Identity is now the front line of cybersecurity — and organizations need to stay ahead of threats, compliance pressures and authentication challenges. RSA Identity Unmasked is a monthly vodcast hosted by RSA experts and industry leaders, covering the real issues shaping identity security today.
Sign up now using the “Subscribe Now” form to be notified when new episodes are available and get actionable insights on topics including Modern Authentication, Identity Governance, Zero Trust, Risk-Based Access, Help Desk Verification, Industry Issues, Technology Trends, Sector-Specific Hot Topics, and more.
In this episode, we see the return of Ingo Schubert, Jon Nicholas & Paul Mulvihill as we delve into one of the most sensitive sectors when it comes to Identity security – Healthcare. Join us as our guests talk about access complexity, shared devices, lifecycle management & authentication challenges across clinical environments and how to tackle them head-on.
Welcome back to RSA Identity Unmasked. Today we talk about one of the most high-risk and interesting sectors of identity security, which is healthcare. Today I'm joined again by Paul and Jon, and let's look at the challenges, use cases and best practices. Let's start. So why is healthcare such a unique environment for identity security?
JON NICHOLAS
I'll start if you like, Paul. Do you want to?
PAUL MULVIHILL
By all means!
JON NICHOLAS
I think one thing we always talk about with healthcare, and it's one of the first topics that comes up, is the technical stack they have and, importantly, legacy infrastructure. One of the biggest areas to secure from an identity point of view, because they might not have the hooks into modern MFA services. So legacy proprietary technology is a huge challenge within somewhere like healthcare, the NHS being a very prime example in the UK.
PAUL MULVIHILL
It's quite often that, we all know the NHS, but it's quite often made up of lots of smaller organisations under that same umbrella, which doesn't mean there's one massive pot for supporting the IT infrastructure. It could be that each little trust has their own responsibilities, and they therefore cannot get the latest and greatest because they don't have the budget for it. If it was one big thing, possibly, but the world doesn't work like that, unfortunately, to an extent. So there are the challenges of how does each one of them make sure that they have got the latest and greatest when they can't, because they've got legacy systems they've got to deal with migrating or maintaining. It just adds additional challenges of how do you get to a modern system.
INGO SCHUBERT
Right. And I think, well, of course, it's different in Germany, for example. It's not that different, I think, in this context, right? You know, different organizations, lots of legacy applications. So I think that's, to be fair, you probably find that around Europe or maybe even around the world in many places, right?
PAUL MULVIHILL
And we talk about the legacy system, if you've got something that works and the error rates of it, so if you're dealing with somebody's health, you've got a system that tests for something, it works. You're not just going to decide to change it because it may be two years old. You're going to put that funding to something that's a new area. So yes, it may be legacy, but that doesn't mean it's old and antiquated and out of date. It just means, you know what, it functions. There's more important things to look at.
INGO SCHUBERT
Don't touch a running system. So what makes access control and authentication so challenging in this environment?
PAUL MULVIHILL
I'll probably say it's kind of a bit of a mix again of the multiple trusts. How do you, if you're all operating independently, but you do have a workforce that may jump between trusts because they're covering a wider area, how do you set up an easy-to-use system that is going to be, for example, me working in one place one day, somewhere else another, that's a different trust, another, another, another trust. Is there a central system managing it all? Possibly not. Am I going to be going back somewhere, or am I going to do one day in a year somewhere else? That kind of number of systems that you're trying to manage and trying to secure from an identity viewpoint just grows exponentially in the complexity of it. I’m across 50 sites, is that 50 systems? Is it 5? Is it one? Scale that across the whole country and you’re just adding layers of complexity for various reasons.
JON NICHOLAS
Yeah, and I think it's that user count. It's the user count that is sometimes so difficult to kind of counteract, because you've got clinicians who are there doing the frontline medical services who may be, of course, very good at what they do, but they're not cybersecurity experts. You've got an entire team supporting the NHS, for example, doing all the logistics and the planning and the admin side. Now, some of those might be able to use, you know, authenticate with, like, a mobile authenticator, but others maybe on the ward or, you know, in more secure environments, but we know you can't use that. You have to have something else, you know, a physical token to do your authentication. So you've got not only a giant workforce, you've got multiple use cases in terms of how they can authenticate. And then, you know, you mentioned mobile, but some people might not even have a mobile they want to use. So straight away, you've got three, four, five different use cases just to get five people into one system.
INGO SCHUBERT
So clinicians, temporary staff, rotating shifts, that just complicates things immensely, so what you just said. So from my identity management perspective, I can see why this has a bit of a challenge compared to a rather organized, you know, enterprise workforce, yeah, where you work from nine to five. Yes, you may have different time zones, yeah, but this basically cranks it up all the way to 11, essentially.
PAUL MULVIHILL
Yes, you can have that one big company that has, let's say, 50 different departments or 100 different departments, whereas when you look at the healthcare sector, you may have one big body that is the care sector, but that could be 50 or 100 separate companies within it that all have their speciality, and they have to be autonomous in the way they work but still work with other entities within that same space. And if you do have any issues with one of them, what's the knock-on effect?
INGO SCHUBERT
So in terms of, of course, you know, we got this dramatic TV show, like, you know, everything has to go fast, yeah. But that's one thing, yeah, we're not slowing things down. I think that's part of the challenge here, but it's not just like this, hey, you know, somebody gets rushed into the ER room and things need to move fast. It's also because you have, you know, a limited workforce, they need to be very efficient, which also means that, yes, security cannot slow things down because of that. So what would be the challenges and, like, you know, the ways to achieve that?
JON NICHOLAS
Just on that, huge challenges. You wouldn't want to, if we talk about it from a governance point of view, from a least privilege point of view, you want to go, right, we need everyone on only the privileges to do their role, for example. But then the challenge is, you know, you go, right, let's make this change, and you take some permissions away from them by mistake maybe. And now they can't operate that critical bit of machinery or equipment in the ward that's gonna help save someone's life. So the accuracy of decision making to enforce an IGA solution, for example, has to be absolutely cast iron. So the ability to make change at that point probably goes through layers and layers of decision making, so it becomes slow. Because the last thing we want to do is go, right, let's implement this workflow, and now someone can't save a life, to go to the most extreme example, or administer something from the pharmacy.
INGO SCHUBERT
But at the same time with, especially identity governance, of course, there's then, you know, the quick fix in this case, which of course it isn't, just give everybody more access rights, basically, more entitlements than they usually would do. Is that a valid approach? Is that making a good compromise? No, it seldom is, I guess, right?
PAUL MULVIHILL
Yeah, because if one person gets hacked, one account gets compromised, and they've got way too much permission, what happens? You can get in, and the janitor who was given everything because they're a member of staff at a hospital can go and get into the pharmacy system and get access to medication or change records of the patient. They could have unknown complications down the line for them. Right. But then you do have, like Jon was saying, there's so many potential ramifications of making a change in enforcing a policy or enforcing a least path of permissions that it's almost a paralysis of risk. I could implement this policy which removes permissions for X, Y, and Z. If you haven't been absolutely sure, have you done the analysis of, right, this affects 50 people, have those 50 people accessed this resource? If one of them has, you need to keep doing more review of it. Does that one person need to be given special permissions? If none of them have, and you've monitored it for long enough, okay, then yeah, you could enforce it, well, we'll take that away. But there is that kind of fear of if I do take something out, and then that one scenario that you can never plan for with healthcare. You can try and guess around a lot, but you can never plan for an emergency happening where you need something. I've removed this permission. Now that one scenario has come up where this nurse or this doctor or somebody needed to be able to do something, and all of a sudden they can't.
