No Guaranteed Identity, No Zero Trust - transcript

Hello and good morning, good afternoon, wherever you are. Welcome to today's webinar. My name is Derek Top, I'm the research director with Opus Research, and we're excited to get into the topic of no guaranteed identity, no zero trust. We're looking forward to a lively discussion here. We're all right here. This is a live webinar, so please do feel free to ask questions and make comments all the way throughout. We definitely have a Q&A session planned, but we're really here for a lively discussion. Like I said, I'm Derek Top, I'm the research director with Opus Research, and we've been covering voice biometrics and authentication, security and fraud prevention for many years. I'll pass it off to Dan, who, as you'll understand, is the lead analyst and founder here.

I want to get right into the meat of what we want to talk about, but I want to introduce our two, you know, well, we're considered subject matter experts, but these are the people with real-world experience implementing the solutions that we've been writing about for two decades. On my right, as presented here, is Matt. Want to give a little personal background?

Hi everyone, my name is Matt Smallman. I'm an independent consultant. I specialize in helping call centers and organizations improve their security processes, and I recently published a book, Unlock Your Call Center, which is tactfully positioned just here. I'm really excited to join this topic today because it's really interesting, kind of flipping what are often consumer-based authentication methods and looking at how those can be used to better secure the enterprise.

Right. And for this session I'm going to be Dan M, and below me here is Dan Thornhill, who will be Dan T. A little bit about yourself, Dan?

Yeah, thank you, Dan M. My name's Daniel Thornhill, or Dante. My background's primarily in telecoms and cyber security. I've been working in the voice biometric space for 10-plus years. It's an area of particular interest for me and close to my heart. I think, you know, taking the identity of an individual and making it central to security mechanisms and authentication mechanisms is the way things are progressing, and should be progressing, to make the world a more secure and safer place for people to interact online, you know, through IoT, through smart speakers, whichever way they choose to as consumers. So yeah, really pleased to be here today, and it's an exciting topic.

Right, and it's not just one topic. As soon as these slides come up... We've done the introductions. We have a few topics to go through, and I'm going to gloss over the first one about what is zero trust, but just to say that at some point in the past computer security folks determined that the best way to make sure computers are secure, other than not hooking them up to anything, is to not trust any person or a thing that is hooked up to them, and I think zero trust came out of that. But it has become really important just recently, well, not just recently, but over the past couple of years, but most dramatically most recently around an attack on Uber, global brand name, lots of employees, where an organization, Lapsus$, had probably overcome many of the techniques because something like zero trust wasn't put into practice. And I think, Matt, you did a good rundown of our best assessment of what exactly happened here, and I think it will showcase what is meant when we understand what sort of attacks are going on right now.

Yeah, sure. So I mean, what I think is really interesting is how the cyber attack profile has changed over the last few years, from conventional getting inside the firewall and then compromising the organization from there by compromising a kind of a routine, through to the fact that many organizations have implemented these kind of zero trust approaches, which basically mean that they assume their network's been compromised from the start and every service requires authentication. And as a result those authentication processes become quite a burden on users in those organizations, and we've seen attackers move to quite some low-tech methods now, the sort of attacks that we used to see quite prevalent against consumers in financial services, like SMS phishing attacks or email phishing attacks, using those to compromise credentials and then taking advantage really of the kind of fatigue that many people inside an enterprise have now with many of these multi-factor authentication methods. Like, how many text messages a day do I have to get in order to do my job? How many times do I have to open my authenticator in order to do my job? And actually, that's what we suspect, or what some of the write-ups of the Uber attack suggest, is that the credentials were identified by using a very simple SMS attack, and that then one victim of that attack just got bored with the number of multi-factor authentication requests they received on their authenticating device and ultimately pressed accept to one of those, and that was enough for the fraudsters or the attackers to put their foothold in the organization. And we also saw some other attacks, and I think it's up to maybe 120 organizations that have been attacked by this particular group right now using some pretty low-tech methods in order to get themselves inside the security supply chain and then compromise from there. So yeah, really interesting how that's evolved over the last few years, and I think even consumers are now seeing this kind of fatigue of having to keep logging into different things all over the place, and it's all for the right reasons, but the processes and the methods we're using to do that are certainly not the most convenient. And when they're not convenient for people there's a tendency to be a bit lax with them, to choose easy-to-guess passwords because I've got multi-factor authentication, or to authorize every request because I get dozens of them a day. Yeah, so it's really interesting how the profile's changed.

