This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff. How's it going? Not so bad. Yourself? It's going great. Did you know that I was on stage for the keynote here at Authenticate today? I did, 'cause you were sitting right next to me. Pretty fantastic, huh? Yeah, it was cool. Yeah, good time.
First time having done that. A little bit rushed, but I think that's just the nature of going last in a long sequence of activities. But yeah, pleased with the way it turned out. How about yourself? Yeah, it was fantastic. It was a lot of fun. I think that we're going to save that. We're going to get the recording of that and then drop that as the last episode from Authenticate. We'll do that at the end of next
week. So anybody who's interested in listening to that, it's a pretty short, power-packed episode, really focused on passkey deployment. Yeah, it was like the Cliffs Notes version of an Identity at the Center podcast. Yeah, very much so. But it was fun. It was like... big crowd. I think we set the record for the most people listening to our podcast at one time. Yeah, which wasn't probably too hard, I don't think. But no, probably not.
Hey, we've got to start somewhere. At least I'm happy because I got my shout-out to Nick, the Segway camera guy, who is, I'm sorry, Andrew and Megan and Adrian and others, but he's the reason I really came to Authenticate. The guy's a star. I mean, he's on a Segway. He's got this gimbal with cameras and stuff like that. He's zooming all around the room, back and forth. I mean, that guy's a
superhero right there. But it's not even like a Segway like you see in San Francisco with handles. It's more like one of those things that preteens stand on and zoom all over your house in, and fall and hit their face on. A hoverboard? I mean, I don't think they call them hoverboards, but it's not a hoverboard. I saw Back to the Future. That's not a hoverboard. So what are you thinking about the conference overall?
It's good. I'm glad to have gotten through our thing, and now I feel like I can enjoy the conference. Yeah, I'd say that's probably true for anybody. When you're getting on the keynote stage it's a little nerve-wracking, so. Yes. So we've also got a guest here sitting with us in this room, and a couple of fine folks also watching us, staring in intently. We've got David Mahdi. He's the CIO for Transmit Security. He's been on the show with us
before. Hey, David. Hello. How's it going? It's going, and I just wanted to make a comment about the gentleman that's on the Segway, Nick. Yeah, respect. His name's Nick. I'm going to go, well, I haven't met him personally, so I appreciate that. But I'd say maybe it was almost like the thing in Aliens, but not. Yeah, like the exoskeleton. It seems like an exoskeleton to me, and I'm just waiting for him to press the button and turn into something much more.
You guys are so sci-fi. I don't know what you're talking about. Yeah, that's what they meant. Well, maybe that's why I got into the identity space, because I thought, you know, all the biometric scanners and everything they had in all the sci-fi movies in the 60s and the 70s, we would get that eventually. Yeah, you can make it real. We're actually here now, we're actually here with biometric scanners and passkeys and all these types of things, so.
Yeah. I spent an awful lot of time at a conference last week. Anyway, that was almost 100% retina scan. Oh, really? It was like that. I mean, it's a big, kind of used-to-be government conference. I think they're trying to branch out more. But yeah, lots of retina scan products on offer for whatever authentication needs you have.
I mean, we've come a long way in a short period of time, and just how all this stuff is in these consumer devices, when not long ago you'd see them in movies and go, Oh my gosh, there's Tom Cruise in Mission: Impossible 1, and he can't set off the biometric scanner or else the room is going to explode, right? And now you can just go and buy a phone that has that in there, so. Yeah. Can you imagine how ridiculous of a hack that would
be? Like, in the real world, Tom Cruise coming down through a vent, right? Dodging the fans and then can't hit the laser floor? Like, no, today it's just someone stole your password because you used it at Instacart. Yeah, exactly, exactly, exactly. It doesn't need to be that elegant. It never is. The movies always do that, and someone calls the help desk, initiates a reset and bang, you're done. Or your slot machine's not working. Anyway. So tell us about your role as a CIO.
You've been on the show before. I'm not going to have you rehash your entire identity origin story. But one of the things that we have started getting into more is roles within identity organizations, your org, Transmit Security, and you're the CIO. We also were kind of jokingly talking about the Chief Identity Officer. Cheeto is what we're starting to call it, at least I am anyway. And so is Jim. Tell us a bit about your day-to-day as a CIO of a security company like Transmit.
Yeah, so. So the CIO of a security company, I mean obviously the dynamics are a little bit different. I know things like machine identity are really important to us because we see that as protecting the identity infrastructure that we host for clients, and especially building identity security solutions. Attackers are looking at all this stuff more and more and more. We see that with Okta, unfortunately, and others, and Pamela Dingle from Microsoft.
Today at Authenticate, she talked about that. She talked about how identity infrastructure itself is being weaponized against us. So as the CIO of a security company, myself and the team, we take it seriously, right? So just practicing everything that we're preaching with customers. But it goes beyond technology. It goes along with your people and your process and how you drive all those.