INGO SCHUBERT
It's not also only operating machinery. It could also be, like, accessing data somewhere, right? Health records, for example. So I get the point where in a normal enterprise, it might be bad if somebody has too few entitlements. They cannot do their job, but, you know, they make a request, it gets approved. You know, it's like, yeah, it's bad. It might be a couple hours late, maybe next day, but, you know, it's not the end of the world, whereas in a healthcare environment, this actually quite literally can mean a huge problem. And, you know, it might not be down to the minute, but, you know, this could actually mean that somebody doesn't get the care they need when they need it.
PAUL MULVIHILL
If it's a company and someone gets access to the data, maybe someone orders something on a credit card, and you can then have fallback with the credit cards to fix it, or an order gets cancelled. I mean, some of these are pretty, not very severe effects, but if it's in healthcare, someone changes your medical records. Someone shares details that shouldn't be shared. There's way more ramifications there on what could happen. Or information sort of being leaked out that could really have long-term effects on you. Like you said, it could be that some medication you're reliant on gets stopped. Are you near the end of your prescription with that medication, and actually, them removing the details when you have to go through all the re-validation of, actually, yes, I need it, slowing it down even further, delaying it, which has more knock-on effects. It's one of those sectors where what may seem a small change in enterprise and the private sector, in healthcare the problems and the ramifications are just like 10, 20, 30 fold potentially.
JON NICHOLAS
Yeah, and on those sorts of numbers, when you look at, you know, a data breach in this sort of scenario, like medical records are hugely valuable when traded on the dark web, more so than credit card details, for example, and one of the areas they can be used would be like insurance fraud, which can carry huge, you know, monetary, you know, compensation, I suppose. If someone's putting that request in, they know your medical history, then they can do that insurance fraud on your behalf, and, you know, that's incredibly lucrative. So this is where, you know, the attackers want to come in. They, hopefully, he says, not wanting to, you know, risk anyone's lives, but the financial reward of having these medical records and then taking it for financial gain is what they'll be after.
INGO SCHUBERT
I mean, that information would be perfect for an attacker to have, like, a spear-phishing attack on somebody. If you know already medical details, yeah, that's just raising the level of trust, which makes you more susceptible to those types of attacks, right? Or just, you know, I don't know, blackmailing or so. Yeah, there's so many things you could do with those records, right? So, yeah, I can see that. So going back to, like, you know, the practical, you know, what happens actually in, for example, a hospital? What is a typical authentication workflow somebody needs to go through?
JON NICHOLAS
I don't know if they'd be typical.
INGO SCHUBERT
Well, okay.
JON NICHOLAS
We spoke about the systems, but what should they do? Maybe that's the question, but, you know, there should always be that MFA step-up with, you know, additional process in the back end. You know, can you leverage conditional access, when we're talking from an IAM point of view? Can you leverage, I'm gonna say, can you leverage AI to understand if that user is the right user at the right time, and have that done dynamically rather than have admins trying to cobble together conditional access policies based on such a vast user base and such a vast technology stack? So yeah, use the tools to your advantage and always have anyone doing step-up when they're actually in critical records.
INGO SCHUBERT
So one thing that I noticed in this industry, I think the closest I see is maybe manufacturing, on the manufacturing floor, is shared devices. That seemed to be, I wouldn't say the norm, but, like, a disproportionately high amount of shared devices. How do we deal with that?
PAUL MULVIHILL
Well, yeah, you've got a workforce on, let's say, 8 hour shifts. You’re not going to have, for every day, a person in a role having their own device, so you’re going to have one shared by at least 3 people, and probably in some cases shared by 5, 6, 7, because it could be a terminal at a nurses' station, that sort of stuff. The best way to protect it? I mean, you're going to be putting some sort of credentials in, username and password. I mean, I've been in and seen people with the little OTP tokens, hardware tokens, because they're hard to kill. They're pretty damn resilient. But is that enough? Because it's a one-time password going through. You've got to have somebody get to a computer, log in, use it. But they're tried and tested. People know how to use them, and you've got a lot of people in this industry that could walk the floor with any of us talking about the body and how their area of the body works. Give them a FIDO key and ask them to get used to using that, or a mobile with push to approve, biometrics, it's just a completely different area for them to think about. It's kind of that part of your comfort zone and your technical knowledge is over here. But then we're trying to say, well, to use that, you have to add in all these other elements to it.
INGO SCHUBERT
Plus, I think it's, again, not so dissimilar to some other areas in other industries where, for example, a mobile phone, you cannot take everywhere. There are places you are not allowed to take smartphones or smart devices at all, full stop, either because of privacy reasons, because they have cameras, or, I don't know, like, you know, you're not allowed to have a Wi-Fi connection somewhere because it disturbs other machinery. So, yes, you need options, yeah. Plus, like, you know, the OTP generator, you can dunk in disinfectant, if you like.
PAUL MULVIHILL
Yeah. I mean, I was chatting to a customer the other day, and they've got that exact sort of, well, it's not medical, but it's a scenario where no mobile phones. The physical environment is locked down security-wise. So yeah, they have either the hardware token with the one-time passcodes or they'll look at, like, the FIDO keys. I mean, some of the new ones, like with RSA iShield, they've got the whole contactless FIDO and elements like that in it. So whereas in the past it could be username, password and then one-time passcode, or username and passcode, you could go into the realm of, okay, go to a computer, username, tap it, put the PIN in, and you're in.
INGO SCHUBERT
That's it.
PAUL MULVIHILL
It's all about speeding processes up. And there are other areas that that's advancing in as well, where it may get even simpler going forward. I mean, some elements of FIDO and passkeys, they can retain, sort of, they start learning a bit of who they are as well, so you can associate them with a person. So eventually down the line, just walk up with a FIDO key, put it onto the machine.
INGO SCHUBERT
Of course, if you have this NFC tap, it's fewer issues for usability. You don't have to read something and tap something again, where it can go wrong that you read the wrong numbers, or you have the right numbers and tap them in wrong. So that's removed that stuff.
PAUL MULVIHILL
And if you've got anybody with, like, a vision impairment side of things, reading that off a little screen that rotates, it may not be easy. So again, it's NFC.
INGO SCHUBERT
I see that.
PAUL MULVIHILL
Anyone in any sector can benefit from that element of it.
JON NICHOLAS
Probably one of the most critical sectors to balance security and convenience, because we don’t want to be slowing down the authentication flow and access flow for people, probably when they are in a rush to do something very important. So secure and convenient at the same time is going to be critical.
INGO SCHUBERT
So having multiple authentication methods is then important, not just for one user, there might be users that have multiple methods, but because there are all different types of roles out there, as I understood, yeah? So it's not like there's one type that fits all.
PAUL MULVIHILL
Yeah.
JON NICHOLAS
Absolutely not. Certainly in an organization of that size.
PAUL MULVIHILL
As you mentioned about different roles, you get back to the governance side of things to make sure that, for each person doing their role, you've properly mapped what they can do. A nurse in a hospital will have one set of things they should be able to do, a doctor another, a porter or someone on the reception. And I probably couldn't even list the number of different roles there are in there, and they all have different requirements and different access rights. So you've got to make sure that you can map that out and go, right, okay, this person's that role, and make sure that the governance process in place and the lifecycle systems in place go, right, okay, this is your role, this is what you can have, and then map that back to a suitable method so that you can do your job without spending 20 minutes a day doing MFA step-up. You want to, maybe it's once or twice a day, and then maybe leverage some AI side of things and some behavioural analytics to go, right, I've come in, I'm on the computer I'm always on, I'm accessing the resource I'm always accessing, do it once, and I'm in, carry on.
INGO SCHUBERT
So, staying on the governance side, identity governance side, how would, why would then, like, the joiner-mover-leaver, why is that so important in the healthcare environment?
