This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How's it going? Not so bad. Yourself? Did you know that I was on stage for the keynote here at Authenticate today? I did, because you were sitting right next to me. Pretty fantastic, huh? Yeah, it was cool. Yeah, good time. First time having done that.
A little bit rushed, but I think that's just the nature of going last in a long sequence of activities. But, yeah, pleased with the way it turned out. How about yourself? Yeah, it was fantastic. It was a lot of fun. I think that we're going to save that. We're going to get the recording of that and then drop that as the last episode from Authenticate. We'll do that at the end of next week.
Anybody who's interested in listening to that, we had a, you know, it's a pretty short power-packed episode, really focused on passkey deployment. Yeah, it was like the Cliffs Notes version of the Identity at the Center podcast. Yeah, very much so. It was fun. It was like, big crowd. I think it was, we set the record for the most people listening to our podcast at one time. Yeah, which wasn't probably too hard, I don't think, but. No, probably not. Hey, we got to start somewhere.
At least I'm happy because I got my shout out to Nick, the Segway camera guy, who is, I'm sorry, Andrew and Megan and Adrian and others, but he's the reason I really came to Authenticate. The guy's a star. I mean, he's on a Segway. He's got like this gimbal with like cameras and stuff like that. He's zoomed in all around the room back and forth. I mean, that guy's a superhero right there. But it's not even like, it's not even like a Segway, like you see in San Francisco with the handles.
Things that preteens stand on and zoom all over your house and follow and hit their face on, hoverboard. I mean, I don't think they call them hoverboards, but it's not. Yeah, it's not a hoverboard. I saw Back to the Future. That's not a hoverboard. So what are you thinking about the conference overall? It's good. I'm glad to have gotten through our thing. And now I can feel like I can enjoy the conference. Yeah. Like I say, probably true for anybody.
When you're getting on the keynote stage, it's a little nerve-wracking. So yes. So we've got also a guest here sitting with us in this room. A couple of fine folks also watching us, staring at him, technically. But we've got David Mahdi. He's the CIO for Transmit Security. He's been on the show with us before. Hey, David. Hello. How's it going? It's going. And I just want to make a comment about the gentleman that's on the Segway. Nick. Yeah. Respect his name.
Nick, I'm going to go, well, I haven't met him personally. So I appreciate that. But I'd say maybe it was almost like the thing in Aliens, but not the exoskeleton. Yeah, yeah. It seems like an exoskeleton to me. Yeah. And I'm just waiting for him to press a button and to turn into something much more. You guys are so sci-fi. I don't know who you're talking about. You're talking about. Yeah, I think that's what I'm doing. I'm really good for his cool. That's what I'm in.
Well, maybe that's why I got in the identity space because I thought, you know, although the biometric scanners and everything they had in all the sci-fi movies in the 60s and the 70s, you know, we would get that eventually. Yeah, you make it real. We're actually here now. We're actually here with biometric scanners and passkeys and all these types of things. So yeah. Yeah. Yeah, I spent a lot of time at a conference last week at Identity Week that was almost 100% like retina scan.
Oh, really? It was like that. I mean, it was a big kind of, used to be a government conference. I think they're trying to branch out more. But yeah, lots of retina scan products on offer for whatever authentication needs you need. I mean, that's, we've come a long way in a short period of time and just how all the stuff is in like these consumer devices when not long ago you'd see them in movies and go, oh my gosh, there's Tom Cruise in Mission Impossible One.
And he can't set off the biometric scanner or else the room is going to explode, right? And now you can just go and buy a phone that has that in there. So yeah, you imagine how ridiculous of a hack that would be in the real world. Tom Cruise coming down through a vent, right? Dodging the fans and then hit the laser floor. I'm like, no, today it's just someone stole your password because you used it at Instacart. Yeah, exactly, exactly. Exactly, exactly. It doesn't need to be that elegant.
It never is. The movies always do that. And someone calls a help desk, initiates a reset and bang. You're done. Mm-hmm. Or your slot machine's not working. Anyway. Yeah, exactly. Your role as a CIO. You've been on the show before. I'm not going to have you rehash your entire identity origin story. But one of the things that we have started to get to more is about roles within identity organizations. You're at Transmit Security and you're the CIO.
We also are jokingly talking about the chief identity officer as the Cheeto. It's what we're starting to call it. Nice. Please, I am anyway. And so is Jim. Tell us a bit about your day-to-day as a CIO of a security company like Transmit. Yeah, so CIO of a security company. I mean, obviously the dynamics are a little bit different.
I know things like machine identity are really important to us because we see that as protecting the identity infrastructure that we host for clients and especially building identity security solutions. Attackers are looking at all this stuff more and more and more. We see that with Okta, unfortunately, and others. And Pamela Dingle from Microsoft today at Authenticate, she talked about that. She talked about how identity infrastructure itself is being weaponized against us.
So as a CIO of a security company, myself and the team, we take it seriously. So just practicing everything that we're preaching with customers. But it goes beyond technology. It goes along with your people and your process and how you drive all those. So kind of being in that type of role, I look at kind of all three of those areas and you know, I don't always look for a technology to solve the problem, right?
Sometimes it's just changing a process or improving a process or having someone do another review, making sure it goes through certain gates, right? And there's a consistent workflow all the way through. Again, almost like that Tom Cruise thing. It's not always the elegant things that you think are going to save the day. Sometimes just actually taking a look at a workflow and improving it and kind of going from there.
So in this kind of role, it's kind of neat because I get to have this internal focus. But I think where I have a lot of fun also is the external part of my role, kind of doing activities like this with you guys and evangelizing all of these things as well. Because I don't think Transmit would be able to keep my mouth shut.
Because I'm the kind of person that I'm like, hey, I discovered these really cool ways of dealing with problems or, you know, where our research lab is seeing evidence of some more AI-fueled fraud.
I feel like I should go and talk to the market about that, especially when, you know, I talk about things like authorized push payment fraud, which, you know, I talked to someone about that and if you know anything about it, but it's interesting, it's being able to attack you without doing an account takeover. So anyway.