So kind of being in that type of role, I look at all three of those areas, and I don't always look for a technology to solve the problem, right? Sometimes it's just changing a process or improving a process, or having someone do another review, making sure it goes through certain gates, right, and there's a consistent workflow all the way through. Again, almost like the Tom Cruise thing, it's not always the elegant things that you
think are going to save the day. It's sometimes just actually taking a look at a workflow and improving it and kind of going from there. So in this kind of role it's kind of neat because I get to have this internal focus, but I think where I have a lot of fun also is
the external part of my role, doing activities like this with you guys and evangelizing all of these things as well, 'cause I don't think Transmit would be able to keep my mouth shut, 'cause I'm the kind of person that's like, hey, I discovered these really cool ways of dealing with problems, or our threat research lab is seeing evidence of some more AI-fuelled fraud. I feel like I should go and talk to the market about that, especially when
I talk about things like authorized push payment fraud, which, you know, I talked to someone about that. I don't know if you know anything about it, but it's interesting, it's being able to attack you without doing an account takeover. So anyway. What I thought about Pam's presentation today was, she was talking about the evolution of the Microsoft Authenticator and I thought, that's exactly what technology companies need to be doing, right?
They need to put something out there and see what the challenges are, and they need to just keep improving, keep improving. Is that something you're finding as well? Yeah, so I also take it upon myself, in my role as well, to see that. So it's not just going out and evangelizing and pushing. It's also pulling and
working with a lot of identity practitioners, cybersecurity leaders as well, because cybersecurity pros and identity pros, we need to come together, because attackers don't care. They don't care if you're an identity person or a cybersecurity person or a network infrastructure person. They'll get in however they can. So I think in terms of thinking about the problems and the outcomes that customers need, right, don't just go and say here's an
identity verification solution. It's like, well, why does the customer need that? Oh, because they're trying to securely onboard their clients and they want to reduce fraud, and they want to also make it easy for their clients to securely create accounts, right. So, OK, well, maybe we come up with a product to solve part of that because that's all we can do today, and maybe that's all the market will bear.
But over time, talk to these customers, see what the market's doing, but then also, going back to APP fraud and all this, looking at what the fraudsters are doing and also trying to incorporate that stuff in your product as well. So it's not just the customer saying, oh, we see this. We also have to take it upon ourselves to say what types of threats are out there and how can we mitigate and productize that to help protect the market. So you do a podcast also, right?
Yes. Yes. This Week in Identity, yes, with Simon Moffatt from The Cyber Hut. Tell us a little bit about that podcast. Yeah, that's awesome. So Simon, we're fans of you guys too. And for us, I think Simon is an analyst, I'm a former analyst. So when I left Gartner and Simon left the vendor space and got into the analyst space, we kind of got together. He was at ForgeRock. Yeah, yeah.
And so it's kind of interesting, because as I was leaving the analyst life behind me and he was picking that up, we had a talk. I gave him some pointers on good things and bad things about being an analyst, just pointers, things I've learned over the years in terms of what works. And we just said, hey, you know what, let's just, why don't we just record this, right? I think it's not unlike both of you. Right.
And then we just decided to record it, and I honestly just see it as a way of us catching up every week. Hey, what happened in the industry, typically focused on news, acquisitions or new protocols or specs. Last week, we talked about NSA and CISA's top ten misconfigurations. I listened to part of that, and then I was listening in my browser and somehow lost the page. But I'll get back to it. Don't worry, it was a good one.
Yeah, right. So it's just stuff like that, and I think we try to keep them short so you could just listen on a quick walk or something like that. So yeah. Yeah, I have a question for you. So we've been podcasting. We're up to episode 230-something, I think it's... 238 went out this morning. OK. So this will be 239. Is it a lot harder than you thought it was going to be? That's a good question.
Now I should say Simon does some of the heavy lifting in terms of recording and everything else. So I'm just a pretty voice that shows up. You're the easy part. Why? Yeah, that should be a question I'm asking Simon, actually. I do all the scheduling. Scheduling is a lot of work. That is a lot of work, especially when your co-host travels all the time. Yes, he does. Dirty laundry coming out, but let me just say for the audience, because we're
not on video, Jeff is surrounded by all kinds of devices, not unlike Nick, who is on a Segway with all sorts of contraptions around him. No, but I appreciate it for sure. So your topic this week here at Authenticate. Why don't you tell us what it is and why you chose it, why you're talking about it? Yeah. So the topic is an area that I'm super passionate about. It was an area that myself and Erik Wahlstrom, who's a Gartner analyst, we
kind of helped define this space, and it's machine identity management. Specifically, the presentation I'll be doing on Wednesday at Authenticate is Rise of the Machines: Why Authentication is Needed for Both Humans and Machines. And really the thought there is that we've spent a lot of time with identity, and as we should, focused on humans. And that totally makes sense, right.
All these types of authentication factors, how we use them, when we talk about UX, user experience, but the users have been human, right. And so when we think about machines, really what those are, there's kind of software and hardware, right. There's kind of two flavors. So if we say hardware, you're talking IoT, OT. OT would be operational technology, so MRI
machines or other types of manufacturing equipment, ultrasound machines, you name it, that's OT/IoT. Different types of sensors, all sorts of things. That's on the hardware side. Oh, I should also say laptops, desktops, mobile devices. Devices. Devices. On the software side, though, that's where things get really interesting. And not to say that the hardware side isn't interesting, but on the software side, you've got virtual machines.
You've got containers, you've got workloads, you have software, you've got all kinds of infrastructure and software. Exactly right. So if you just think about the good old-fashioned service accounts. Service accounts. All kinds of things that aren't, quote unquote, human. Now there's a couple flavours of that too, I should say. There's supervised and unsupervised. So what do I mean by that? So a supervised machine,
you could think of it this way. So if Jeff creates a script to run on your machine, or on, say, your laptop, that's a machine. But that machine effectively is borrowing Jeff's rights and entitlements, right? Its ceiling would be whatever access you have. And I have to initiate it at some level to start the work, correct? Or you could create a bot. Yeah, right. Like where I could learn, but it's going to be like a derivative of your identity.