Yeah, and Dan T, I'm interested in your perspective of the implications of this across what ValidSoft is seeing in the world and trying to solve here.

Yeah, no, I mean Matt captured it very well. I think, firstly, the kind of context for establishing trust has changed, right? You're seeing, as Matt said, this erosion of the perimeter that people were working within. It's grown, right, and you're seeing much more remote working now. You're seeing, effectively, a lot of people have become in effect remote contact center operators in the way that they operate in their day-to-day businesses. And historically, where strong authentication has occurred or been put in place, it's through proxy mechanisms, so whether you're leveraging a personal device like a mobile phone, or a telecoms network for sending SMSs, and where you're working within known boundaries and secured boundaries you have these other kind of security mechanisms that you can fall back on. And the erosion of those has fundamentally meant that the only way to really establish trust, you know, the basis of trust or the foundation of trust, is identity, right? So you need to have that identity of the individual central to your authentication mechanisms, and that's very much where ValidSoft is focused. It's like, how do we assert the identity of an individual and make that central to an authentication method and a security process, but also keep that simple and straightforward for the consumer of that authentication? As Matt said, you can make security really complicated, and that may or may not make it more secure. Probably will, but it also makes it less secure because people don't begin using it, either improperly or they try to take shortcuts, because fundamentally we're human beings, right? We do get fatigued, we get tired, we get bored, and human beings are, in essence, always the random factor in any security method. So yeah, we feel identity is the foundation of a strong security method.

Yeah, and you know, at Opus our legacy has been sort of covering what's going on in customer care, contact centers and the advent of new technologies, and it strikes me, and you just alluded to this for a second, that during the pandemic and the lockdown a lot of the contact centers, the brick-and-mortar ones, were just closed down, and in a very short period of time you had thousands of people working from their homes, sort of making authentication more urgent, if you will. And Matt said something interesting on the planning call for this. He said, well, you know, something like Lapsus$ with Uber, with these persistent attacks on personnel, maybe the system admin who had the credentials of a super user was the target, and probably got more bang for the buck, but the fraud surface right below that turns out to be the tens of thousands of employees that are now out working, logging into the network from their contact center agent workstations, and that gets scary, frankly.

Yeah, I think that's a really interesting one. Like, these attacks on these enormous tech companies, like, they don't employ idiots. The people who are working for them are pretty smart, and these are pretty sophisticated. Whilst low-tech, they're pretty well orchestrated attacks, and these guys still fell for them. But privileged access, and making sure that our most authorized users only have access to the services they need and all the rest of it, is all good security principles, but I do think that the thing that gets missed out is, just as you say, the tens of thousands of employees who have access to every single line-of-business system, who it's very hard to do audit and compliance checks on, how they can be used as a vector of attack to get inside an organization, to exfiltrate customer data and ultimately exploit that elsewhere. And I think, whilst we do a lot to secure computer access, like, how do we actually know that the employee on the phone is the employee we think it is?

Yeah, go ahead, Dan.

No, sorry, I was gonna say, yeah, and actually taking that one step further to contact center agents specifically, I mean, contact center agents are not just the face of a company, they are the employees of that company, and furthermore they're dealing with tons of sensitive data, whether it's personal data or payment data, typically about consumers. So, you know, 99% of people are good actors, but fundamentally, if we look at that particular security model, you may have agents logging in at a particular point, but you don't know, when they're receiving calls, that it's still that right person receiving those calls. So it's also about where you apply your security and how you apply it, so it's seamless continuous authentication if necessary for particular high-risk interactions with consumers. So there's lots of different facets of where and how you apply authentication, and trying to make it as seamless as possible.