JON NICHOLAS
I think when you look at, again, I mentioned the scale a lot, but you see, and Paul's mentioned it, people might move between trusts, but within a trust as well, you've moved between roles, probably regularly. So the scale of their JML process, I mean, tens, hundreds of thousands of changes per day. So being on top of that from an automated point of view is going to be critical. And not just having it automated, but also having the right timeline. You know, you're going to change role in three days' time, right? That's in the system. Three days' time you change from role A to role B, done automatically in the back end. And you know the role you're going to, or the system knows the role you're going to and knows the permissions you need. Not a case of me having to talk to your manager and say, ‘hey, Ingo’s going to join your team next week, what should he be able to do?’ It should be a case of Ingo has joined the team and can do everything he needs to do from day one.
INGO SCHUBERT
And that also means that role A is no longer with me then if I change trusts, of course, yes?
JON NICHOLAS
Yeah, yeah.
INGO SCHUBERT
So this accumulation of rights over time, which I think we've all seen in our careers at one point in time, is
JON NICHOLAS
Identity sprawl if you like.
INGO SCHUBERT
Yeah, yeah.
PAUL MULVIHILL
Kind of to add to what Jon was saying, if you are jumping around different sites and different trusts and different roles, that account that was created for you for site A, if you're not back for three, four, five weeks or even for two or three days, with the lifecycle side and kind of the leavers element of it, you can instantly disable that account. So you haven't got the orphaned account scenario where this account exists, it's got a level of permissions, it's just sat there not being used, which means it's another attack vector. So that someone can't get in and then get into the realms of doing, like, ransomware attacks on trusts and all of that sort of stuff. You just lock that down because you're not here again. If you're back in two days, in two days the system turns it back on again.
INGO SCHUBERT
Right.
PAUL MULVIHILL
Until that point, it's not an option. It's turned off. It cannot be used.
INGO SCHUBERT
And the visibility that comes with that. I mean, obviously the system then knows, you know, which roles you have, which roles you will have, the roles that you did have. I think that, and correct me if I'm wrong, but, you know, if you get audited, that seems to be awfully useful, that information and that visibility.
PAUL MULVIHILL
You'd have a full history of who could do what at what point. So if anything did happen, from an audit perspective, do you adhere to this audit criteria? Yes, here's the proof. If you've got one sort of central governance platform, everything's there. So you can kind of know, right, yep, we're fine, no problems, still. And in the eventuality that, well, in the hopefully rare occurrence where something happens, you could then use the same set of data to say, right, who had access to this stuff at that point? Depending on what additional logging you can pull into the ecosystem, you can then say, right, well, these accounts maybe did something, but you could say, right, well, who had access to it? Who could have done something?
INGO SCHUBERT
So that helps in investigations. If things happen, I mean, as a good security engineer, you always assume that things will happen, you eventually will get breached. This helps you also, you know, during the cleanup process, to see what happened, who was impacted.
PAUL MULVIHILL
You always assume that something, you always assume that it's possible to breach. So you put in as many steps and checks and balances as you can to minimize the impact of it. Unless you're going to take that computer, unplug it, encase it in cement and drop it in the Mariana Trench or something, it's not going to happen. So you put as much in so that if or when something happens, it is the least possible impact to the way things are going.
JON NICHOLAS
Yeah, I think to add to that, you look at the data you get from a governance kind of approach, it's not just about can we provide information to auditors. I think you're also looking at, can we understand what we have currently. So process maturity, I talk a lot about process in these sessions, but, you know, you look at a team, you look at their role entitlements. You go, hang on, no one in that team has used this entitlement for six months, a year, whichever time frame you define, and the system should say it has not been used. Let's look at removing that entitlement, because that is over-entitlement right there. There might be a very good reason why they don't use that anymore. Maybe there's a parallel system they're using to do that part of the workload. So you have that in the new system, take it away from the old one. But you need that, you know, automated intelligence to really help you uncover that information, because otherwise you're doing full manual audits, and I don't know what you used on the system for the last six months, but the system will know how you've used it. So use that intelligence to say, right, let's make informed decisions on working towards zero trust or least privilege.
INGO SCHUBERT
Yeah, this is where least privilege comes to mind.
PAUL MULVIHILL
Then you get the flip side of, like you said, you can start seeing where this particular permission or privilege they weren't using. Well, actually, 80% of the team have been doing this, but it's not part of their official role. Do we need to add that in so that we can then make sure that the entire team can do it, because they need to be able to do it, rather than 8 out of 10 individually saying, yeah, can I have access to system B, please, because I need it to do X.
INGO SCHUBERT
Managing by exception, essentially, yeah. Clean it up, yeah.
PAUL MULVIHILL
Let's go, well, actually, you know what, 80% of them are using it. Let's make it officially part of the role so we can then adhere to those audits and compliance and that sort of thing, to go, right, yes, this team needs this. It's part of their role, done. Someone else joins, someone else leaves, we turn off that access because it's part of the role they've got, or we give it to the new person that's doing it as well, just to keep everything in line and visibility of this is what these people can do.
INGO SCHUBERT
So what would you tell a CIO, a healthcare CIO, where should they start? Because there's, you know, so many things they could start with, but, like, a small priority list maybe, what would you tell them?
JON NICHOLAS
I think I'd encourage them, and they're looking at this already, but the real reason why, is having a real focus on phishing resistance. I think that's where I'd start, because a lot of healthcare relies on email as their primary communication method. And we know that's a real vulnerable attack vector for phishing. And not only that, but those that are consuming those systems are working in high-pressured environments. You know, they're logging on, need to do something quick, an email comes in, they've just managed to hit it at the right time, yep, run through it in a panic. Not in a panic, but just in a normal flow, and inadvertently, you know, release their credentials and data to that phishing site. So taking phishing-resistant authentication into that, you know, from the get-go. It is mainly because it's such a heavily email-focused communications kind of sector. That's certainly where I'd look at.
PAUL MULVIHILL
I’d probably agree. You start with that kind of phishing resistance part of things. The next thing would be kind of the visibility of what your workforce can do, so maybe kind of slightly behind, but in parallel. Let's secure the front door sort of thing, make sure that the phishing-resistant approaches and that are in play, but then get kind of some sort of governance visibility tool running to say, okay, who exists, what accounts exist, what can they do. Make no changes, but literally just collect all of that information together to start seeing actually how much of a situation we have with accounts and permissions: what's used, what's not, who can do what, who can't do what. Because then once you've got the data, you can start saying, right, these are the changes I can look at making that have no effect to start off with because no one's using them. But then equally, what changes do I need to make to empower a team to be able to do their job more efficiently moving forward.
INGO SCHUBERT
Well, thanks, guys. There was some really good insight into identity security in healthcare systems. If you're enjoying these types of discussions, make sure to subscribe to get notified when we release a new episode. This was RSA Identity Unmasked. See you next month.
Join RSA’s Ingo Schubert, Jon Nicholas and Paul Mulvihill as they discuss a high-profile attack vector – Help Desk Attacks. The panelists detail how cybercriminals attacked Marks and Spencer, Jaguar, Co-Op, and others, explain why previous authentication solutions aren’t capable of preventing these attacks, and review solutions that can stop help desk attacks before they start.
Watch now to learn:
- Why help desks are prime targets for cyberattacks
- How MFA can help to prevent help desk attacks—and where it falls short
- How social networks lead to social engineering attacks
Why are help desks becoming such a target? Let's start with this one.
JON NICHOLAS: Yeah, I'm happy to jump in, Ingo. I think when you see the role of a help desk to start with, the initial thing is they want to help people. So anyone calling in to the help desk will play on that good nature of the help desk admin to say, hey, can you help me with something? So it's fine when you're an employee of a company, I genuinely need help. But when you're the threat actor calling in, they can prey on that and say, right, this person is willing to help me. And that's really exaggerated if there's poor process within that organisation as well, because the help desk admin is no longer confined by process to say, I can only do X, Y, Z. They might go beyond those boundaries to say, I will try and help you do A, B, C as well. That's a real risk for the help desk there, that they get exploited when there's not a strong process.