So it's kind of like it's Jeff, but just a robot version of you. And so we say it's kind of supervised. You're not going to really let it do anything crazy. Hopefully not. Hopefully not. That's supervised. Unsupervised could be like a chat bot on a website. Say you go to, I don't know, T-Mobile or Verizon's website, and just by virtue of you going there, it's typically event driven.
The event is a new user goes to the website and boom, a chat bot pops up. Hey Jeff, last time you were here, maybe using a cookie, you had a problem with your bill, right? So that machine didn't exist before you went to the website, and now it exists. It's taking signals from whatever transmission of data is coming from your browser, or whatever signals, right, to drive that. For the record, I hate those chat bots that pop up automatically.
They are the most annoying thing in the world. Some of them, I won't name the providers, but some of them at some providers have actually gotten much, much better, and I would say they've definitely cut down on my stress having to call into call centers. If they're helpful, yes. I run into so many of them where it just sends you in a loop and loop and loop. It's like, OK, well, I could have just
made a phone call. Yeah, and how many questions do they actually solve? I mean, they're basic, right? I think if you're thinking about a chat bot as it stands today, they are event driven, as you're saying, and they are basing off of a specific challenge-response, essentially, that's coming from the user. They're looking for keywords. They're saying, oh, you typed in bill and problem,
so therefore you must mean this help desk article that is, you know, dash 4657, whatever, and then it starts going through that script of things. The challenge becomes, well, I think the challenge is you're trying to deal with a whole bunch of humans and a bunch of different ways of saying I need help with my account. Yes, yeah. But I mean, I won't get too far ahead, but if you take that notion, Jeff, and you connect it
to a large language model. Baby, that's what I'm talking about. So before, they didn't really have much to reference, that bot was, right. So I think, Jim, a basic script and whatever, and if it goes off that script, the thing just doesn't know what to do. And so you get frustration on the consumer side. Plus, who knows what goes on on the other side. But if you couple that with an LLM, now you get
something interesting. So that being said, going back to machines, this is also why I think, just before the session, by the way, for our audience, Simon Moffatt went over some data, survey data, and machine identities is one of the things he talked about.
And I know we can get to that, but I'll just say this is also, I believe, at least what Simon's thinking is in terms of this: machine identities are just going to explode when you think about containers and all that stuff. But not only that, I also think about that robotic process automation use case, the chatbot use case, and how many agents, autonomous agents, we're going to see deployed in those scenarios tied with LLMs.
That's only going to fuel more machine identities. So I'll cover this in my presentation, but you're looking at, you know, at least 50x the number of machines you have running in your environment over humans today. I do worry about the large language model with the chat bot. You need to have good security around it, right? Otherwise, someone may just start attacking that thing with an AI bot, trying to see what kind of data they could farm from that chat bot. 100%, right.
So it's not unlike when you think about the early days of web applications being put up and then people just putting in, you know, strings of text. SQL injection commands. And if they didn't filter those, it would just run those commands. I mean, a machine is a machine. A machine's not smart on its
own. It's just going to, you give it something to execute and if it's in the confines, that's fine, it'll do it. So that led to the birth of the web application firewall, filtering all those out. I think we're at the place where there are some interesting companies that are looking at that type of concept, to front-load and filter those LLMs, the inputs and even the outputs. But I think, Jim, we're still very early on in those
days. But if I just tie it back to machine identities, it does come with, if you think about the notion of having good IAM with your humans, if you went to bat for that at your company, you should be going to bat for that for your machines. You know, I feel like at least 10 years ago we were defining IAM as ensuring that the right people have the right access to dot, dot, dot, and it's like that
was the huge miss, right. It wasn't just people, it was people and things. We kind of eventually got to that. But one of the things that I find is the things that you almost forgot are the machine accounts. You almost forgot to get to the service accounts, right, because they've been around for so long, it's like that's not
the exciting thing anymore. Organizations have 20 years of machine accounts that they've been carrying through their Active Directory, and they don't even know which ones they can turn off. It's kind of scary. They've got the whole cleanup of that. And if they don't get their arms around the accounts for Terraform, the accounts for Docker, the accounts for GitHub, they're going to have cleanup for all that
too. And just like you said, the attack surface is going to grow exponentially. Exactly. And yeah, so that's part of some of the recommendations I get into in my presentation this week. That's actually step one: discovery. You can't manage what you're not measuring. And a lot of people have machines all over the place, right? So there's service accounts. If they're using AWS and GCP and Azure, right?
