
#195 - Fully Merged Identity Security with Gabe Avner

Jan 16, 2023, 48 min, Ep. 195

Episode description

Jim and Jeff talk with Gabe Avner, Director of Content at Authomize, about his blog post about the merging of identity security with information security.

Connect with Gabe: https://www.linkedin.com/in/gabriel-avner-57a67717/

Read Gabe's article: https://www.authomize.com/blog/2022-is-the-year-that-identity-fully-merged-with-security-a-retrospective/

Learn more about Authomize: https://www.authomize.com/

Upcoming events:

KuppingerCole European Identity & Cloud Conference: https://www.kuppingercole.com/events/eic2023

Identiverse 2023: https://identiverse.com/

Gartner US IAM Summit 2023: https://www.gartner.com/en/conferences/na/identity-access-management-us

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

You're listening to the Identity at the Center podcast. This is the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how are you? Oh, not so bad. Yourself? I'm doing good. And I've been having some thoughts. You know, in our last episode we were talking about: is 2023 the year the password dies?

And I think I made a comment, something like, well, maybe we should say: is this the decade that passwords die? And I got to thinking about it. It's like, yeah, this podcast really, you know, covers the gamut of identity management, identity access management, and I also think we have to be careful when we talk about things, because when I made a statement like that it's almost like giving permission, or it's okay to let the password kind of devolve. And I started to think about, okay, if a breach occurs because the password is kind of pointed to as the reason why your company's on the front page of the New York Times, whose fault is that going to be? And I kind of thought about it from the perspective of, you know, this has always kind of been one of my feelings, whether it was in IT or in information security: you're talking to leadership and you're trying to get funds allocated to do something, right? To kill the password is going to cost some money. You're gonna have to implement some technology to get rid of the password, or you're going to have to have a project at least to get rid of the password. And so you're going to have to communicate to business leadership why they should take some money and, instead of returning it to shareholders, spend it on passwordless technology. And I think at the very least, we've got to make them understand why the password has to go away and it's, you know, it's at the center of so many of these breaches, as it's becoming more and more of a part of that kind of threat landscape. You look at some of the breaches that have taken place over the past year, and the passwords were at the center of those. And so, you know, kind of the perspective that I'm coming back with is just, you know, I think I overshot by saying, oh, we, you know, just a decade. The password dies, maybe that is what truly happens. But as IAM practitioners, it's our responsibility to communicate up to our leadership, to make them understand why this is something that should happen now, happen this year, happen as soon as possible, and why it's worth the investment. Your thoughts?

I have a few thoughts, alright? So, the first thing is, I think it's realistic to say that this is the decade, rather than trying to shoehorn in a seismic change like this. I mean, what we're talking about is the password, right? It is literally the only lock on, I don't know, 90% of the resources that are out there. It's usually just an ID and password. Maybe you have some areas that do MFA or have some other fancy types of authentication. But you're talking about changing the way authentication is done for billions upon billions of different things that are out there. That is not something that changes within a year, two years, five years even, and then you marry that up against, you know, enterprises and budget cycles and how long it takes to get things done. I mean, you think about anybody who's been trying to get, like, IGA or privileged access management tools into their environment. If you're any sort of decent-size organization, it usually takes even just a couple years to get to the point where it's like, okay, yeah, we're ready to make that, and then even those are a couple years out, and you're talking about changing, literally, the way people operate. I think it's a decade-long transition. It's like, you know, going from internal combustion to EVs. It's taken decades to get there, steam engine to, you know, other things, right? These are seismic shifts in the identity space, and you're talking about literally the one thing that is probably the most prevalent security option in the world: a password. It's going to take time to change, all right? But it may not even be the right, like, it may not even be the right solution to go to passwordless. I mean, Martin kind of brought up mainframe in our last episode. We've been trying to kill the mainframe for 50 or 60 years. It seems like they're still around and they're in hot demand because, you know, the skill set for it is so rare. Passwordless to me is an arrow in the quiver of identity. It does not mean it needs to be the only solution for an organization. We talk about risk, and like, okay, well, if we're going to show, you know, the secret sauce for how we make Kentucky Fried Chicken, of course you probably want to have a little bit more than just a password. Probably, you know, the recipe needs to be under lock and key. But if it's the menu to go, you know, to go to your cafeteria, who cares, right? Maybe a password alone is good enough. Maybe I'm just not even having a passwordless line. So I think it's got to be a risk-based discussion around it.

