Identity in the Digital World: How do I keep it safe?

We are joined today by an Expert in all things cloud and security. The leader of D3Clarity’s Cloud Engineering Team, Patrick Walsh, joins in the conversation as we talk about identity and how to keep it secure in the cloud. Learn about MFA and 2FA, Brute Force Attacks, and Omnichannel Purchasing, just to name a few things, with this enlightening episode

HAVE A QUESTION?
Ask Data Dave about all things data, cloud, or technology.
We'll be happy to answer your question on the podcast.

or send us an email to: techtalk@d3clarity.com

Published:

November 7, 2023

Duration:

00:19:47

Transcript

Transcript 

Alexis
Hi everyone, welcome to Talk Tech with Data Dave, I’m Alexis, and today we’re doing an expert episode!  

I’m here with my good friend, Data Dave, who you all know. 

Data Dave
Good afternoon, everybody. This is Data Dave. Thank you, Alexis. And we’re here with our expert, as Alexis just said, Mr. Patrick Walsh, who heads up our cloud and security business unit here at D3Clarity. 

Patrick Walsh
Hey, Dave. Hello, Alexis. Good to be with you guys today. 

Data Dave
Patrick, good to see you. 

Alexis
So, if Dave is Data Dave, then Patrick would be Cloud Patrick, but it doesn’t have the same ring to it, so… 

Patrick Walsh
It does not have the same ring, does not absolutely. Does not have the same ring. 

Alexis
But as Dave said, Patrick is the leader of our cloud engineering team, and our cloud engineering team is doing all kinds of awesome things. Although we often talk about data on Talk Tech with Data Dave, this podcast is all about all things data, all things cloud, all things technology, all things D3Clarity. So, we thought it’d be awesome to bring a Cloud expert on to talk about a kind of inclusive topic today: identity.  

And so that is my question for today, Dave Patrick. Talk to me about what identity means in the digital world, because I come from an HR background, as you and our listeners know, and so to me, identity means something very different than it means to you. 

Data Dave
Right. So let me take that one first.  

Identity in the digital world and in the modern digital world especially, is a huge issue and a huge thing from social media, from the ethics of identity, who is a person. How do you protect your privacy, identity theft, and various other things?  

So, that is a tremendously large and interesting issue from a data perspective. It often means the demographic data. That describes somebody, your name, your address, your different things that actually uniquely identify you. But that’s not where I think we should focus today. I think today, and we’ll maybe come back to that in a different episode, but where we should focus is on the security and the protection of that as we see more and more data and, as we talked about in a previous episode, more and more data moving to the cloud.  

What I think we should talk about is how data can be protected, how people’s data can be protected, and should people be worried about their data moving to the cloud? And so I will hand that to Patrick, who heads our security and is a certified Security Expert. 

Patrick Walsh
Exciting news! Just got my Cyber Security Certification today, actually this morning, which was awesome. It’s through (ISC)² organization, which is the certifying organization for security governance policies and procedures. 

Data Dave
Congratulations! 

Patrick Walsh
Like good stuff that happened this morning. That was fun. Yeah. Thank you.  

Alexis
That’s awesome, Patrick, congratulations. 

So, security around identity, I guess, is the great place for us to start with this identity in the digital world idea. So yeah, talk to me about what that really means or what that really looks like, especially pertaining, Patrick, from a cloud perspective. I’d love to hear a little bit more about that and learn a little bit more about that from a cloud perspective 

Patrick Walsh
We do a lot of things to protect, in my case, the way I treat the data, it’s all PII or PCI-related data. 

Alexis
You got to stop there. What’s PII or PCI? 

Patrick Walsh
So, PII is the personally identifiable information, so that stuff like your name, your birthday, your Social Security number, your e-mail address, all that good stuff, right? These are all data points as Dave has laid out in his previous Tech Talks, that these are data points that define you. And so, all of that information is, I mean, it’s out there in droves and probably multiple locations, multiple platforms, multiple areas where sometimes it’s hard to tell where all of your information actually is. 

Data Dave
Can we drill into that for a minute? 

Patrick Walsh
Yeah, go ahead, Dave. I’m sorry. 

