The Dual Role of AI in Identity and Access Management
RSA's Rohit Ghai on AI Being an Attacker's Weapon and a Defender's Shield
Everyone needs to have a security-first mindset for identity because as much as it is a defender's shield, it is also an attacker's target, said Rohit Ghai, CEO at RSA. In fact, identities are the most attacked part of enterprises, yet too little energy is spent on monitoring them.
In a post-pandemic world, identities on networks have grown 10 times because of remote working and, in general, more users are now using identity platforms, Ghai said. We have more granular IT resources and are moving toward a microservices architecture, which makes things very granular and makes the data for identity applications more complex. Implementing the latest technologies, such as AI and automation, will be essential to address this challenge. But what about the ethics of AI?
"Any new technology often has a duality. It's a double-edged sword. What I see happening is that the attackers have been using automation and AI for a while to perpetrate attacks," Ghai said. "It's going to be a massive challenge keeping up with the threat actors because they are applying AI technology to attack identity and other aspects of the attack surface."
In this video interview with Information Security Media Group at RSA Conference 2023, Ghai discusses:
- Real-world deployment of zero trust;
- The application of AI and ML for identity management and its security;
- The evolution of identity management.
Ghai, CEO of RSA, also provides oversight to the Archer, Outseer and RSA Security businesses as a member of the board of directors. He advises global customers on their digital and security transformation initiatives. Previously, he served as president and chief executive of Dell EMC's Enterprise Content Division, Documentum.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group here at the RSA conference with the CEO of RSA, Rohit Ghai. Rohit, welcome back to our studio.
Rohit Ghai: Always a pleasure, man. Thank you for having me.
Schwartz: Thank you. It's always wonderful to get your impressions on the latest RSA Conference, 2023. Now, what would your impressions be this year?
Ghai: First off, it's the most exciting week for cybersecurity. This is a first for me, experiencing the conference with RSA, the company, not being the owner of RSA, the conference. So I get to enjoy a lot of the side meetings and truly experience the joy of the community. Right. So it's been phenomenal. There are so many exciting conversations, you know, this week influences the strategy for the industry and sets the tone for the year that's upon us. So exciting as ever.
Schwartz: But did it keep you busy? I mean, you were on the keynote stage, Stronger Together theme, and I think warming up the audience.
Ghai: That's something that I always look forward to. It's one of the rituals to kind of get to set the tone and open the conference. And, you know, this year, Hugh Thompson had some opening remarks prior to AI. So, you know, it took a little bit of adjustment there. But Hugh's been such a familiar face for the conference, and such a great champion of the community that it's just delightful to have him open the conference.
Schwartz: Well, it's wonderful to have this as an aspect of community, and a community building aspect in the calendar and see all your friends every year as well. So it's wonderful. Well, so one of the things that's surged since we last met is the concept of identity. And also for attackers, it's become a real primary target. So one of the things I wanted to ask you about is identity and access management, IAM, and the need now increasingly to transform that into what's referred to as IDT, identity theft detection and response or true identity security. Talk to me, if you will, please about that shift.
Ghai: Absolutely. Look, you know, there are two points I'll hit on. Number one is, you know, we must reflect on what the core purpose of an identity platform needs to be in the era that we're in. And I think that needs to be security. Security is the primary purpose. As much as we need to juggle security, convenience and compliance, it has to be a security-first mindset in identity. As much as it is a defender's shield, it is the attacker's target. In fact, it is the most attacked part of the attack surface. So it's, in fact, befuddling to me that, you know, as much emphasis and focus as we place on monitoring infrastructure, monitoring data, we don't spend any energy monitoring the most attacked part of the attack surface, which is identity. And therein lies the genesis of this idea called identity threat detection and response. Now, this is a very consequential but very challenging problem for the industry to solve. And, you know, RSA as a company, we've always been known for having a security-first mindset. So we are doubling down on this idea and looking to kind of innovate in this general area.
Schwartz: Well, so let's discuss, if you will, and stick with the elements of identity security these days, I mean, zero trust. We've seen a huge rise in the use of zero trust, knowledge about zero trust, and attempts to apply zero trust. What are you seeing? How has it evolved from, you know, a definition to actual deployment now?
Ghai: Yes, I think it's switched from being a twinkle in the eye of a few people to an idea that is well specified, to just about now getting operationalized in the industry. And I think what's catalyzing that shift is a couple of things. One is, of course, maturation of, sort of, everybody getting their head around: What does this mean? A more precise definition of what an implementation would look like. And I want to call out CISA in terms of publishing the zero trust maturity model, version 2.0, which is a far superior version than version 1.0, as it should be, you know, so that's a key artifact in the industry. I think the other thing that has happened is, you know, there are some innovations that I think are timely, that are powering this and making zero trust more possible. You know, the line I like to use is zero trust has zero chance without AI. So I think the kind of the invocation of AI and automation to make zero trust possible is going to be a key catalyzer for, you know, more adoption, more realistic attainment of zero trust strategies.