I just, from a realistic standpoint, I think we're talking like a decade transition to really even see it make an impact or make waves, where, like, that's the way the majority of people are authenticated: there is some sort of passwordless approach. I just don't think it will happen as quick as we want it to. I think what has to happen, unfortunately, is you have to have that catastrophic event that shows that passwords are at the level of, like, COVID, at the level of 9/11, at the level of World War Two, that you say, this is life-altering, we need to change this now and there's no excuse for it. And maybe it's not. Maybe, maybe devolving away from the password is going to be fine. Or maybe some kind of attack happens based on the password that's just so catastrophic that, you know, it makes everyone realize. The reason I used COVID as an example: think about it, everything shut down. Now all these companies had to scramble to enable a remote workforce, had to scramble to, you know, adopt MFA. And it happened. Maybe people had their hair on fire and had to work a lot of weekends to make it happen, but it did happen, and it was because of this catastrophic event taking place. And I don't know if that's what it's going to take to get to passwordless, but it kind of seems like it to me. Yeah.

I mean, I get the point on the COVID thing, but I also see other catastrophic events that keep occurring, ransomware and other things, that just keep happening, and sure, that one company changes, maybe, or maybe there's a couple in the industry that change, I don't know. I mean, I'm not gonna even try and say that I have the answer, but I just feel like it is going to be a slow transition, and it will be driven by budgets more so than, like, an event that were to take place. The events might be more tactical for a specific organization, but I still think the industry and business at large will slowly transition over to that concept, you know, in the future. Okay? So let me wrap this up by going back to my original point, which is that we as the IAM practitioners know where our risk lies within the organization, we understand what the potential impact is of somebody getting hold of credentials based on a password breach. And we need to be educating up the chain so people understand that, so they can make the decision about the investment with all the information. Make sure that the leadership understands: here's our risk, here's the cost to address the risk, and then they can make the decision as the leaders of that business. That's kind of the end of my point. Yeah, I mean, everything's gonna be a risk-based decision. So, you know, money is not unlimited.

Resources aren't unlimited: time, people, etc. So you've got to pick and choose the battles. You know, this will be a line item somewhere to say, okay, do we want to address passwordless, or do we want to, I don't know, you know, implement a multi-cloud, you know, security strategy, or will it be identity governance, or will it be, you know, XYZ, right? This is where the CISOs get paid the big bucks, and they sit on the hot chairs to try and balance all those risks. Because if everything's on fire, nothing's on fire. You have to try to prioritize some of that work. So I'm with you. I wish it would happen faster. I think most in the space wish it would happen faster, because the idea is to become more secure but also, you know, it's much more user-friendly. Who doesn't want that? I think everyone wants it. The realistic output, though, is it comes down to money and time, and those things aren't unlimited. So you have to kind of pick and choose battles. What do you think about the upcoming conferences that are on the docket? We've got the Gartner IAM Summit in March, Identiverse in May, and the European Identity and Cloud Conference in May as well, the KuppingerCole conference that we talked about in the last episode. Yeah, some heavy hitters there.

I mean, I'm going to be biased as of right now, because of Gartner inviting us to actually come to the conference and bring our podcast up onto the stage, which is very exciting news for us. So if you haven't heard, Jim and I are actually going to be at Gartner's IAM Summit in March in Grapevine, Texas. We will have some sort of session on a stage with Gartner analysts and put them on the hot seat, maybe. We're still kind of figuring out what that show is going to look like, but the idea is to bring some of the flavor of this podcast and this discussion format and, you know, have a good time with it. So looking forward to that. So I'm going to be biased and say that right now, but obviously Identiverse is a great conference. We know that the European Identity and Cloud Conference in May in Berlin is also a great one too, but it's not from personal experience. We don't know, not firsthand. I have not been out there yet, but I am trying to figure out how we can make that happen at some point, either this year or in the future. Yeah, I wanted to mention, you know, what you said about them having us as speakers at Gartner, or facilitating a session. To me that's such a fantastic opportunity. But I'd also put my personal stamp of endorsement on that conference even if we weren't doing this session. It's such a fantastic conference to learn and to interact with your peers. Speaking of interacting with peers, there's one thing I want to do, Jeff, is put together some kind of meetup or something like that around the community that I think we're building here with the Identity at the Center podcast, to, you know, maybe get everybody together, you know, for breakfast or something, just meeting in the breakfast hall and, you know, take a table or two, push them together and, you know, just get to know some of the people who listen to the podcast. Wow, you're optimistic, pushing a couple tables together. I'm thinking like maybe two or three people might show up for that. Well, I guess that remains to be seen, but prove me wrong, please. It'll be great. Yeah, no, I mean, if folks are thinking about going to the conference, or are surely going to the conference, reach out to Jeff and/or myself on LinkedIn. We'd love to arrange something, some kind of meetup.

