You're listening to the Identity at the Center podcast, the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how are you? Oh, not so bad, yourself? Doing great, man. And we might get some background noise because we've decided to record on Wednesday this week.
The landscapers are here and they are mowing, and I've heard them a few times, but we'll keep our fingers crossed. Sounds okay to me, but we'll see what it looks like in the post-production world. And of course you've got landscapers; I actually have a guy in my yard with a chainsaw cutting down dead trees. So hopefully that won't impact us too much, but those are first world problems as far as I'm concerned, right? Yeah. And actually, for our banter this week, I wanted to bring up
a non-first-world problem. So I've been listening to, of course, the Risky Business podcast. I listen to it pretty much every week, and this week they were talking about Microsoft's moves relative to the war in Ukraine, which is that they've taken the stance that they are not going to issue patches to their software for Russia. And, you know, the debate goes something like, they think it's a really bad idea for a
couple of reasons. One is because there are a lot of, you know, noncombatant organizations in Russia that depend on their operating system, for example hospitals or orphanages or whatever. And so if hackers are able to break into the systems, they cause a lot of problems. And nobody wants to see hospitals and orphanages, or even just innocent bystanders, get hurt by this. And then issue number two is that they send the signal out to the rest of the world
that hey, if you're a company, if your country ends up on the blacklist, we're not going to patch your software, and that's going to make companies think twice about using their software. What are your thoughts? Yeah, I feel like we talked about this a while back. I just don't know how effective this sort of approach is, because how do they block it? Like, okay, if I have a Russian IP address, you just can't get patches.
Okay, well, I'll just go to a VPN and change my IP. I can watch Netflix anywhere I want in the world. Like, how's that going to actually work? I think you're totally right. It's not a smart munition. I think it's a shotgun approach, and you're hurting just as many people as you might be helping. I get the intention behind it. Don't know how effective it is, but I'm not going to claim to be an expert on, you know, the efficacy of patching and things like that.
I'm just skeptical of how effective it is. But I did see, I think Ukraine awarded Microsoft some sort of freedom award or something like that. So yeah, I support the intention. I just don't know how effective it actually is in the real world. Yeah, it kind of feels like it's not incredibly well thought out, you know. I think that, like you said, the intention is right, but I kind of fall on the side of where the Risky Business guys
are, you know, relative to the potential downside, the potential fallout of such a move. You know, the squeeze won't be worth the juice. Yeah, it's always that balance, right? Is the benefit worth it or not? I mean, I'm not going to claim to know everything. I'm guessing Microsoft thinks that it is for some reason. Maybe it's not even a technical reason, it could just be a PR reason.
I hate to go down that route, but it could just be a "we're throwing our support behind it in the way that we think is the best way to do it." I don't know. Not my jam, not my pig, not my farm, on that. Yeah, I'm with you on that. So what have you been up to this week? Moving. So still getting set up. Finally have my office set up, so no longer on a makeshift couch. Got one of these fancy standing desks.
