Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
How's it going, Bob? It's great to get you on the podcast. Finally, I'm really interested in everything Beyond Identity. It's obviously not a sponsored podcast or anything like that. I've been following you guys for quite a while, so I'm really interested to have our conversation.
Speaker 2 (00:16):
Thanks for having me, Joe. I've listened to a lot of your podcasts and they're really great and fun and interesting, so I look forward to the conversation.
Speaker 1 (00:23):
Yeah, I appreciate that. You know, it's interesting. You know, when I started this podcast, right, four and a half years ago at this point, the biggest critique that I got from people was, well, how are you going to find people to come on who would want to go and talk to you? What are you even going to talk about? Right, like, is your skill set that deep that you think that you can actually talk to everyone and anyone?
(00:44):
Right, and, you know, for myself, right, I guess I'm a bit of an entrepreneur, and for myself, when I heard that it was just like, well, none of those questions even matter. Right, like, I'm going to do it, and if it fails, it fails. And if it works, great, right, like, never intended on, like, making money from it or gaining popularity or anything like that.
(01:06):
Really just intended on having good conversations with people.
Speaker 2 (01:10):
Right, well, that's, that's you. You truly are an entrepreneur. That's the startup mentality: you jump first and then you check to see if you have a parachute afterwards.
Speaker 1 (01:19):
Yeah, yeah, yeah, one hundred percent. That, that's the thing.
(01:55):
It's pretty scary, and I've had on entrepreneurs that are doing that right now, where they're in their mid to late 30s. They have a young family, several kids under two or three years old, and they're just starting this entrepreneur thing, and I'm like, man, I do not have the cojones that you have, that's for sure.
Speaker 2 (02:13):
So it's interesting, and my wife sometimes calls it a character flaw. But you really have to have a passion for this kind of thing. You really have to want to create new things. Starting early is great, but startups at any age. It really comes down to, do you have a passion for a problem? The rest of it you'll figure out. But as long as you have a known problem in the market and there's a passion for it, you get it validated.
(02:34):
Then the market's, like, calling you and you just need to commit to it and go. In the end, that's kind of what brought me. I've done, I think, five or six different startups through the years. In my early years they all were a disaster, you know, in my early 20s. But I learned a lot, but there was always a passion for that. And then through the years I've gone to a lot of different
(02:56):
startups, and no regrets. It's a different path and I encourage everybody to really think about it. It's a great opportunity to kind of change things in the market.
Speaker 1 (03:06):
Podcast as a business, you know, to some extent, and when I think of that, right, like, it's, it's a way to generate
(03:27):
your own income, to be your own boss, to not really rely on someone else to, to, you know, pay your mortgage, right. But in other countries that's really not possible, not to the extent that it is here, right, and I think that's a huge benefit. You know, that we have that, a lot of people don't even identify and don't even, you know, realize what it is.
(03:49):
I was having a conversation with someone who, you know, he went to University of Chicago, right, got his bachelor's degree from University of Chicago, got a master's degree, super smart guy, but hasn't followed the trajectory that someone of that pedigree, you know, would have expected to have followed, right,
(04:09):
and he was talking to me, you know, about, like, the marketplace, and, you know, he got into this debate, right, where, you know, some people are paid more than teachers, for instance, and whatever it might be, right. My wife is a teacher, so I totally get it, you know, and it's like, yeah, they totally should actually be getting paid more, right. In other countries they
(04:30):
do actually get paid a lot more than doctors. But at the end of the day, you know, it all comes down to the value that you bring to the marketplace, and a part of that value is actually identifying the gaps in the marketplace and filling those gaps, right. So, you know, I always tell everyone, right, when I was getting into IT slash security, I was looking for my niche, and
(04:51):
so at the time, like, the cloud was brand new, basically. It was just a few years into the cloud and I figured, okay, cloud security is going to be a thing. More companies are going to be moving into the cloud, more companies are probably going to be solely in the cloud, right? So that means that they're going to need cloud security. And I, I think the CCSP cert was, like, brand new at the time, you
(05:12):
know, right. And so I started going down the path of cloud security long before people thought of it as, like, it being its own domain, right, and it's still kind of, people still kind of don't understand that it is its own beast in and of itself. But, you know, I'm not forming a business around that. I literally just identified an area in the marketplace that was
(05:34):
lacking and started executing on getting more knowledge on it, more training on it, getting the certifications and making the jump into the field.
Speaker 2 (05:42):
Yeah, I hope, just two funny stories on something you said, and then I'll jump right into why. That's a great message for individuals who want to get into cybersecurity: don't ever think, it's just get started. But when you're talking about the US and startups, the very first startup I did, '95, I was working for a French company at the time in their R&D, and then when I told them I was going to do a startup, they just looked at me like, what do you mean?