Yeah, it's cool to have just conversations like that. You know, we're humans just like everyone else. And I think one of the things we'd like to do is probably tap into our listening audience and try to get some good questions that we can ask the Gartner folks while we're on stage, and maybe put them a little bit on the hot seat.

So I know we've been graciously given some leeway on where and what we can go to, so maybe we'll tap the audience for that. So if you've got ideas or you've got burning questions you'd like to ask the Gartner analysts, send them to Jim and I on LinkedIn and we will pull that into our quiver of questions that we may pull out at the event itself. We should probably get to what we're actually going to talk about today. I know, Jim, you read recently an article on the Authomize website, and we've invited the author of that article. His name is Gabe Avner. He's the Director of Content at Authomize. He wrote this blog post called "2022 Is the Year That Identity Fully Merged with Security: A Retrospective." It's a very long title, but welcome to the show, Gabe. Hey guys! How's it going? It's going great, we're into the new year, we've got new codes.

And I think one of the things that we like to find out the first time we have folks on the show is really kind of learn about their identity background, and you've got a little bit of an interesting one, because I don't think you started here, but maybe you can kind of share with the folks who are listening: how did you get into the identity space? Is it something that you chose, or did it end up choosing you? So I'd say I definitely chose it. My background comes from geopolitical analysis, as a security consultant, intelligence analyst guy. And then I transitioned from there into journalism. And like all good journalists, I ended up getting laid off because things closed down, because there's no real good money in it. And at that point, I transitioned over to startups. And my first startup was actually in AppSec.

So it was a company that dealt with open source security, and that was totally new to me. And it was exciting because a certain large credit agency had just gotten themselves in some hot water at the time.

So those were the players, right? And eventually when I moved on from there, I wanted to find something that dealt a little more with human issues, and for me, identity is kind of that really fascinating cross between, you know, the technical management problem on the one hand, but it's also just managing people and letting people work. You know, there's a front-end, back-end side of it, but just, how do you let people be productive while still maintaining security? And I think also I got into it at a very interesting time, when things started to change. You start to see kind of this more and more. Colonial Pipeline had happened around the time that I got into it, and also SolarWinds, which I'm sure we'll get into at some point. And those were interesting days, and when I was trying to decide, is this the kind of next direction I want to get into, there's just so much going on. So between kind of the news value and just, as a writer, to be able to write about those things, identity was the place to be. You talk about the human side of identity, and I think that's something that doesn't get enough airtime. We always talk about, like, tools and technologies and, you know, standards, and all those things are really important, but at the end of the day it's the human that actually has to use all this stuff and interact. And we talked, you know, Jim and I just had a, you know, back and forth on passwordless.

We're talking about the way humans interact with things, and I think it's interesting to bring more of those viewpoints in, because if something's not usable, it's not going to be successful, or it's gonna have a really hard time being successful. It's going to have to kind of brute force it. So I'm glad you bring that perspective to, you know, the conversation. Yeah, you know, I think security in general is always a question of, you know, usability versus how secure it is. Like, if people can't use it, they're not going to use it. And then, you know, all the best security products and practices can just go out the window because they're not using it. For years I worked with journalists in the field doing, you know, kind of their security, either off in Iraq or Syria, or protesting in states everywhere, and you can be providing the best security background for them, you know, and support. But if they don't want to talk to you, if you're making the system so difficult for them to interact with, they're just going to ignore you, right? So you always have to find, in my opinion, a way to make it super easy for the users to actually want to use, while making sure you are doing your job as a security person. So that's where identity is for me. It just all seems, you know, I feel like I got into identity kind of post-pandemic. It was kind of towards the end of the pandemic, where everything had, you know, jumped to cloud. So everything was already identity, identity, identity, credentials.