So we're trying this one standing up, which is kind of cool and interesting. But yeah, things are going well. No bear sightings this week, not since the last one our first couple days here. So, so far so good. And like I said, I got a guy with the chainsaw outside cutting down trees. Yeah. So this episode is going live on July 11th, at which point I will be unemployed. Mmm, we will be in between positions. So I'm a drain on the economy, a
drain on the economy. Well, you know, I wouldn't go that far, but I will be leaving my current post and coming to work again with you, and that's going to get the party back together. Very exciting. I'm sure we'll be talking about it more in the future. Yes, the relationship continues as it's been successful for almost a decade at this point, and yeah, exciting things in store. So super happy, super excited that things are working out
the way they are so far. I don't want to jinx anything, but yes, we'll have some new things coming up, and the band is definitely sticking together, and I think we'll have some more opportunities to do some cool stuff, including potentially recording at Gartner
in a few weeks. So if you're going to be at Gartner, ping Jim or I. The plan is for us to both be there, and I think we're going to try to figure out maybe how to do some recordings on site, maybe get some guests, get some comments, feedback from maybe attendees, things like that. Haven't quite figured out all the logistics on it yet, but that is certainly the intention. So that'll be cool and exciting, because you and I were talking before we hit record
here. I can't remember the last time I saw you. I think it's been at least three years, maybe, at this point, other than you being a window on the screen. I was going to say, how do you know it's really me? How do you know it's not a deepfake of me? Somebody's taken over my identity and is projecting out as me. I think it's pretty clear
it is me. Is that, you know, who would come up with this kind of content other than me? Your mind works in mysterious ways, that is for sure. But yeah, I don't know for a fact. But this is actually, should we just get into that
article? Because I think you sent this to me, and I'm glad that when you think of deepfakes, you think of me. I don't know if I should be, you know, honored or impressed or what about it. But there was an article, I think it was from Dark Reading, that talked through basically criminals using deepfake videos to interview for remote work. And this is something that you and I talked about maybe a year, at least, more,
ago at this point, where it was just first coming out and kind of becoming easier for people to use. And I'm curious, when you read this article, what were your thoughts around it? My initial thought was, oh, Jeff is going to love this. Correct thought. Yes, yeah, so correct thought. I guess my initial thought was, you know, look, if you're going to kind of be cutting edge and use technology like deepfakes, why would you use it to get a job?
It seems to me like getting a job is probably not that hard. But I think that where using the deepfake would make the most sense is trying to beat a verified credential system. So in other words, trying to deepfake and show a passport and get access to somebody's identity online to launch some kind of hack. I guess my initial impact was I didn't see this as the use case you'd want to really use the deepfake for.
Yeah, no, I'm more about the memes and trying to get our guy Fletcher into various compromising picture situations, of the not-real variety. But this is actually pretty close. So what I was thinking of as sort of like a threat is definitely the identity verification component, especially. So there's a couple things, right? So deepfakes are an impressive technology. We've seen it in movies, we've seen it, you know, I'm sure people have seen it scrolling through Instagram
and all that stuff. But the technology is at a point now where it is relatively easy to use. Now it starts to be a problem for identity verification, especially in a remote workforce environment, where I am looking at you on a screen right now in our conferencing, you know, podcasting sort of moment here. I am assuming it's you. I'm pretty confident that it is.
Am I 100%? No, 99%. But as these technologies become more prevalent, if you're sitting in an interview, for example, and I know that this has been a challenge for certain areas of the world, where one person shows up for an interview and is not the person that applied for the role. And sometimes it could be for, you know, a relative, but a benign reason: it could be the person is very skilled technically but just has a hard time
interviewing for whatever reason, and they hire somebody to basically be their public face, but the real work is getting done behind the scenes by someone who maybe isn't good on the interviewing side. I think we've probably all heard stories that are kind of similar to that. Now you've got a situation where criminals might be leveraging it
for any number of reasons. You know, the lazy person to me says, okay, well great, I'm going to get hired and get a job in a company, and who knows? They might give me access to something. They might pay me for two, three, four weeks and I never actually do any real work. And in the meantime, I wasn't ever kind of a real person anyway, so it may be tough to track down. So I think there's a variety of different options. None of them are good,
unfortunately, in this case. But I hate to throw out the technology, because I do see the benefit for entertainment, you know, even as an accessibility tool, maybe for some people who require those sorts of technologies. But it is certainly something to be aware of.
I think this is, and also, I think I remember asking Mike Engle of 1Kosmos this a while back, from this identity verification, remote standpoint, and things like liveness checks: how do you know that's not a deepfake? And yeah, I think I do remember his exact answer.
I think they felt they had a pretty good solution in place, you know, for that. I know Adobe, for example, has spent time and money on developing tools to help detect that. But when you're doing remote conversations like this, you may not have the visual fidelity that you can rely on to really inspect pixel-by-pixel to see if shadows are cast in the right way, or whatever it may be. I think it's very
interesting. It's obviously something that I find personally interesting as well, and I think of the bad things that can happen with it, but I'd like to think that there will be some good use cases out of it too. Like I said, I gotta get the memes going for my guy Fletcher. You know, thinking back to my 1Kosmos conversation, my takeaway was we just try and stay one step ahead of the bad
guys, right? I mean, that's probably all you can do. I think if you take a historical perspective, 120 years ago they invented the electric light bulb, Thomas Edison invented the electric light bulb, not that far, 120 years ago, you know, a little more than a lifetime ago. Now look at things, we're even having this deepfake conversation. And so what can happen 20, 40, 50 years down the road? It's just like, I don't think we can even predict. Yeah.