PAUL MULVIHILL: What you also add in with that is some help desks, to an extent, their KPIs are, I've got to close, someone phones in, I've got to close the ticket, I've got to get it sorted. And these are all things that, if you're up to no good, I'm going to play on. You want to get a ticket closed, I've phoned in, you've created one, I'll do what I can to get you to give me the information I want and get past what processes may or may not be in place.
INGO SCHUBERT: Yeah, I think if you ever worked at the help desk, I did briefly, I mean, there are, like, statistics, how many tickets are open, you know, the average close time of a ticket and all this, and sometimes it's on a big monitor. So that, I think, creates, like, a high stress environment, which is perfect for, you know, social engineering attacks. Okay, yeah, yeah. Did that actually change recently? Like, what changed that this is now, like, a premier attack route?
PAUL MULVIHILL: It's probably been an attack route for a while, but we obviously had it come into the news a lot more of late. We had Marks & Spencer, Co-op, JLR, Jaguar Land Rover in the last 12 months. They all got hit partly because the help desks were targeted. Someone managed to convince somebody to give them credentials of an account, got in, and then got up to no good, pretty much.
JON NICHOLAS: Yeah, and I wonder what role, like, outsourced IT has here as well, because it's no longer, you know, just your employees from organization A; you're relying on third parties, and we always talk about third-party risk within the industry. So how much does that play into it? And then that's coupled with maybe staff turnover at the help desk; the tenure of a help desk engineer might be quite short, so for them to be aware of your process, aware of their responsibility and how it can impact the business they're serving, maybe there's limited kind of knowledge on that side as well.
INGO SCHUBERT: Okay. Yeah. That and, of course, if they don't know the culture of the company, yeah, they're dealing with, then.
PAUL MULVIHILL: Well, if you have got, like you said, an outsourced help desk, you may know the procedure, but you don't know the people. Right. So what can you put in place to kind of say, okay, I'm phoning you, we've never met before, we've never been in an office together before?
INGO SCHUBERT: How would that, for a real attack, how could that happen? I mean, what's a typical attack in this case? What does the attacker try to achieve? And how do they go about it?
PAUL MULVIHILL: It could be, I think, anything from just trying to get an account reset, to getting help getting onto a VPN network. I mean, we're living in a world where there's a lot of social media around what people do. I've got friends who basically publish their life on it for various reasons. Some make sense, some don't. So if you wanted to find out about someone, you probably could start tracking down sources and pulling together a lot of information. So you're phoning up a help desk and you may have worked out where somebody was born, or a pet's name, all this, that and the other, so that you can then go, right, well, I need to get a password reset. What are the steps today for you to know that I am who I say I am? Probably security questions.
INGO SCHUBERT: Right. So it's basically a combination then of, potentially, some prior knowledge that the attacker has, either from social networks - I know it could be a different attack maybe - or data they bought from a data broker, illegal or not. And then, combined with this high-pressure environment that we talked about in the beginning, yeah, that seems to be a really nice and juicy target for the attackers, right?
JON NICHOLAS: Yeah, just on top of that as well, we talk a lot about researching the individual they might want to mimic, but I think with the current tools available to all of us, we can go and say, hey, what does company X use in their IT infrastructure? What does their technology stack look like? So when you're having the conversation with the help desk, you can be more credible. It's not "can I have access to the VPN". It's like, "oh, the Palo Alto VPN is not working for me. Can you help me with that?" So instantly, they're just going, this is more familiar.
INGO SCHUBERT: I was going to say, in this case, it sounds like you as the attacker sound more familiar, which means you're one of us, yeah, so I can trust you more. With an outsourced help desk, yeah, you're one of them almost, because in the end, you know, you're not part of the company.
PAUL MULVIHILL: I watched a video, it was about one of the conventions not too long ago, and there was a person who was paid to hack companies via the help desk, and the video had him getting access to the help desk systems within about 30 seconds, because they basically phoned up, they managed to fake the phone number to look like it was from the company, so instantly the help desk person's going to think, "Oh, they're internal." And then they convinced them, asking questions about, pretending to be the user or having information on what the VPN systems were, what those were, to get them to help them access a website, which actually then gave them backdoor access into the computer that the person was on.
INGO SCHUBERT: So this is basically relying on evidence for authentication. It's more like, you know, a nice and warm and fuzzy feeling that the attacker generates. What should be done instead? I mean, what could the help desk do differently? It doesn't sound like it's a brand new problem, right? I mean, help desks have been around for decades now, right?
PAUL MULVIHILL: Well, yeah, I mean, I think we've got to a point where, when it comes to IT security, we are the weakest part of the entire equation. If you're relying on something that we know, you can probably find it out. You need to kind of get down to the realms of doing an authentication with somebody with something that they have, that can't be gleaned from some other source or can't be learned. So you're doing some sort of MFA step-up, something along those sorts of lines, to say, right, okay, you've got a system, you're asking for help, prove it. But not by asking you a question, because that can be.
INGO SCHUBERT: Well, I was going to say, the most popular one is those security questions like, yeah, grandmother's maiden name and all this. How many of them are always the same?
PAUL MULVIHILL: Exactly. We've got the same set of 10 questions, pick three of them. It's like, well, you know what? I can probably find that list and go and work out what the answer is for everybody.
INGO SCHUBERT: Right. So getting back to like the overarching theme, like in general in identity security is like, yeah, you need proof and strong proof. I think you mentioned MFA. This is where MFA then comes in.
PAUL MULVIHILL: Yeah. I mean, if you're in a company and you've got MFA in place, use it to your advantage. If John's got MFA set up and he's calling the help desk, use that to prove you are who you say you are. Obviously not all MFAs are created equal, but it's better than nothing, better than just relying on: I go research John and find out where he was born, or his mother's maiden name, this, that and the other, and I answer the question. If it was then a step of, you've got MFA set up, prove it.
INGO SCHUBERT: So, but how would that work now, with RSA ID Plus in this case? Because, I mean, what would the help desk need to do? What would the end user need to do to do that? Because saying "you do MFA", it's like, yeah, that's one thing. But how does that work step by step? What would a user need to do?
PAUL MULVIHILL: With kind of the ID Plus stuff, you've got two sides to this. The call happens between two people. The help desk person finds the user in the system and then they trigger a verify session. The end user who's calling up knows the URL, or has been told the URL they need to go to, and then within the endpoint it's, okay, do an MFA. The company's going to decide whether that's FIDO, whether that's push to approve, biometrics, whatever the method they choose is acceptable. And when they succeed in that, they get a verify code. They give that back to the help desk person. But that is purely an identity verification number. It's not an authentication number. They can't log into anything with it.
INGO SCHUBERT: Right. So they don't have to give away their current OTP or something like that.
PAUL MULVIHILL: They do the OTP if they're doing OTP. They do the push approve, the biometrics or FIDO. They do all of that without sharing any info at that point. They get a result. They give the result to the help desk person, which again is just for verifying. It's not any sort of authentication. And then the help desk person goes, right, give me this number, one, two, three, four, five, puts it in, and the system goes, yeah, I was expecting that, this is who they say they are.
Join Ingo Schubert (RSA) and David Lello (Burning Tree) to continue the debate on quantum cryptography, timelines to risk, and how organisations can prepare for post-quantum identity resilience. In this extended first episode, we get the FULL conversation. Settle in and grab the popcorn! It’s a good watch!
DAVID LELLO: Thanks
INGO SCHUBERT: I think, for the benefit of the audience, can you describe in a couple of words what quantum computing is, so that we are on an expert level after you've finished?