So for me it's just a fantastic time to get into it. And now you're with Authomize. For folks who aren't familiar, we've had Gal Diskin on from Authomize. That was episode 98, back in '21. So it's been a couple years, a year and a half or so. For those not familiar with Authomize, what's the, you know, 30-second, 60-second elevator ride sort of commercial for what you guys do? So Authomize is an identity threat detection and response platform. So this is still a new term that Gartner is developing. They have some interesting papers out there that you can check out and get their perspective on it, but it's basically the idea that, you know, everybody knows that you needed endpoint security, and the network security, and the cloud security. And now identity is at the center of security, and it's time for organizations to actually have the solutions that they need, or to have the visibility and control to see, you know, who's using what, who has access to what, how are they using that access, but also, how are their systems being protected from active threats? So it's not just, am I doing posture management. It's, is there suspicious activity? Do I have a way to respond to it as part of, like, you know, the rest of my security stack and the workflow? Like, does it go to my Splunk, does it go to whatever ITSM I'm using? And Authomize is going to help give you that visibility and the control and the context across all the different cloud systems that you're using, and on-prem, to be able to figure out how to do it. Gabe, let's switch topics a little bit. Talk about that blog.

And I want to know: is this title clickbait, or is it something real? So you called it "2022 Is the Year That Identity Fully Merged with Security: A Retrospective." So is it clickbait, or is there actually something special about 2022 that was the reason that you wrote this article? So I try to never do clickbait, first off, because I'm bad at it. We could teach you. That's what we're all about here. No, I've tried and tried to get better at it quickly, because it's good for clicks, but I'm just bad at it. I did always want to use the word "a retrospective" in a title, so that one was a little bit of just wanting to do that. But I think 2022 was actually a very interesting year, because kind of the facts of the field changed. I think you look at 2020, when the SolarWinds attack happened, and Colonial Pipeline that year, 2021, you started to have large identity-based incidents going on in 2021. But at the time it was still state actors.

It was big enough, you know, that there's always this issue in security of, I'm going to get by because I'm obscure, like nobody knows me well enough, I'm not going to be an interesting enough target to be worth putting these, you know, practices in or having these tools in place. And the SolarWinds attack was, you know, reportedly Nobelium, APT29, which is Russian hackers. Basically, you know, it was a very skilled team, and so a lot of organizations said, oh wow, that was a big thing, but they were very selective. It was, from a hacker perspective, actually super interesting in the way that they went. You know, they had access to basically everybody, you know, government organizations, universities, large companies, but they were very selective about who they actually used that access, the front that they got from the supply chain, to actually go and breach. But in 2021, you could still kind of say, I'm not really going to be likely to be a target, because it's only going to be the super elite hacking teams going after strategic targets. And that's not me. Even if it was, people were still going to say, you know, that's not me.

2022 was the year of Lapsus$, and, you know, there was a lot of kind of joking about, like, is Lapsus$ kind of the democratization of identity hacking, because all of their hacks have basically kind of been not super technical. Like, you know, they're not going through and finding, you know, zero-days. They're going in and, like, they're sending, you know, they're, like, SMS. They're doing things to trick the human element, and they're exploiting the identity part of the threat surface. So 2022 for me was the year that organizations started to understand it's not enough to kind of hope to skate by, by, you know, not being a big enough target. Script kiddies basically can now target me with a little bit of software. They need to maybe get past my MFA, so they can annoy the hell out of my people.