One of the things I thought about Pam's presentation today was she was talking about the evolution of the Microsoft Authenticator and I thought that's exactly what technology companies need to be doing, right? They need to see, put something out there and see what the challenges are and they need to just keep improving, keep improving. Is that something you're finding as well? Yeah. So I also take it upon myself and my role as well to see that.
So it's not just, you know, going out and evangelizing and pushing, it's also pulling and working with a lot of identity practitioners, cybersecurity leaders as well because cybersecurity pros and identity pros we need to come together because attackers don't, they don't care if you're an identity person or a cybersecurity person or a network infrastructure person, they'll get it in however way they can.
So I think as in terms of, you know, thinking about what the problems and the outcomes that customers need, right, don't just go and say here's an identity verification solution. It's like, well, why does the customer need that? Oh, because they're trying to securely onboard their clients and they want to reduce fraud and they want to also make it easy for their clients to securely create accounts, right?
So okay, well maybe we come out with the product to solve part of that because that's all we can do today and maybe that's how the market will bear. But over time, talk to these customers, see what the market's doing. But then also going back to like APP fraud and all this, looking at what the fraudsters are doing and also trying to incorporate that stuff in your product as well. So it's not just the customer saying, oh, we see this.
We also have to take it upon ourselves to say what types of threats are out there and how can we mitigate and productize that to help protect the market. So you do a podcast also, right? Yes. Yes. The Week in Identity with Simon Moffatt from The Cyber Hut. Tell us a little bit about that podcast. Yeah, that's awesome. So Simon, we're fans of you guys too. And for us, Simon is an analyst. I'm a former analyst.
So I think when I left Gartner and Simon left the vendor space and he got into the analyst space, we kind of got together. No, he was at ForgeRock. He was at ForgeRock. Yeah. So it was kind of interesting because as I was leaving the analyst life behind me and he was picking that up, we had a talk. I gave him some pointers on good things and bad things about being an analyst. Just pointers. Things I've learned over the years in terms of what works. And we just said, hey, you know what?
Let's just, why don't we just record this, right? I think it's not on like both of you. That's right. That's right. Yeah. So I decided to record it and I honestly just see it as a way of us just catching up every week. And hey, what happened in the industry, you know, typically focused on news, you know, acquisitions or, you know, new protocols or specs or last week we talked about NSA and CISA's top 10 misconfigurations.
Yeah. So I listened to part of that and then I was listening in my browser and somehow lost the page. Oh, okay. It was a good one. Yeah, right. So it's just stuff like that. And I think it's, we try to keep them short. So you could just, yeah, listen, listen on a quick walk or something like that. So yeah. Yeah. I have a question for you. So we've been podcasting, we're up to episode 230-something. I think it's 238 out this morning. Okay. So this will be 239.
Is it a lot harder than you thought it was going to be? That's a good question. Now, I should say Simon, Simon does some of the heavy lifting in terms of recording and everything else. So I'm just a pretty voice that shows up. Oh, okay. I got you. So you're the easy part. I got you. I got you. Yeah. That should be a question I'm asking. Simon has his conversation. No, I know. All the scheduling. So there's a lot of work that is just a lot of work.
Especially when your co-host travels all the time. Yeah, he does. It's starting longer. But let me just say for the audience because we're not on video. Jeff is surrounded by all kinds of devices, not unlike Nick, who is on a Segway with all sorts of contraptions around him. No, but I appreciate it. I appreciate it. I appreciate it, for sure. So your topic this week here at Authenticate, why don't you tell us what it is and why you chose it and why you're talking about it?
Yeah. So the topic is an area that I'm super passionate about. It was an area that myself and Erik Wahlstrom, who's a Gartner analyst, we kind of helped define this space, and it's machine identity management. Specifically, the presentation I'll be doing on Wednesday at Authenticate is Rise of the Machines: Why Authentication Is Needed for Both Humans and Machines.
And really, the thought there is that we've spent a lot of time with identity as and as we should focus on humans and totally make sense, right? All these types of authentication factors, how we use them, when we talk about UX, user experience, but the users have been human. Humans, right? And so when we think about machines, really what those are, there's kind of software and hardware, right? There's kind of two flavors.
So if you say hardware, you're talking IoT, OT, OT would be operational technology, so MRI machines or other types of manufacturing equipment, ultrasound machines, you name it, that's OT, IoT, different types of sensors, all sorts of things. That's on the hardware side. Oh, I should also say laptops, desktops, mobile devices. Devices. Devices. On the software side, though, that's where things get really interesting.
And not to say that the hardware side isn't interesting, but software side, you've got virtual machines, you've got containers, you've got workloads, you have software there, you've got all kinds of software. Exactly, right? So if you just think about the machine service accounts. Service accounts. All kinds of things that aren't, quote unquote, human, right? Now there's a couple of flavors of that too, I should say. There's supervised and unsupervised. So what do I mean by that?
So a supervised machine, you could think of it this way. So if Jeff creates a script to run on your machine, that's on your laptop, that's a machine. But that machine effectively is borrowing Jeff's rights and entitlements, right? It's ceiling would be whatever access you have. And I have to initiate it at some level to start the work, correct? Or you could create a bot. Yeah, right? Where it could learn, but it's going to be like a derivative of your identity.
So it's kind of like, it's Jeff, but just a robot version of you. And so we say it's kind of supervised. You're not going to really let it do anything crazy. Hopefully not. Hopefully not. That's supervised. Unsupervised could be like a chatbot on a website. Say you go to like T-Mobile's or Verizon's website. And just by virtue of you going there, it's typically event driven. The event is a new user goes to a website and boom, a chatbot pops up.
Hey, Jeff, last time you were here, maybe using a cookie, you had a problem with your bill, right? So that machine didn't exist before you went to the website and now it exists. It's taking signals from whatever transmission of data is coming from your browser or whatever signals, right, to drive that. For the record, I hate those chatbots that pop up on them. They are the most annoying thing in the world.
You know, they, some of them, I won't name the providers, but some of them at some providers have actually gotten much, much better. And I would say they definitely cut down on my stress having to call in the call centers. If they're helpful, yes. Yes. I run into so many of that. It just sends you a loop and loop and loops and it's like, okay, I could just, I could have just made a phone call to that. Yeah. And you know, how many questions do they actually solve? I mean, they're basic, right?