(06:03):
What is that? How can you leave a company and go do something else? How is that even possible? So that was really interesting, and they thought that that was strange. And then on to what you were saying just a minute ago. I think that's right with cybersecurity individuals, at least my experience. My experience is very eclectic. I started out in aerospace engineering, computation and fluid dynamics, was dead set on going into industry application
(06:24):
engineering, CFD expert, and had a lot of opportunities there. But I got sucked into grid computing, because that's when computers were starting to get into this grid computing. They were cheap and scalable, and I found out that I had a passion for software. And then that led into, go into the history, if you want to. But eventually one thing led to another. I ended up doing a deep packet inspection, worked on some of
(06:45):
the first security gateways back in the early aughts in session border controllers for VoIP network, which radically changed everything. Then, after that, when I had done that, I said, what am I going to do next? I ended up doing banking security, which is, this is back in 2007. We built multi-factor phishing-resistant authenticators before there were even iPhones, and people were
(07:07):
telling us, you're crazy, no one's ever going to tap a personal device to authenticate, and, you know, it was early on. And then worked on some of the first large-scale verifiable credential deployments for digital offers and distributed supply chains, and that ended up at Beyond Identity and all of that. So you never know where you're going to end up and you never
(07:27):
know where you're going to start. If the people listening here, if they have a passion for system engineering, solving problems, and they like a lot of different aspects of that technology, then cybersecurity is a great, great place for them, because even today, like you talked about the cloud, I mean, everything's accelerating. One of
(07:54):
the themes I learned, or the things that I started to grok over time through my career, is that security has to be moved into the product early, and I kept seeing that over and over again. And I think again, for your listeners here, if they're getting into cybersecurity, it's no longer a bolt-on thing anymore. You're going to be key to the product development. Certainly, if you're at a startup, you will be part of that. Secure by design, compliant by design, privacy by design, these are all real things now.
(08:15):
And we have security, cybersecurity people, data privacy people at the table at inception of the product.
Speaker 1 (08:22):
Yeah, yeah, that's a huge thing, right. You know, there's a lot to unpack there that you brought up, and I think I kind of discovered my passion for security in that early, you know, help desk role that I had where, like, you know, looking back on it, it wasn't quite help desk. It was, like, part help desk and part, you know,
(08:44):
engineer to some degree, and you had to really understand the underlying processes and services, you know, how they operated, what they did in their startup process or their shutdown process, right, because, you know, in that role I was working with E911 systems, right. So there's a database of information.
(09:06):
Sometimes when you do an upgrade, things fail, right, and you have to really kind of work through it. And of course, it was always my luck that I would get the most random, most difficult issues that would happen. I was basically a part of the QA team without being a part of the QA team, because when they would say that it's ready for
(09:27):
production, I would have a line of customers ready to go and we would be running into just the most random things where, like, I have to go get the dev that wrote the code that is dealing with this thing, because we don't know what's going on right now.
(09:48):
But having that reverse engineering mentality benefits you so significantly in security. You know that, like, it pays so many dividends down the road.
Speaker 2 (09:52):
It's some of the best. It's funny you say that, because I'm in the Dallas office. We have a New York office, and the support team sits right over here on the QA team, and that story that you just described plays out every single day here, and some of the best systems engineers I know are on the security side, support and security side. They're either deployment engineers, support engineers, cybersecurity, and if you're a support engineer, you really
(10:15):
have to be a Swiss army knife, right, because you're getting pulled into every direction.
Speaker 1 (10:19):
Yeah, yeah, you know, that's so true, you know. Looking back on it, right, I didn't think of it at the time. But, you know, you're learning Postgres, you're learning, you know, Apache web servers. You're learning Linux. You know, you're learning Python while you're doing it all in Bash script, you're learning. I mean, there was even a point in time where I was learning,
(10:39):
you know, PKI certificates, you know, distributing the keys and how to initialize it on the system and attach it to the web app and all this other stuff, right. And then, you know, SELinux, right. Man, you know, it's funny because our devs, you know, we worked
(11:04):
with a lot of federal agencies and everything, so they always required SELinux to be, you know, turned on and enabled and whatnot. And the dev that was supposed to design that module of our application, he never actually, like, ran it in production. He created it, got it working for, you know, this one top secret environment, right, and never looked at it again, and
(11:26):
several years had gone by, and now I have a whole bunch of customers that want SELinux running, but every time it starts up the application completely crashes. You know, it doesn't start anything, right. So now I'm reading the NSA's documents on SELinux, you know, trying to figure out how to make these exceptions and, you know,
(11:46):
going through and learning, like, each and every single command, process, service that is tied to this application needs to be whitelisted. It's not a normal whitelisting process. You have to run this string of commands to run through it, right, like. But that sort of thing develops you into that Swiss army knife, you know, and no one was doing that beforehand, like, I couldn't.
(12:08):
It wasn't like a Google, Googleable, like, problem. It really wasn't. It was like, hey, here's this document that the NSA wrote, go figure out how to use that information and correct it over here, because, like, we can't lose the contract. The contract is worth several million dollars. We're a small startup, like, this is something that needs to be done.