DAVID LELLO: Well, I'll start with the basic way of looking at a quantum computer, because I think that if we start getting into theoretical physics, I think we might lose a few people.
INGO SCHUBERT: Yep
DAVID LELLO: So, with quantum computers, quantum computers work in a different way to traditional computers, which do what you're telling the computer to do. With a quantum computer, it does it differently. What it's using is quantum mechanics, and therefore, in a multidimensional world of quantum mechanics, it looks at the data and it sees the data. It doesn't read the data in the same way, and as a result, it can hypothesize and look at multiple constructs all at the same time. It's kind of like when you read a book: a traditional computer will read it from the beginning to the end; with a quantum computer, it'll read the book and it'll see the data. And so because of that, the quantum computer is able to process information far faster. And when problem solving, it's kind of like solving all the problems at the same time rather than looking at a problem and trying to solve it in a series.
INGO SCHUBERT: Yeah, so the algorithms are quite different, of course. Yeah, I think that's probably why many, and I'm counting myself there as well, struggle, of course, with how do you actually program that thing. I think from a traditional IT background, what helps me sometimes in understanding that this is really a different beast is that a traditional computer, every bit, yeah, if you have N bits, you can store N amount of data. It's zero, one, yeah? With quantum, it's two to the power of N, yeah, which is like, immediately, if your old instinct kicks in, it's like, yeah, that's a lot more, in the same amount of qubits in this case, right? So, therefore, storage and processing is just on a different level, right? So I think we'll leave it there because otherwise we'll be here for days, right? Just explaining the basics.
So, the next topic I'd like to explore is what is the current state of quantum computing? Where are we right now? Because I think this probably, and if people watching that may have watched us at Bletchley Park, we have some different opinions on where we are, where we will be. So let's start with you. What is the current state of quantum computing?
DAVID LELLO: I think that quantum computing is in still early stage. So there are a number of quantum computers out there, and you can actually hire time on quantum computers so that you can look at data. But I think that with the way that quantum computers have been developed, I think there's a number of issues. Some quantum computers are requiring a lot of control in terms of things like temperature. So a quantum computer operates at absolute zero, so minus 270 degrees Celsius, which is really cold. You need big facilities and big equipment and big energy for it. Otherwise you lose cohesion and you lose the stability of the platform.
Early quantum computers were just burning out all the time because of that issue. And so that is a problem that needs to be solved and addressed. The other problem is that because the quantum computer looks at the data all at the same time, it creates a lot of noise. If you had to take something like the Bible and read the Bible instantly, rather than going through it from beginning to end, it would create a narrative in your mind that would be incomprehensible. And trying to be able to digest and understand and distill what the message is becomes very difficult.
So, the noise in the system has created a huge amount of issues. We have seen some good success coming out of Oxford, where they have reduced the error rate and the noise within the system quite significantly. But probably the most significant issue at the moment is the amount of qubits that can be entangled at once, because you start losing cohesion of those qubits when you start exceeding about 100 or so qubits. So the amount of qubits that actually can be entangled at once to be able to process the information is limited. And that means that the processing power and the capability of the machine is limited.
So, it's not yet what we would call cryptographically relevant quantum computing, which is a big issue, but it is at a stage where it is proven. It works. It does what the scientists say that it does. It's just about taking it to that next level and investing further. Every few months, further advancements happen or being heavily invested in, and we're starting to see progress.
INGO SCHUBERT: Yeah, so the, and that's true. And I think if you compare quantum computers, if you just look at pictures of them, right? From like, you know, five years ago versus today, I would still call them partially a physical experiment, but it was way more physical experiment like five years ago, right? If you just look at the physical setup of those things, right?
However, while it's true that, you know, become like, yeah, you throw a problem with them and they can solve it much faster than traditional computers. And part of that is what you said is cohesion. Yeah, it's basic cohesion is, you know, if you only can keep the system stable for a certain amount of time. And that's usually measured at maximum in seconds, yeah, or in milliseconds, depending on which chip in all this. And that is a good amount away from being useful in many cases. Now, there are some use cases where it makes sense. Think of it as like a quantum co-processor. But the issue I have with that is like in many of the use cases, it's questionable if you could solve the problem as well with a couple of Nvidia's GPUs, right?
So, one of the things I see still constantly being done, there's a lot of hype in this quantum computing space as well. I think it overlaps a bit with the AI hype as well. You can also argue, you know, if that's a hype, it's real. But the point is there's a lot of hype, a lot of money floating around. I think part of that money now is looking for an exit strategy. And quantum computing seems to be attractive, right? So they're pumping a lot of stuff in there, and there are companies out there which, if you fundamentally look at this, are overvalued and also overhyped in terms of what they promise and what they do, and this actually goes across the spectrum here, right. At Bletchley Park I had the Google Willow chip as an example, where Google actually had a press release about this new chip, where they had great error correction and all this, and the claim that got picked up by the popular press as well was: this chip can do in five minutes what a traditional computer can do in 10 to the power of 35 years, yeah, which is extraordinary, because the universe is only 10 to the power of 25 years old, right. And then if you read it, it's like, yeah, no, it can't do it, right. It was like, if this thing could run for five minutes and, like, by millions and millions of times, which they're not capable of, then it would be like that. And if you look at some other press releases of different companies, large and small, there's a bit of a trend to overhype what they achieve.
And I think, unfortunately, this drowns out some of the real advances that quantum computing actually has done over the couple of years, right? And I think what, and this is where we get to, it kind of makes this threat of quantum computing seem much more real in terms of this is around the corner than what it really is. But before we go into like, you know, why the world will end, if quantum computing just suddenly shows up, what would be the benefits of a quantum computer that you have in mind? So what would be the, So what could it do much better than anything else?
DAVID LELLO: I'm going to respond to that in reacting also to what you said about the quantum computer in terms of where it's at the moment. And I think while I agree that there are issues in terms of the quantum computer, I think that we're a lot closer to actually achieving stability in a quantum computer than what is being suggested. I think that if I look back, I think one of the best ways to actually look at the future is to look at history. And when I was a young man working in a bank, there was a mainframe and it was an old school IBM mainframe. The mainframe occupied a room. It was a big room. It wasn't a small room. It was quite a big room. And it filled the room. There were valves on this mainframe. It had three water cooling tanks. There were swimming pools underground in the basement of this bank. This thing was massive. And only a few years before that, they'd replaced the punch card system out of that mainframe.
When they took that old mainframe out, which needed forklifts and some very heavy machinery to get it out, they actually had to cut some doors out because they couldn't actually physically fit that mainframe out again. And they replaced it with a rack and a mainframe computer that was exponentially bigger than what was there before. We have seen a massive acceleration in the advancements of computers over the years. And if we go back just 30 years, you know, if you go 40 years, it's just, it's massive, the amount of change that we see happening.
INGO SCHUBERT: Yep.
DAVID LELLO: And what we've seen with quantum computers now, yes, there are early indicators and science, it almost feels a little bit like that old mainframe in the basement with the three tanks because you need the cooling systems, you need the big equipment, you need all the sort of stuff that goes with it. There's a huge amount of money going into it. There's a lot of investment going into it. And these problems will be solved. And they may be solved quicker than we might think. And the advancements that we've seen from month to month at the moment are suggesting that we're getting closer and closer to cohesion. And so I think it might be a bit closer.
And if it does come, I think it's really, really exciting, because what the quantum computer can do, because it can actually process data so much faster, and not quite as fast as some people claim, but because it can process that data so much faster, it means that it can look at and solve problems that could not be solved before.
So, you know, in theoretical physics you have the concept of Schrödinger's cat: is the cat dead or alive? Is it decayed? What is the state of the cat? Well, the quantum computer would be able to actually look at and see the cat in every possibility and therefore be able to solve major problems that we have not been able to solve.