I think if you're thinking about a chatbot as it stands today, they are event driven, as you're saying, and they are basing off of a specific challenge response, essentially, that's coming from the user. They're looking for keywords. They're saying, oh, you typed in bill and problem. So therefore, you must mean this help desk article that is, you know, dash 4, 6, 5, 7, whatever, maybe. And then it starts going through that script of things.
Yes. The challenge becomes, well, I think the challenge is you're trying to deal with a whole bunch of humans and a bunch of different ways of saying, I need help with my account. Yes. Yeah, but I mean, I won't get too far ahead. But if you take that notion, Jeff, and you connect it to a large language model, baby, that's what I'm talking about. Yeah. So before they didn't really have much to reference when that bot was written. So I think, I think they've jammed in a basic script and whatever.
And if it goes off that script, the thing just doesn't know what to do. And so you get frustration on the consumer side, plus, you know, who knows what goes on the other side. But if you couple that with an LLM, now you get something interesting.
So that being said, going back to machines, this is also, you know, this is also why I think, just before the session, by the way, for our audience, Simon Moffatt went over some data, survey data, and machine identities is one of the things he talked about. And I know we can get to that, but I'll just say this is also, I believe at least what Simon's thinking is in terms of this, is machine identities are just going to explode when you think about containers and all that stuff.
But not only that, I also think about that robotic process automation use case, the chatbot use case, and how many agents, you know, autonomous agents we're going to see deployed in those scenarios tied with LLMs, that's only going to fuel more machine identities. So I'll cover this in my presentation, but you're looking at, you know, at least 50X the number of machines you have running in your environment over humans today. I do worry about that large language model with the chatbot.
If you need to have good security around it, right, or otherwise, someone may just start attacking that thing with an AI bot, trying to see what kind of data could come from that chatbot. 100% right? So it's not unlike when you think about the early days of web applications being put up and then people just putting in, you know, strings of text, yeah, strings of text, SQL injections, commands, and then if they didn't filter those, it would just run those commands.
I mean, a machine is a machine, a machine's not smart on its own. It's just going to, you give it something to execute, and if it's in the confines, that's fine, it'll do it. So that led to the birth of the web application firewall filtering all those out. I think we're at the place where there are some interesting companies that are looking at that type of concept to front load and filter those LLMs, the inputs and even the outputs. But I think we're still very early on in those days.
But it does, if I just tie it back to machine identities, it does come with, if you think about the notion of having good IAM with your humans, if you went to bat for that at your company, you should be going about for that for your machines. Absolutely. I feel like at least 10 years ago we were defining IAM as ensuring that the right people have the right access to dot, dot, dot, dot. And it's like that was the huge mess, right? It wasn't just people, it was people and things.
You kind of eventually got to that. But one of the things that I find is like the things that you almost forgot, or the machine accounts you almost forgot to get to were the service accounts, right? Because they've been around for so long. It's like, that's not the exciting thing anymore. But organizations have 20 years of machine accounts that they've been carrying through, their active directory, and they don't even know which ones they can turn off. Yes. It's kind of scary.
They've got a whole clean up with that. If they don't get their arms around the accounts for Terraform, the accounts for Docker, or the accounts for GitHub, they're going to have clean up for all that too. And they're just, like you said, the attack surfaces are going to grow exponentially. Exactly. And yeah, so that's part of some of the recommendations I get into in my presentation there this week. That's actually step one is discovery.
So you can't manage what you're not measuring, and a lot of people have machines all over the place, right? So there's service accounts. If they're using AWS and GCP and Azure, right, and some other cloud service providers, and maybe fragmented across different regions if they're a global organization, they're going to have all kinds of machines everywhere. So you have to run some kind of discovery process in order to say, okay, what machines do we have out there?
So we can at least size the problem, and then you can determine how can we monitor these things, and then manage it and so on and so forth. I think also there's the difference between identities and accounts, right? There's certainly that when you think about people, I'm Jim. I have an AD account. Maybe I'll have multiple AD accounts. Maybe there are multiple ADs. Maybe there are applications that fit outside of my IDP landscape.
These are even more complex because you have a machine that could have multiple accounts. Is the machine the identity, or is it the human who runs the machine? And if you make it the human who runs the machine, when they leave the organization, from a governance perspective, how do I handle that? I don't think those rules of engagement are clear today. I think it's just, you kind of come up, it's something you need to create a solution for. Yeah. There's a lot to unpack in what you just said.
So first, I'll just, I'll tackle, you know, the maturity side of it. We are very early on with machine identity management. There's a lot of different kinds of solutions. Like, let me just say this, almost every client that I know both of you work with and probably a lot of our listeners as well, everybody has some kind of machine. First of all, everyone has machine identities, accounts all over the place. Anyone who says they don't, they're lying or they don't understand.
Or they don't understand. Right. They also, surprisingly, do have some machine identity management tools. If you've got a certificate authority and some certificate management, you're managing some kind of machines there. You have code signing products. That's also machine stuff. You've got some cloud security posture management. You might have some there, right? PAM solutions, CyberArk, Delinea, right. They all have some kind of layers to this.
But right now, it's a mess from a functional perspective and then going back to what you said from a, again, remember, I always think of the world as people, process, and technology. We have a lot of the technologies, but they're fragmented. So that's one. Two, we don't have people that are explicitly like, oh, I'm an identity architect, but I guarantee you the majority of identity architects you talk to are on human identity. They focus on human identity.
We need to get them focused more on a machine identity, but you might argue that could be some developers. But then the process, I think that's also where we're aiming to are to. So we're very early in that maturity curve. And I've worked with thousands of companies around the world in this topic over the years. And I would say, I don't think, I don't say, hey, you are all behind. No, no, absolutely not. This is just the evolution of the space. So I wouldn't beat yourself up if you're too early.
But going back to the other point you made, accounts versus identities themselves. Yeah, absolutely. It depends, again, on the use case. If there's a human involved, it could be Jim's account, but you're managing potentially thousands, maybe even millions of machines. If you were the, say, a website operator or you're a big part of running a digital business and you're creating those chatbots, so you're creating all those.