We've danced around some of the obvious solutions here, and I think that Dan T earlier was kind of suggesting this, like using a device, using authentication to make sure we actually have the right individual. But the clear thing is, like, a device is not an individual, a password is not an individual. In order to be really sure that we have the person who is supposed to be accessing our networks and our systems and our applications, it has to have some form of dependence on some form of inherence factor, and that invariably brings us back to biometrics, and selecting what the most appropriate biometric is for the particular use case that we're looking at. Because identity is about an individual, it's got to be related to features that are unique to that individual, and not stuff that can be stolen, in the case of a device, or compromised, in the case of a device, or socially engineered, in the case of a password. So I think it's really important that we come back to talk about the importance of inherence in relating to identity and relating to how that secures the enterprise.

Yeah, and I think that serves up for Dan T to talk a little bit more about the concept of services and products that support the trusted employee approach to security in this case.

Sure, yeah. I mean, it's a very broad question, so I'm going to try to narrow it down, and I'll obviously focus it. I work for ValidSoft, and we have our own focus on how we feel authentication or security should be applied. So we work with a lot of partners like Okta, Duo and many other strong authentication providers or leaders in the industry, and what we've done is we've taken our voice biometric technology and augmented their offerings. So we apply what we call Precision Voice Biometrics, and it's a multi-dimensional way of doing it, and this is specifically for trusted agent. I'll touch on trusted remote agents, or how we can apply it to remote agents, shortly. So what we can do is we can have an individual repeat, let's say, a random code, and that random code can be tied back to specific elements of a transaction if we wanted to, for non-repudiation purposes. But the repetition of that code, or random series of numbers, means two things: one, we check is it the right person that's saying it, which is the identity or inherence element of it, and two, are they saying the right thing? And that's about looking at any vectors of attack that might be associated with using your voice to authenticate. So again, it's this layered approach. I mean, we're very much advocates of the application of multi-factor authentication, so we're not suggesting get rid of all the other stuff. What we're saying is make sure inherence, or identity, is central to whatever authentication or security mechanisms you're putting in place, but make sure that the type of inherence you're using makes sense to those use cases as well, so again it doesn't become cumbersome. One of the real benefits of voice biometrics we see is its applicability to all of these different channels that, particularly in the retail sectors, consumers operate on. So you get employees coming in through the web, through apps, through VPNs, and you need to create a consistent method of authentication across those, because again, fraudsters or criminal organizations attack different channels. Where remote agents are concerned, it's a slightly different application we see. So we still absolutely see the necessity for strong authentication at login, making sure the right person's logging in, accessing your networks, accessing your solutions and services, but also, particularly where payment data is concerned, it's making sure that that agent is consistently on the calls. You're making sure that the right employee, or the right agent, is on the right calls and the right consumers are there as well, so you could look at it as like a two-way authentication handshake. So yeah, lots of different applications, but specifically we see Precision Voice Biometrics with the repetition of random codes to be a very user-friendly and extremely strong security model.

Yeah, it's interesting. One of the phrases that popped into my head while we were talking is, you know, we're talking about zero trust, but relationships between companies and their customers, relationships between companies and their employees, actually have to be trust-based. So this is really a question of how you encourage trust in the age of zero trust, and it becomes very real. And I want to encourage folks that are watching to use the question tab and ask questions here. The notion of zero trust catching on also implies sort of a different idea of what the defaults are. As you know, if you're starting presuming zero trust, rather than sort of setting up a situation where you just accept the logon and things like that... And I'll point this at Matt, but what do you see evolving as sort of like ground zero for introducing, well, not ground zero for zero trust, that's a horrible thing, but what it means to build zero trust on solid ground?