And so they just click approve, and it's going to work for them. So maybe I need to start taking this more seriously. And I think that, you know, as identity folks yourselves, you've seen over the years that identity started off, you know, there's always a security element to it, but it was very much kind of an IT kind of, you know, side of the house, right? There was, I mean, you had to make sure you were getting the right, you know, provisioning to the right people, but I don't think it was fully taken as a security discipline. I think that now that has, you know, been proven, by not just kind of the elite-level hacking teams, but also by anybody who wants to try. You know, identity has now evolved into the kind of, like, I hate the militarization of cyber stuff, but it's kind of the next, you know, mud pit where everybody's going to sling it out, you know. So it's the battlefield, it's the mud pit. It's a place where people need to, you know, actually start to take it seriously. And I think if you look at some of the conferences, a lot more kind of traditional security people are showing up to the conferences and have more questions for their identity people. So they're waking up and wondering, how do I get the identity, you know, the data from the identity side? So I'll give you an example. If there's an attack and they realize that certain files were accessed, the way that they're going to be able to understand, you know, what happened there, it's not just going to be by looking at network logs. It's going to be, what did this identity have access to? So I know that they had access to this one file. What else did they have access to? And those are, like, the questions we hear from a lot of security people. And yeah, I think 2022 was the year that they realized they have to start standing these capabilities up, and identity as part of that stack. Now, you brought up a couple points there that I find interesting. I think you described early on the types of attacks, right? Nation-state actors and sort of these very targeted attacks, which is certainly one style.

Then you've got the, I call them, you know, targets of opportunity, which is really where the ransomware kind of comes in. It's not a smart weapon. It's just, hey, who's going to click on this thing? And let me get into their system and, all right, get money off them. And I think that's what causes two current styles of prevention and mitigation and sort of awareness around it. If you are the target of a nation-state actor, they're going to try to figure out, you are the target. Like, they are going to do everything they can to get into your system, and odds are eventually they will find a weakness somewhere and get in, which is a totally different mitigation response versus a general ransomware attack, where it is, you know, kind of spray and pray or shotgun style or, you know, whatever it may be, where, you know, you have some mitigations you can do about it. It is probably a little bit easier, I would think, to try to defend against, because it is the human element. Don't click on things you shouldn't click on, you know, watch the URLs, watch for the spam attacks, right? Things like that. Phishing, right? All that stuff. But there's still certainly a limit to what can be, you know, what can be effective from a mitigation standpoint. So I think you've got these two different styles of attacks, and I guess, you know, obviously identity is important to both, but where do you see things going? I mean, I don't see either of them going away, but are we just becoming more jaded to, yeah, of course there's hacking, everyone's hacking each other, so what are we going to do about it? Or are there specific things that you see, that you point to as a trend, to say, you know, I'm seeing more of this, maybe in your own, you know, research or the things that Authomize is putting together? So there's, like, a ton of stuff there. So, where do I see things going? I'll start with: I think I see things going to attackers focusing more actually on the identity systems and identity management providers and other identity infrastructure. In the past, you know, Lapsus$ itself went after a very well-known identity provider, and one was also recently targeted and had their source code stolen. I think that, you know, you're seeing more and more attacks going after the infrastructure, because they realize that if they're able to pop the infrastructure, they can hit everything else that is downstream from there. So I think, you know, in the same way that, you know, SolarWinds was targeted because it was a perfect supply chain spot, it's a breach. You're going to start to see that happening also more through the identity space.

I agree and disagree with what you were saying before. I think, of course we're jaded. If you're not jaded in security, you're gonna burn out real fast. I think that when you look at state actors versus criminal or, you know, just general malicious, it's some dude's job to show up every day from 9:00 to 5:00 and try and hack their target. They don't care about, oh, I like that. That's their job, you know, and they'll keep going till they hit something, but it doesn't necessarily mean that they're going to achieve all their goals. And I think that, you know, if we're assuming breach, which is kind of how we deal with, you know, the post-post-post-mortem of the perimeter being dead, I think that we have to assume that somebody's already, you know, if you're interesting enough to them, they already have something inside of you, inside of, you know, whatever perimeter, because there is still a perimeter, but it's just changed. We'll get to that later. The question is, how are you mitigating? How are you keeping them away from kind of the really important things? So I don't think it's a binary, you know, they're a nation-state actor, so therefore I'm gonna get popped.

I think that we can be a little more optimistic than that. I think, though, that when you're talking about the criminal groups, what's the problem with that? I mean, there's only X number of nation-state actors who have good hacking resources. There's an exponential number of criminal crews who think they can make a quick buck. So I think that the more we're able to frustrate them by, you know, maybe getting rid of passwords, maybe doing other things that are just kind of low-hanging fruits to make their jobs harder, the more we can maybe encourage them to go look elsewhere when it comes to, you know, finding a target, because criminals do care about ROI. They don't care about how they get to you, or how they make money. They just want to make money. So, I'll give them that.

