u2019s hop over a border somewhere\u2014whether it\u2019s Canada, Mexico, wherever\u2014because we have a treaty there that lowers the scrutiny level. It\u2019s not quite as high as if you went to any other country in the world. Let\u2019s say you’re going to buy something from England. The UK is going to not only have the same sort of level where you need to identify who you are with a password, maybe a multi-factor authentication, or something on your phone where they send you a code, but in addition to that, you have to have a credit card that\u2019s going to be accepted there. They may use that as an additional identity. You\u2019re going to have protection.<\/p>\n
Let\u2019s skip from the UK and go to Ireland instead because you\u2019re going to have GDPR protecting you there. The equivalent exists in the EU, but I\u2019m sticking with Ireland. GDPR is going to protect your information, and you have rights there that actually you don\u2019t yet have in many states in the U.S., where you could say, “I\u2019m no longer doing any transactions with you, and I\u2019m requesting you to forget me,” which means that organization has to delete every record associated with you, except for the one record that says you requested to be forgotten. So, more identity, more protection to it.<\/p>\n
But now, if you want to get something that\u2019s only available in Ireland, they\u2019re going to say, “Well, based on your IP address, it looks like you\u2019re not here.” So, you try to say, “Oh sure, I\u2019ll just get a VPN and I\u2019ll get an Ireland IP address.” They\u2019re still going to say, “What\u2019s your address? Where are we going to ship this?” All components of identity, and what\u2019s your credit card? All of that will tie you to either the U.S., where you are, or to Ireland.<\/p>\n
David Puner: [00:23:00] So then, in this digitally interconnected world, where we can, in a moment, be wherever we want to be, just from behind a keyboard or a screen, what are the challenges or hurdles to coming up with a standardization or normalization of this kind of data so that other jurisdictions, specifically other countries, can accept and use this data?<\/p>\n
David Puner: [00:25:00] Mm hmm.<\/p>\n
Jeff Reich: [00:25:01] The same even if it was domestic, by the way, without cross-border, you should be able to do that and not have to worry about storing your password somewhere. It\u2019s part of your payment method. It\u2019s in your digital wallet. So, let\u2019s expand that now to\u2014you want to travel to Ireland.<\/p>\n
David Puner: [00:25:18] Okay.<\/p>\n
Jeff Reich: [00:25:19] Right now, I don\u2019t think you\u2019re going to need a visa for at least a couple weeks’ stay. I think it may actually be up to two months, but don\u2019t quote me on that. So, you present yourself to the border agent, an immigration agent rather, in Ireland. You can just say\u2014whether it\u2019s a QR code or some better evolution of that\u2014this is me. They scan it. That\u2019s all they need to do. And they either let you in, or based on something they see or don\u2019t see there, they\u2019re going to say, \u201cNo, I\u2019m sorry. You\u2019re going to need to wait and either do an interview or we\u2019ll get you on a plane back to the U.S.,\u201d or whatever the answer is going to be. That\u2019s all you should have to do to take a cross-border journey. But all of the work that\u2019s going to get us there is everything we\u2019re working on now. What components need to be there? How do they need to be validated? How often do they need to be refreshed? How are they stored? How are they presented? And how can one jurisdiction look at information from another jurisdiction without having to have that other jurisdiction\u2019s software? There should be one singular way of saying, \u201cI\u2019m getting your digital identity, and I validate it, and I accept it.\u201d<\/p>\n
David Puner: [00:26:24] And is that something that you think is in our near future, or is that again something that\u2019s way, way off?<\/p>\n
Jeff Reich: [00:26:30] Um, it\u2019s less than 50 years away.<\/p>\n
David Puner: [00:26:32] Okay.<\/p>\n
