The chat boxes were on fire and Twitter was buzzing during the recent Hybrid Identity Protection Conference 2021, where the identity and security community gathered to grapple with current-day challenges and prepare for the future of identity.
The online conference held Dec. 1-2 drew a mix of identity and access management (IAM) pros, IT ops practitioners, and security leaders from across the globe. And although this was a virtual meet-up, the conversation was lively throughout, with friends, colleagues, and newcomers jumping in on networking sessions, Twitter conversations, and a surprisingly competitive song/trivia contest emceed by a DJ who was an impressive music buff.
If you missed HIP Conference 2021, you can relive the sessions through the video stream, which will be available through December 31. (A thought-provoking place to start is with Chris Roberts’ candid evaluation of the cybersecurity industry’s “misconceptions, empty promises, and over-inflated egos.”)
Here are a few take-aways from the conference.
1. We’re going passwordless (someday)
It’s not a matter of if—just how, and when. As with the adoption of electric cars, the move toward ditching passwords is accelerating fast as escalating cyberattacks have made this outdated mode of authentication untenable.
“The problem with passwords isn’t passwords: It’s us,” said keynoter Jim Routh, former CISO of Mass Mutual, CVS, and Aetna, in his session on behavioral-based authentication. “We have changed. We are digital consumers, and we can’t remember all the unique, complex passwords across our (on average) 150 digital assets. So what do we do? Most of us use the same passwords. And about 5 years ago, criminals figured it out.”
Obstacles remain, but in his session documenting the progress of Accenture (a 650,000-employee company!) toward passwordless authentication, Joe Kaplan (Accenture Associate Director) systematically laid out his successes and lessons learned in his effort to ditch passwords completely by 2022. Check out his session “Taking a Large Organization Passwordless,” which lays out a roadmap for organizations wanting to walk a similar path. If you’d like a primer on Microsoft’s underlying passwordless technology, check out “Windows Hello for Business Hybrid Access” with Sander Berkouwer (CTO at SCCT). Denis Ontiveros looked at the future of identity through the lens of behavioral economics in his chat with Sean Deuby, “Scaling Identity for the Future.”
John Craddock closed the conference with an enthusiastic endorsement of verifiable credentials (VCs) using the Microsoft Azure AD Verifiable Credentials service. He and Guido Grillenmeier (Semperis Chief Technologist) spun up a demo of VCs that allowed attendees to try it themselves in real-time.
2. You can protect AD from common attack tactics
In the here and now, organizations are challenged to close security gaps in Active Directory. HIP Conference 2021 featured several practical sessions that gave attendees immediately useful guidelines.
Darren Mar-Elia, Semperis VP of Products, walked through common AD attack paths in his session “Practical Tips for Protecting Active Directory,” pointing out that AD wasn’t designed for today’s threat landscape. “It’s complex and hard to protect, and new attack paths are constantly being discovered.”
Orin Thomas, Microsoft Principal Hybrid Cloud Advocate, pointed out common AD misconfigurations that arise as expert AD practitioners become rarer. Sean Deuby and Alexandra Weaver did a deep-dive (or, rather, got on their soapboxes—quite literally) about AD account security. And Ran Harel and Tammy Mindel walked through “Top Legacy AD Infrastructure Vulnerabilities and How Attackers See Them.” If your organization has been attacked, security consultant Jorge De Almeida Pinto offers tips for “Resurrecting Active Directory After a Ransomware Attack.”
3. Diversity matters in cybersecurity
One of the sessions that generated the most activity in the chat log was the fireside chat with Simon Hodgkinson (former CISO at bp) and Emma Leith (European CISO at Santander) about how to foster diversity and inclusion in the cybersecurity industry. Check out this lively discussion and follow the chat conversation (which is still available with the session recording), where attendees and the speakers brainstormed ways to welcome different perspectives and contributions.
4. Uniting identity and security teams strengthens security posture
Securing AD traditionally has been relegated to IT operations. But with the surge in identity-related attacks, many organizations are now restructuring to bring IT/identity teams and security teams together under the CISO—or simply fostering better communications between these two groups. Collaboration between IT ops and security teams is critical to hardening defenses against attacks, according to panelists in the session “Uniting Identity and Security Teams Against the Adversaries” with Jim Doggett (Semperis CISO), Asad Ali (Technologist at Thames), Paul Lanzi (co-founder and COO at Remediant), and Gil Kirkpatrick (Semperis Chief Architect). Paul Lanzi also gave a session called “XDR Is Coming for Your Identity” about how cybersecurity tools are evolving to fit the needs of both identity and security teams.
5. Cloud computing brings inherent security risks
Three sessions tackled the challenge of securing cloud identity systems. Thomas Naunheim, Cloud Architect at glueckkanja-gab AG, talked about protecting privileged identities and DevOps pipelines in Microsoft Azure. Jose Barajas, technical director at AttackIQ, pointed out that “You are in the cloud whether you know it or not” in his session on how the threat landscape changes with the move to a cloud environment. And Roelf Zomerman, Cloud Solutions Architect at Microsoft, talked about the security implications of using Azure Active Directory Connect to provision identities to on-prem AD from Azure AD in his session “It’s Raining Identities: The Impact of Azure AD in AD Migrations.”
6. Identity and security pros are savvy about music and movie trivia
#HIP2021 closed out the first day with a talented DJ and music buff who led a hyper-competitive group of identity and security pros in a music and movie trivia contest. The level of knowledge about 80s-era music (in addition to identity security) in this crowd was impressive.
If you missed any of the sessions, dive back in now through December 31 to catch them on replay. Be sure to follow @HIPConf on Twitter and LinkedIn for news about our 2022 events—maybe we’ll see you in person next year.