Yeah, I wanted to kind of, well, first I wanted to make a comment, because I think you did a real good job about, you know, not pointing out the victims, whether they are, you know, vendors or not, not picking on the victims, naming names, and things like that. Because to me, it's kind of like, you know, a lot of these breaches that are happening, there's a victim and then there's, you know, a group that is hacking that might be destroying their business or destroying their brand, and there's real people that work there, and there's real victims of these crimes. And I also think that a lot of times when you just keep saying the names of the victims over and over again, it almost becomes, people start to take it that it's their fault, they didn't do a good job of securing things. And a lot of times when you dissect these hacks, it's a lot of things almost everybody's doing: relying on third parties for, you know, whether it's customer support or whatever, or they were storing credentials in the cloud. Okay, can you really look at yourself in the mirror and say, hey, I don't do that, I would never be stupid enough to do something like that? I've worked in enough large companies where even the top technical architects don't have that visibility across the entire company. And so I think it's a good practice for us, and we follow it on the podcast here, because you can go and find out who the victims are over and over again, but not to name and shame them. So I, you know, I just want to tip my hat to you on that. I noticed that you really work hard to avoid that.

The second thing that I wanted to say is, you know, going back to the question about your blog, is, you know, really pointing out 2022 is kind of the year identity became the center of the infosec world. And look, we have a podcast called Identity at the Center, right? So we've been thinking about this for longer than the three and a half years that we've been doing this podcast.

However, I do think there's kind of a point where, you know, it's like a tipping point, and maybe 2022 was the year of the tipping point, where it's like, enough people are now buying into this that it is now truth: identity is at the center of information security. Wait, hold on a second, Jim, I'd like to, I'm going to make that a sound bite. Identity at the Center is a truth. There we go. Cut it, print it. Sorry. Good, ready, sure, it's ready for publication, billboards.

No I mean by on your first point by The Graces you know go us when it comes to hacking it's just a matter of how bad is it if The dive of RSS feed of come from breaches dotnet and it's just a constant constant constant flow of, you know, this hospital or that the University or this. Somebody heard this. Like, I think some government office at on La yesterday. Got the ransom, we're just, it's a constant flow. So I mean, hacks happen and in

organizations. Especially the larger, they are the worst, they handle things, you know? I'm just even the most basic of security things like patch. Everybody's always saying patch patch patch. How often does something happened to cousin from somebody didn't patch because it's hard, get doing things, a hundred percent, right is just it's impossible at the end difficult

to impossible. So it's even if somebody didn't do what they're supposed to nobody's doing what they're supposed to. Well, yeah, I think the to the next point that I wanted to bring up, I think this is point, which is unless you're to unplug, there's really no way to eliminate 100% the risk. You tackle the topic called identity and access its risk, and this points back to the conversation. Jeff and I were having earlier around aiders these risks out there.

We understand them as I am practitioners, we need to boil them up. To the people who make decisions about Where the money goes but we have to explain to them the risk. To me the risk is, you know, the likelihood of an event and the impact of the event and there's different ways to mitigate that. Usually they have a price tag Associated through them and you have to choose we all make choices in life, right? About what risks were going to accept object? I ride a motorcycle.

That's risky. Ready to participate. In fact, a lot of people You'll think I'm stupid. Okay, but it's a risk. I choose to take righto. In fact, I pay for that risk. A lot of money for that risk but you get the point. So I'm wondering, you know, what was that about for you? So from my perspective, what people need to understand is that you with with no risk, there's no reward every bit of access that you're granting is a risk. And That's just part of doing

business. You know, if you're going to, if you're going to open somebody up an email, open up, you give them access to the resources. They need to do their job. That's a more than acceptable risk. You just have to be able to work into your threat model of. Is this, you know, juice worth the squeeze. and I think that, Organizations are starting to really understand that identity. Again, comes back to the to the to the Billboards.