Jeff Reich: [00:26:33] I\u2019d like to think it\u2019s less than 25. Once you get to less than 10, my confidence level drops, although there may be some instances of it. But universally, it\u2019s going to be closer to 50 than 10, in my opinion, only because it\u2019s a matter of, \u201cLet\u2019s get the standards in place, let\u2019s write the software, let\u2019s figure out what security issues we\u2019ve just created and fix them.\u201d And eventually at some point, an organization like the UN is going to say, \u201cOkay, let\u2019s come up with a universal standard that says everyone that participates is going to operate in this manner and we\u2019ll accept it.\u201d And, you know, that may be 30 years away, but I do think it\u2019s closer to 50 than 10.<\/p>\n
David Puner: [00:27:14] Okay.<\/p>\n
Jeff Reich: [00:27:15] By the way, David, I just have to say there are people in CD Hub right now, if they\u2019re listening to this, who are throwing things at their computers, saying, \u201cHow dare you tell them it\u2019ll be that long.\u201d I\u2019m just trying to be realistic.<\/p>\n
David Puner: [00:27:30] All right. Well, to that point, with AI and Gen AI, does that sort of change potentially the timeframes of all this kind of stuff, depending on where it is in a year or two or three or four?<\/p>\n
Jeff Reich: [00:27:42] Maybe, maybe a bit. First of all, Gen AI, even though it\u2019s used a lot, it isn\u2019t necessarily universally accepted as, \u201cYes, whatever comes out of Gen AI is something I\u2019m going to live with.\u201d<\/p>\n
David Puner: [00:27:55] Right. Are you willing to say that?<\/p>\n
Jeff Reich: [00:27:57] Not at this point. That\u2019s for sure.<\/p>\n
David Puner: [00:27:59] Okay.<\/p>\n
Jeff Reich: [00:28:00] But how can it potentially expedite all of this?<\/p>\n
David Puner: [00:28:03] So, you just answered your first question with, \u201cYeah, we\u2019re not ready to depend on that yet.\u201d<\/p>\n
Jeff Reich: [00:28:07] I think the use of AI is certainly going to be a component of this. But it\u2019s going to be a component of looking at behavior and seeing where the inconsistencies are rather than finding AI to say, \u201cYes, I\u2019m identifying this person in advance.\u201d<\/p>\n
David Puner: [00:28:22] Okay.<\/p>\n
Jeff Reich: [00:28:23] So, I\u2019m going to give you an example of where it can work. There is an organization\u2014happens to be a member company\u2014that has software that\u2019s in use in a few airports in the U.S. right now. And as long as I register through the airline that I\u2019m using, I put in my driver\u2019s license, I scan it, an image of it, and they validate it to my frequent flyer identification information with the airline. With all that information now, and then I think I actually, if I remember correctly, I took a picture with my phone.<\/p>\n
David Puner: [00:28:52] Okay.<\/p>\n
Jeff Reich: [00:28:53] To finish my registration. Now, if I\u2019m flying, I\u2019m flying Monday. I could say on Sunday, \u201cHey, here\u2019s my flight number tomorrow,\u201d and just type that into the application. I can walk up there. There\u2019s a screen that will scan me, recognize my face, and say, \u201cAuthorized,\u201d and I walk through. I never even have to touch anything or give anything to anyone to get in. I think you’re going to see technology like that start to happen more. There is AI behind it, certainly, to validate, observe, and validate behavior. It doesn\u2019t validate my identity. So, it\u2019s really ancillary.<\/p>\n
David Puner: [00:29:30] So, what you\u2019re talking about is also sort of an easier consumer experience as well. So, presumably, while the security standards are more stringent, you’re still dealing with a better consumer experience and an easier consumer experience.<\/p>\n
Jeff Reich: [00:29:45] I\u2019m so glad you said that. I\u2019m a firm believer that the better the standards\u2014which usually means harder\u2014the less the friction. When you do it right, it\u2019s easier to use. Where the friction comes in is where you’re starting out, you don\u2019t have all the tools yet, you’re not sure what\u2019s going to happen, and so even though there\u2019s, \u201cOh, you can present this, and it\u2019s fine,\u201d but you still need to do this because we\u2019re not quite certain it\u2019s going to do everything you want. And now you’re actually creating more work for the consumer rather than helping them out. But when you do it right, you actually make it easier for the consumer. It\u2019s a nice experience.<\/p>\n