Speaker 2 (12:28):
The first again, to reiterate that, um, or just to double down on that, and I've led product teams, engineering teams, CTO, COO, CSO. I've kind of done the whole. I've worked at a company that, a VC firm, that bootstrapped, uh, energy, like, small energy startups, and I would bootstrap the engineer and the technology, get them going, and they'd go to
(12:50):
the next one. At the end of the day, the person you go to first to understand how the system works is the deployment engineer and the support engineer, because they're the ones who are going to tell you how the customer is using the product and how it's deployed. And your solution architects, don't get me wrong, the engineers, they're the engine, right, in engineering, but sometimes, you know, they'll be very super technical and very focused.
(13:12):
So I totally, totally get that, and that is kind of, you know, when you talk about those. Historically those roles have been quite separate. But I think we're seeing now, certainly with your security engineers, your privacy engineers and your product engineers, even support and deployment, they're all starting to collaborate very tightly, kind of like, you know, in the
(13:33):
past it was DevSecOps. You know, you had your walls, right, and younger engineers probably can't even imagine a world before DevSecOps. It's the same with security and product.
Speaker 1 (13:42):
It's heading in that direction, right, yeah, yeah, it really is. And there's new. You know, with AI becoming more prevalent and LLMs, you know, there's whole new domains of security that are being created right in front of us, right, and I always keep my eye on the job market just to see how it's performing, what it's.
(14:03):
You know, what the trends are and everything, and I'm slowly starting to see AI security roles open up, right, and, like, normal companies that aren't NVIDIA, right, and, you know, I'm sitting here and I'm watching this industry start to pivot, because now everyone is saying, you know, we're going to incorporate AI
(14:24):
into our platform, into our solution, into our offering and whatnot, we're going to offset this headcount. But companies are slowly starting to wake up to the fact of, oh, that's a totally different kind of security that we have to provide. I mean, there isn't even true, you know, AI security products on the market right now. I mean, there's a couple offerings out there, but I
(14:46):
haven't seen anything that, like, you know, is, like, truly built for it. You know, it was kind of like a bolt-on sort of thing.
Speaker 2 (14:53):
Yeah, no, that's a great observation. And, you know, again, when you look at kind of how the threat landscape has evolved over the last four or five years and, you know, the cost benefit analysis, like, people who have their current. And one of the points that Beyond Identity always makes is that legacy MFA is not good enough. Legacy solutions aren't good enough because the landscape has changed, and if you haven't been popped it's not because you're
(15:15):
good, it's probably because you haven't been targeted, and the whole cost benefit analysis for some of those APTs has radically changed. It's that, yeah, that landscape has completely changed. And then you layer on AI on top of that and it accelerates the scope, whether it's malware as a service, phishing as a service, you layer on AI and then all of a sudden you're a threat
(15:38):
landscape, let's put aside the innovative attacks and the new enablement attacks like deepfakes, but just on top of the legacy stuff, the scope and scale just explodes and you can't defend. And then, you know, AI is going to augment products and everybody just puts an AI stamp on their product. Just like, you know, back in the day you had a Windows certified hard drive and you're like, what does that even mean?
(16:00):
Well, it's Windows certified, so there are a lot of products out there. People have to be careful when they stamp with AI. So there's the augmentation part, and there's a lot of value that can be added there. But then on the other side, you have a whole new category of security that needs to be figured out, because all these companies, ourselves included, they're trying to figure out how
(16:20):
to use AI internally, and it's going to explode. The use of information, information that otherwise wasn't accessible or used within the organization, is now being exposed to these LLMs. And we've spent all this time, kind of as a security engineer, trying to make sure that the data is anonymized and you can't de-anonymize it.
(16:40):
And we patted ourselves on the back, right, done, figured it out, and now we put an LLM in front of it and the LLM itself is de-anonymizing the data, because when you ask it questions, you don't really know how it's going to answer and you're getting all kinds of data leaks and privacy violations. It's kind of crazy. And then just the fundamental architecture, with RAGs and
(17:02):
daisy-chained LLMs. It needs a whole new authentication. Beyond Identity feels it has a position there for sure. But there's things called pre-inference ABAC, which is you come in, and before you actually execute the prompt you have to map it to the policy domain, map that to annotated data to make sure you restrict the data you pull, that you put it into the LLM.
(17:23):
So there's all kinds of stuff that's radically changed, and it's kind of exciting, and I think there's going to be a ton of opportunities again for security, cybersecurity people. People in cybersecurity are going to be front and center.
Speaker 1 (17:34):
Yeah, yeah. People ask me if I'm worried about AI taking my job, and I'm sitting here like, no, no, AI doesn't augment, but it 10Xs me, right, like, you really have to use it, you know, I'm. So I'm getting my PhD right now, and I mean, don't congratulate me yet until I actually get it.
Speaker 2 (17:54):
Kudos to you.
Speaker 1 (17:57):
It's very difficult, it's extremely difficult. It's probably 10 times more difficult than I expected going into it, but I think the reward at the end will be, will be worth it for sure. But, you know, I'm getting my PhD. I'm studying deploying zero trust frameworks on communication satellites with the sole purpose of preparing them for post-quantum encryption.
(18:17):
Because, really, like, that's where, that's where everything is going. That's where, like, the next, you know, major war will start. Right, it's going to start in space long before it starts on the ground, you know, because how else are adversarial militaries going to intercept communications? And, you know, hack a country, right, like, you would start with the satellite, really. But, you know, in that, right, I'm using Grok heavily, heavily.