We need to put start putting out is at the center of, how do you provision access? Its that key, it's no longer. Am I at the office? It's no longer. You know what endpoint in my login on to, it's about who you know, who am I? And all acts as kind of revolves around that. So if you're not basing your Risk assessments around identity and access.

Then what are you basing? It on now, I mean, it's just kind of so so essential to I kind of feel like again kind of I feel pretty strongly that executives are the ones who are there. Some group that makes its decision around? What we're going to invest in if they don't understand the risk. Other words, the likelihood the impact. But you know, they everything that leads up to it, then it just becomes another acronym, we need ite Dr. And it's going to be a million and a half.

Like, okay, that's too much. Well, that might be exactly what they need to cut their risk. But unless they understand what, I, what I get for that. And they also have to realize that that's not a insurance policy. In other words, like, We do end up getting hacked. We get all of our money back like there's right. It's not a guarantee. So, anyway, that that's my thought on it as a risk. I did want to touch on one other

thing that you had in the blog. Which is, you know you talk about identity is the new security perimeter. To me, the sounds like zero trois. I wonder, should we say zero trust By Any Other Name. Is this Gabe's spin on zero? Trust What is that? What you're talking about here essentially is like the whole zero trust piece. Yes, short answer. Yes. I think that, you know, to go

back to what I said before. When you assume reach, you assume that, you know, whoever is trying to attack, you is already inside, you know, that there's no more castles and mode stands and big walls. We live in modern cities inside of me. Turn City. You know that there's no more Good Guys inside bad guys outside. You have to understand who every person is that your you have inside your city as much as you can and, and live with that risk.

So zero trust. I mean again an overused marketing term at this point but it's still a good idea, you know, the concepts like least privilege. I mean they're good ideas. Yeah, that's the unfortunate part. Is that it's kind of been like, oh, that's just a marketing term low. So it's probably one of the most important fundamental concepts that have saved information security in the past 10-15 years, you know? Well it's a it's a great concept like it. It makes sense but it's like

anything else, right? It gets. Obfuscated in overused by everything, right? Everything is zero trust. Now. Really come on. Well, yeah, I mean it's It's a problem because as soon as one person, you know, what was the c-suite starts understand? This is what it's you know is something I need it soon. As you have you know executive orders from the web, the White House saying you need to take a zero just to you know architecture approach. Then everything's going to comes here at rest.

But what I like about zero trust is it's it's an acceptance of risk. It's acceptance of, I have these risks in my environment, my environments. So, any ideas that I have of, you know, everything has to be 100% safe. Everything's given to be 100% anything. Go out the window, it's all about. How do I mitigate risk, how do I let my people continue to operate and then me as a security team, Put all the efforts that we can and place at the end of their possible to minimize that risk.

And and that means, you know, doing a lot of dynamic analysis, kind of activity, from behind the scenes, trying to lower friction as much as possible with through a lot of Technologies. But also I think that there's a cultural aspect of getting people used to the idea of,

okay? I'm going to have to, you know, take my phone to do a facial recognition, like a facial Faith ID in order to To get into my my password manager or it's new, its authenticate into to Microsoft or whatever it is, you know. I think that all those things are part of creating a more secure culture, you know, at the at work but it's I don't want people to be so annoyed with, you know, the marketing term that they forget. You know that they throw the baby out with the bathwater.

I think that's a real good point. Yeah. Like it is I think it sounds to me like we're all big Believers in zero trust and I think there are a lot of people. Rightly. So I think it is. You're totally right on. Their right. Is, the term has been overused and it has been applied to every single product out there in the security space to jump on top of it. But that doesn't mean that it's not a sound strategy. Well, it's not a product, they're exactly.

And I think that front part that people, yeah, that's right. Is there is no 10 trust product. It is a combination of several security Concepts and strategies pulled together is very effective when it is pulled. Together as a group, right? For so I mean there's some vendor and I'll pick on a vendor. Just anybody out there, right? To say that, oh, we are the zero trust thing, okay, you're not the thing, you're a thing in the zero, trust ecosystem, right?

Security is all about Stacks anyway, right? It's the other layers, exactly. And and zero trust is, is, you know, and whatever product you have are going to help you do zero, trust better, you know, you can easier MFA, you need your itd. Are you need all the Things that you're going to help you do that but no one product is going to do is going to be that. It's going to be about.