Who knows? Maybe we'll become deepfake individuals ourselves, and instead of streaming our stupid faces, maybe we just go to a fully cartoon format. Yeah. And that becomes a persona. What's the band? Gorillaz, I think, was kind of revolutionary in that spot, where it's a real band, but their public persona was basically cartoon monkeys or gorillas. And that was sort of how they portrayed themselves to the world, until they kind of came out later on and showed their real
faces. But I thought that was interesting. Not that anybody cares about me, I like some of their songs. The other thing I think too is, what happens if someone does a deepfake of, you know, a CEO, and then calls into somebody and says, hey, do this, and it's convincing enough where somebody does it, right? Which we have heard stories of people calling in and doing voice deepfakes and voicemails and things like that, where
things have gone awry. But I think now, as we get to more of a distributed remote workforce, you may not ever actually see the person that you've been emailing, and what happens if you get socially engineered, and all of a sudden, you know, a deepfake person comes on and tells you to do something and you trust it? I think it opens up a lot of
avenues. You got to be careful from that social engineering aspect, because as you and I know, social engineering continues to be the scourge of data breach guardians all over the place. Yeah, that's a great point though. Just one more thought on the deepfake is that it makes identity and access management, verifying credentials, all that much more important. All right, now I have a CEO in front of me telling me to do something. Can I be sure that it's him, and not
just that it looks like him, sounds like him? Just like, I got an email, looks like something he would have written, it's got the letterhead, must be from the CEO. It goes back to the next thing that we're leading into, which is just social engineering, and it's still one of the main ways that credentials are being stolen. Yep. I think you want to talk about our data breach of the week?
Yeah, sure. So it's Marriott, and I think we'll have a link to an article in the show notes if anybody wants to read up on it. But it was, I think, within the past week, where an employee at the Baltimore Airport Marriott hotel was socially engineered into giving away their credentials. Now, the article is not clear on whether or not the employee had the data on their device.
I'm assuming not. Assuming that they were connected back into the network and that, you know, the hacker was able to leverage some kind of pathway through that endpoint device back into
the network. It sounds like they got 20 gigabytes' worth of PII data. Now, I think Marriott is saying that hey, it wasn't all that was reported. You know, I think the hackers leaked out that, hey, we got all this credit card information, things like that, but according to the article, Marriott is denying that it was that level of data. But it is kind of concerning, because I think they've run into this scenario several times, where
it's the social engineering. I think, you know, my biggest takeaway, or, you know, it's not even just a takeaway, it's just kind of confirming in my mind what is often the case, which is that a lot of folks in the IT space think that, okay, you know, you can't get through if we're doing MFA, and we're doing one credential per person, you log in as yourself as an employee, and we have good deprovisioning processes. We feel good that the person
has gone through the right checks. However, I think with social engineering, and we had Roger Grimes on, even with him, you could be socially engineered out of a multi-factor credential. Now, once you get into the network, are your network conditions designed in such a way, like a zero trust kind of way, that you're going to be limited in terms of your movement, in terms of what you can access? You can't change
credentials now that you're through the door, and you're not depending on the fact that, okay, people who are on this side of the firewall we trust, people on that side of the firewall we don't trust. I think that's, at the most basic level, what zero trust is all about targeting, which is that traditional mentality that we have a firewall, and inside the firewall it's a higher level of trust. Zero trust says it doesn't matter, inside or outside the firewall,
the trust level is zero. We don't trust you because you're on the inside; you need to be able to present the credentials for the system. Now, the reason I bring all that up is that a front desk worker at one of the property locations, their credentials should not be able to get 20 gigabytes of data. So I'm assuming that, unless the system that had that data was extremely flawed, they elevated to another credential, and that's also cause for concern. But we don't know all that.