(18:41):
And the whole purpose is because when I started my research, I was using Google to try and find scholarly articles that support my research in different ways, and it was very difficult to find just reliable sources, material that I would actually
(19:01):
be able to use, anything like that. I mean, it was just, it was just very impossible, basically. So I went over to chat, started using that a bit. It definitely provided me more value, but it wasn't able to go deeper than what the text was giving me. And this is, you know, a year ago. And then I, so then I started comparing it with Grok, and Grok was able to give me, like, precise information.
(19:24):
Hey, this document matters because of this table. They did this work.
Speaker 2 (19:29):
Here's the actual quote. To try Grok out, yeah, everything.
Speaker 1 (19:32):
You know, I've never, I've never. So I've made requests of Grok before and it didn't give me, you know, a result or whatever might be. I think it's because I'm literally, like, hitting limits in the chat window of how much, how much text is actually in that chat, but it gives me exactly what I'm looking for, like, every single time, you know, and I've had it,
(19:53):
you know, even, like, write me some code, and I'm not a developer by any means, but it gets me 85% of the way there, and I'm smart enough to know what to adjust and how to plug in different things, right? So, like, it's, it's literally being used to augment me in a way that would take me years to get through, you know.
Speaker 2 (20:12):
Yeah, so a couple things. One of the things, uh, the biggest issue I have is, is doing research, and again, everything I do now is AI assisted, certainly all the research and the synthesis of information, but it's attribution. That's a real problem, because the LLM will. Again, they call it hallucinations, but it's confident about everything, right, and so I won't really
(20:33):
reference anything or use it unless I have strong attribution. No, that's pretty important. And then the other thing is, and I don't know really how this is going to shake out with AI, honestly, but I have a sense that people like yourself and systems engineers are going to be 10x'd, right, and I agree with that, that people can think from a system perspective.
(20:54):
And then the individuals who can't bridge that gap and get to the system level and become, you know, engineers are going to really struggle. Because I've been using AI, Claude, Cursor, all kinds of AI tools, and it's actually writing kernel code that just works. Wow, I've done all the way from UI development, back-end
(21:16):
development process, productivity work, and the AI stuff just really works. Now, two or three years ago it was still, you know, what it was, but it actually, you can write serious code with it, and I think the, you know, and then you'll see. I think the cybersecurity industry is really going to be impacted in a lot of different ways. With the proper agents and the proper security architecture
(21:45):
internally, a lot of the stuff that I can do can be rapidly accelerated, right, so that I can focus on more important problems. Whether it's compliance, it's automated compliance, regulation, reviews, all that stuff. All that stuff's going to be addressed very quickly. And then, you know, threat surface analysis, attack surface analysis, incident response. Those are all areas where AI, I think, is
(22:06):
really going to augment the security operations.
Speaker 1 (22:07):
Yeah, yeah, that is true. I feel like there's areas that it would be able to, you know, replace a headcount, potentially, right. But, like with everything typically, you're going to find that the industry will cut, you know, so severely because they think that they're going to save all this money with having this LLM or this AI thing and getting rid of all these people,
(22:30):
and then they're slowly going to be adding them back in. Like if you, if you look and if you actually follow it, you know, Microsoft laid off, like, what, 200,000 people in the past 18 months or something like that. I mean, like, it's a significant amount of people that they laid off. Google did the same thing. Probably a different amount of people, obviously, met up everyone
(22:50):
and now they're hiring in other areas. They're hiring in other key areas because they're finding, oh, okay, we didn't need as many marketing people to do this work, we can augment it with this other tool over here and then we can divert those funds somewhere else.
Speaker 2 (23:05):
That's right.
Speaker 1 (23:07):
And so we're moving into an interesting place. But I kind of want to shift gears a bit and talk about Beyond Identity. Absolutely. So talk to me about, you know, what Beyond Identity is, what the problem is in the marketplace that you're solving for, and how you're doing it.
Speaker 2 (23:23):
Yeah. So I mean, fundamentally, we're a secure access platform built from the ground up to address the new identity threat landscape. So we target identity threats directly and we design them out. We try to move as much from detection to prevention, and it kind of takes advantage. We do that by providing. I mean, if you look at Zero Trust, we provide
(23:43):
phishing-resistant MFA. We'll get into why I think most of the legacy phishing MFA we know is not good enough, but at its underpinnings it has phishing-resistant MFA. It has strong device credentials and device posture so it can do continuous authentication. We have a secure access layer and SSO, and now we're starting to expand into kind of collaboration tooling like
(24:05):
RealityCheck, which basically targets deepfakes. And so the problem fundamentally was, when you, and it was a re-imagining, it was from our founders and one of our founding CTO, Jason Casey, who had very early on recognized, I think long before I certainly did, a lot of other people in the industry, that there was something radically changing.