How does your organization actually implements those tools and actually work with your Workforce to use it correctly? Like how do you, how do you, how do you actually empowering people to do security better? Yeah, I know. We're in shorten the Scion time and I want to make sure I leave enough time to ask a Brazilian jiu-jitsu question. If I can, we're going to end on a lighter note. And one of the things that we were talking about is we're sort

of getting prepped. As you mentioned, that you study. Jujitsu and I'm not super familiar with it. I took Taekwondo very long time ago. I don't think Jim is taken any martial arts other than maybe some sort of like word kung fu for developing presentations or strategies things like that. What is something? What is something that people need to know about? Brazilian jiu-jitsu that you

don't think is well known. There's all kinds of good means going around about about Brazilian jiu-jitsu at the the gentle art of folding people's clothes. As with that, but I'm still in it. I love that play. Really? Yeah, the the memes on BJJ go deep. I think that the thing that I always like to tell people who are getting to it and we actually have a couple guys on the office to do it. And and also just in my group we have a lot of security people to kind of a side note.

I think that the big thing is kind of embrace the suck and embrace being bad at something for a long time. Race. Somebody really just just switching the hell out of you and and hurting you for a while until you learn because at some point you're going to get

better. So I've been doing this now for 11 years or so before that I was a bad Thai boxer and before that was a bad wrestler but you know it's like anything that you if you get used to the idea of sometimes, you can have some good days and some bad days you're going to have some days. We just, you know, give you six months with Nothing goes right? But eventually you learn and I think that that's kind of something know about that and it's a good, you know, as a

parent as as other you know. It's a good way to a good way to is to approach life something. I think that so if you if you take that that idea and you go into Jiu-Jitsu with that approach, you're gonna have a much better time and I'm going to last longer. So I'm going to take take this recording and I'm going to chop it up. So that it says Says basically, you know, Gabe is saying use Brazilian jiu-jitsu as a parent on your kids.

So I do I do and my, my young child loves to give me an arm bar as and hates it when I give him. He'll hooks. So you know, it's It's hard to do, it wasn't like holiday tradition, armbars and heel hooks all around the around the Festivus Pole or something. Well, I can't use too small to actually get a proper heel hook on it. So it's I'm working on it. A friend of mine came up with jiu-jitsu for on babies.

Okay. You know, it's especially when you're changing diapers to go to control the hips very important. I think that's gonna be a whole library of other episode. It will need to get into it. I know right time Jim. What are your thoughts on? On Brazilian jiu-jitsu or BJJ something, you know, you taking risks, man, you ride a motorcycle. Yeah, I do. I do bad boy. What what, what what kind of motorcycle, it's a Kawasaki Falcon. Okay. Yeah, it's not super expensive

but I did make it sound. Like I spend a lot of money on it, but I spend some money on it Insurance. Exactly. And getting not actually as good on gas to. Yeah, as far, Is BJ. I don't have any tips for anybody because they've done it. Never done any martial arts but I've watched a lot of Bruce Lee, you know, Kung Fu movies and I would say that my tip from watching those movies is you don't have to speak perfect

English to speak, perfect. English, you know, your mouth just moves and then the words come out and they are crystal clear, kind of like a podcast. All right, let's go ahead and leave it there for this week. Gave thank you so much for being with us on the show. Today, I'm going to have a link pleasure, LinkedIn profile on our show notes along with the article and the awesome eyes. So people could learn more about

what you guys do over there. So feel free to connect with Gabe. If you've got questions, agree disagree. I'm sure he's happy to engage. I'll just throw you out to the will always like that. Always, always bring it. Bring it. Bring it. So we'll go ahead and leave it there for this week. You can follow us on the web where at idac podcast.com. Mom, we're on Twitter at.

Idac podcast, we started a mastodon account over, the winter break at idac podcast at infosec exchange which is a total mouthful we did is we did a bitly link for that. Yeah. No kidding, right. That is be like better somehow. I'm not sure how though. But anyway, we're going to go ahead and leave it there for this week. Thanks everyone for listening and we'll talk with everyone in the next one. Thanks for listening to the identity at the center podcast.

If you like what you heard, don't forget to subscribe and visit us on the web and identity at the center.com.

Transcript source: Provided by creator in RSS feed