We're just, you know, there's obviously an article that's a couple paragraphs long. It doesn't give all the anatomy of the breach, but that's what we kind of know at this point. It's a little light on details, but at the end of the day, social engineering strikes again, the unhappy path, right? I think of maybe people looking for access to things.
It sounds like, you know, if they had MFA, it wouldn't have mattered in this case; someone got tricked into doing it. And I think this is where the education component comes in. I think we still see reports, and I've seen that they still show that, you know, awareness and security education is still, dollar for dollar, the best spend, especially for scenarios like this. The challenge is, how do you make sure that you're targeting the right people?
It's easy enough to say, okay, yeah, we'll never fall for phishing. And then the one time that you fall for it is the bad time. So you have to continue, we have to reinforce. And, you know, Roger is quoted on this in this article from SiliconANGLE, and we'll definitely link it in the show notes, but he points out a good thing here, which is the continual reinforcement of that message. Always be alert for it. You start to develop sort of that mindset and that awareness.
But yeah, as a Marriott Bonvoy person, I find it disappointing. Again, I think I saw articles elsewhere that this is the seventh time that they've had a data incident since like 2010. So, you know, if you're averaging one every other year, that's probably not a great stat that you'd want to be proud of. Hopefully things get better, but I would assume they're a pretty big target,
right? I think one of the last hacks also was linked back to China and some espionage going on there as well. So all the more reason to try and close as many doors as you can, and certainly start to look at potentially zero trust, but also behavior analytics,
right? 20 gigs of data, you know, exiting your network should have tripped all kinds of alarms. Accessing that much data should also trip up some things as well, to try and be more proactive about it. Those are all great points. I think in their defense, they've got a global customer base. They are the biggest hotel chain in the world. I love Marriott.
I mean, I went to book a hotel for an upcoming trip, and it was in San Francisco, and the number of boutique hotels that came back that are now under the Marriott umbrella, really impressive. But I think with having a global customer base, you've got so many different challenges in terms of the requirements for data privacy and really what level of multi-factor authentication is feasible. I mean, the use case is that pretty much anybody in the world
could become a member. They may have a smartphone, they may not have a smartphone; you want them to become a member. I mean, that's your whole business, right? You want everyone to be a customer, at least. You know, I think now we're thinking, like, B2C, and in that scenario for MFA, you know, how does that MFA work differently between
B2C, B2B, B2E? This is actually a conversation that I started earlier today with my new friend Nick. We were kind of talking about, you know, what's the difference between customer MFA versus what I'll call workforce MFA. And I'll lump B2B within that workforce environment as well, because typically they might be an extension of your workforce, or maybe like a supplier or something like that. But it was an interesting
conversation, because I think that at face value, it's like, oh, it's just MFA. But as you and I know, anybody probably neck deep in IAM, they are very different beasts and very different use cases and very different user experiences that come along with it. And I guess maybe this is where we'll kind of take the conversation for today: what is the difference between customer MFA versus workforce MFA from your perspective? Which do you think is harder to do?
You know, I think one of the hardest things to do in MFA is to get the user experience right. And I kind of feel like the user experience on the customer side is a little bit more difficult. You've got to get it more tailored, and what it ends up doing is requiring you to scale back having a complex process. So you compromise strength for usability. On the employee side, I think the workforce audience tends to be less that way.
So for example, and I think this conversation has so many tentacles, but from a technology perspective, most MFA technology that works for the workforce will also work for the customer. So one example is SMS text for one-time password, a time-based one-time password, and you get it sent to your phone. And you see that in so many different customer scenarios, because they have the person's phone number on file, and sending them
a text is pretty much universal. It will work whether you have a flip phone or you have a smartphone. However, I think on the employee side, having worked with so many customers, I rarely see anybody depend on SMS time-based one-time password. When you do see it, it's usually as option B or option C. And I will point out that hacking that kind of scenario is usually based on the unhappy path. So it's, oh, my other application is not working. Okay, then we'll just send you an SMS.