Schwartz: Well, I want to circle back to AI and ML in a moment. But in terms of some of the core elements, if you will, of identity security, where does passwordless play? So, you know, passkeys. RSA, of course, heard of them before, I know, but also, you know, the FIDO standards, and how do we eventually get into this passwordless future? What does this look like for the future of identity security?
Ghai: So, look, you know, the one thing that I think the cyber industry unanimously agrees on is that a passwordless world is worth striving for. Our passwords are a big pain in the behind. And you know, we've been working at it for many years. And similar to the kind of the zero trust topic, I feel like even the passwordless sort of movement, I think, is at a point where I think people have the right level of conviction on standards like FIDO, I think, that there is enough user sort of appetite to kind of switch and experience this. Because, you know, even users are tired of dealing with plenty of passwords and clunky password policies of having to update passwords, and assurance as well. I believe the assurance and the assurance that comes with it. So look, FIDO as a standard, I think, is mainstream now. It is real, you know, we ourselves released the DS100 product, which actually codifies FIDO along with our own proprietary protocol. So it's a dual form factor. So it's getting adopted, and it's getting mainstream, and it's getting user acceptance.
Schwartz: Excellent. Third generation identity. Is this a data problem? And maybe just explain the concept to me, if you will. We were talking about it before, but how do you see the evolution here?
Ghai: Identity, the evolution of identity, the way I see it, Matt, is that, look. You know, identity is all about having your actors on the network, resources on the network, and assigning the privilege of who should have access to what, when, where and why. And, you know, on the actor side, we have a proliferation of machine identities post-pandemic; there are 10x more identities on the network, both because of machine identities, as well as just more users using identity platforms. So 10x on the resource side, we have more IT resources, of course, but we have more granular IT resources, we are moving toward a microservices architecture, which makes things very granular. So the entitlement relationships are an exponentially more complex problem. It's a data problem, to borrow your phrase, which means you need to apply AI and automation to really tame that challenge. And that's, again, back to the AI point we touched on earlier. I think it's going to need technologies like AI to really tame that problem.
Schwartz: Well, the question I had about AI and ML is: opportunity for defenders, opportunity for attackers. Do you want to dive into maybe those two areas a little bit?
Ghai: Yeah, look, you know, in general, the cyber industry has learned that any new technology often has this duality, right. It's a double-edged sword. What I see happening, though, is that, you know, the attackers have been using automation and AI for a while to perpetrate attacks. Having said that, I think on the good side, the adoption of AI, I feel, is sort of pretty pragmatic. I think we are not - there are many issues with AI around ethics. And as well as sort of, you know, making sure that we are not getting too reliant on it. And, you know, always using human insight as a safety net, if you will. So I think we are adopting AI in a very pragmatic way, where it starts from data insights to human-supervised decisions to eventually autonomous decisions from an AI perspective. But it's going to be a massive challenge keeping up with the threat actors, because they're applying AI technology in spades to attack identity and other, kind of, you know, aspects of the attack surface.
Schwartz: So unless we're using it on the defensive side, we're at a disadvantage.
Ghai: Without good AI, bad AI will take us for the ride.
Schwartz: And we don't want that, obviously. Okay. So let's talk a little bit about the present and the future of RSA. What's coming next? And as you're speaking with the market, why does it matter?
Ghai: Yes. I believe in the AI and data era, the cybersecurity industry and the industry at large needs an identity security platform, not an identity and access management platform. Because just like smartphones, the core purpose of it is not making a phone call anymore. On the identity side, access management, identity management is table stakes; we have to look at the core purpose, which is security. So what RSA is focused on is delivering what we call a unified identity platform, which is Open AI powered and data driven, back to a point, with a security-first mindset. So that's what we're kind of working toward. And I think identity is the most consequential aspect of a cybersecurity strategy, if we may say so ourselves. At RSA, we've been at it for a while, but in my view, identity is center stage yet again, and that's a good thing for the industry. And we are privileged to have the opportunity to serve the industry in that area.
Schwartz: Well, it's a privilege to get to sit down with you and to hear what's happening with RSA as well as your impressions, as always, of the RSA Conference. I really appreciate your time and insights. Thank you.
Ghai: Pleasure is all mine. Thank you for having me.
Schwartz: I'm Mathew Schwartz with Information Security Media Group. Thank you for joining us.