One day I'm definitely going to interview you and others in the industry about how voice biometrics started getting commercialized and where its first applications were. When I cast my mind back, some of the first applications we saw of this technology were actually in enterprise password reset. It was viewed as a way of increasing the efficiency of those organizations, because people had to reset their passwords all the time, because we had strange rules about how often they needed to be changed and how complicated they needed to be and all of those kinds of things. And by creating a voice print at that point, it gave us this baseline complete piece of trust, that we could say, right, this is the employee, and if they lose their device, they're not in a corporate building, they can't remember their badge number, and they've forgotten their password and maybe even their username, like, we can resort back remotely, without even being in person in front of them, to who they really are. And those kinds of applications, there's still many of those deployed all over the place, and organizations are still deploying them today. That's kind of where we started, and I think it's really interesting as we look at some of the approaches that Dan was talking about, which is this kind of, it's almost like two for the price of one. Yes, we're using the voice to make sure it is the individual, but we're also using the voice to say some codes that we know are cryptographically bound to the transaction that's required, and the location that person's in, and the device they're using, and all of those other associated details. It means we're almost getting that two-for-one in our authentication. And I think it keeps coming back to this kind of lowest common denominator: like, when all else fails, how do we really be sure that this person in front of us is the person we want?

I've just been really struck over the last weekend, in fact. I've been doing a bit of a personal password and security audit, and there's definitely, as an individual, there's this, like, I've got a thousand services in my password manager that I'm logged into, and scarily 300 and something of those had the same password. I was like, okay, I really should do something about this. And if you look at the Have I Been Pwned site, you can see that actually, yes, my password is well known to be my password and I really should change it. And obviously my bank's not secured with that kind of service and the rest of it, but it just shocked me how frightening the lack of security required to actually change those passwords was. Many of those accounts I was kind of locked out of, or they had in fact detected that my password had been breached, but their password reset processes were woefully inadequate. Thankfully they don't protect anything of real value, but it just frightens me how few organizations actually have that kind of ground truth for their customer, like, who is this customer individual? Not as a mailbox hosted by a third-party service, not as an ID number issued by a government, not as a phone number issued by a telco, but actually that we ourselves can be confident is the individual. So I think this is just another step in that evolution. I think it almost certainly has to start with employees, and having high confidence about the employee being the individual, but I'm also hopeful that that will enable consumers to be better protected in the future as well. Yeah, that was a bit of a ramble, sorry. I had to get my story about mine in.

Yeah, you're like an open book now, and I think I know what your password is. So yeah, I mean, I think that just speaks to human behavior. That's not going to change, and so there's this need for security, and for identity security specifically. You talk about the original point of voice biometrics; I remember we had a conference some 10 years back where there was the guy from PayPal talking about, today, this year is going to be the end of passwords, no more passwords, and that was 10 years ago. So I think there is just an inevitability about the security risk; they're going to be a part of accounts and organizations, and certainly both in the employee and the customer. So I think it's like humans, or people, customers, employees, they want security but will choose convenience every time.

Absolutely. But Dan T, when we're saying inherence, in a funny way we really mean biometrics, and since we are who we are, we mean voice biometrics. So when you think about the era of zero trust, what are the considerations for implementing zero trust identity security using voice biometrics?