Oh, I don't have that, I just changed my phone number. Okay, well, just log in with the secret questions. And I was like, okay, yeah, I've got the secret questions, because they got dumped with, you know, this big data breach that happened somewhere. But yeah, that's that. So what's harder to do? I don't know that one's necessarily harder than the other, except that I think, if you're saying which one's harder to do in a very secure way, I think customer is harder to do
in a very secure way. Yeah, I can see that. I mean, just the sheer footprint, right? Number of customers you might have, the variety of devices that might be out there. And I think that's why we see SMS continue to be leveraged, even though it's not, you know, even recommended at this point to keep using; it's still better
than nothing. So you see that as sort of the fallback plan, sometimes even the primary for some organizations. I guess I see them as equally difficult, but for different reasons. The customer side, definitely the user variance. But I feel like for the customer side, you can narrow down the paths pretty specifically. We're going to do SMS. We're going to do email magic link. We're going to do only push notification through our own branded app that you need to
download from the store, right? Something like that. And I feel like still, traditionally, organizations are willing to spend the money on customers on security, on usability, on the user experience, versus the workforce, where sometimes they'll put up with a less than great experience because, well, it's just our workforce.
We don't really care. Yeah. About their experience, which I don't think is the correct way to approach it. And I think on the workforce side, you get into really interesting and very specific use cases, where how do you deliver MFA to a variety of personas on the workforce side? Sure, there's going to be your typical office worker who might have a smartphone, and
that's it. But what happens if you are working with somebody who works in, like, a clean room environment, or a shop floor, or someplace where they can't bring a physical device in with them? How are you going to deliver to them a multi-factor device? They can't carry a phone, can't carry a token. Is there a phone call that they get, maybe, and they have to do voice verification? Is that a retina scan, a fingerprint?
You know, I think you get into some really interesting use cases on the workforce side that you really don't need to account for as often on the customer side. And so I think it depends, which is a great consulting answer. Let's see which one's harder, but I feel like workforce can be harder, depending on how complex your authentication scenarios look. Do you need to account for
something like that? If you have a pretty basic workforce, it's just, hey, we're all logging into Microsoft, and we want to turn on, you know, MFA through Microsoft, that's probably pretty easy. It's always the details and those edge use cases that trip up a lot of organizations. And then they start developing, and it's like back doors, maybe not back doors but alternative exception paths, that might be easier to exploit than just having a standard process that
all of our users go through. All of our customers do this. Maybe not all your employees do. I think if you paint with a broad brush, generally speaking, the customer side scale is way greater than the workforce, I'd say. All right, I mean, there are certainly companies with enormous workforces, and there are certainly companies where their customer footprint is relatively small. But let's assume customers in the millions, workforce in the thousands. It makes it very difficult to use
some of the stronger technologies for MFA, like authenticator applications. One of those scenarios where I've run into it personally a few times is where you change devices. So even if you're going from one iPhone to the next generation iPhone, you back up the iPhone,
restore the new iPhone, it doesn't bring over the authenticator app information. You have to re-register the device. And if you do that, before you do that, you get rid of the old phone, or you've already wiped the old phone, you go to access the applications, like, oh, so now what do I do? Okay, maybe they have a backup path, but if there isn't a backup path, what do you do? I think from a customer IAM perspective, you'd have to think through that
whole scenario. And do you want to put your customers through the headache of having to call the help desk? Well, if it's a banking scenario, or, it always comes
down to the risk what your answer is going to be. And probably you have to ask yourself a question, like, is my customer going to go through this, or are they going to abandon doing business with me? And so, if your level of affiliation is not so strong, I think at that point the most you can do is like an SMS or an email. So the challenge is you might not be implementing the level of security that you want to implement, because we already know there's a lot of
weaknesses in a lot of ways around SMS and email, especially if you're dealing with people who'd be like a target, like, you know, politicians or human rights activists or celebrities, things like that. They're customers of different places as well, right?