(24:26):
So where you had on the IT side, which was doing mostly productivity, and that's where all the identity solutions were, it was really about workflow management, orchestration, and most of the security threats were at the network layers. All your engineers, you know, that war between the red teams and the blue teams was all at the network layer. As that started to, as we started to move out and started,
(24:47):
everybody started using SaaS applications. Bring your own device, you saw an explosion. You saw an explosion of all of that layer, and it exposed an identity substrate where it was completely vulnerable. And then the IT guys, who were awesome people, but, but they were focused on workflow optimization and identity management, all of a sudden had an entirely new security problem,
(25:10):
which was identity, and all of the security engineers were trained for the last war, which was network penetration, malware. Once you penetrate a device, you do lateral movement. Totally wasn't going to work anymore. So that's kind of where Beyond Identity came from. And we started with phishing-resistant, passwordless back in 2019, long before anybody else had an
(25:31):
enterprise-level solution, had a lot of success there. And then we expanded into, like I said, the device posture. We have an offering called Device 360 that allows you to look at your device fleet, recognizing that the real problem. And when you get down to it, if you follow the user's lifecycle, and this is the next generation kind of secure access platform, they start on a device, they go to the access plane, and then
(25:54):
they get to an application. Makes sense, right? A new platform has to follow that entire journey from the device to the access layer and then finally to the application. Again, one of the things we're really excited about right now is our RealityCheck solution that targets AI deepfakes, and that is only made possible because we can tie the device to the session, to the user, and we can tell you who's actually
(26:17):
on that call. So, on our platform, it eliminates that deepfake threat, but anyway. So that's kind of where Beyond Identity came from, and we're having a lot of success in large enterprises, Fortune 50, all the way down to SMBs.
Speaker 1 (26:32):
Yeah, that is pretty fascinating, you know. It was, I think it was right around 2019, probably, when I started to actually follow, you know, Beyond Identity a little bit, right, because you're starting to do things differently, and the problem with identity security overall, just IAM, is it's
(26:54):
typically an arduous experience for any sort of end user, really. I mean, you got to think about it, right, so you're not going to remember 10 or 12 different passwords. I mean, it's just not going to happen, you know. And if it happens, cool. But guess what? You're going to have to change them all eventually and you're going to be relearning them, right. So now you move it into a password vault, which is great.
(27:16):
I mean, I use a password manager myself. I use 1Password, it's great. Does 1Password? It's great. Does its job, does exactly what I need, you know. And so now I have this solution over here that, you know, has complex passwords in it for all these different websites, but still, for someone that's not technically savvy, right? My wife is a teacher, and I tried to get her to start using,
(27:37):
you know, 1Password, and it's just not going to happen. You know, it's never going to happen, right?
Speaker 2 (27:44):
You bring up a good point, and you mentioned the usability. So fundamentally the enterprise and the consumer, at least on the surface, have very different requirements. But when it comes to passwordless, so let's even move away from passwords, just say it's secure authentication and secure access, they kind of look very similar, because with an enterprise you have to meet the user where they are, and they have these massive heterogeneous environments.
(28:05):
Some are deeply technical in the way you can put a PAN or a platform authenticator and you can device posture. Others you have to use a FIDO key, or we have a solution which is called a hosted web authenticator, which allows us to engage the user just in the browser. That's security there. So even with the consumer, a password vault, that's a
(28:28):
starting point, but it's not okay anymore, right, and we see that a lot of times at the enterprise level as well, where they have these. They weren't clear about how they were going to deploy the next generation MFA or a phishing-resistant MFA. So they deployed an MFA, which is really just another factor on top of passwords. And so now they have these large heterogeneous environments
(28:49):
where in some places they have phishing-resistant password solutions. In other places they have MFA solutions that are not phishing resistant, which they can be easily. And the other thing they run into is the user experience is horrible, like, even in an enterprise, when you try to push an edict out, if the users don't, you're outnumbered. You worked on the IT side. You're outnumbered by your users, and if your users refuse
(29:12):
to use something, it's really, really hard to get it deployed. And that's another thing that Beyond Identity. Again, I know we're not supposed to be pitching our product here, but it's what I, just from my personal experience. If you don't focus on the usability, whether you're on the consumer side or the enterprise side, it's just not going to work.
Speaker 1 (29:29):
Yeah, I've deployed privileged access management solutions before to pretty large companies, and, you know, I've beaten every record that that vendor had of previous deployments, of size and speed and capability and everything else like that, right. And so a huge part of that deployment, you know, I'm
(29:53):
deploying it to probably 12,000 individual people, about 100,000 individual accounts, including onboarding, you know, servers and, you know, all these other workloads and whatnot, and maybe the biggest part of that was actually vocalizing it and kind
(30:13):
of, you know, going around and making sure that all the people in the company were on board with this, right, and the biggest thing was explaining it to them in a way that, you know, related to, like, not only just their job but what's at risk. You know, and it was very convenient for me, because one of our competitors had a breach very recently in that timeframe,
(30:36):
so I could literally say, like, hey, they had a breach, this exact way that we're trying to protect against, right. Like, I know this makes your day a little bit longer. It's a little bit more difficult for you to log into this server that has all these social security numbers on it, right, I know that.