So I think, maybe if we talk about biometrics generally, then I can touch on voice, because I think we have to look at what the risk of the transactions is first of all, and also what channels the employee or individual is interacting on, because fundamentally there are different ways to implement inherence. The great thing about voice biometrics is its versatility, right? We've been talking a lot here today about how do we secure employee access, agent access, and then, if we talked about the retail world, there's a whole load more complexity there. So voice biometrics at its rawest is about an individual speaking, doing something that is completely natural to somebody, and then fundamentally tying the sounds that they make to the inherent physical makeup of them, right? So that takes away all this necessity for worrying about securing SMSs or emails or all of this sort of stuff. And then, because voice is so applicable to many different channels, so you speak into smart speakers, or you've got a microphone on your laptop, or you've got an earbud in your ear, or you've got a telephone that you can receive calls on, it's an extremely versatile way of being able to have consistent security across all of these different channels. Even web browsers, you can now speak directly into web browsers very simply, right? So the implementation of voice biometrics, well, there might be some complexity technically in how you make all of these things work, and that's ValidSoft's issue to solve, right? We're here to make it really simple and consumable for our clients and customers. But basically, as an end user, you're just speaking. You're just naturally speaking, and it's a very simple, very versatile way of authenticating. And as Matt said earlier, if you include random digits in it, you're getting all of these other factors essentially for free. You're getting this cryptographic OTP, which the consumer doesn't know is cryptographically tied to location or whatever it's tied to. They just know, I've got a code I've got to speak and it lets me in. So you get all of these other things for free. So the mechanism of that is simply present an OTP and the user speaks, and you can apply that, I mean, us alone, we've applied it into self-service in IVR, IVAs, and in web browsers, in apps, in smart speakers, not as much, that's something that's gaining...

Oh boy, you froze. Smart speakers are proliferating, and Daniel's on a bandwidth-challenged island, but yeah, it looks like we may have lost him. But I think we're kind of closing up here too, so we can start to move to Q&A. Well, first, let's go ahead and put the slide up, Dan, about the event, and then the Q&A.

Sure, just one sec. I do see the Q&A. So just a reminder of what we have gone through. I think we've covered all of our questions here, but what I hope we've done is... oh, Daniel's back. Can you hear us, Dan?

Yeah, okay, well, we've literally just come through... I live on a small Caribbean island, and we've literally just come through Hurricane Fiona, so there's some intermittent... I'm suffering from that.

So you're back just in time for the Q&A. We were sort of taking the opportunity to say, this is an example of the type of discussions we expect to see at the Intelligent Authentication and Fraud Prevention conference coming up in December in London.

Yeah, we're looking forward to it. So it's December 1st in London, and we certainly will be talking about the need for identity security and voice biometrics and the applications across both employees and consumers. In addition, as we've talked about, we're looking at a multimodal world, so we'll also be looking at network authentication and behavioral biometrics and utilizing all the different security factors that could go into assessing risk and then providing that level of security that businesses need. So we have several case studies and presentations. We have Lloyds Banking Group, who will be there, and Pat Carroll, who is the CEO of ValidSoft, will be presenting as well. So we'd love to have you join us, and please do, if you go to iafconference.net, you'll get more information.

And we do have questions that came in. Well, I saw the first one, it was about the name of the book. It's right here: Unlock Your Call Center.

Yeah, that's the easy question.

Okay, exactly. Okay. The EU seems to be encouraging voice biometric authentication through regulations, if you agree with that. In the US there seems to be a legal battle and some class action lawsuits creating a wait-and-see approach to use this technology. This is the HIPAA question. It says, how do you overcome reluctance to adopt voice biometrics as a solution in the U.S.? Is regulation in the U.S. on the horizon?

My favorite topic. Dan, okay, so yeah, let's volleyball this around. You can go first, Matt.

So I love the subject of regulation, because there was no regulation available when we first invented these systems, so we basically had to make stuff up. But I think the principles are really important, as we've said throughout this. Biometrics, voice biometrics particularly, is an inherent part of someone's individual identity, and therefore it's completely right that an individual should want to feel some control over that element of themselves. And therefore in every system we've ever implemented we've always had some element of, whether it be formal or explicit consent, but certainly the permission or the knowledge of the individuals whose voices are being used, whose biometric factors are being analyzed, so that they can make an informed decision about whether that's something they want to do or not. And a lot of the legislation that's been introduced subsequently has merely kind of codified that, and to some extent provided kind of helpful guard rails with which we can make sure that we don't trip ourselves up. There are some exceptions, in Illinois particularly, which makes that really challenging. Obviously every organization implementing this technology needs to be confident of the legal basis under which they're doing it, but we do see a number of legal bases under which organizations can deploy this technology, but most often that's with the knowledge and consent of the individuals whose biometrics are being captured, and that's the best practice that we encourage everyone to use.