And some other cloud service providers, and maybe fragmented across different regions. If they're a global organization, they're going to have all kinds of machines everywhere. So you have to run some kind of discovery process in order to say, OK, what machines do we have out there, so we can at least size the problem, and then you can determine how we monitor these things and then manage, and so on and so forth. I think also there's the difference between identities
and accounts, right? There's certainly that when you think about people. I'm Jim. I have an AD account. Maybe I'll have multiple AD accounts. Maybe there are multiple ADs. Maybe there are applications that sit outside of my IDP landscape. Machines are even more complex because you have a machine that could have multiple accounts. Is the machine the identity, or is it the human who runs the machine? And if you make it the human who runs the machine, when
they leave the organization, from a governance perspective, how do I handle that? I don't think those rules of engagement are clear today. I think it's just, you kind of come up with it. It's almost like you need a creative solution. Yeah, yeah. There's a lot to unpack, Jim, in what you just said. So first I'll just tackle the maturity side of it. We are very early on with machine identity management. There's a lot of different kinds
of solution. Let me just say this: almost every client that I know, both of you work with, and probably a lot of our listeners as well, everybody has some kind of machine. First of all, everyone has machine identities and accounts all over the place. Anyone who says they don't, they're lying or they don't understand. They also, surprisingly, do have some machine identity management tools.
If you've got a certificate authority and some certificate management, you're managing some kind of machines there. You have code signing products, that's also machine stuff. You've got some cloud security posture management, you might have some there, right. PAM solutions, CyberArk, Delinea, right. They all have some kind of layers to this, but right now it's a mess from a functional
perspective. And then going back to what you said, again, remember I always think of the world as people, process and technology. So we have a lot of the technologies, but they're fragmented. So that's one. Two, we don't have people that are explicitly like, oh, I'm an identity architect, but I guarantee you the majority of identity architects you talk to are on human identity. They focus on human identity.
We need to get them focused more on machine identity, and you might argue that could be some developers, but then the process, I think that's also where we're immature too. So we're very early in that maturity curve. And I've worked with thousands of companies around the world on this topic over the years. And I would say, I don't say, hey, you are all behind. No, no, no, absolutely not.
This is just the evolution of the space. So I wouldn't beat yourself up if you're too early. But going back to the other point you made, accounts versus identities themselves. Yeah, absolutely. It depends again on the use case. If there's a human involved, it could be Jim's account. But you're managing potentially thousands, maybe even millions of machines.
If you're, say, a website operator, or you're a big part of running a digital business and you're creating those chat bots, or you're creating all those, those could be tied to accounts that you manage or monitor because maybe you're the privileged user behind them. And that's also why we see vendors like CyberArk and others talking about machine identities, because they see that as well, I think, coming into the market.
Anyway, I'll stop there. That was a lot, that's a lot. But the other observation that I have, and I see this in, say, 90% of the clients who are moving into the cloud, is that developers, or maybe a non-strategic approach to moving out to the cloud, starting up applications, maybe doing DevOps, being done by teams who have to deploy some functionality, not by the CISO.
So then by the time the CISO says, hey, I've got something I need to get my arms around, it's already built, it's already doing things. So you don't want to be the progress prevention department, but at the same time your cloud infrastructure has to have all of the same controls the rest of your enterprise does. So I think that's one of the big challenges, is that a lot of this is springing up for organizations, and maybe
it's happened in the past. It really depends on where the organization is in their cloud life cycle. But they've got this situation that's been created for them. So they're stepping into it and now having to get control over the environment. So take Terraform, for example. It goes out and creates accounts. So does it destroy the accounts that it provisions, the roles? OK, do you go in there and say stop using
Terraform? No, you say, OK, well, how do we do this in a way that's controlled? So then I think the infosec group becomes like oversight, making sure that it's not breaking rules, or that at least it can be monitored and managed. What do you think? Let me add one more wrinkle to that too, because I think there's two things. One is the creation of those accounts. Definitely an issue. The destruction of those accounts, I think, is just as
important, because in the automated world, these things might only live for fractions of a second or a millisecond. They conduct a very specific transaction and then poof, they're gone. And I think if you try to draw a line to this, in my simple brain, all I think about is, yeah, it's just like onboarding and offboarding for a human person, it's just a whole lot faster. And we were not built yet to manage that volume and that time.
And I think, I try to make it as simple as I can, and I keep going back to that idea. OK, I just need to say to our audience, I swear that Jim and Jeff have not seen my slides. One of my slides is a graphic of a human identity life cycle, and then the slide right after is a similar graphic where I contrast it with the machine identity life cycle. It actually looks the same.
But you're absolutely right. The volume, velocity and variety of these machines, it depends on their use case. If it's one of those chat bots and you get a million people coming to your website and a chat bot's triggered, let's just say every time a new visitor comes, you might get a million bots right now at time one.
And then at time three, maybe 750,000 of them are dead because people closed the browser and walked away and they're not going to let that process run. Hopefully it would be killed off. You would hope. Right. So absolutely, first of all, you have to think through all those different types of machines. Is it hardware, is it software? Then what type is it?
And based on that, your risk profile: what are the risks of these machines, right? Are they dealing with sensitive information or are they not? Right. And then that should lead you to say, OK, what is that creation process? Do I have to tie back to, you know, one client I talked to, they wanted to mirror PIV, personal identity verification, right. They wanted to mirror that and use digital certificates for each and every machine they create.
But then they also said, you know, if we have these public, non-classified bots that are accessing public information, we don't care. We're not even going to give it a strong identity. We'll just manage how many there are, just for costs, for consumption for our cloud usage. But other than that we don't really care. So I thought that was really interesting. It's always going to come back to your risk tolerance.