And people love to get their accounts. You know, thinking on the employee side, I think putting those strong controls in is very reasonable, and not even to say, like, we don't care about the user experience, but if you get to the end and you go get a new device and you have to call the help desk because you didn't do things in the order you should have done them, or for whatever reason, you're still talking thousands instead of millions, and it's more feasible, and plus you're
paying those individuals. So there's some level of expectation that comes along with that. Yeah. I think about it from blast radius too. If a customer account gets breached, what can they actually do with the customer information? One person's probably not going to have a good time, or maybe a family, right, that might be associated with that. If an employee account were to get breached, I think the blast radius tends to be larger in that case.
The damage might be more significant, relatively speaking. Now, if it's the wrong person on the customer side, that could have catastrophic issues as well. But where is the most damage
going to get done? Is it because one customer didn't set up MFA on their account, or that one customer got breached, or because one employee got breached? I see the latter, because we're seeing it on, you know, customer accounts or employee accounts getting breached, and then getting access to other sorts of data within the environment. And Okta had struggled with it earlier this year with one of their MSPs. Okta itself didn't get breached, but the MSP did.
Yeah, that's bad. So the blast radius to me plays a lot into this, to say, okay, well, if the goal is to provide security, it's obviously important to make sure that the customer data is safe. But if a customer gets breached, it's one customer. If the employee gets breached, it could be multiple customers, as we saw here,
potentially, with whatever happened with Marriott. That's why I think I lean towards they're probably the same from a difficulty standpoint, but for different reasons, based on different types of complexity. If it's, yeah, a couple hundred people on the enterprise side, maybe in the workforce, you know, maybe it is less of a concern, or maybe the type of business that you do just isn't as much of a target. Maybe you're more the ransomware target,
just for, you know, getting a few bucks out of you, versus maybe something that's more targeted espionage, or, you know, in a case of war, trying to bring down different services or whatever. I think that blast radius has to play into the decision as well. Do you want to lose customers? No. Do you want your company to go under and lose everything because the proper security wasn't in place? I think that's equally as important, maybe even more
important in some scenarios. Yeah. Well, I think that we're in a scenario where, what's the difference between the two? I think, technically speaking, the technologies work the same. The same sets of technologies can be used for either scenario, but some of them, an SMS is an SMS, or a magic link is the same, or a push notification. They're all the same, they work the same, right? And you know what? Sometimes I really like the SMS.
You know, if it's something like my LinkedIn account, for example, I need to access it. Do I think that SMS is the strongest form of MFA? No, but I think that using SMS MFA is appropriate for the level of risk involved with logging in to LinkedIn, and that's what I like. You're inviting people to try and man-in-the-middle you and take over the Jimmy Mac IAM LinkedIn profile. Maybe this is where deepfakes get started, all of our millions of listeners who are out there.
Like, oh yeah, you're gonna challenge me. Yeah. Well, you only need a small percentage angry at you, and then bad things happen. That's true. That's true. But, you know, one thing, I feel like I need to bring this up, but
it's so cool, like how on iOS devices now, when you get an SMS one-time password, whether you're in a native app or in a browser-based application, if you have the focus on where you enter your SMS code, it kind of pops up and you just push the button and you're right in. I mean, it's a great time saver.
Yeah, I'm happy Google and Apple have figured that part out. I'll be much happier when the FIDO standards get put in place and we start to see passkeys just live there, and it just becomes, you know, look at your phone to authenticate, or press the fingerprint button or whatever. Maybe even that'll become a whole lot easier. But yeah, so it's those little time savers that make the
difference, I think, on the usability side. There's nobody who likes having to put in a second password, because that's really what we're talking about: SMS is just another password. So the easier that you can get it into the right field and make it secure, the better.
You know, I'm sure there are people figuring out how to scrape that information from the message app on your phone and do man-in-the-middle. I think especially on Google or Android, you know, there are tons of messaging apps; it's not the same messaging app for everybody, and some of those you give permissions so that they can see your clipboard, they can see everything you type. You know, how secure is that?