Data Dave
We’ve all put our personal information. We’ve all purchased things online. We all do a number of things online, and we have to put out a certain amount of information to be effective, right? So, identifying information, credit information, health information, et cetera, correct? And we trust the people with that information. That it does not get compromised, and sometimes it does. We all hear in the news the thing that’s happened recently, and I think this might be interesting to talk about. We’ve recently started, in the last couple of years really, receiving these codes on our phones that people require. What they call MFA multi-factor authentication. Could you explain that a little bit to people so that we can understand how that is used to help protect this valuable information that is our identity, whether it’s credit identity, our identity, or our health identity? 

Alexis
Right. Yeah, more than that, Patrick, I’d also like to know why? Like why do I have to do that? 

Patrick Walsh
Well, okay, these are both loaded questions, so the first answer the MFA piece. Security normally is at least through Internet or the, you know, cyber world. Something will get you access to data, right? And something you know would be your username and a password. Those are two pieces of information. That you know now anybody using brute force attacks or man-in-the-middle attack or anything like that could pick that information up and compromise whatever account that you’re logging into.  

For example, if it was a Gmail account or you know your Amazon account or whatever the case may be, if you don’t have multi-factor authentication MFA or 2FA which is two factor authentication, it becomes very easy for that stuff to get Brute forced. Passwords guessed, especially when it’s like “password123”. Or you know. 

Data Dave
Who really uses “password123”, do they? I laugh because I know the answer, but. 

Patrick Walsh
The “password123” or “letmein” or “opensaysme”. There’s all kinds of things that people use.  Here’s my last name with the birth date or whatever.  

So, a lot of these passwords that we think of because we’re like, I don’t want to forget that they’re easily guessable. Which is why not only do you see the MFA become mandatory on multiple different sites but it’s also using password managers that have instead of using an eight minimum. Eight which could be, I think if it’s like 8 letters, it could be guessed within like a couple hours. If you do 10 it goes to 30 days, and if you use letters, uppercase, lowercase, numbers and special characters it takes like 32,000 years or some crazy number like that anyway… Definitely yeah, for them to brute force it, it takes forever.  

Alexis
I’m sorry, I have to stop you now, Patrick. “Brute force it”? Is that when people just like, just make stuff up until it works?  

Patrick Walsh
Yeah, they just start guessing like you see in the movies. 

Data Dave
So, the brute force is when they just iterate through the string, right? Yeah, the computer and so, “I’m going to try all A’s first, and then I try all A’s and a B, and then all A’s a B and a C, et cetera, et cetera.” So, you’re just iterating through with an algorithm to say “Eventually, I’m going to find the right string.” 

Patrick Walsh
So, the longer your password, the more security is, but still can be guessed. So, enter 2FA. So now, you have two pieces of information that, you know,  and a third that is sent to you that only you know, and it can’t be guessed because that 2FA cycles through.  

How people use that? You get the text message, you can get the magic link in your e-mail, or you have the Google Authenticator or the OR the Microsoft. Yeah, they’re all there. 

Data Dave
The special. Yeah, the special phone apps things on, yeah. 

Patrick Walsh
They all add an extra level of protection to your specific accounts, right? So, if anybody listening, if you don’t have MFA, you should definitely turn it on for everything you have. 

Data Dave
So, the point here is that, and correct me if I’m wrong, Patrick, it connects you, the person to you, the identity in the cyber world, right? So, it connects me to my Amazon account. So now Amazon knows that it’s me, and I know that I’ve accessed the correct account in Amazon. Your recommendation is that we should all embrace these multifactor. These multiple pieces that just make that connection okay.  

Patrick Walsh
Yep, Yep, absolutely. And they’re now coming out with let’s not use passwords at all. They’re coming up with the… you have to have the specific device, right? You have to have the secret key, the encryption keys. Like I know Microsoft and Google and I want to say Amazon are implementing it. But basically, you would have a hash on your phone, and if you have your phone, you can access it right, so it now moves down to the device level. Right? 

Alexis
I’m gonna do a recap. Although, Dave, you actually just did an “Alexis Recap”, and you did a really good job. So good job there. I’m gonna do an Alexis recap, though.  