Do they have to adhere to any compliance standards? And then you need to determine, like, yeah, we need to either go hardcore and issue certificates for each and every identity, and that might have an impact on what that creation process looks like, the authorization process, and so on. But it really goes into all that. But there are a couple other things that you mentioned. It's not just security as well. Security is a big part of
identity, of course, right. Knowing who and what you're dealing with, and then you can determine, OK, these are the areas you can play in and access, and these are the areas that you can't. OK. That's a big part of security. But we also have to think about identifying these things for cost optimization and just overall operations, too.
So you can not only think of it as security, mitigating security risk, doing your compliance, all that kind of stuff, but also, if you've got a good machine identity practice, I guess what I'm asserting is that it can also benefit you from an operations perspective, because now, let's just say it is the golden standard, it's hybrid, it's multi-cloud.
Now you can actually take a look and say, you know what, Jim, this month we had a lot more machines that we generated in Google Cloud than we did in AWS. Does that mean we need to adjust our contracts in one or the other? It could very well be. So now, if you actually have that, and again, it's not unlike good human IAM, it can actually give you some really good data that can help you make
infrastructure decisions, cloud investment decisions, and even just good business decisions, because you now have data. So I would even argue, if your company values data and analytics and you've justified a Chief Data Officer, the Chief Data Officer can work really well with this data, because it could be really good consumption data. And then I'll just say one last use case: how many chat bots are you generating? How many people are coming to your website? Right.
If marketing's generating all these campaigns and now everyone's like, hey, I'm going to go to this mobile operator's website, because let's say it's Mint Mobile and Ryan Reynolds is doing a big push on Mint Mobile, and all of a sudden they're getting a lot. They could track that, and they can track it with really strong confidence, because they actually are identifying the machines properly. And it's not just text-based stuff.
Yeah. One more follow up and it's like the human identity management flows now. Seems so easy, right? I mean, there was a time where I was like, oh really? I have to wrap my brain around this. But now it just seems like it's black and white. There's an authority to source for employees. That's the human resource system and then it flows through your governance process.
Contractors are a little more difficult, but if they're in the HR system it's still better or if it's in some kind of third party system. I know I'm not trying to step in on a landmine here, but authoritative source and the control around employees is like people make sure they get disabled when they leave the organization because we don't want to pay them. We may have strong policies around contractors, but it's like, you know, this person's
the manager. They know when that person's no longer here, so ultimately they're accountable to get that person shut off. Now, when it comes to machines, like, there's no authoritative sources there. Should there be? So, one, should there be? 100%, because look, the world already runs on machines anyways, and it's only going to continue to run, you know, furthermore on machines. I mean, I know both of you flew here. We're in Carlsbad, California, the San Diego area. And they're bragging now because you didn't fly here. No, I did not fly here. I drove here, but I won't say anything else. But there was all software on those planes. The military is using drones and all kinds of things that get updates every day. And software, your cars are... You know what? The average car has 250 plus computers on it. So the world is run by software, and that is only going to
increase. And all of this is just machines, and these machines need identity. So you know, I think, Jim, you bring up a good point. When we see something in front of us, like a human being, you know, it's much easier to say, OK, you're an employee, you're a contractor, you're a business partner or you're a consumer. Identity, identity, identity, identity. Maybe I use this system or that system or whatever, but machines are a little bit more tricky because, OK, maybe the physical
ones. We could say, hey, I've got these MRI machines and I need to put them on the network, and Cisco's telling me I need to put a certificate on it so I can do cert-based auth. OK, what about all this funky stuff in the cloud? What about all these bots that are running? No one's really there right now as, like, a regulatory force forcing organizations to do this. Am I advocating for that? I don't want to make life harder for our community, but at the same time, I think it might need that.
I think we might need, you know, folks to do this, because I'll give you another example of a machine identity risk. Code signing, right? Applications need identities too. And so what if I'm able to actually hack into a software developer, like, oh, this happened to Asus, and get into their environment and I could get access to their code signing cert. And then I start signing malicious code.
And you have an Asus machine, and your Asus update application engine just downloads the malware and deploys it on your machine. And it doesn't really know any better because it goes, oh, it was signed by an authorized source, right? So that's an example. So should there be an authoritative source in your organization for all of your machine identities? Yes. Should we start thinking about
it now? Yes. Is there technology available for them to do it in one, like we do, that would mirror human identity? Not really. I thought you were going to say yes. Not maybe. Yeah, it depends on the use case, and I think the types, right? Correct. Yeah. Correct. We see some interesting things with secrets managers, again, PAM, this area. That traditional service account management type thing? Correct, correct. And then you have on the certificate side, there I see
some interesting things there. You have companies like Venafi and Keyfactor and others we're talking about machine identity, but that's a little bit more on the crypto space. But there hasn't been this leap to connect those dots with the service account side to all this. But I think if you go back and look at Gartner, Gartner's talking about this more and more. Good, right? It's going to be an expensive problem to solve.
I think there are folks whose mindset is don't sell things on the FUD factor, and it's like, we're going to need a lot of money to solve this problem. It's a very real problem. The results are, you know, these major breaches that you're seeing. It's like, that could happen to us. It's not the FUD factor. No, no. I mean, I've been in this space for two decades now. And you know, I started out doing more like social hacking and all that. It was BBS stuff, IRC, you know, we're not getting more origin
story. But. And then when I got into this field, it was cybersecurity. It's just folks I would talk to and say, you're always scaring us. You're scaring us, you're scaring us. And I don't think, Jim, now today I've heard anyone say that to me. I mean, if you are tripping over yourself and trying to scare someone with data, look at this breach, look at that breach, OK, you know, just lay off.