Those could be tied to accounts that you manage or monitor because maybe you're the privileged user behind them. And that's also why we see some vendors like CyberArk and others talking about machine identities because they see that as well, I think, coming into the market. Anyway, I'll stop there. That was a lot. Yeah, that's a lot.
But the other observation that I have, and I see this, say, 90% of the clients who have, are moving into the cloud, is that developers or maybe a non-strategic approach to moving out to the cloud, starting up applications, maybe doing DevOps, being done by teams who have to deploy some functionality, not by the CISO. So then by the time the CISO says, hey, I've got something I need to get my arms around. It's already built. It's already doing things.
So you don't want to be the progress prevention department, but at the same time, your cloud infrastructure has to follow the same controls the rest of your enterprise does. So I think that's one of the big challenges is that a lot of this is springing up for organizations. And maybe it's happening in the past. It really depends on where the organization is in their cloud lifecycle. But they've got this situation that's been created for them, so they're stepping into it.
Now having to get control over the environment. So take Terraform, for example. It goes out and creates accounts. It also destroys the accounts. It provisions itself roles. Okay. Do you go in there and say, stop using Terraform? No, you say, okay, well, how do we do this in a way that's controlled? So then I think the InfoSec group becomes like oversight, kind of making sure that it's not breaking rules or that at least it can be monitored and managed. What do you think?
Let me add one more wrinkle to that too. Because I think there's two things. There is one is the creation of those accounts, definitely an issue. The destruction of those accounts, I think, are just as important because in the automated role, these things might only live for fractions of a second or a millisecond. They conduct a very specific transaction and then poof, they're gone.
And I think if you try to draw a line to this, in my simple brain, all I think about is, yeah, it's just like onboarding and off-boarding for a human person. It's just a whole lot faster. And we were not built yet to manage that volume and that time. And I think that's, I try to make it as simple as I can and that's, I keep going back to that idea. Okay. I just need to say to our audience, I swear that Jim and Jeff have not seen my slides.
One of my slides is I have a graphic of a human identity lifecycle and then the slide right after is a similar graphic where I contrast it with the machine identity lifecycle. Okay. Actually looks the same. Right, you're absolutely right. The volume, velocity and the variety of these machines, it depends on their use case.
If it's one of those chatbots and you get a million people coming to your website and a chatbot's triggered, let's just say every time a new visitor comes, you might get a million bots right now at time one. And then at time three, you know, maybe 750,000 of them are dead because people closed the browser and walked away. And they're not going to let that process run. Hopefully they would be killed off. You would hope, right?
So absolutely there has to be first of all, you have to think through all those different types of machines. Is it hardware, is it software, and then what type is it? And based on that, you know, your risk profile, what are the risks of these machines, right? Are they dealing with sensitive information or are they not? Right. And then that should lead you to then say, okay, what is that creation process?
So I have to tie back to one client I talked to, they wanted to mirror PIV, you know, personal identification, right? They wanted to mirror that and use digital certificates for each and every machine they create. But then they also said, you know, but we, if we have these like, you know, public, non-classified you know, bots that are accessing, you know, public information, we don't care. We're not even going to give it a strong identity.
We'll just manage how many there are just for cost, you know, consumption for our cloud usage. But other than that, we don't really care. So I thought that was really interesting. It's going to always come back to that, you know, your risk tolerance, do they have to adhere to any compliance standards, and then you need to determine like, yeah, we need to either go hardcore and issue certificates for each and every identity.
And that might have an impact on what that creation process looks like, the authorization process and so on, but it really goes into all that. There were a couple other things that you mentioned. It's not just security as well. Security is a big part of identity, of course, right? Knowing who and what you're dealing with, and then you can determine, okay, these are the areas you can play and you can access, and these are the areas that you can't. Okay, that's a big part of security.
We also have to think about even just identifying these things for also cost optimization and just overall operations. So if you can not only think of it as a security, you know, mitigating security, doing your compliance, all that kind of stuff, but also if you've got a good machine identity practice, I guess what I'm asserting is that it can also benefit you from an operations perspective. Because now, let's just say it is the golden standard. It's hybrid, it's multi-cloud.
Now you can actually take a look and say, you know what, Jim, this month, we had a lot more machines that we generated in Google Cloud than we did in AWS. Does that mean we need to adjust our contracts in one or the other? It could very well be.
So now if you actually have, and it's not, again, it's not like good human I am, it can actually give you some really good data that can help you make infrastructure decisions, cloud investment decisions, and even just good business decisions because you now have data. So I would even argue if you're a company values data and analytics and you've justified for a chief data officer, chief data officer can work really well with this data because it could be really good consumption.
And then I'll just say one last other use case. How many chat bots are you generating? How many people are coming to your website?
Right, if marketing is generating all these campaigns and now everyone's like, hey, I'm going to go to this mobile operators website because let's say it's Mint Mobile and Ryan Reynolds is doing a big push on Mint Mobile and all of a sudden they're getting a lot, they could track that and they can track it with really strong confidence because they actually are identifying the machines properly and such as tech space stuff. Yeah, one more follow up.
And it's like the human identity management flows now seem so easy, right? I mean, there was a time where I was like, oh, I really have to wrap my brain around this. But now it just seems like it's black and white. There's an authoritative source for employees. That's a human resource system. And then it flows through your governance process. Contractors are a little more difficult, but if they're in the HR system, it's still better.
Or if it's in some kind of third party system, I know I'm not trying to step in on a land mine here, but authoritative source. And the control around employees is like, people make sure they get disabled when they leave the organization because they don't want to pay them. We may have strong policies around contractors, but it's like, you know, this person's the manager, they know when that person is no longer here. So ultimately, they're accountable to get that person shut off.
Now when it comes to machines, like there's no authoritative source there. Should there be? So one, should there be? 100%, because the world already runs on machines anyways, and it's only going to continue to run, you know, further more on machines. I mean, I know both of you flew here. We're in Carlsbad, California, the San Diego area. And they're pregnant. Now because you didn't fly here. No, I didn't fly here. I drove here, but I won't say anything else.
But there was all software on those planes. The military is using drones and all kinds of things that get updates every day and software, your cars are, you know, what the average car has 250 plus computers on it. So the world is run by software and that is only going to increase. And all of this is just machines and these machines need identities. So, you know, I think Jim, you bring up a good point.