Right. So there is regulation, it militates towards informed consent for storage of biometric data, whatever you want to call it, that is getting more and more identified as personally identifiable information. So in a way you want to treat a voice print much as you would any other personalized information. And yeah, the question is, is there regulation in the U.S. on the horizon? It still seems like it's state by state, but between California and stuff going on at the federal level, yes, no doubt about it. So we shall see.

But I think importantly, people shouldn't see that as a blocker, because when individuals, customers or employees, are asked in the right way whether they want to do that, like, can we stop sending you these annoying texts? You just read out your PIN number every time you call us. Like, it's a no-brainer. It's the human equivalent; they're seeking convenience.

Yeah, it's easier.

So when presented in the right way, the vast majority of individuals will give their permission and consent.

Right, and that's been our experience, and we're just overcoming a period of time where it was believed that setting up an opt-out situation would always get you more than opt-in. We're at a situation where you do have to do a sale, you do have to get people to opt in, and, as Matt said, the vast majority will do it when you prove that it's going to be more convenient. It's moving the needle from, hey, 20% would agree, to, with hope, 80%, but it is effective, and as Matt was saying, I wouldn't use it as a reason to not try. And there's a great book.

Yeah, goodbye, I know.

And then, probably as a last question, because we are bumping up against time: what percent of calls into the IVR are a threat, people trying to get credentials for account takeover, and what percent of agent-handled (my thing just jumped) contacts are account takeover? Percent, I don't have, you know. This is like, sort of, since not all of them are successful, and with hope very few of them are successful, you're kind of measuring a negative here, unless you know different. And this is sort of the purpose of zero trust: treat them all as an effort to do an attack and come up with the tactical approaches that also make them convenient. So I mean there's the age-old conundrum. That's it.

I mean, I think this question is a very hard question to answer actually, because it probably depends on the type of business you're in, geography, scale, all of these types of things, repeat call rates of your customers, things like that. But studies have shown that implementing voice biometrics in the contact centers reduced fraud by 80, 90%, but it does depend on many factors, so one statistic won't apply necessarily to another business, because it's about risk too, right? Not all contact centers deal with the same level of risk as others, so it's a very subjective question.

I mean, as planning figures, I mean, this is mostly about consumer-facing more than it is about employee-facing, but in the consumer-facing kind of large retail banks in North America and the UK and Australia and New Zealand we'd sometimes see maybe up to one in 500 calls be from imposters, and in kind of brokerage and retail and telco we'd see that far lower, maybe one in two and a half thousand, one in five thousand calls. And those are just really rough planning figures, but they very much, as Dan says, depend on the scale of the organization. But what I don't think you should see is that... these are just part of multi-pronged attacks every time. Like, an IVR is an amazing way to figure out when people get paid, so if I've got the credentials for their account I can empty it on the right day. It's an amazing way of figuring out whether or not the credit card numbers I've bought from the dark web are actually valid or not, whereas an agent might be a way in which I can figure out what the age of the account holder is, or some other information about them, so that I can compromise them at a different organization. So it's not necessarily about that being the point of loss or a specific takeover attempt at that point. So it's more complex, and again, there is some helpful information.

I think another thing to add to this question is, we focus a lot here on attacks and security and authentication, but there is also a convenience factor to this, and making this better, simpler and faster for your employees. So whether that saves operational cost for your business, or increases employee satisfaction, there's lots of other softer metrics that actually apply. It's not just about security.

100%. Well, good, this has been really helpful, and we've definitely touched a lot of topics here, and I definitely feel like we have some ways to go. So really appreciate ValidSoft being a part of the webinar today, and then Dan T, your thoughts were very helpful. So I think we'll wrap up here, and again, if people have any questions or any further comments, please feel free to follow up with any of us offline, and we'll be sure to answer those questions. So all right, thanks everyone.

Thanks, everybody. Thanks, bye-bye.

Bye.