MFA, two-factor authentication, is a good thing to have to help us make sure that the person who is logging in is the person who’s supposed to be logging in. And the reason we do it is to add a third layer of security versus just a username and password. Is that kind of the synopsis of that? I think I understand that a little bit more. 

Patrick Walsh
Yep, so even better than two-step or MFA or, you know, username, password, all that stuff, would be pass keys. Which is you have your personal device log in into your computer. It syncs that information, and now you have to have a device. I mean, even my laptop has biometrics on it. No one can get in my laptop unless they got my fingerprint, no one can get in my phone unless they have my fingerprint. Or they could try and guess my super-secret pin.  

You know, these are all the things that protect us. And what are we protecting? Well, we’re protecting our financial information. We’re protecting our health information. We’re protecting our personal correspondence between loved ones, whether it’s text messaging or emails or anything like that.  

So, it’s not like it was when I was growing up. Where you just like… Yeah, no phones, no pictures, no cameras, no evidence. Right now, there’s evidence in cameras and pictures everywhere. So, you know you want to make sure you protect yourself, and this is just one of the ways that you would protect it by using these various different ways of authentication. 

Data Dave
Excellent. And the risk there is that if somebody does gain access to your information, they can pretty quickly gain access to an awful lot of information. If they can get into your Amazon account, they’ve got your entire buying history. If they can get into your bank record, not only can they possibly transfer money out, but they’ve also got your purchase history and your financial history, which is essentially a fingerprint of you.  

That way, it’s a lot of information, so being able to properly authenticate or identify yourself to these systems that you want to be identified by and then hold that tight is actually incredibly important with all the benefits of this modern world. But there are risks and dangers that come along with those benefits. 

Patrick Walsh
Oh yeah, everybody has to do their own risk acceptance and mitigation and all the stuff that comes along with putting your stuff up on the interwebs. 

Data Dave
This goes into the real life as well, right? So, we see what people call “Omnichannel purchasing” and so on, where you can go into a store, and the store knows your online presence.  

So, this is the Whole Foods plus Amazon Prime knows exactly who you are when you come into the store, when you check out. And it’s that, okay, not only is it that online presence, it blends into this, “You bought this online therefore you probably want this when you get to Whole Foods or get to the actual store.”  

Alexis
Dave, you called that Omni… omnipresence? As in always present, is that a technical word or is that a Dave word? 

Data Dave
It’s “Omnichannel,” and it’s a term for essentially all channels that a retailer or a business can use to reach you, Alexis, so it’s. 

Alexis
Omnichannel, okay.  

Data Dave
Think the data moves across all the channels that are being used to reach you, whether it’s online, whether it’s in person, whatever it might be. All the channels are using the same data set and the benefits and the same sales, etc. 

Patrick Walsh
All in the name of marketing. “Hey, did you know you’re on the aisle that has something that you just bought on Amazon? You should buy another!” 

Data Dave
One so interestingly, I did a project some years ago for a gaming company. What they did was as you walked past the store, if you’d been to their store before and logged on to their network, then they would detect you walking past, and they would play a clip of the video game that you recently bought on the monitor outside the store. 

Patrick Walsh
Ah… 

Alexis
Oh my gosh, I mean, that’s kind of genius and also very scary. 

Data Dave
Yes, it is. But that’s the power that we’re reaching to. If you bring in the security, this authentication type realm that Patrick’s talking about and combine that with the data work that we currently think about and start to say, “Okay, Alexis is walking past this store, therefore her phone is walking past the store. Therefore, we’re going to do this because Alexis is interested in this.” 

Patrick Walsh
We were just at DGIQ, right? And we’re about to go to DGIQ again, well, everybody who goes to DGIQ has a badge, and then that badge has an RFID chip or one of the little Bluetooth. 

Alexis
It’s like a barcode scanner, yeah. 

Patrick Walsh
So, when you walk into a session, you get automatically scanned. They’re like, oh, they must be interested in topics X, Y, and Z, and you automatically get the emails, the follow-up emails after the event from whatever companies that you visited, the booth, or whatever the situation is, right? 

Data Dave
So shameless plug, Patrick, you just mentioned DGIQ, which is the data quality conference that’s occurring in DC, Washington, DC, in the beginning of December. So, if you wanna come talk to us, we will be there, and we will be hosting sessions to talk anything data and data governance, data management, et cetera. 