When we see something in front of us, like a human being, you know, it's much easier to say, okay, you're an employee, your contractor, your business partner, or your consumer identity, identity identity identity. Maybe I use this system or that system or whatever.
But machines are a little bit more tricky because, okay, maybe the physical ones we could say, hey, I've got these MRI machines and I need to put them on the network and Cisco's telling me I need to put a certificate on it so it can do cert-based auth. Okay. What about all this funky stuff in the cloud? What about all these bots that are running? No one's really there right now, like a regulatory force, forcing organizations to do this. Am I advocating for that?
I don't want to make life harder for our community, but at the same time, I think it might need that. We might need folks to do this because I'll give you another example of a machine identity risk. Code signing, right? Applications need identities too.
And so what if I'm able to actually hack into a software developer like, well, this happened to ASUS, and get into their environment and I could get access to their code signing cert and then I start signing malicious code and you have an ASUS machine and your ASUS update application engine just downloads the malware and deploys it on your machine and it doesn't really know any better because it was signed by an authorized source, right? So that's an example.
So should there be an authoritative source in your organization for all of your machine identities? Yes. Should we start thinking about it now? Yes. Is technology available for them to do it in one like we do that would mirror human identity? Not really. I thought you were going to say yes. Maybe yes. Depends on the use case and I think the types, right? Correct. Correct.
We see some interesting things with secrets managers, again, PAM, this area, that traditional service account management type thing. Correct. Correct. So if on the certificate side, I see some interesting things there. You have companies like Venafi and Keyfactor and others are talking about machine identity, but that's a little bit more in the crypto space, but there hasn't been this leap to connect those dots with the service account side to all of this.
But I think if you go back and look at Gartner, Gartner is talking about this more and more. Good. It's going to be an expensive problem to solve. I think there are folks whose mindset is don't sell things on FUD factor. And it's like we're going to need a lot of money to solve this problem. It's a very real problem. The results are these major breaches that you're seeing, it's like that could happen to us. It's not FUD factor.
No. No. I've been in this space for two decades now and I started out doing more social hacking and all that. It was BBS stuff, IRC. We're not getting my origin story. And then when I got into this field, it was cybersecurity. It's just folks I would talk to and say you're always scaring us, you're scaring us, you're scaring us. And I don't think Jim now today, I've heard anyone say that to me.
I mean, if you are tripping over yourself and trying to scare someone with data, look at this breach, look at that breach. Okay, just lay off.
But again, going back to what Pamela Dingle said, everyone in our space really needs to take note because as someone who was formerly an attacker, we have to get out of the mindset of joiner, mover, leaver and think joiner, mover, leaver, adversary because attackers do not care if it's a machine, if it's a human, or if that machine identity or human identity is owned by this group in your company, that group, or your identity expert and this person is an endpoint security expert.
They don't care about those roles or responsibility and they also don't have compliance. They don't have to adhere to anything. They'll just try and get in. So all this infighting we might have as a community or as an organization, attackers love that. And so I think that we are number one, we need to plan on more attacks happening on our machines. It's only going to happen. Pam talked about identity infrastructure. Identity infrastructure is run by machines.
Humans write the code, but it's the machines that are executing. It's containers and workloads in the cloud that allow you to authenticate, that allow you to do that SSO. And if someone compromises that because they stole a cert or they did whatever, they now own your identity infrastructure and they can do lots of things. Now you're in big trouble. Exactly. So I totally root you. I think Simon said in the last session, he's like, this is going to be a titanic problem itself.
Yeah, we've already talked about the separation of duties within the hack community. Some people go and steal the credentials with phishing or whatever method they use and sell them. The people who buy them just know how to run scripts. Once I get in, it's like, OK, I'm on this machine. Now I'm going to try these 10 or 15 things I can do to escalate my privileges or see how I can move laterally. Exactly. I didn't go to cooking school.
I'm not going to say if I'm a good cook or a bad cook, but I can follow a recipe. I can follow a recipe. I make some food. I feel like a good cook. You would have said chef. I'm going to see. There you go. But I mean, if you break it down and people can follow recipes, and I know one of the talks today when I came around to speaker's name, a drug memory. It's been a long day.
But when she was going through all the stuff with ChatGPT, and she showed an Icelandic banking attack, and it's like, OK, I think there was only what? A few hundred thousand people who could speak Icelandic, but now with the advent of ChatGPT, everyone can. Everyone can. I can make a phishing campaign that's in Icelandic, sorry. And now as a result, some of the Icelandic banks are like, wait a minute, the number of phishing attacks just increased. It's like, well, ChatGPT made it easy.
So I think to Jim's point, unfortunately, a lot of these things are getting easier for attackers to take advantage of. And I think machines just give them a massive attack surface. We thought humans were a decent size attack surface. Machines are even bigger. Was that Rachel Tobac? Yes. So yeah. Credit work, right? Yes, yes, sorry. My brain is, my brain's fried today.
But if your security strategy relies on people not knowing how to speak your language, you probably should be thinking of other layers to that security on you knew she'd be building. Exactly, exactly. We've been talking a lot about PAM as sort of like one of the areas that solve in this, but is it PAM? Maybe this is more like IGA, considering the life cycle looks a lot like a human. Gartner has a market guide that talks about matching up machine accounts to machine identities.
Maybe IGA is where we should be starting this. If IGA's root capabilities to know who has access to what, how difficult is it to turn into what has access to what? It doesn't matter if it's a human or non-human. Is IGA a place that we should be looking at to store these accounts or at least to inventory them and start to at least try to manage a government? So I actually do think IGA is, so I agree with you. I think IGA is a big part of the core.
But again, I think, if you think about when I describe the identity life cycle, I think there's onboarding. There's the creation of this identity. IGA could play a role there, but it could also be IGA orchestrating a connection into, let's just say the identity is deemed that it needs to be a certificate. Coming from a certificate authority, IGA doesn't traditionally do that.
So you're going to need some kind of orchestration capability to call out to a certificate authority which could be on PAM or in the cloud and then it pulls it in. So I agree that I think IGA is that really when you distill it down, it's really the core because it is about governance and administration and all that. But I think what IGA is missing, the traditional part, which there's going to be a lot of heavy lifting here, is the orchestration side of it.