I don't know. You're really putting a lot of trust into whatever messaging app you're using to not read every single thing you're typing into it and store it somewhere, or be able to capture it and send it elsewhere. So I think there's good and bad that comes along with it. I like the idea of it. I have a little more trust in Apple's implementation of it, but, yeah, everything has a risk and reward to it. Well, you brought up there the FIDO possibility.
I wonder how that would work when switching an iOS device, because are those keys going to transfer when you get the new one, or are you going to have to re-register your device? I'm assuming it's, you'd imagine iCloud can be a big part of this, because that's how the iCloud Keychain works right now between macOS, iOS, and iPadOS.
The iCloud portion is really syncing things behind the scenes, and even if you use something like the Microsoft Authenticator on iOS, you can still back up your Microsoft Authenticator keys to your iCloud account. You go to your new device, log in with your Microsoft account, and then restore your keys from iCloud. So I think, I think there's all these... Are you sure about that? Don't quote me, but I feel pretty sure.
Because I change devices all the time and I rarely have to register new apps within my authenticator. So, I don't use Microsoft for everything; I use Authy for some things as well. So somewhere there is a sync and a decryption taking place that takes all of my one-time password generators from my authenticator app and is putting them on my new device.
I'm not going out re-registering like 50 new apps every time I get a new phone; otherwise I would stop getting new phones. I don't want to do that. No, but I saw, I recently got a new phone with my previous employer, and they're a Microsoft shop and install Intune to create, like, you know, basically... Yeah, it installs an MDM. Intune definitely throws a wrench into it sometimes. Yeah, yeah. Somehow it's creating some kind of encrypted package using the keys
on your phone. So if you have that, I think it makes it much more difficult to take your registration from before and use it; you sort of just start over. Yeah, that's why I think the workforce side could be more tricky. If I'm a consumer, you generally don't see that problem as often, because they're allowing you to move those one-time password generators between devices. If you have Intune or another MDM platform,
there are probably more controls around it by policy that are blocking you from doing that. You need to put a new certificate on, which invalidates, maybe, the previous tokens that were used. You have
to set it up again. That is definitely something that I have seen; the experience is painful when it happens. It always happens at the worst time, but I can see that scenario, and, you know, maybe this tips it for some people to say, yeah, workforce might be harder because of that type of scenario, whereas on the consumer side you maybe don't have that level of control over the device.
So therefore you have to be a little bit more open with it, and just by that nature, it makes it maybe a little bit easier to
deploy. Yeah. Well, I think the other thought that crossed my mind as you're talking about different scenarios, with workforce being more difficult, is, I think you're going into the posture of all of your security tools, how close you are to kind of a zero trust world, because if somebody does kind of slip through the cracks of MFA, you know, are they now in and they can just run wild, or have you established kind of the entry into the network that's going to segment and limit their
access around the network? So I think that element kind of plays into how much risk you're talking about. Oh yeah, for sure. I mean, how many times do we... you know, you people are listening, right? When they log on to their company VPN, can you get anywhere in the network, basically any rule from a routing perspective, or
are you limited, right? That's one of the first steps from a zero trust perspective: making sure that you can only get to the resources you should, and, you know, we see lots and lots of companies that have VPNs that are wide open. Hey, once you're on the VPN, you're trusted. You can go anywhere, do anything you want. And I think if you've got a shot, that's what you want to do. That's still so much the case. I mean, I work with so many organizations, and that's exactly
where they are. If you get on the VPN, you have full access, and it's hard. It's hard to do it. Maybe you're basically, how about re-architecting your IP space within an organization?
If you're small enough, maybe it's not as difficult, but if you're a relatively large organization or you have a pretty complex environment, maybe you have to do segregation between, I don't know, manufacturing lines and SCADA devices, or a power company, or a bank, or whatever it may be, and you haven't figured that out or architected it in advance. That's a lot of work. But it's something we should be doing, right?
I mean, think about it. Like, all right, so I was on the network engineering side early in my IT career, and each office had IP segments, you know, like this IP range for this office and that IP range for that office. And really, you should at the most be able to access kind of the office that you go to, but really you shouldn't be accessing any endpoint devices or printing to any printers when you VPN.