David Puner: [00:30:24] So, then, obviously a subject which we\u2019ve already touched upon a little bit, but it relies a lot on ease of consumer experience for adoption and lack of friction, which I guess are probably one and the same. When it comes to payments and identity validation, where do things stand with the safety and security of payments and identity? And how does it differ with in-person and online payments?<\/p>\n
Jeff Reich: [00:30:52] The challenge we have here with payments is that it involves money. And guess what crooks really like? They like money.<\/p>\n
David Puner: [00:31:00] They like the money.<\/p>\n
Jeff Reich: [00:31:01] Yes.<\/p>\n
David Puner: [00:31:02] Sure do.<\/p>\n
Jeff Reich: [00:31:03] And when it\u2019s there and available, especially if it\u2019s easy to get, they\u2019ll try to do that. So, digital payments and the place that identity plays in payments\u2014it\u2019s important in a couple different ways. I\u2019m going to talk about a couple of societal dependencies first because right now if you want to open a bank account\u2014which you’re probably going to need to do in order to have digital payments\u2014you\u2019re going to need to identify yourself. See, we keep coming back to that, to the bank, to their satisfaction.<\/p>\n
David Puner: [00:31:31] Right.<\/p>\n
Jeff Reich: [00:31:32] So, let\u2019s come up with a community of people, because there\u2019s a measurable percentage of people right now that are refugees. They don\u2019t have a country, they very likely don\u2019t have identification\u2014they may\u2014but they don\u2019t have an address. You know, their address might be tent number 47.<\/p>\n
David Puner: [00:31:49] Mm hmm.<\/p>\n
Jeff Reich: [00:31:50] And it\u2019s a measurable percentage. It\u2019s not just a couple of people. They want to establish themselves in their new country of refuge. How do they do that?<\/p>\n
David Puner: [00:31:59] How do they do that?<\/p>\n
Jeff Reich: [00:32:00] Yeah, right now, it\u2019s a multi-month, if not multi-year process to vet and find out. We need to find someone that knows them in their country of origin. And unfortunately, all those people may have been killed.<\/p>\n
David Puner: [00:32:13] Hmm.<\/p>\n
Jeff Reich: [00:32:14] So how do you validate that this person isn\u2019t a terrorist posing as someone else trying to get in? That\u2019s a big challenge. So, another component of what we\u2019re looking at in CD Hub\u2014and IDSA is a strong supporter of this as well\u2014is how do we deal with a refugee situation? And how can we come up with universal identification for two reasons? One, to validate that someone is who they say they are, and more importantly, once they want to establish in their new country of refuge, one of the first things they\u2019re going to want to do is banking. How can they do that without even having an address? The one thing that most people still have, even in refugee status\u2014although still not everyone\u2014 is a phone. A phone may not store the digital identity wallet\u2014in some cases, you think it does now, like with, say, Google Pay or Apple Pay\u2014that\u2019s going to be there. But it\u2019s going to be located somewhere else, and a phone is really the gateway to it.<\/p>\n
David Puner: [00:33:00] Mm hmm.<\/p>\n
Jeff Reich: [00:33:01] I look at that as\u2014I\u2019d like to see that before we get to passports or cross-border, only because of the problems associated with it. I would like to see that implemented where a refugee can say, \u201cHere\u2019s who I am,\u201d and there\u2019s a pretty easy way to validate that. And now, if they\u2019re accepted as a refugee, you can speed up that process and get them established in a new life much more quickly. And that\u2019s not a political statement. It\u2019s simply a matter of, how can we make the best use of government resources when dealing with refugees?<\/p>\n
David Puner: [00:33:29] That\u2019s really interesting. And then, of course, it sort of, you know, goes back to what we were talking about a little bit earlier with the EU Digital Identity Wallet that will, of course, rely on an app within a phone. And through that app, it will rely on identity verification and authentication through credentials stored in that app. So, to you, what\u2019s the significance of the EU Digital Identity Wallet specifically? We\u2019ve already discussed more broadly, just sort of beyond that. And how are security and privacy fundamental to its adoption and ultimate success?<\/p>\n