Speaker 2 (30:53):
You know, solution with no password be less usable than a solution with a password.
It is kind of interesting, and oftentimes that's the case, right, because again, security wasn't the, like I said.
(31:16):
You have to push security into the product and that's happening, but you also have to push usability, and that's exactly the feedback that I've seen in the market is your solution has to be low friction, because we're trying to get users to authenticate and access safely.
(31:36):
That must include, it's got to be easy to use, because if it doesn't, they're not going to use it.
Speaker 1 (31:38):
Yeah, yeah, I mean, I've seen it where users immediately start trying to just go around the product, no matter what.
They try to have perpetual SSH sessions going and RDP sessions going and they're, they're, you know, logging into.
You know.
(32:00):
I was at a company and we had this fantastic solution, right, where if you didn't log into a server for a certain amount of time, you would lose access and you'd have to re-request it.
Right, and the request just goes to your manager.
They approve it, you get the access. Yeah, it's a typical idea.
It's like an early form of just-in-time access. Yeah, PAM. Yeah.
(32:23):
So I was talking to, like, one of our top engineers slash developers, right, and he went and, you know, just all willy-nilly, just logged into a bunch of different servers, you know, right off the bat, and he wasn't doing anything in them.
And I'm on security.
But he likes me, you know, I have a way about getting people to talk to me, probably more than they should.
(32:44):
And so I was asking him, I was like, why do you log in, you know, once a week or whatever it is, to get in to these servers if you're not doing anything?
And I'm like, what's the purpose?
You know, you could really be opening up the environment to a foothold if your device ever got compromised, you know.
Speaker 2 (32:51):
Right, that's right.
Speaker 1 (32:52):
And he's like, well, I have to log in, you know, maybe once a month, once a quarter, to actually do work, but at that interval I have to go and, like, request permission.
You know, every time I log in, and my manager, my manager isn't always available.
(33:15):
He had a whole list of excuses and I'm like, man, we have this multimillion-dollar solution that we just deployed and bought.
We were talking about it with everyone, vocalizing how great it is and everything.
This guy is just having no part of it.
He's getting right around it and there's literally nothing you can do about it, because he literally said, yeah, if it changes, I'm just going to start writing a script that has a perpetual inactivity monitor on it.
That will just forever keep me active.
Speaker 2 (33:37):
So you hit a key point for me.
You're making a key point where it's a pet peeve for me of the legacy solutions that have tried to adapt from the identity side and the IT side have created all these add-ons and bolt-ons and it starts to look like, it looks like security through configuration, right, which is a really, really bad model, right?
(34:02):
You want security by default, and one of the pet peeves I have is, and again it's all about PAM, privileged access management.
There's a lot of great stuff going on there and extending it, but fundamentally, the question you have to ask is why do privileged accounts have a different access management solution than everyone else?
So I think there's, again, it's rethinking the security solution.
(34:24):
At the end of the day, when we talked about the access layer, you start from the device, cryptographically bind that, all that great stuff, device credentials, continuous auth, but even in the access layer, if that's built properly for the future, you have all of that privileged access management built into that access layer.
(34:44):
That's available for all accounts all the time and you shouldn't be running into these kinds of problems, and that individual, that just wouldn't even be a problem, because that's an artifact of having a really complex system.
That is, it's no one's fault.
It's just how we all got there organically.
That is security through configuration.
Yeah, yeah, no, that's a really good point. Which is a bad model, by the way.
Speaker 1 (35:00):
Yeah, you really have to take kind of the guesswork out of it.
You know, there should be no questions about it, and there are, you know, more advanced ways of authenticating a user and a network and whatnot.
Right, like, you know, with zero trust.
If you want access to an application, you have to meet a certain, you know, criteria with your device.
(35:21):
You don't have to worry about, you know, getting onto a VPN, logging into that VPN, logging into a server to get you access and whatever it might be, right.
I, I was working for a company that's been around for, you know, 100 years, whatever it might be, like.
It was probably 100 years, and so they had this, this, you know, siloed, it's like a three-tiered AD architecture.
(35:44):
Right, where they had, it was Microsoft built it for them and then Microsoft coined the term and wrote a whole document on it because, you know, this company paid them so much money.
They were just like, here's a blank check, design this thing, you know, build it all out, right.
(36:05):
And it was like an early iteration of zero trust, where you put your crown jewels into one environment, you shut off all access to that one environment and God forbid you ever have to log into that environment, because by the time you log in, your sessions are going to start timing out and you can't do anything.
You can't manage that infrastructure.
(36:28):
And when I was diving into this architecture with the engineer that was around when he set it up, he was actually retiring, so it was pretty important for me to get an understanding of that environment. I started diving into, okay, well, you say, you know, nothing can touch it.
How do you patch it?
Right.
And he said, oh, you know, we have to log in and patch it manually from, you know, this console or whatever.
Like, okay, that's fine.
Well, how do you get the patches there?
Do you, like, download them on-prem and then transfer them over through some secured, you know, SCP process, right?
(36:50):
He goes, oh no, there's a connection out to the internet and it pulls it down through, you know, the official repository and everything.