There really has to be a lot of, again, you need to say what kind of machine is it. It's something that needs a certificate. We need certificate authority. It's this other kind of machine that just needs a secret. Okay, it needs to go into some kind of secret manager to generate a secret and pull it out. That could be a PAM function, but it's IGA at the core. It could be a symmetric key. It could be a whole variety of things.
So I think we can take the classic notion of IGA, but it has to be augmented in order to, I think, really fulfill the variety of the different types of use cases. Then the last thing I'll say, Jeff, is that you mentioned it earlier, but the velocity of these things is going to absolutely mean that anyone who's running this infrastructure that would create or destroy these machine identities, it really has to be like, specific critical now. It's tier one.
Whatever the highest thing is, it's got the appropriate resources, backup, recovery, plan, and all that stuff. It's critical infrastructure for the organization. Correct. And if we look at, again, I keep coming back to certificates because certificates are actually a good, a good best practice for what, when I was at Gartner, we talked about, PKI and IoT authentication, digital certificates, that kind of form. And even when you think about FIDO and passkeys, that's PKI based.
That is the gold standard for authentication, it's using PKI. But you got to make sure that that is not only scalable, everyone can talk scale. It's response time. That's the thing that if a consumer is sitting there and what is that, just type something in for this chatbot, it's supposed to be LLM based and it's taking 20 minutes to get back to me. Those will kill the transaction.
This is like when traders would buy land near the circuits that were driving markets because they wanted a faster response time. Yeah. Is that where we're headed? We need to have your identity management nerve center next to wherever your bot plant is. I will say we haven't gone far from that, my son, who is a teenager, he is big into Fortnite and we recently moved from Canada to the San Diego area and he's like, hey, daddy. Oh my gosh. So the main servers are in Los Angeles.
We're so close to these servers. We're paying his probably. Yeah. So he's not on like those traders. And then he keeps riding me to keep bumping up our bandwidth. Can we get T1 lines, daddy? Yeah, you don't really need T1. What you need is symmetrical speeds because for whatever reason, the US loves fast downloads and overlooks fast uploads.
So if you can get like fiber or at least a symmetrical, I saw like Comcast is going to get a bit symmetrical through coax, which I think was possible to figure out a way to do it. So now you're talking about instantaneous responses back and forth. Which is crazy. I'm sure they'll charge an arm and a leg for it. But for people like me and Jim and others and like yourself, right, who are doing audio video, that instantaneous transfer back and forth can be a big game changer for our use cases.
A normal person? Because we're a bunch of weirdos in here. But no person probably is going to have that as a use case. Yeah. But machines, well, they need to move quick, fast, you know, live fast, die hard. Yes. Yes. I like what you did there. I like what you did there. But no, but that is a straight up legit point because I mean, what we also didn't talk about as well so far as the machine machine communication.
So imagine if you have like an autonomous agent that's working for Jim and Jim has given it instructions to say, okay, I need you to do trades for me or do whatever for me and you give it its rules and here is access to my bank account. And when you see a stock do something, just go, you don't have to call me up. I gave you the rules of engagement. Go. Now that machine might talk to another machine that is actually doing maybe the buying and selling on behalf.
And so if you have those great connections, it means that there shouldn't be, there's that symmetrical upload and download between the two because it could be, I'm using just transaction triggers, but there could actually be bulk content that could be shared. It could be different types of things that could be shared. So I think we're entering a really, I'm excited about where we are going with everything. And I think just first everything has to start with recognizing a problem.
And what I'm really happy about is that for years myself and a few others like Erik Wahlström and some other folks in the industry, we've been talking about this potential sleeping dragon of issues that will happen with machines. But no one was really, maybe there was a little bit of a, there's, that's fear uncertainty doubt, but I think we're getting to a place now where people start to see it.
And my hope is that the industry will rally together because it's not going to be one vendor that's going to be able to do this. It has to be all of us. Cloud providers, I think, are taking it seriously for their cloud. For the, well, no, I think, I think you're touching on the top most important issues. And this kind of starts back with Jeff's question around what's IGA's role? I think the IGA vendor thinks they can solve it, but they take on the piece where their tool works well.
Privilege access management kind of the same thing. Yeah. Access management vendors kind of say, well, authentication is what really matters. Okay, well, there's all the other stuff too, right? Yeah. Now, you have new markets spring up with like the Kim or Kim, whatever you want to call it. So I'm not sure if you have an answer for that or it's just like it's the evolving space.
One of the things I wanted to do is recognize you like you're taking on this issue at a conference and it's not a solved issue. This is not, we're not at the space where like, yeah, we figured this out and here's the roadmap. Now I'm going to lay out the roadmap for you. Well, you're going to be talking through is like, there's a lot of hard problems. They're not solved by the industry. Here's, I don't know how I think about them. Yeah. I love that.
So again, you know, Gartner like really burnt in me. The notion of like always leaving clients with recommendations in a path forward. So I'll absolutely I'm not going to go up on stage today. Okay, doom and gloom everyone. I'm going to obsess about the problem and see you later. Thanks for time. See you later. Thanks for time. Bye. No. In the presentation, I have clear recommendations, which I can, I can mention a few here and I believe I did. Go for it.
So, you know, I'll reiterate, always start with discovery and enumerate and discover what machine, well, first of all, define machine identities. And if you're a Gartner client, live at Gartner's research, but there's more and more research out there that's that or you can, you can hit me up and ask me, right? But identify the machines in your environment, do some kind of discovery process.
That's kind of, you know, part of your, you know, your, your first journey, which would include some tooling and, and so on and so forth. Start to think about the teams, establish a physical and or virtual team. There might be some developers that might be in the group, maybe some of your IAM team, maybe some of your cyber security team because inevitably there will be cryptography based machine identities.
Is that someone that's traditionally in your IAM group or are they in the cyber security group that maybe you've tagged a network infrastructure person to your PKI? Someone who knows PKI is probably a good person to have on that team. The other thing I mentioned too, I alluded to, is the risk. So when you identify what machines are in your environment, also segment them and prioritize them based on risk.