Jeff Reich: [00:34:00] Well, they\u2019re key to its adoption and success. Without both, it will fail. Hands down, it will fail without both. So, when you look at the level of security that we have now over sensitive data, critical data\u2014let\u2019s use a government standard here, at least in the U.S.\u2014because there\u2019s sensitive information, and then there\u2019s classified information. Let\u2019s stay away from classified because as much as people want to say it should be treated the same way, it can\u2019t be, because if your identity were classified, we could not find out who you were.<\/p>\n
David Puner: [00:34:29] Okay.<\/p>\n
Jeff Reich: [00:34:30] Unless you had a matching clearance and the need to know. So, that doesn\u2019t work. But if we treat it as sensitive information appropriately and consistently, we\u2019ll be able to demonstrate that you can have confidence that your digital identity and your digital wallet are not only safe and secure but usable whenever you need to use them. By the way, the example I used of a refugee\u2014just to go back to that with a phone\u2014that information can also be held on a chip, on a card, even if you don\u2019t have a phone, and there can be a reader that says, \u201cI\u2019m going to access the information there.\u201d But in all those cases, you should have a high level of confidence that, one, it\u2019s going to be secure and people aren\u2019t going to break into it and exfiltrate it or change it or use it against you. And more importantly, there needs to be a demonstration of resilience because there will be problems that happen, whether through human error, malicious attacks, or hardware failures\u2014there\u2019s a number of reasons. You work in security long enough and you realize the entire world is against you. Everything that can go wrong eventually does.<\/p>\n
David Puner: [00:35:24] Mm hmm.<\/p>\n
Jeff Reich: [00:35:25] And what\u2019s most important is being able to be resilient to say, \u201cYes, I know something can happen, and here\u2019s how I stem the tide of the problem, and here\u2019s how I recover.\u201d And I think the better governments can do that\u2014this is a big challenge, and I issue that challenge to all governments\u2014the more quickly we\u2019ll be able to adopt a secure system that people can have confidence in and, I believe, can make the world a better place. And that\u2019s the reason I do this. I know that sounds very altruistic, and I\u2019m not trying to say I have a cape flowing behind me or anything like that. The world should be a better place. It should be a nicer place to live. And we shouldn\u2019t have to focus on how much effort it takes for me to identify myself to you, and to the next person I talk to, and to the gate agent next week when I travel, and to the hotel when I check in. And I\u2019m going to do all that. I\u2019m not protesting it. That should be so much easier.<\/p>\n
David Puner: [00:36:15] So then, speaking in super broad generalities, do governments generally want this to happen, or is there a lot of pushback?<\/p>\n
Jeff Reich: [00:36:24] You know, from what I\u2019ve heard so far, clearly the EU does. Of course. I mean, they put out a directive saying it must happen.<\/p>\n
David Puner: [00:36:30] Yes.<\/p>\n
Jeff Reich: [00:36:31] Other governments\u2014I think\u2014I haven\u2019t heard of one that says, \u201cNo, this is dumb. I don\u2019t want to do it. Take me back to 1955.\u201d All right? I haven\u2019t heard that yet. However, the challenge is going to be, how does it get done? So, is it going to get done in a way that, if I\u2019m a member of a legislature, the only way I\u2019m going to support getting it done is to have a company in my district get the business to build a program to do this. Otherwise, I\u2019m not going to support it. And that\u2019s politics, and we\u2019re going to have to get past that. And unfortunately, I think that\u2019s the largest roadblock between now and that, and being able to get the legislations and executive branches and all other forms of governments around the world to a level of competency in technology. Because that\u2019s still fundamental. Most don\u2019t have that right now. If I use the U.S. as an example, most members of Congress\u2014not all\u2014have little technical knowledge. And by technical knowledge, I mean, how do you turn something on and configure it for yourself?<\/p>\n
David Puner: [00:37:30] Mm hmm.<\/p>\n