I'm like, okay, well, that's a great idea, but you know how the federal government does it, right, where they interact with a vendor, they verify those patches, you know, in some secured environment, they shoot it up to a satellite and that satellite is the only thing that's allowed to connect to that internal environment and it's on every repo.
(37:11):
It has a special key and everything else like that.
Like, you're trying to replicate that without doing that, you start going down this rabbit hole of finding out, oh, this thing hasn't been patched in four years.
You know, this system isn't even used anymore but it's active in this environment for this one authentication token.
That breaks everything else if it ever gets turned off.
Speaker 2 (37:30):
Yeah, I mean, I know people overuse the term zero trust, but zero trust is real and material as far back as 2007.
Some of the earliest TCG, Trusted Computing Group, architecture around TPMs and secure elements to the famous Black Core document issued by the government, which is the next generation security architecture, which was the beginning, they didn't call it that yet, but it was the very beginnings of zero trust.
(37:51):
This is not a trend.
Security experts have realized that to ensure trust it has to start at the device and then it has to go up and you have to cryptographically bind the entire lifecycle to the destination.
You just have to do that, like with your satellite example.
(38:11):
There is a huge push.
So the DOD has made it an absolute imperative that all corporate, government corporate networks are zero trust by February 2007.
That's a hard hit.
All military networks by 2035.
It's not.
I think there is.
(38:32):
I was listening to the CISO, the DOD, give a talk at RSA and I think there's 145 different networks that they have to kind of manage and understand.
It's crazy, but zero trust principles are grounded in real deep engineering and fundamentally it has to start with, like I said, the root of trust. You and a company have to be able to build a root of trust and then extend from that, and Microsoft has made a lot of great progress there too.
(38:53):
They use device credentials when they deploy.
When you move to Entra and you move off hybrid or AD, a whole ton of, like, pass the hash, pass the token, a lot of threats on the device disappear.
There's a lot of other issues with the paradigm, but fundamentally it's real, it's based in real engineering principles and you can't.
(39:13):
You just have to get on board and understand that.
That's where the industry's going.
Well, a huge part of the industry's already gotten there and the government's got to be there.
And just as a side note, Joe, what is interesting too is everybody looks at.
So I've, Beyond Identity, went through, we got FedRAMP Moderate and we work with partners and we have a really strong interest in the DIB and the FedCiv area.
(39:35):
But what I am learning too is, what I learned from that experience is, that all of the compliance stuff that, you know, people look at the government and say they're slow and they're bulky.
That's just not true anymore.
(39:57):
In a lot of ways they're thinking faster and more strategically than the private industry and they're driving a lot of stuff and you're going to see some pretty significant changes around automated compliance and zero trust architectures where the federal government's leading that.
I mean, you see things like their SWIFT program and their FedRAMP 20X.
There's some pretty innovative stuff going on there and they're really, in a lot of ways, driving.
They're going to start driving the private sector, in my mind.
Speaker 1 (40:25):
Yeah, no, I mean, it's so that satellites.
It's interesting because you're talking about, you know, let's think about it like with a 6U server. Each U has a different component that's doing a different thing, and all of that has to be zero trusted, but you can't use, you know, an extreme amount of resources.
(40:46):
You're in an environment that's extremely limited with resources, especially when the satellite is on the other side of the earth and not facing the sun.
Now you're running on batteries and now you have limited resources for everything, right?
Speaker 2 (40:55):
Well, think about it.
I'm sorry, go ahead, Joe.
Speaker 1 (40:58):
Yeah, so the zero trust in that situation then turns into a tiered architecture type of thing, where you have these root nodes, right, right, that are at higher altitudes, that you're now authenticating to and you're verifying your identity with and you're verifying other connections with, because those are the ones that then have to be focused on that process, because that's all that they do, rather than, you know, the lower tier satellites that are authenticating within itself, right?
(41:20):
Yep, and you know with that.
Speaker 2 (41:28):
If you think about that, extend that to, um, uh, what's it called, MUM-T and UAS, manned-unmanned, uh, teaming and, uh, the drones, that just explodes.
(42:12):
That wasn't a satellite I get for you, still working off with you, but in the last three years, and particularly with what's going on in Ukraine.
Speaker 1 (42:13):
Think about that times 10 for drones, you know, lagging behind this huge, you know, infrastructure that, you know, doesn't really adapt that easily or that quickly or anything.
And then Stuxnet happens, right.
And then I read the book on Stuxnet, Zero Day, right, kind of changed my entire mentality, because they were doing IOC hacks long before anyone even thought of IOC as a thing.
(42:34):
Like, as a thing even being a part of someone's infrastructure.
It was a controller that you just had to run in the environment.
No one was thinking of it, of, if I manipulate this controller here, I can make this power generator over in Idaho National Laboratories, you know, operate at such an RPM that it's not even built for and it's going to explode all on its own without me having to do anything.
(42:56):
I don't drop a bomb on it, I don't send someone with a bomb, it is the bomb itself already and we're going to blow it up with code, right? That's right.
And then you look at how they built out Stuxnet and everything.