INGO SCHUBERT: Yeah, and I think in terms of medicine, you know, protein folding or so, quantum computers would actually have the edge over traditional computers, for sure, right? And there are other things where, simply, everything with a massive amount of data that needs to be processed, you know, weather forecast would be one thing, anything with geological data, there's quite a few use cases that would benefit from quantum computing.
Now, coming back to this "it's sooner", your point, "as soon as you might think": it's like, I don't think so, because it's not a straight line where it goes, this happened in the past with transistors, so it happens again. It might, it might not. It's like the lottery: just because you won last time doesn't mean you win the next time, it starts from zero every time. And especially with cohesion, if you talk about, okay, a couple of hundred qubits, maybe a couple of thousand, to be a universal quantum computer that, for example, can run Shor's algorithm, which would be a threat to cryptography, you're talking about a couple of hundred thousand qubits, right? And on the way to that one, we might hit a wall somewhere, right? There's no guarantee that we will solve those issues. We might, and actually, yeah, sure, there could be, but there's no guarantee. And at the same time, a quantum computer has to commercially survive in an environment where we have seen massive increases in compute power worldwide, thanks to GPUs essentially, right? Thanks to AI. Well, before it was the whole Bitcoin craze, now it's AI. So that, without having fundamental advances in chip design, I mean, yes, they get smaller and all this, we massively increased the compute power, so much that the limiting factor is now basically power, right? So electric power.
And in that environment, a quantum computer has to survive. Now, you can make the argument that, hey, especially for those, you know, cracking keys, you know, some governments will do that, fine. Yeah, so that's fine. They have enough money. They don't really care about that. Well, maybe they should care. It's our taxes, but let's assume they don't care.
There are practical quantum computing use cases along the way to a fully functioning universal quantum computer. I think that's undisputed. I'm not saying that's not the case. And there are good use cases for that. As I said, like, you know, protein folding, for example, in pharmaceutical research, right?
But let's talk about the threats, right? And I'm not talking about like power consumption, all that because we have that today with traditional units, right? I mean, threats in particular to IT security and then it is security, right? Because there are some, you know, I mentioned Shor’s algorithm, so maybe we should, you know, briefly explain, you know, what this is and how does it affect security.
DAVID LELLO: Yeah, so with the quantum computer, because it can process that information and the data so much faster, it's able to use Shor's algorithm to reverse engineer cryptographic keys, and therefore, when we have a cryptographically relevant quantum computer, it would be able to break those keys within seconds, minutes.
INGO SCHUBERT: Yeah.
DAVID LELLO: And therefore, the most data that we consume, use, access would be vulnerable to attack.
INGO SCHUBERT: Yeah. And so Shor's algorithm, as I mentioned before, you know, today you don't have a quantum computer that could run this, because you need hundreds of thousands of qubits in cohesion and running for some time. So yes, it's a couple of seconds, but even a couple of seconds are an issue nowadays for some quantum computers. So it would actually essentially break, or invalidate in a sense, the RSA algorithm, yeah, so a private/public key using RSA, but also using Diffie-Hellman and using elliptic curves, ECC. So basically all the ones that are popular and that have been used for the last couple of decades would be essentially broken, right? They would be broken with a quantum computer. Of course, traditional computers would still struggle as they always do, so it's no threat there.
And yeah, so if this is broken, I mean, those algorithms are used everywhere, yeah? So these are, you know, your traditional TLS, a web server communication, from a client to web server, VPNs, email signatures, encryption of files being sent around and all this, you know, they're all often based on RSA, ECC, and or Diffie-Hellman, right? So, I mean, that would be, you could actually call it catastrophic.
DAVID LELLO: It would be, absolutely. It would be completely catastrophic. I think there's, the more I look into it and the more use cases that I actually, the more systems will fail. It’s a global issue. Like authentication and authenticating into the financial system. Even things like Bitcoin become compromised. So they use elliptic curve encryption and it would be compromised. You then have a complete breakdown of the financial system as a consequence of that being compromised.
So, yeah, it can be absolutely catastrophic. I think that we can see in the typical wide use cases major issues, but also in smaller, less public issues which I think people don't always think about. So when we start talking about IoT and OT, and we start thinking about medical devices and medical equipment, the ability to be able to compromise that. You know, you take a person who's wearing an insulin pump.
If I can compromise the encryption on that insulin pump, I can kill someone.
INGO SCHUBERT: Yeah.
DAVID LELLO: That's, you know, all of a sudden, the criminality behind these things can become exponentially more significant. And we start seeing things like Minority Report and Terminator type use cases of things happening.
INGO SCHUBERT: Now you're talking. This is just got interesting now, yeah.
Okay. But I mean, coming back then to availability of quantum computers, that won't happen overnight, because it wouldn't just be like from one day to the next. Let's assume somebody, yeah, finally gets a quantum computer with, you know, 200,000 qubits where it can run Shor's algorithm, for example. Usually it's about a million. There is some research that says you only need around a couple of 100k qubits. It's not like, you know, suddenly everybody has a quantum computer. It's only a couple of governments and research facilities that have access to quantum computing. It's not like every cybercriminal has access to it.
But the threat is real. I think it's similar to like, you know, the year 2000 problem a bit. So we've seen that coming for a while, but we did things to mitigate that and it turned out to be a bit of a nothing burger.
DAVID LELLO: But but only because we did something.
INGO SCHUBERT: Exactly. Just because we did something, right? So if we would have not done anything, that probably would have been a huge issue and we did something and it turned out to be okay, right? And I think it probably will be similar to in this case here because there are things that can be done, which brings us to the next work.
Yeah, so we might disagree on how long we will have, right? So, just throwing this out there, there was a MITRE report, a government-funded research institute in the US, a recent report at the beginning of the year, and they put this Shor's algorithm somewhere like early 2040s, probably more 2050s or around there. So it's not like they had an incentive to push it out, right? So it was a solid report there. But even if you say this is much sooner, it's unlikely it will be before the 2030s. I think it's highly unlikely, unless some miracle happens. So what can you do today to prepare yourself for this quantum apocalypse?
DAVID LELLO: I think it's definitely going to be a lot quicker than 2050. I think, you know, I hate to try and predict because it's an impossible thing. You know, when one tries to predict the future, you inevitably fail because we don't have a supernatural mind.
INGO SCHUBERT: Well, let's meet 2055. Same time, yes, so we can talk about this. If I'm still at the inside.
DAVID LELLO: Absolutely. Let's do this. Same time, same place. Let's do this. All right, but if it's sooner, I think let's see how we can celebrate that event because I think with any advancement in technology, a breakthrough happens, and it happens at a point in time. It may happen next week. It may happen in 10 years' time. We don't know. But it's going to happen, that I'm sure, because the science is there. It's credible. It's real. You know, a field of sunflowers is able to maintain cohesion right now. The stability is there at room temperature, in a field, with all of the things that are happening around it. Animals running around below and pollution and everything else. A field of sunflowers can have cohesion.
INGO SCHUBERT: That's right.
DAVID LELLO: Why can't a bunch of scientists do it?
INGO SCHUBERT: Yeah, but they got a couple of million years to evolve, right? So that's my point. I agree with that, but they have a bit of a head start, right?
DAVID LELLO: Getting back to the issue, I think one of the problems we have, and we got into it a little bit at Bletchley Park, is that what we have at the moment in terms of practice, and what we would call good practice, around managing of cryptographic keys, I think a lot of companies have failed. So when it comes to events, a few years ago we had the SSL vulnerability, and everybody scrambled around and looked at replacing keys. And it meant that organizations became a lot more agile in terms of how they rotated their TLS keys, which is fantastic. That's solving a good chunk of the problem. If you have agility within your TLS keys, then it means you can change them. You might have to do some testing along the way to make sure that it all works.
