For the security practitioner, identity can be seen as a performance. That may sound odd at first, but please bear with me.
"mccoy tyner giant steps reference solo" I typed into the search bar. I started this morning with one of John Coltrane's most revered works, "Giant Steps", an unfolding labyrinth of harmony that can grip the attention of anyone in earshot, regardless of interest in jazz. The album of the same name is a favorite of mine, so there was plenty of familiarity, but I had never really thought deeply about the piano solo in that particular song. McCoy Tyner was a regular collaborator of Coltrane's when it came to the keys so I had just assumed it was him this entire time, and a certain moment during the solo stuck out to me enough to inspire an investigation.
I'll spare readers from the analysis of what that 'moment' was since this is a cybersecurity blog and not a music blog, but the point was that I thought Tyner was playing piano. It turns out it was Tommy Flanagan.
For years I had been picturing McCoy Tyner every time I listened to that piano solo. This wasn't necessarily devastating information, and in fact I salute Tommy Flanagan for stepping up to the plate sans-rehearsal, and attempting to improvise over changes no one in jazz had previously seen on a sheet of music. But it was a bit of a shock, or surprise, since I had been holding onto my own false perception for so many years. I trusted in that false perception. Hummed to it, danced with it, shared it with others.
I didn't know the performance as well as I thought I did, thus my analysis was inherently off. I had incorrectly identified the player. What if I had known Giant Steps front-to-back, however? The composition, the personnel, the recording context & location, the versions and iterations. You could see this as data I could've accumulated for my own knowledge of the piece. This would've enhanced my understanding of the piece during a listening session. I'd also be more equipped to recognize Tommy Flanagan's piano playing in other compositions, in other contexts, in other versions.
The same goes for digital identity, and for every single identity that interacts with your organization's environment. I've been watching cybersecurity create and map context, and highlight context as critical in today's threat landscape. As identity has become even more central to our understanding of security, we've realized there is more to the story than a log-in. We have the tools: we have leveraged AI for real-time detection, pulled from browser telemetry and IdP logs, device posture, user and entity behavior analytics, and more. Yet we still get caught with our pants down once an attacker has authenticated into our environment and successfully flipped the ill-observed Zero Trust switch to "TRUST". Once they're in, they're in.
We are chasing time, as time becomes a playing field for new ventures in the AI realm. We take all of our constructed contexts and do our best to bridge them with Detection & Response as quickly as non-humanly possible. Identity security and IAM are being welcomed with open arms into the infosec party, at last, commended for the infrastructure that we continue to build. What about identity has truly transformed or evolved, though? Where are the back-porch conversations at said party between Identity and Red Team? "What have you really been up to lately?"
I can promise you: there is a transformation in progress within identity. This blog was created to shine a light on that transformation. Thanks for bearing with me.
We can stop the chasing if we see identity as a performance. A performance that requires an audience. This performance is not based on hearsay, memory, or stitched-together context clues. It's a live, second-by-second performance. I'll say it plainly: time is the differentiator. If we take all of the contexts we have collaboratively developed with blood, sweat, and tears, and simply map them to time, the game is different. An identity is then required to perform for an audience that we've developed and deployed.
Why is this transformation in thinking significant? Because it knocks on the door of Zero Trust's five-star hotel room and asks to talk.
Zero Trust is, dangerously, a static situation. "I don't trust you... until I do!" and then we walk away from re-evaluating that trust. When I talk about digital trust these days, I've realized most people tend to see it in the abstract, but it's actually quite technical and concrete. I got here from studying Kerberos, the default authentication protocol in Active Directory, the identity system for 80% of the organizations on our planet. My background is in Active Directory, as I am an identity person, so I had been glancing at Kerberos over the years. I didn't start asking questions about it until recently.
Aging as it may be, Kerberos teaches us that trust decays through time. When it was developed at MIT, time had to be a factor in order to prevent replay attacks, where authentication is intercepted and re-used for access. If you give that access a shelf life and a timestamp, you prevent that from happening. As we've seen, however, Kerberos gets exploited all of the time. Attackers simply grab those time-stamped credentials and move laterally before the shelf life expires.
What if you took that timestamp and gave it a living heartbeat? Second-by-second, measure-by-measure. A live performance.
What happens is this: an attacker is forced to 'perform' for an audience of AI to prove that it is still the identity it claimed to be when it presented stolen authentication at the front desk of our enterprise. The attacker, non-human or not, will fail to keep up this performance over time. The attacker will essentially need to improvise an authentic 'performance' of the identity - that is, if they're even aware they're being observed by the second. And because the audience has been watching and listening, they'll know that something is off. That's when our friend from the back-porch and everyone else on the security team comes in. Identity is not seen in this way, currently. We forgot to talk about trust beyond a buzzword or "best practice". It should literally be a measurement.
GlassVault Labs has developed a way to dynamically score trust and effectively place an authenticated identity on a stage, requiring it to perform for your security stack. In short, the thing we're making acts as a 'sidecar' protocol that ingests the various contexts from security tools and places them on a time grid, keeping a living Trust Score. If that score drops below a certain threshold (set based on your organization's risk and other factors), action is taken. The identity can be quarantined, forced to provide additional authentication beyond what was initially provided, or have its access weakened (e.g. an identity doing increasingly sketchy things with privileged access). At any rate, we benefit from seeing the full security camera feed, taking contexts that were previously unsynchronized and meshing them together. No more chasing, just let them perform.
Every time I listen to Coltrane's "Giant Steps" going forward, I'll be hearing Tommy Flanagan on the piano. I can now understand and study Tommy's playing, and my experience of that song will never be the same. I feel informed about what I'm putting into my ears first thing in the morning. I'm glad I looked into it.