I mean, that is a work of art in terms of technological engineering, of what they did, right, like having the different modules, how it sat there and waited for an undetermined amount of time, just waiting for the right system to log into it, and how it was even querying that system to get the device properties and whatnot.
(43:19):
It wasn't doing normal queries.
They had to create this whole query language around it just to figure it out in a very stealth manner, right?
Speaker 2 (43:40):
Yeah, no, it's absolutely crazy.
So I think the takeaway for me there is, again, I think the government, in a lot of ways, is driving a lot of this technology, and I think the security, the enterprises that need to deploy a solution just because that's not their business, they need to secure their business, really need to look for vendors that understand, soup to nuts, the raw device attestation and secure, like, zero trust architecture plays into that, because it's really pretty intense.
(44:00):
What you can do now, and everything has to start now, it has to start at a root of trust.
(44:23):
I mean, if you were to say to an enterprise today, or even a small business for that matter, hey, we just want to verify the hardware supply chain when the device is out, they're like, yeah, that just seems like such a secondary, tertiary problem.
I've got other things to solve, but that's not the case anymore.
That's a real problem that needs to be dealt with today and it needs to be part of a default solution.
(44:44):
Because the attackers, we think we're more sophisticated, because in a startup industry, private sector, we're doing all the kinds of innovation, the threat actors aren't.
They have their own startup ecosystem, they really do, and it's funded by nation states.
So we have VCs, they have nation states that fund that whole ecosystem and it's changing and growing quickly and the attacks are getting more and more sophisticated.
Speaker 1 (45:03):
Yeah, it's very true.
Stuxnet was only the beginning of what we're seeing.
I mean, you look at the pager attack that Israel pulled off against Iran.
That is one of the most impressive compromises that we've ever seen, right, that we'll know about in the public eye, and even, just, you know, with the recent bombings in Iran.
(45:27):
Right, I'm sure that we'll, you know, hear more details about it in like 15 years, right, when some people, you know, that were tied to it, probably, like, pass away or whatnot.
But just thinking about the logistics that go into it, I had on someone a few weeks ago from the CIA that specialized in the umds and, you know, monitoring them and tracking them throughout the world and whatnot, and he was talking about the precision that these pilots had to have with dropping those bombs.
(45:47):
And if you look at the satellite images, there's one hole.
Right, that means that those pilots literally dropped multiple bombs into the same exact hole to make sure, because they knew that those bombs are only going to go down so far, right, so they hit that target.
(46:09):
Well, maybe the facility is below that.
Well, they just kept on dropping them, you know, and that alone, to know where to drop it, to know, you know, the infrastructure inside and everything like that, the logistics behind it is so impressive.
(46:32):
It's not like anything that we've seen before or even dreamt of, you know, decades prior.
Speaker 2 (46:34):
No, and I think with that high-tech stuff, I think zero trust architecture and solutions that kind of incorporate that in for the enterprises by default are going to be really, really stressful.
You know, it's just, again, the level of sophistication.
As we get more sophisticated, the attackers get sophisticated, and me personally, on my journey through cybersecurity, coming from product and engineering, I've always wanted, the first thing I do is I look at the architecture.
(46:58):
How can I design problems out?
Because I know we're going into.
We have one of our marketing people that coined the MFA apocalypse.
But as we get ready for this AI onslaught, you know, it's battening down the hatches.
Look at your legacy ecosystem and the gaps that.
(47:18):
There are solutions out there that can close those gaps and move it from detection to prevention, because you do not want to be in a position where you can't focus your resources away from the legacies.
I've just buttoned that up.
Get a solution that works, it's secure by design, it is privacy by design, compliant by design.
I mean, just out of the box, secure defaults, and focus on the new threats.
(47:40):
I mean, the last thing you want to do is be looking over your shoulder saying, hey, did I really close the back door? Because there's stuff coming, right.
Speaker 1 (47:44):
Yeah, that's a great point.
Well, Bob, you know, unfortunately we're at the top of our time here.
It was a fantastic conversation, you know, like we went down so many rabbit holes.
It's always great having these sorts of conversations with, you know, people of your caliber and experts in the field.
Yeah, absolutely.
(48:05):
Well, you know, before I let you go, how about you tell my audience, you know, where they can find you if they want to connect with you and reach out, or where they can find Beyond Identity?
Speaker 2 (48:10):
Sure, first and foremost, beyondidentity.com.
beyondidentity.com, you can go to our website.
You can also go to our Beyond Identity slash podcast and you'll see a lot of the latest stuff and hopefully this will be up there pretty soon.
And then we're all going to be at Black Hat, so we have a huge presence at Black Hat.
So anybody who's going to be there, they should reach out to us and we look forward to seeing you. Awesome.
Speaker 1 (48:32):
Well, thanks, Bob, and thanks everyone for watching.
I really hope that you enjoyed this episode, I know I did.
Speaker 2 (48:38):
It's a great service, Joe.
Speaker 1 (48:39):
Yeah, yeah, absolutely. Well, thanks everyone, I'll stay tuned with the next one.
Speaker 2 (48:44):
Hey, one last thing, Joe.