But again, going back to what Pam Dingle said, everyone in our space really needs to take note. Because as someone who was, like, formerly an attacker, it's like we have to get out of the mindset of joiner, mover, leaver and think joiner, mover, leaver, adversary. Because attackers do not care if it's a machine, if it's a human, or if that machine identity or human identity is owned by this group in your company, that group, or...
You're an identity expert and this person is an endpoint security expert. They don't care about those roles or responsibilities, and they also don't have compliance. They don't have to adhere to anything. They'll just try and get in. So all this infighting we might have as a community or as an organization, attackers love that, you know. And so I think that we are, you know, number one, we need to plan on more attacks happening on our machines. It's only going to happen.
Pam talked about identity infrastructure. Identity infrastructure is run by machines. Humans write the code, but it's the machines that are executing. It's containers and workloads in the cloud that allow you to authenticate, that allow you to do that SSO. And if someone compromises that because they stole a cert or they did whatever, they now own your identity infrastructure and they can do lots of things. Now you're in big trouble. Exactly. So I totally agree with you.
This is a... I think Simon said in the last session, he's like, this is going to be a Titanic problem to solve. Yeah, we've already talked about, like, the separation of duties within the hacker community, right? Some people go and steal the credentials with phishing or whatever method they use and sell them. The people who buy them just know how to run scripts. Once they get in, it's like, OK,
I'm on this machine now. I'm going to try these 10 or 15 things I can do to escalate my privileges or see how I can move laterally. Exactly. I didn't go to cooking school. I'm not going to say if I'm a good cooker or bad cook, but I can follow a recipe. I can follow a recipe. Makes them feel a good cookie would have, said Chef. There we go. There we go. But I mean, you know, if you break it down, people can follow recipes. And I know one of the talks today.
When? When I can't remember the speaker's name. It drogged my memory. It's been a long day, but when she was going through all the stuff with ChatGPT and she showed an Icelandic banking attack, and it's like, hey, I think there was only, what, a few 100,000 people who could speak Icelandic. But now with the advent of ChatGPT, everyone can, everyone can. I can make a phishing campaign that's in Icelandic.
Sorry. And now as a result, some of the Icelandic banks are like, wait a minute, have the number of phishing attacks just increased? You know, it's like, well, ChatGPT made it easy. So I think, to Jim's point, you know, unfortunately a lot of these things are getting easier for attackers to take advantage of. And I think machines, just machines, give them a massive attack surface. We thought humans were a decent-size attack surface. Machines are even bigger. Is that Rachel Tobac?
Yes. So, yeah. Credit where credit's due. Yes. Yes. Sorry, my brain's fried today, but. Well, if your security strategy relies on people not knowing how to speak your language, you know, you probably should be thinking of other layers to that security onion. You should be building, exactly, exactly. We've been talking a lot about PAM as sort of like one of the areas of solving this. But is it PAM? Maybe this is more like IGA, considering the life cycle looks
a lot like a human. Gartner has a market guide that talks about matching up machine accounts to machine identities. Maybe IGA is where we should be starting this. If IGA's root, you know, capabilities to know who has access to what, how difficult is it to turn into what has access to what? Doesn't matter if it's a human or non-human. Is IGA a place that we should be looking at to store these accounts, or at least to inventory them and start to at least try to manage or govern
them? So I actually do think IGA is, so I agree with you. I think IGA is a big part of the core. But again, I think if you think about when I describe the identity life cycle, there's onboarding, there's the creation of this identity. IGA could play a role there, but it could also be IGA orchestrating a connection into, let's just say the identity is deemed that it needs to be a certificate coming from a certificate authority. IGA doesn't traditionally do that.
So you're going to need some kind of orchestration capability to call out to a certificate authority, which could be on-prem or in the cloud, and then, you know, pulls it in. So I agree that IGA, when you distill it down, is really the core, because it is about governance and administration and all that. But I think what IGA is missing, the traditional part, which is there's going to be a lot of heavy lifting here, is the orchestration side of it.
There really has to be a lot of, again, you need to say what kind of machine is it. It's something that needs a certificate. We need a certificate authority. It's this other kind of machine that just needs a secret, OK? It needs to go into some kind of secret manager to generate a secret and pull it out. That could be a PAM function, but it's IGA at the core. It could be a symmetric key, it could be, you know, a whole variety of things.
So I think we can take the classic notion of IGA, but it has to be augmented in order to really fulfil the variety of the different types of use cases. And the last thing I'll say, Jeff, is that you mentioned it earlier, but the velocity of these things is going to absolutely mean that anyone who's running this infrastructure that would create or destroy these machine identities, it really has to be, like, super critical. Now it's Tier 1.
Whatever the highest thing is, to make sure it's got the appropriate resources, backup, you know, recovery plan, like all that stuff. It's critical infrastructure for the organization. Correct, correct. And even if we look at, again, I keep coming back to certificates, because certificates are actually a good best practice. When I was at Gartner, we talked about PKI and IoT authentication, digital certificates, that kind of form. And even when you think about FIDO and passkeys, that's PKI-based. The gold standard for authentication is using PKI. But you got to make sure that that is not only scalable, everyone can talk scale, it's response time. That's the thing: if a consumer is sitting there, what is that? Just type something in for this chat bot, and it's supposed to be LLM-based and it's taking 20 minutes to get back to me. They'll just kill the transaction.