Jeff Reich: [00:37:31] Now, I\u2019m a digital immigrant, all right? I\u2019m not a digital native. I grew up before that happened. For digital natives, that\u2019s relatively straightforward. For digital immigrants, it\u2019s a little more of a challenge. Then there are the people out on the island still that haven\u2019t begun that trip\u2014it\u2019s difficult. Unfortunately, most members of Congress live on that island. They may have staff members that are digital natives who do something on their behalf, but it\u2019s still not the people that pass the laws. So, I think there needs to be a level of competence with current technologies at a fundamental level. They shouldn\u2019t have to ask, \u201cHow does Facebook work?\u201d<\/p>\n
David Puner: [00:38:11] Correct.<\/p>\n
Jeff Reich: [00:38:12] That\u2019s an example. And, you know, we\u2019ve seen them ask that or make assumptions and be completely wrong. So, I think we need to get the majority of members of governments to at least that level so that they can get the level of confidence they need that this can work when done correctly. So, there\u2019s a political component, and then there\u2019s the education component.<\/p>\n
David Puner: [00:38:31] Really interesting stuff. Jeff, you seem like a realist. I guess to understate it, or maybe it\u2019s overstating it\u2014who knows\u2014you do seem like a realist. What makes you optimistic about the future of identity?<\/p>\n
Jeff Reich: [00:38:45] Well, first of all, there are organizations like IDSA\u2014and we\u2019re still around\u2014and CD Hub, Secure Identity Alliance, IDPro, and a whole bunch of others that focus on identity and say, \u201cLet\u2019s all go towards that focal point that says we have reached a point where we can have a level of confidence that identity is secure, reliable, and usable.\u201d As long as those missions all coincide there, all are directed towards that, I feel very optimistic that we\u2019re going to get there. It would be wonderful to say we can get there in two years, but I don\u2019t see that. I think we\u2019re going to take it a step at a time. I think five years from now, you\u2019ll see a big improvement. I think ten years from now, if we could save this and play it in ten years, you\u2019re going to say, \u201cWow, we\u2019ve come so far from there.\u201d<\/p>\n
David Puner: [00:39:28] Mm hmm.<\/p>\n
Jeff Reich: [00:39:29] There\u2019s still a journey ahead of us. So, I feel good because as long as that progress is occurring, we\u2019re doing the right thing.<\/p>\n
David Puner: [00:39:36] So, as far as your next immediate steps go, this episode is most likely going to come out toward the end of September or the beginning of October. What\u2019s next? What are your next steps? What does the IDSA have going on? What do you have going on? What are we going to see?<\/p>\n
Jeff Reich: [00:39:55] So, IDSA has a couple of major things every year. Our showcase event is Identity Management Day. It\u2019s always the second Tuesday of April. So, in 2025, it\u2019ll be April 8th. What we started this year with it was expanding it from an eight-hour event to a 21-hour event. And it is Identity Management Day around the world. It starts in Australia, which covers the whole Asia and Oceania time zones. And there are about six or seven hours of presentations there. Now, last year in Australia, there was an in-person one as well as streaming it. Most of this is online, though.<\/p>\n
David Puner: [00:40:30] Okay.<\/p>\n
Jeff Reich: [00:40:31] And then after about a 45-minute break, we move to the EMEA section\u2014Europe, Middle East, and Africa time zones\u2014where there are presentations. And we had speakers from different parts of Europe and from Africa talking about what\u2019s going on with identity and how we\u2019re going to make it better. And then after another, actually close to a 15-minute break, the Americas start. That\u2019s the traditional Identity Management Day as well. So, you’re seeing that expand. It\u2019s going to be expanding more next year. So, I\u2019m really looking forward to that. Now, you will start seeing some things about that in October. That\u2019s when we officially start our planning for the April event.<\/p>\n
David Puner: [00:41:00] Okay.<\/p>\n