Alexis
As long as we’re doing shameless plugs, I’m about that life. Patrick, the cloud team had some really great news recently because D3Clarity just achieved its AWS Cloud Migration Competency, right? 

Patrick Walsh
Yes, we did. It was a big competency. We had enough use cases and clients and stuff that we were able to get that competency; that competency is the migration competency, so it goes all the way from data migration, which is one of our specialties. Whether you’re moving megs, gigs, or terabytes, we’ve done it all, and then you know data migration, application migration, also putting in the security, governance, networking, all the pieces of the puzzle that a good cloud architecture design is needed.  

A lot of people think, “Ohh, we’ll go to the cloud, it’s super easy.” But these days you have a whole team that runs your data centers, right? You have a network engineer. You have a platform engineer. You got a database administrator, right? Those positions don’t disappear when you move to the cloud. It’s still needed, like you might not need 10, but you still need a couple of people there to manage the environments, right? And do all the maintenance work that’s required?  Which on the cloud side of D3Clarity, that’s, we do. All of that stuff. 

Alexis
Right. 

Patrick Walsh
You can hire some of our team members to go do that stuff for you. 

Alexis
Shameless plug. I’m all about them. 

Data Dave
Exactly. Shameless plug. If you are moving to the cloud and starting to take some of your data and applications to cloud, then we, D3Clarity in conjunction with AWS and as certified by AWS, can assist in moving the data, the applications, networks, et cetera in a managed, secure, guaranteed manner that says, ”Yes, this data is protected in a manner that is acceptable within the industry and within the various levels of privacy that are required, whether it’s identity, whether it’s health, whether it’s credit type info.” 

Patrick Walsh
Yep, and don’t let the easiness of the cloud fool you. The easiness doesn’t put any security in place. The easiness is just that. It’s easy. And the reason why we have a cloud team and why there’s hundreds of cloud migration experts out there in the world is because it’s not easy.  

Right, by default, TLS encryption is not enabled for your communication to your databases. By default, it just allows anything to talk to it right? It’s PCI standards. You have to have the proper encryption between your application layer, your data layer, and all that stuff. These are all things that we can help you get working.  

Data Dave
Just to drive that home, isn’t it true, Patrick, that we were doing an audit one time when we happened to come across an organization that had their data warehouse open to the entire Internet? 

Patrick Walsh
Yeah, it was. It wasn’t great. But we got that shut down as soon as we found out. So, it was like. Told the client I was like, “Yeah. This is bad bad juju.” 

Data Dave
This is not good. 

Patrick Walsh
Dude, you need to fix this, yeah. 

Alexis
Okay. So, Patrick, you just said like TCL encryption, is that what you said?  

Patrick Walsh
TLS 

Alexis
TLS, that is a subject for another day. I’m going to put a pin in that. Dave, I’d also like to put a pin in this bigger conversation of Identity. I think that that’ll be a great question for you and I to talk about on another day, not from a security standpoint, but from a straight digital standpoint. 

But this is basically the end of our time. So, to wrap things up, Patrick, thank you so much for being our expert. I’d ask you a bunch of questions which means you did a good job, but it means I had to learn something today, which is awesome. So, thank you so much for being on with us. And Dave, thanks, as always, for being Data Dave and chatting with us. 

Data Dave
Yep, and thank you, Patrick. Congratulations on your certification and on the accreditation that we received. So, congratulations on both of those, and thank you very much for joining us. And Alexis, as usual, it’s a pleasure as always. Thank you very much. 

Alexis
Bye. Thanks everyone.  

Recent Case Studies

TALK TECH WITH DATA DAVE
PODCAST

RECENT BLOG POSTS

Schedule a free meeting with an Expert.

Ask Data Dave!

Listener questions are the best.
Ask Data Dave any question you have about all things data, all things cloud, or all things technology.
We'll be happy to answer your question on the podcast.

We will never sell, share or misuse your personal information.

Let's Talk.

An expert, not a sales person, will contact you quickly.
Usually in less than 20 minutes during business hours.

We will never sell, share or misuse your personal information.