This is like when traders would buy, you know, land near the circuits that were driving markets because they wanted a faster response time. Is that where we're headed? We need to have your identity management nerve center next to wherever your bot plant is. I will say we haven't gone far from that. My son, who's a teenager, he is big into Fortnite, and we recently moved from Canada to the San Diego area, and he's like, hey Daddy, oh my gosh, like, so the main servers are in Los Angeles. We're so close to these servers. We're so... way down now, yeah. So he's not on, like, those traders, he's, and then he keeps riding me to keep bumping up our bandwidth, you know? Can we get T1 lines, Daddy? Yeah. You don't really need T1. What you need is symmetrical speeds.
Because everybody, for whatever reason, the US loves fast downloads and overlooks fast uploads. So if you can get like fiber or at least a symmetrical... I saw, like, Comcast is running a 2 Gigabit symmetrical through coax, which I don't think was possible, but they figured out a way to do it. So now you're talking about instantaneous responses back and forth, which is crazy. I'm sure they'll charge an arm and a leg for it, but for people
like me and Jim and others, and like yourself, right, who are doing audio, video, that instantaneous transfer back and forth can be a big game changer for our use cases. A normal person, I say normal person because, let's be honest, we're a bunch of weirdos in here, but a normal person probably isn't going to have that as a use case. But machines, well, they need to move quick, fast. You know, lift fast, die hard. Yes, all that stuff. I like what you did there.
I like what you did there, but no, that is a straight-up legit point, because I mean, what we also didn't talk about so far is the machine-to-machine communication. So imagine if you have, like, an autonomous agent that's working for Jim, and Jim has given it instructions to say, OK, I need you to do trades for me or do whatever for me, and you give it its rules and, here is access to my bank account, and when you see a stock do something, just go, you don't have to call me up.
I gave you the rules of engagement, go. Now that machine might talk to another machine that is actually doing maybe the buying and selling, you know, on behalf.
And so if you have those great connections, it means there's that symmetrical upload and download between the two, because it could be, I'm using just transaction triggers, but there could actually be, you know, bulk content that could be shared, could be, you know, different types of things that could be shared.
So I think we're entering a really... I'm excited about where we are going with everything, and I think first, everything has to start with recognizing a problem, and what I'm really happy about is that for years myself and a few others, like Erik Wahlstrom and some other folks in the industry, we've been talking about this potential sleeping dragon of issues that will happen with machines.
But no one was really... maybe there was a little bit of that fear, uncertainty, doubt. But I think we're getting to a place now where people start to see it, and my hope is that the industry will rally together, because it's not going to be one vendor that's going to be able to do this. It has to be all of us. The cloud providers, I think, are taking it seriously.
For their cloud, for their... Well, no, I think you're touching on the most important issues, and this kind of starts back with Jeff's question around what's IGA's role. Well, I think the IGA vendor thinks they can solve it, but they take on the piece where their tool works well. Privileged access management, kind of the same thing. Access management vendors kind of say, well, the authentication is what really matters. OK. Well, there's all the other
stuff too. Right now, you have new markets springing up with like the Kim or Keem, whatever you want to call it. So I'm not sure if you have an answer for that, or it's just like it's the evolving space. One of the things I wanted to do is recognize you, like, you're taking on this issue at a conference and it's not a solved issue. This is not... We're not at the space where we're like, yeah, we figured this out and here's the road map. Now I'm going to lay out the road map for you.
What you're going to be talking through is like, there's a lot of hard problems. They're not solved by the industry. Here's, I don't know, how I think about them. Yeah, I love that. So again, you know, Gartner, like, really burnt into me the notion of always leaving clients with recommendations and a path forward. So absolutely, I'm not going to go up on stage today, OK, doom and gloom everyone, I'm going to obsess about the problem and see your time. See you. Thanks for your time.
Bye. No, in the presentation I have clear recommendations, which I can mention a few here, and I believe I did. But so you know, I'll reiterate: always start with discovery, enumerate and discover what machine... Well, first of all, define machine identities. And if you're a Gartner client, look at Gartner's research. But there's more and more research out there that's that, or you can hit me up and ask me, right. But identify the machines in your environment, do some kind of discovery process that's kind of, you know, part of your first journey, which would include some tooling and so on and so forth. Start to think about the teams. Establish a physical and/or virtual team. There might be some developers that might be in the group, maybe some of your IAM team, maybe some of your cybersecurity team.
Because inevitably there will be cryptography-based machine identities. Is that someone that's traditionally in your IAM group, or are they in the cybersecurity group, that maybe you've tagged a network infrastructure person to your PKI? Someone who knows PKI is probably a good person to have on that team. The other thing I mentioned too, I alluded to, is the risk. So when you identify what machines are in your environment, also segment them and prioritize them based on risks. So what machines have, you know, access to things that are really risky, and what machines have access to things that are maybe somewhere in the middle, and then stuff that, you know what, if that got breached, it's segmented out, it wouldn't be a problem. That's also handy too. So those are the first pieces that I would recommend, and just understand that it's totally a new space, so it's OK to be, you know, no one's behind here, we're all just learning here.
If anything, we're keeping up just by even knowing and understanding that there is a problem here that we need to address. Exactly. I mean, just, you want tactical one, so this is something Simon mentioned. It's like 70% of respondents to a survey question said machine accounts should use multi-factor authentication. Where do you stand on that? Yeah, 100%.