Jeff Reich: [00:41:01] The other major deliverable we have is our annual research paper, which focuses on the trends in digital identity security, which is exactly everything we\u2019ve been talking about so far today. And just as an example, some of the things we see in that report\u2014this is now the fifth year\u2014are the gaps between what the CEOs think is happening in their organizations and what the CISOs think is happening in organizations. Up until a couple years ago, they were just nowhere close to each other.<\/p>\n
David Puner: [00:41:32] Hmm.<\/p>\n
Jeff Reich: [00:41:33] They\u2019re still not next to each other yet, but they are getting a lot closer because, unfortunately, of the pain of data breaches, which involves identity. So, it\u2019s helping that education process I was talking about. That research paper, by the way, we create a level of abstraction. We have an organization that does the surveys for us, so we don\u2019t know who\u2019s answering. All we get are the demographics about it. So, we can see what are CEOs saying, what are CISOs saying, what are security architects saying\u2014whatever the different category is. So, that\u2019s another major deliverable we have that we\u2019ll have again next year.<\/p>\n
And the third thing, in addition to blogs and social posts that we have, we host webinars\u2014on average, a couple per month\u2014that we facilitate but our members deliver. And that is a thought leadership session. It\u2019s not marketing or sales for the vendor members, but it does allow them to say, \u201cHere\u2019s what\u2019s important if you’re starting an identity management program. Here\u2019s what\u2019s important if you know nothing about identity.\u201d We also have some that say, \u201cHere\u2019s what\u2019s important when you’re really in the weeds, and you need to use some new tools to help refine it.\u201d And we really like that. Our members like it, and we get a good response. We have over, I think, about 8,000 people that subscribe to our webinars. We\u2019ve had over 1,000 people at past, and then 1,200 registered for Identity Management Day. So, it\u2019s growing. The word\u2019s getting out there. That helps me feel good about what we do. And that\u2019s what we have going forward. There are clearly going to be a couple more events that we\u2019ll probably participate in next year. But those are the big deliverables you see coming out of IDSA.<\/p>\n
David Puner: [00:43:00] You\u2019ve got a lot going on, that\u2019s for sure. Is there anything from that paper that came out this year, one of the findings perhaps from, let\u2019s say, the CISOs\u2014like one big thing that totally caught you by surprise and has maybe shaped your focus a bit in the last months since the paper came out?<\/p>\n
Jeff Reich: [00:43:17] There is one set of facts, and it\u2019s CISOs and CEOs. This is why I mentioned that earlier. It\u2019s gotten better, but last year\u2019s report, the CISOs said, \u201cWe\u2019re doing either a good or better-than-good job of securing identities.\u201d They also said that about 92% of organizations suffered a breach with identity information and had negative consequences from it.<\/p>\n
David Puner: [00:43:43] Right.<\/p>\n
Jeff Reich: [00:43:44] So, something that I think is interesting that I challenge people on all the time, since I don\u2019t know who actually answered the survey, is: how can most people say, \u201cWe\u2019re doing a good or better-than-good job,\u201d and at the same time, most people say, \u201cWe had a breach that actually caused a measurable negative impact on what we do\u201d? I\u2019m still trying to resolve that.<\/p>\n
David Puner: [00:44:10] Really interesting stuff, Jeff. There\u2019s obviously a lot that we can talk to you about, identity, moving forward. Hope to have you back on the podcast sometime in the near future. Wish you well with all your travels and endeavors, and thanks so much for coming on to Trust Issues.<\/p>\n
Jeff Reich: [00:44:26] David, it was my pleasure. Thank you.<\/p>\n
David Puner: [00:44:28] Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don\u2019t miss new episodes. Make sure you\u2019re following us wherever you get your podcasts. And let\u2019s see\u2026 oh, oh yeah, drop us a line if you feel so inclined\u2014questions, comments, suggestions, which come to think of it, are kind of like comments. Our email address is trustissues\u2014all one word\u2014@cyberark.com. See you next time.<\/p><\/div>\n","protected":false},"featured_media":213927,"template":"","class_list":["post-197617","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\n