So what machines have, you know, access to things that are really risky and what machines have access to things that are in maybe some of the middle and then stuff that, you know what, if that got breached, it's segmented out, it wouldn't be a problem. That's also handy too. So those are the first pieces that I would recommend and just understand that it's totally a new space, so it's okay to be, you know, no one's behind here. We're all just learning here to have the more people.
We're keeping up just by even knowing and understanding that there is a problem that we need to address. Exactly. So this is something Simon mentioned, it's like 70% of respondents to a survey question was, machine accounts should use multi-factor authentication. Yes. Where do you stand on that? Yeah, 100%. We're getting to a point where, let me just start this way as in terms of evolution.
When you talked about Pam talking about the evolution of Microsoft Authenticator, it's the evolution of thinking about machine identities. When we think about PAM, years ago, we just had PAM on its own and then it's like, wait a minute, PAM needs to be bolted in with MFA and hopefully other passwordless, strong FIDO-based methods. Why would you have a privileged user that's not using that? So that just is laughable at this point. We have to do that. We're not doing them for machines.
So when I saw Simon's data, I totally agree with that. I think machines have to have strong identities and with that, it should come part and parcel with some kind of authentication risk view because like a machine, again in that journey, just because that machine exists and it's allowed to exist, let's just say it's not ephemeral and it goes to authenticate to a certain resource, should it be allowed access to that resource at that time? Maybe there's an attack going on in the organization.
It's like this bot that's a clone of Jim shouldn't be allowed to access the credit card database right now because we're under attack right now. So I think all these things need to start to come together and we're just not doing that right now. If a machine wants has access in your environment and wants to walk into a credit card database, it could do that. Which is by the way, that's malware. That's ransomware. Ransomware is a machine. I was going to say you just described it.
Yeah. Ransomware is a machine. In terms of managing machine accounts, we talked about AI, generative AI in terms of the bots, but do you see a role for AI relative to machine account management? Ooh. The bots watching the bots. Is this how the Matrix started? Yes. So or a Terminator was kind of. Yeah. I mean, there is a point where the, look, the bot is going to be a bit of a problem.
The, look, the bad actors are already starting to use, you know, EvilGPT, FraudGPT, like was discussed today in the keynote. At Transmit, our researchers are certainly seeing that. Like we're seeing the threat environment just really quickly has done a huge phase of change. And so they have this now, access to all this stuff. And we do have to fight fire with fire. It always, it always has been and always will be an arms race.
And it's like the situation where if someone is firing tons of missiles at you, are you going to have humans on the ground, you know, shooting, shooting them down manually? No, you're going to need a system that is automated and is using AI/ML to fight back. So I'll just say this a little bit. We saw how good that works if you ever played Missile Command. Right. Well, yeah, exactly. Right. I'm actually going to lose.
Yeah. I mean, well, so there's a couple of ways they think about AI/ML and benefiting, let's just say security and identity leaders. One is there's AI/ML tools that hopefully your vendors are starting to build to help with administering and managing the stuff, right? So think about access certifications when you think about governance, right? Like for years, they talked about identity intelligence.
I think now we have the technology for vendors to apply that to give you a better idea of like anticipate all these certifications I need to do. So I don't have to do it manually. That would be nice. Or short circuit, like can I interface with a chatbot where I'm like, how do I set up this certain policy within this product? And I can just type in two things and boom, it tells me what to do.
So that's where I see the first, I've seen many, I've been briefed by many vendors and that's where I see a lot of the quote unquote innovation right now today. But the other aspect is how that technology can be used to fight bad actors. So monitoring machine identity behavior and then if something happens that's weird, then it can respond to by terminating that machine or post the transaction. So that's right. Exactly. Or stop and get more information.
So it's similar with like risk based authentication on the human side, going back to what you're saying as well with the 70-some percent of people saying machines should have MFA. Hopefully that's what people are thinking as well. They should have risk based authentication for these machines as well. And if something's weird there, just stop it. That's where I see AI now also helping the fight here. Excellent. So we'll start to wrap up because we're about to hit an hour here.
You know, I want to be respectful of your time. Yeah. But you may be super jealous this morning when you start showing me some pictures on your phone. No, not like that. Star Wars, Rise of the Resistance. You went to this. This is Disneyland. Disneyland, yep. And I want to know everything about it. Yeah. Yeah. So you give me two minutes. No, no, no. You take as much time as you need. So recently did an amazing family trip to Disneyland. And we were lucky enough to make it on the ride.
I would actually say it's a ride. It's also an experience. Star Wars: Rise of the Resistance. I think I got the name right. I know it's Rise of the Resistance. Usually it's a long wait. You know, we got in with decent timing. Amazing ride. So it's themed after kind of the newer Star Wars movies. So like Kylo Ren and all that. And the story, and I don't want to ruin it. And the premise is that you kind of come in and the cast members at Disney, they're all in character.
And they don't break their character. You know, they're like, hey, thank you for joining the resistance, you're part of the resistance. And we're going to share with you a secret base location. And then you go on some side. You see all this cool stuff. You get on the ship. You're flying. And then suddenly these Star Destroyers with Kylo Ren, they board you because they believe that you have the location of some base, but you deny it.
Then you're on like a Star Destroyer with like hundreds of stormtroopers on this. It's amazing. And then, you know, then you go on kind of the ride, if you will. So when you say, like, you're not talking about like watching a video, right? You're in this thing or you're, help me understand the perspective here. You're in this thing. You're seeing stuff. Or it's a blend of multi-modal, multi-media wind blows on you and stuff like that. Oh, you feel everything. Seat shakes.
Yeah, you feel a reason. It goes beyond just a ride that you get on and just it takes you somewhere or you sit in something and hear music. And I mean, it really does try to tap into all your senses and everything. And I was blown away probably one of the most enjoyable experiences, you know, I've had after, honestly, after we did that, I think we did it around midday, a full day at Disneyland. I was like, if we didn't have a whole right now, right? Yeah, I mean, everything else is great.
Don't get me wrong, but I was like, if we went home now, I would be fine. You'd be disappointed. I'd be fine. How long was the experience? That's a good question. And it probably felt like it, if it, if, I feel like if it's a good experience and you're into it, it goes fast, right? Because you're engaged throughout the whole time. Is it five minutes? Is it like half an hour? To me, it felt so I agree with you.
