Field CTO Aubrey Turner of Ping Identity shows how to orchestrate a secure authentication flow using Ping’s Da Vinci identity orchestration platform integrated with Beyond identity to ensure user and device trust.

Transcription

Hello, and welcome to the Beyond Identity Zero Trust Leadership Series. My name is Aubrey Turner, I lead the executive advisor practice at Ping Identity. 

And in this brief session, I will share with you a little bit about Ping Identity and also talk about our partnership with Beyond Identity and some of the use cases that we are supporting from a zero-trust perspective. So, with no further ado, I'll go ahead and jump right in. 

So, for those of you, and hopefully, you have heard of Ping Identity, but maybe for those of you who haven't, Ping Identity is an identity security company. We are focused on protecting every digital experience. That's what we do. 

And then also as part of that, making identity frictionless. And so, taking an unknown to known, being able to support identity, authentication, and authorization. So, who are you, strong authentication, and making sure people are appropriately authorized. And certainly, you can imagine how that fits into zero trust. 

And so that's what we do here at Ping. And if you think about why that's important, you know, imagine a borderless world, as we like to say, that you've got applications, data, supply chain, business partners, the network is the internet. And so how do you secure that? 

And we see that being secured through identity. So, that's really, you know, again why Ping exists, what we do, and what our focus is. From a zero-trust perspective, how that relates is when we think about zero trust, our point of view is one that is identity-centric. And for the simple reason, and if you've ever, you know, happen to hear me talk about zero trust, kind of my perspective on it, why it's identity-centric is that least privilege element of zero trust. 

And by that, you know, we mean that you can't get to least privilege without identity. There's no at least as far as I know no way to get there from here without identity being a key part of that. 

And so, the last few years has really seen a lot of energy, momentum, the pandemic really fueled a lot of interest in zero trust. It's become a buzzword of sorts, a lot of marketing, a lot of hype around it. However, you feel about it as a model, a framework, a practice where you're pulling pieces of it is relevant to how we're treating identities and how we're protecting those digital user journeys. 

And at Ping, we think about zero trust. We think about all identities, not just workforce. You can see the zero trust historically maybe aligned more around workforce, but we think about all identities. And so, from a zero-trust principle perspective, you're really trying to answer some fundamental questions. 

Who is this user? What's their identity? What about the device's reputation? Its posture? What is the network? As I mentioned it is the internet, context, risk indicators, the value of the resource, and what can that subject do based on policies. Those are some of the fundamental questions we are trying to answer as part of zero trust. 

There are two other thoughts that I'd like to share relative to, you know, thinking about identity-centric zero trust or just zero trust in general, replacing the implicit trust with identity and context-based trust. And here's again, not so secret, sort of part of zero trust is optimizing security... 

In addition to optimizing security posture, excuse me, is improving the user experience. And this is where, you know, a partnership and partnership is incredibly important to delivering zero trust. 

No one vendor can really help. No one vendor can deliver a holistic zero trust. You know, if you're listening to this series, you've probably heard the phrase it takes a village. And that's really the case with zero trust. It is a team sport. So, as we're talking about how we're replacing that implicit trust with identity in context as a goal of optimizing the security posture of your enterprise, improving the user experience is a key part of that. 

And this is an area where Beyond Identity and some of their capabilities can be incredibly important and helping to balance the security and convenience. And I think when we're thinking about zero trust and thinking about adopting elements of zero trust, we often don't think about, well, how do we enhance the user experience as an opportunity to enhance the user experience to make sure that we drive adoption. 

So, that's how some questions, how we, you know, define zero trust. You know, a few fundamental things that we here at Ping think about when we are talking about zero trust and, you know, beginning to look at use cases and actually beginning the journey and maturing things like, you know SSO everything, put MFA everywhere. 

Know your users, know your identities, and know your devices. Here and again, you know, those are the concepts. Your maturity, your mileage will vary based on obviously a lot of the elements of your environment, processes, technology, and certainly the people aspect. 

But those are some of the fundamental things that we can do there. And those are core to Ping's strength: single sign-on, consolidating, authentication, certainly strong authentication along with that. And again, here, this is where Beyond Identity can also come in and augment that support the strong identity or strong authentication piece of that. 

Leveraging things like FIDO, and if you've been paying attention, you know, the National Cybersecurity strategy, and even before that, a lot of conversation, a lot of discussion around phishing-resistant MFA. This is where FIDO certainly comes into play in terms of being able to deliver an experience that's not only more secure but reduces a burden on the user. And so, taking that consolidated authentication, leveraging strong authentication, passwordless, making sure that it's leaning into phishing resistant, and also leveraging risk signals. 

And that's another way that Ping has elevated how we do authentication. It's not a binary yes/no type of ceremony as it once was. Intelligence vis-a-vis risk signals are now incredibly important in that zero-trust journey. We've got to be able to understand, and, you know, what's funny about zero trust, is that it's called zero trust, and ultimately it is about establishing trust. 

So there's, from my perspective, just a little irony in terms of the name, obviously, we fundamentally know what it means, but it is about establishing trust. And certainly, where are you going to get the information to establish that trust, and is that source trustworthy? 

And so, sort of all these elements, all of these ingredients again, are relative to partnership and some of the fundamental capabilities that, you know, again, Ping delivers. And again, in conjunction with our partners in the larger ecosystem, as I mentioned, nobody does zero trust alone. 

So, being able to integrate these things. And this is another area, and again, just to refer back to Beyond Identity, Ping has an identity orchestration platform called DaVinci that allows us to accelerate the integration with partners like Beyond Identity in ways that we previously couldn't do before. 

So, these integrations take, you know, hours and days instead of, you know, weeks and months, non-standard things we need to ship identity around across these user journeys. Identity needs to be consumed to mitigate identity fraud, deliver better experiences. Again, all under the umbrella of zero trust. 

Ping's Identity orchestration platform today has well over 300 pre-built connectors in it. And as I mentioned, Beyond Identity is one of those. And that's part of Ping's larger vendor anti-lock-in strategy, as well as we partner with your partners because we realize, again, we can't do this alone. 

And we need to support our customers, our mutual customers, in their efforts to reach their zero-trust goals. And so, that's an area where identity orchestration can accelerate, help you mature along your zero-trust objectives and the things that you are trying to accomplish, optimizing your security fosters while delivering these better experiences. 

And that canvas in DaVinci allows you to sort of design these flows, test them, optimize them, and get them into production faster than ever before. So, bad guys are moving faster, threat actors are moving faster, we need to do the same. So, I will leave you with just a few thoughts there. 

Again, bears repeating that zero trust is a team sport. There is a larger ecosystem, even with Ping's point of view that is identity-centric. We've got to pull these different technologies and partners together to enable zero trust. And as always, please don't hesitate to reach out for additional conversation, additional discussion around your zero trust current state, and what you'd like your future state to look like. 

And thanks for listening. Take care.