But organizations can start thinking now about their certificate authority and how they issue their keys and how they replace their keys at a TLS level. And that's fine. The problem that we find in is when we get into an organization is 20 to 30, maybe even 40% of keys are not managed in this way. Very often a lot of hardware has embedded keys in it within a piece of hardware infrastructure and some of these pieces of hardware can live around for 20 years and the ability to change the keys within that hardware means changing the hardware.
We've also got a lot of bad practice in coding especially in the days of monolithic builds where applications have got embedded keys within the applications themselves. And when we start thinking about not just have happened.
INGO SCHUBERT: I think that's my point. That was bad practice regardless of quantum computing or not.
DAVID LELLO: It is. And so when we start thinking about this idea of Q-Day, which in Y2K was easy because we had a date. We don't have a date with Q-Day.
INGO SCHUBERT: Very good point.
DAVID LELLO: But when it eventually does arrive, and it might arrive tomorrow, or it might arrive in 10 years time, or if you're right in much longer than that, then we have a situation where a good chunk of the organisation and its keys are not readily or easily replaceable, and we're going to have a panic. We're going to have a massive, massive issue as data becomes compromised.
But also, the other issue that we have is one which is something that I get asked questions around a lot, and that is the 'harvest now, decrypt later' threat. And we've seen data being stolen which is encrypted, for years. I mean, back in this country with David Cameron, he famously said all of our data has been stolen by China, but it doesn't matter, it's encrypted. So going back a few years, that kind of a statement is, while true right now, given the technologies that we have, in time, with a quantum computer, that becomes an issue. And yes, of course, data ages.
INGO SCHUBERT: But some of that data will still be relevant. Not all of it, but some of it. So I think that's the same. Like, there's data out there where, yeah, if it gets decrypted in five years, who cares, right? Or in 10 years, yeah. So you can make an argument that much of the identity data for authentication, if that gets decrypted in five or 10 years, you don't really care that much, because it's outdated by that time. But there's a lot of strategic data where, yeah, this could harm you for decades down the line, right? And you don't even have to be a state. You could be just a normal corporation, a normal enterprise.
DAVID LELLO: Exactly.
INGO SCHUBERT: And what's the case?
DAVID LELLO: I mean, you know, the amount of organizations that I go into where there is legacy systems. In fact, I was in an organization not too long ago where there was an application. They treated it as a black box, and they treat it as a black box because the source code was lost. The person who wrote it, long gone, don't touch it. If it falls over, the answer is turn it on or turn it off, turn it on again and pray because it's the only thing you can do. There's nothing you can do. And this system controlled all access in its stores, all access in its stores. And if compromised, if taken down, you take down the organization.
INGO SCHUBERT: Single point of failure.
DAVID LELLO: Single point of failure. The amount of organizations that we go into where there is that single point of failure is extraordinary. Organizations really need to start thinking about how they modernize their identity and access management infrastructure. When we start thinking about identity and access management, identity and access management is the route into everything. We've seen it with the latest ransomware attacks that have been happening in Germany, as well as here in the UK, Italy and other places. These ransomware attacks, they are targeting the access control systems. They are targeting authentication, because it's a soft, easy target, whether it's Active Directory or whether it's a system like I described; the ability to be able to actually compromise access, you bring down the organization, you stop communication, you stop the ability to be able to access. Modernizing identity and access management in this context is going to be one of the big priorities.
INGO SCHUBERT: Yeah, yeah. It's hard to argue against that because, you know, that makes sense no matter how you look at it, right? I think when we go back to the bare-bones cryptographic encryption key management, many customers don't know what they have, right? They don't have a good view of where they encrypt, where the keys are, where they digitally sign. They don't have this overview. I think that's part of the problem, right? Because you can't fix what you don't know exists. Many customers struggle with simply basic cyber hygiene. That's what I see on a constant basis, unfortunately, right? Just this morning I was on a call about a customer that is running 20-year-old RSA software, 20 years old, right?
DAVID LELLO: Wow.
INGO SCHUBERT: So, actually, they called our support about something, and support couldn't answer, and it's like, yeah, sure, you know, the support personnel answering the phone call was probably in kindergarten when that software came out, right? So, my point is that as long as we don't do this basic cyber hygiene and visibility, first of all, you cannot reach this quantum-ready state, yeah, where you're ready for Q-Day. That's just no way possible.
It's also, my opinion is, you're not allowed to worry about quantum computing until you fix that stuff, right? Because if you don't know what software you're running, if you don't keep that up to date, of course you're dependent on vendors fixing this thing, like implementing post-quantum cryptography, for example, right?
But if the software is out with the new version, with all this nice quantum computing stuff, and you don't install it, it's as if it doesn't exist, right? And coming to that, even if you do that, if your policies and procedures around, for example, the data management, if they're not right, what are we talking about here? So if the attacker can just phone your help desk and ask for entry, they don't need a quantum computer to do that, right? They don't need it today. They didn't need it yesterday. They don't need it tomorrow. They just phone your help desk if your policies aren't right and gain access.
So, there's a lot of things that can go wrong, did go wrong and will go wrong, which have nothing to do with quantum computers. And my fear is that people are looking at this quantum thing, this Q-Day, and being distracted by this nice, shiny toy, right? Whereas they have so much homework to do, which they haven't done, probably for decades, right? And of course, you can make the argument that, hey, you know, you need to do that, have visibility, you know, have patching in place, fix your procedures. If it needs this threat of quantum computing for a customer to do that, so be it, right? I could be happy.
But part of me goes like, nah, because what happens if we hit a roadblock with quantum computing? And, like, for a couple of years there's no real advantage or advances, and then you go like, ah, that's, like, you know, the 2060s, like, I'll be long gone from the workforce, so I don't have to worry about that. And that's the wrong approach, because you should fix that no matter what.
I'll drop some knowledge on you, yeah, some name-dropping, yeah. German philosopher Emmanuel Kant, yeah. Now don't cut that, editor, yeah. That's K-A-N-T, right? So I call him Emmanuel from now on, yeah.
So, German philosopher, 18th century, and many smart things he said. But one of the things that I believe is one of the smartest is: you do the right thing because it's the right thing to do, right? Not because it earns you some brownie points with some deity or something like that. You do it because it's the right thing to do.
And having a good overview of where you encrypt, how you encrypt, and of policies, procedures and patching and all this, that's the right thing to do, regardless of whether quantum computing is 10 years away, 20, 30 years. It doesn't matter. You need to do that. Now, you should have been doing that for the last 20 years. That's essentially my point. I think this is where we agree. Yeah, absolutely. I think the motivation behind that is where we disagree, because we have different opinions on where quantum computing is and where it will be. But absolutely, if there's a customer that says I need to be quantum ready, the effort is not wasted.
DAVID LELLO: No, absolutely not. I think also, Ingo, one of the things that is a reality that I'm always being challenged on, because we spend a lot of time with boards of large companies talking to financial directors and the like, is that a company exists for the purpose of supplying a product or a service and, if it's in the private sector, to make a profit, unless of course it's a charity, but let's not worry about that. So the idea of actually spending money just because it's the right thing to do, where it gives me a negative return, becomes difficult and challenging for financial people to actually realize. And so investing in something because it's the right thing to do becomes more of a philosophical discussion. I don't think it's necessarily the right approach.
INGO SCHUBERT: Well, yeah, absolutely.
DAVID LELLO: Even though I agree with you, absolutely 100%, you know, from a faith perspective, from, you know, what I believe, I would always want to do the right thing. But the reality is that businesses don't exist for that. They don't exist to do the right thing. Sometimes they're a little bit immoral.
INGO SCHUBERT: Really? First time I hear that. Let me make a note of that.