Like it definitely had experiences where it felt, you know, like good ones felt like it went by fast. It didn't feel like it went by fast. It felt to me like it was 15 minutes long. It probably wasn't. It was probably like five. But you're so into it. It felt like 15 minutes. And just everything that your senses pick up when your body picks up, it just was that.
And if you love those movies and just the Star Wars genre, not only is that experience and ride great, but the whole environment around it because you walk into Star Wars: Galaxy's Edge and it's like it's a new world. Even the restaurants are themed like Endor, we had Endorian chicken. It's just another thing right? It tastes like chicken. And they have blue milk there too. Like blue milk. And it's really, really cool.
But when you go on, it's like you're on the bridge or you're in the hangar bay of a Star Destroyer. It's really cool. And how the backdrop behind the stormtroopers looks like a shield with space, raw space behind them. They did a good job. I really have to applaud the team at Disney for doing that because it goes back to the Imagineers, right? Amazing, amazing job. We need some Imagineers to come in and help us in the IAM space, I think. Can you imagine an Identity and Access Management theme park?
Oh, yeah. What would that even look like? Yeah. Well, Disney has the MagicBands. We would have our Passkey Bands. What would be the top-drawing ride? That's a good question. Jim, what do you think? I think Homer Simpson said, this is so lame. Although I will say, my son said he looked at me and again, he's a teenager and he goes, he down, he, why don't they have Austin Powers Land? You know, or like Beetlejuice Land? Yeah. Or he just started dropping these other cool movies.
Or I said, what about Anchorman Land? Or you know? They spent a lot of money for the Star Wars. They did. Unfortunately, they shut down the hotel, I think, though. There was like a hotel experience and I think I heard that they decided to shut it down. It wasn't. Yeah, I think they heard that. I've heard really good things about it and I guess it was too expensive or something. I don't know. I missed out on that one. I can't always have nice things. I know, I miss out on that, too.
I remember talking about that, but then COVID happened. I don't know. I don't know if it had who knows. But either way, I would highly recommend. I haven't been to Disney World, I haven't experienced their Star Wars thing, so it was just Disneyland, so that one's in California. The difference is Disneyland is in California and Disney World is Florida. Correct. So the weather is going to be a lot better in California. Yes. But that is big. I mean, Disney World is huge. I've been to both.
Yeah. And it's not even close. No, it's not even close. No, it's not even close. I think I spent more, multiple parks in Florida. Yeah, you've got. It was an MGM, Epcot, Disney itself, plus you got the whole resort thing. It's a whole thing.
Yeah. But I think what, between the two, I actually prefer Disneyland better because I think the quality is higher even though there's fewer things compared to Disney World in Florida, which is there's a ton of stuff to do but the quality is very inconsistent. Like for me, Space Mountain at Disney World, classic. Yeah. But I don't care about anything else there. I think the kids were very young, was when Cars, the movie Cars was hot.
Yes. And there's Hollywood studios and they had cars everywhere. Yes. Like my kids were just drawn in. So they have that. So I should say this, but it was kind of cool. Ran into a YouTuber in the park and used like SoCal, Disney Dad. And we got so many great tips from watching this video and the lead up to. That's cool. So it was like my kids were kind of excited when they saw them. You know, it's like because he's like an influencer. And much like you guys as well, right? And so go on.
No, no. It's true. It's right. No, no, go on. Yeah. But it's really cool. And so, but what he said was, he's like, you know, Disney World is very cool. But he's like one major pro when you come to California because there's California Adventure Land. And right across, like you could throw a football from one gate to the other, Disneyland's on the other side and Downtown Disney's there. So you don't have to take all these shuttles everywhere. Like you can get a really nice Disney experience.
And I will, I will further it with Disneyland is the original Disney park. And it's like one of the most original theme parks I think in the world. I mean, someone can correct me if I'm wrong. Like YouTube videos that I've watched on it. It's pretty amazing and all the tricks that Disney had to do. Like that, that used to be an orange grove that was flat with nothing there. And that was transformed.
And I wish I remember the name, but there's a really, if you're really interested in Disney, the story I find of what Walt Disney went through to get that park there was incredible. Like he almost ran out of money. Everybody said, this is an insane idea. Why would people come to a theme park? Like what does that even mean? Yeah. What is a theme park? Yeah, and he almost ran out of money. We did the same thing in Orlando, right? It was the original dream, the swamp.
It was like all swamp land that he bought. That's right. Yeah, yeah. I don't think he even lived to see Disney world happen. Yeah. But anyway, but yeah, no, thanks for asking. It was unbelievable experience and highly recommended. If you love stories, why do? And I don't, and you don't. But I probably would enjoy the ride. I mean, the experience, right? I mean, absolutely. I think you can appreciate. I'd like to go to a Star Trek one. Star Trek one. Oh, Star Trek one. Star Trek one.
I'll go both. I don't discriminate. I'd like to go into the hall of the deck. I mean, that's where we're going with things like VR and AR and things like that, eventually someday. That's it. You can have experiences of the deck without actually being there. Yeah. Yeah. Exactly. All right. Let's go ahead and wrap it up. David, thank you so much for taking time with us. I'm glad you look forward to your talk. Thank you.
You can find us on the web, idacpodcast.com, Twitter at IDACPodcast, a link for David and his LinkedIn. If you want to share Disney tips or machine identity tips or whatever, along with the link to Transmit Security, you can go learn more about the stuff that he works on. Let us run Mastodon at idacpodcast at infosec.exchange, connect with Jim and I on LinkedIn. Like, subscribe. That's all the stuff that people can do to help us out.
Get us on the main stage again at the keynote for Authenticate, which is very cool. Definitely a podcast highlight, I think, of kind of making it from two dudes in their basements to now on a stage somewhere. It's over Mastodon followers. Yeah, I don't know about that one. We have it out too. No, we've got several, by far LinkedIn is the best way to, you know, that we get the most engagement.
I don't know, I think Mastodon came along at the right time, but the usability isn't quite there yet for the masses. Let's wrap it up. Thanks everybody for listening and we'll talk to everyone in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDACPodcast.
See you next time on Identity at the Center.