Or if you do, it should be kind of the exception case, or maybe basing it on DNS rather than IP addresses. You should be accessing applications that are in data centers. Ideally you get to the point where you're saying you can only access these IP addresses on these ports. Anything beyond that just seems like it's not good enough. And you see, like in other areas of IT or information security, where we've made so much progress, but we're still in
the muck there. I'd say, let me know if I'm just overgeneralizing here, but I see a lot where there's just very little control when somebody's on the VPN. They've been authenticated, might have good authentication controls, but once they're in, they're in. I think that's the difference. I think it is. I think local networks generally are in better shape, but when it came to VPN, it was just, hey, we
need to get access to everybody. And maybe the pandemic accelerated that for people who weren't ready for it, and they had to put something in place and they didn't have the time to architect the VPN IP space to make sure that they were the way they were supposed to be. So, should they be doing it? Yes. I hope they've started, if they haven't already. You're probably behind on this, but I think that's the difference, right? The VPN angle of it is:
you're coming in, any-any. And if that's what gets breached, and now you have a remote laptop that's been lost or somehow compromised, that's an endpoint that has any-any access to your network. That's bad times. Totally agree. Well, Jeff, we can go on all day with different topics, but I do have to kind of wrap. Yep. Let's go ahead and wrap it up here. Before we go, today is the 11th; it's National State Fair Food Day. What's your poison?
I'm going to let you answer first, because I think we're going to answer the same thing, and I've got a good number of answers I could fill in with. I mean, I'll eat most things. I think, you know, I haven't been too exotic when it comes to state fairs. Like, I've never had a fried Twinkie or a Snickers bar or anything like that, but I do enjoy, we talked about this before we started, a funnel cake. I was like, yeah, that's my jam.
That's my wife's jam too. We try to get at least one per year, you know, into us. But that's where I'm going to go with it. So it's a funnel cake. Do you put, like, a lot of powdered sugar on it? I'd like to define "a lot," because it's the amount to be covered. No. It's like, yeah, you should know. It should be an appropriate amount of powdered sugar. It should not be a mountain that you can stick your finger through and not hit any funnel cake, if that makes sense.
Well, there's also, like, sometimes I've seen them where people get the funnel cake with powdered sugar and then, like, chocolate, or maybe something else on it. Yeah. Or caramel. Yeah. What do you do? I'm plain. I like the funnel cake the way it was meant to be, with just some powdered sugar. But I'm certainly willing to allow others, if they want, to desecrate their funnel cake with various sauces or dips.
Yeah. So I mean, funnel cake is, if anybody's listening who hasn't had funnel cake, you need to try it. Unless you're diabetic, you need to try it. It's wonderful. I too like the fried Oreos, and I will get them once in a while. I'm not a junk food kind of guy, but they are pretty good. And the fried Twinkies and fried Snickers bars, I don't really hang out in the South of the US now, so, you know, you have to get your carnival on.
This will be yet another excuse for my ever-expanding waistline. So, all right, we'll go ahead and leave it there for this week. Appreciate everyone for listening. You know, one of the things that we like to do is have conversations like this. If you've got topics that are out there, feel free to hit us up on LinkedIn. If you want to be a guest, hit us up on LinkedIn. We'd love to, on this podcast, you know,
maybe figure out if there's something that we can, you know, get guests on the show and kind of talk about. I love hearing stories from people who are out in the field, so definitely don't hesitate to ping Jim or me on LinkedIn for that sort of thing. You can catch us online on the web at identityatthecenter.com. We're on Twitter at @idacpodcast. I'm finally getting my office back in order and getting schedules, you know, back in order,
so I'm sure the live stream will come back at some point, but we still have those out there on YouTube, at the IDAC shortcut link, so hopefully people will check those out. And with that, we'll go ahead and leave it for this week. Appreciate everyone. Jim, thanks for your time. Thank you all for listening, and we'll talk with everyone in the next one. Thanks for listening to the Identity at the Center podcast.
If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