DAVID LELLO: So I think what you do is, we sort of look at it in a different way. And I think one of the realities that we see, and that does resonate and people do understand, is measuring and recognizing and realizing what my risk exposure is associated with a given environment, and we need to tie it back to something that's tangible. We need to always get back to how do I build a case for change in this world, yep, and what does change even look like? You know, one of the challenges that we set ourselves, when we started looking at helping organisations answer this problem, is that there isn't actually a framework that deals with quantum preparedness. There isn't one.
So, we went and wrote one. We wrote a standard to say, here is an approach to look at quantum. We took various different standards from NIST and good practice, ISF and various different things to come up with a model and a framework so we can start looking at it. But what that does is it allows us to start looking at it and saying, well, when you take a system like that identity system that manages all the access, that is a black box environment, what is my risk exposure of having a machine like that? And I'll take quantum out of it completely. What is my risk? Do I really understand my risk? If that goes down, what happens to my environment? And if I can appreciate that risk, I've got to do something about it.
INGO SCHUBERT: Oh, and this is, I mean, in the end, this is proper risk management, which I see is missing from many corporations or organizations in general, right? And that actually needs to be done and should have been done for years and should be done today, regardless of quantum computing or not. So that's my point.
Well, of course they don't do it because it's the right thing to do, right? That's a hard financial argument to make. I completely agree with you on that. But there are all the other threats why they should be doing this, right? And again, if you need to sell this concept of looking at all this and figuring it out and having proper risk management because of quantum computing, be my guest, right? I think that's absolutely the right way. If that's the lever you need to get the signature, oh, yes, absolutely do it. Because in the end, even if quantum computing is still 30 years out, you still benefit today. Because having that readiness helps you be secure today as well. You're not wasting the money. Yeah, so I think that's perfectly, that's the right thing to do. And there are some recommendations and some frameworks from the Europeans as well, for example. They actually say that by 2026, which, to be frank, you should have already if you want to be DORA compliant. You see maybe the same things again, because you don't see some people doing it. So visibility and risk management by 2026, and then some quantum readiness in some form by 2030 for high risk and 2035 for low and medium risk, right? So it seems to be far away out, but, you know, we're already, like, at the end of 2025 when we record this, and release is in 2026.
So it's like, yeah, this is only a handful of years away. And coming back to the beginning of our conversation, if you look at the Y2K problem, yeah, if you started in 1999, you were probably, well, a bit late for this, right? So you need to be prepared now, absolutely, right.
DAVID LELLO: I think one of the things that you brought up there, which I think is a fascinating point in terms of human psychology, is the regulations, European regulations and things like DORA. Regulations only really come into effect because companies are negligent in doing the right thing.
INGO SCHUBERT: Yes, absolutely.
DAVID LELLO: And because they're not doing the right thing, lawmakers say we're going to have a major issue in the country unless we look at it. So the laws come into play when you have to do something about it. So the NCSC in the UK have put guidance in place around quantum. And we've got DORA in Europe. And sadly, because of Brexit...
INGO SCHUBERT: You brought it up, I didn't.
DAVID LELLO: We're only starting to look at our Resilience Bill here. So the Resilience Bill has been released for public comment. So issue one has been released and comment is happening. And so we'll have a reading in Parliament sometime soon. Hopefully we catch up with the rest of the world on that particular issue.
INGO SCHUBERT: Well, except the US. The US seems to be, like, you know, this wild place on the map, yeah. Yeah, it really is. Yeah, it's like, and I see that talking also to U.S. colleagues, yeah, it's like, yeah, we don't really have that, right? But everywhere else in the world, it seems to be like resilience, risk management seems to be a bit more mature in terms of regulations and laws, yeah, which is...
DAVID LELLO: You've got to have it.
INGO SCHUBERT: You've got to have it, right? And when you read through them, and you probably have as much and probably more than I have, some of those things are blindingly obvious, like having proper risk management. It's like, you should know, if that thing goes down, you just know the consequences, right? Of course you should, because your business is making money and there is something preventing it from doing that. You should know why and how to fix that. And yet they don't do that, not until they're forced by law, which is sad in some sense, right?
DAVID LELLO: Human nature sadly comes into play. I struggle with it, though, because these aren't difficult things, you know. Looking at risk and risk management is not difficult.
INGO SCHUBERT: No, but they take time.
DAVID LELLO: And it does take time, but I mean, there are so many different technologies out there that can help simplify the process. You know, computers are designed to automate processes. The whole reason we have computers is because we've got manual processes that take armies of people to actually do something. With computers, we can automate all of that process. And with modern systems, we can automate even more. You know, you take things like vulnerability management. If you've got a modernized environment and you have vulnerability scanning rolled out, you have relatively good visibility in terms of what your technology risk is.
INGO SCHUBERT: Yeah. Same thing for us. Identity governance. In the end, it's not rocket science. Yes, of course, you'll connect all the different systems, maybe create some rules and all this. But then you have that visibility, and you have the view, you know, in terms of segregation of duties, compliance, and you have that. And yes, it's work. Yes, it's an investment in terms of money and time, of course, but you get something from it.
DAVID LELLO: Yeah.
INGO SCHUBERT: Right. Which also, I think, people don't realize: proper risk management also gives you something back, because you actually find out things like, maybe you shouldn't invest all that money into securing this one or making this thing resilient, because it's not such a huge impact, whereas the other one you should actually invest more in, because if that goes down, bad things happen. I think that's also, and of course you don't realize that, because if you don't do proper risk management, you don't have that visibility, so how should you make that decision, right? So people are, basically, organizations are hurting themselves by not doing this, right?
DAVID LELLO: And identity governance does go a long way in terms of actually enabling that and helping. Yeah. You know, when I talk to a lot of organizations around identity, identity isn't one of those security things that you do because, you know, it's an insurance policy. Identity is an enabler. It's a real business enabler to help organizations be more efficient and more effective in terms of how people have access. But having the right access at the right time and the right place, and having the governance models that actually drive that, is what is critical. So when you start looking at your ITGC controls and financial systems, and you start looking at how access needs to be created in your entitlements, your segregation of duties, the mandates that go with it, these things are not anything new. They have been written into the Companies Act and financial regulation for decades.
INGO SCHUBERT: Absolutely.
DAVID LELLO: And the ability to control that with a good identity governance system is there now. And with a modernized solution, it becomes actually quite easy. It's not as difficult as people think it is.
INGO SCHUBERT: Look at us. Talking about identity security governance, and we started with quantum. It's like, let's just, yeah, but that's the point. I think this is something where it's also like a door opener for some discussions at customers, or in organizations in general, where, like, yeah, it's fine, talk about the quantum threat and, you know, but at the end you end up in discussions which are not really about quantum but about other things. That, yes, you can fix now, you should fix now, regardless of what happens in the future.
DAVID LELLO: It’s the basic hygiene concept.
INGO SCHUBERT: It's the basic hygiene concept, exactly. So that's, what a perfect way to wrap this up. So David, thank you. We could talk for hours, really, every time we meet. So, thanks a lot. And so I think the quantum threat may feel distant.
It may be, it may not be. But hopefully during this conversation our viewers and listeners got the idea that, you know what, regardless, you should do things today to be quantum ready. This doesn't hurt at all.
What you get from it benefits you today against threats which exist today, right? You don't have to wait 20 years to realize the benefits. You actually realize them today.
So that wraps up today's debate on quantum computing and its impact on identity security. The quantum future in science fiction and organizations need to understand where the real risks and opportunities lie. If you want more insight on identity resilience and the technologies preparing organizations for what's next, visit RSA.com. If you'd like inbox access to more episodes of RSA Identity Unmasked, don't forget to subscribe. Thanks for joining us and we'll see you next time.