We're getting to a point where something, let me just start this way, in terms of evolution, when you talked about Pam talking about the evolution of the Microsoft Authenticator, it's the evolution of thinking about machine identities. You know, when we think about PAM, you know, years ago it was just we had PAM on its own, and then it's like, wait a minute, PAM needs to be bolted in with MFA and hopefully other passwordless strong FIDO-based methods, right?
Because why would you have a privileged user that's not using that, right? So that just is laughable at this point, right? We have to do that. We're not doing that for machines. So when I saw Simon's data, I totally agree with that.
I think machines have to have strong identities, and with that it should come part and parcel with some kind of authentication risk view, 'cause, like, a machine, again, in that journey, just because that machine exists and it's allowed to exist, and let's just say it's not ephemeral, and it goes to authenticate to a certain resource, should it be allowed access to that resource at that time? Maybe there's an attack going on in the organization. It's like, this bot that's a clone of Jim shouldn't be allowed to access the credit card database right now because we're under attack right now, right? So I think all these things need to start to come together, and we're just not doing that right now. If a machine has access in your environment and it wants to walk into a credit card database, it could do that, which is, by the way, that's malware. That's ransomware. Ransomware is a machine. I was
going to say you just described it. Yeah, ransomware is a machine. And in terms of managing machine accounts, you know, we talked about AI, generative AI, in terms of kind of the bots, but do you see a role for AI relative to machine account management? Oh, the bots watching the bots. Is this how the Matrix started? Yes. Or Terminator with Skynet.
Yeah. I mean, you know, there is a point where, look, the bad actors are already starting to use, you know, EvilGPT, FraudGPT, like was discussed today in the keynote. I, at Transmit, our researchers are certainly seeing that, like, we're seeing the threat environment just really quickly has done a huge phase change, and so they have this now access to all this stuff, and we do have to fight fire with fire. It always has been and always will be an arms race, and it's like the situation where if someone is firing tons of missiles at you, are you gonna have humans on the ground, you know, shooting them down manually? No, you're going to need a system that is automated and is using AI/ML to fight back. So I'll just say this legitimately. We saw how good that works if you ever played Missile Command, right? Well, yeah, exactly.
Yeah, right. That's what you're going to lose. Yeah. I mean, well, so there's a couple ways I think about AI/ML and benefiting, let's just say, security and identity leaders. One is there's AI/ML tools that hopefully your vendors are starting to build to help with administering and managing the stuff, right? So think about access certifications when you think about governance, right? Like for years they talked about identity intelligence.
I think now we have the technology for vendors to apply that to give you a better idea, be like, anticipate all these recertifications I need to do so I don't have to do it manually. That would be nice. Or short circuit, like, can I interface with a chat bot where I'm like, how do I set up this certain policy within this product? And I can just type in two things and boom, it tells me what to do. So that's where I see the first.
I've seen many. I've been briefed by many vendors, and that's where I see a lot of the quote unquote innovation right now today. But the other aspect is how that technology can be used to fight bad actors. So monitoring machine identity behavior, and then if something happens that's weird, then it can respond, either by terminating that machine, or pause the transaction. Pause, exactly, or stop and get more information.
So it's similar with, like, risk-based authentication on the human side, going back to what you're saying as well with the, you know, the 70-some percent of people saying machines should have MFA. Hopefully that's what, you know, people were thinking as well: they should have risk-based kind of authentication for these machines as well, and if something's weird, just stop it. That's where I see AI now also helping the fight here.
Excellent. So we'll start to wrap up because we're about to hit an hour here and I want to be respectful of your time, but you made me super jealous this morning when you started showing me some pictures on your phone. No, not like that. Star Wars: Rise of the Resistance. You went to this? This is Disneyland. Disneyland. Yep. And I want to know everything about it. Yeah, yeah.
So you give me two minutes. No, no, no. You got as much time as you need. So recently did an amazing family trip to Disneyland, and we were lucky enough to make it on the ride. I would actually say it's a ride, it's also an experience. Star Wars: Rise of the Resistance, I think I got the name right, and it was Rise of the Resistance. Usually it's a long wait, you know. We got in with decent timing. Amazing ride.
So it's themed after kind of the newer Star Wars movies, so like Kylo Ren and all that, and the story, and I don't want to ruin it, but the premise is that you kind of come in, and the cast members at Disney, they're all in character and they don't break their character. You know, they're like, hey, thank you for joining the Resistance. You're part of the Resistance. We're going to share with you a secret base location.
And then you go on some, you go outside, you see all this cool stuff, you go on the ship, you're flying, and then suddenly the Star Destroyers with Kylo Ren, they board you because they believe that you have the location of some base, but you deny it. Then you're on, like, a Star Destroyer with, like, hundreds of Stormtroopers on this. It's amazing. And then, you know, then you go on kind of the ride, if you will. So when you say on, like, you're not talking about, like, watching a video, right? You're in this thing, or you're... help me understand the perspective here. You're in this thing. You're seeing stuff. It's a blend of multimodal multimedia. Wind blows on you and stuff like... Oh, you feel everything. Seat shakes? Yeah, you feel everything. It goes beyond just a ride that you get on, it just takes you somewhere, or you sit in something and hear music. I mean, it really does try to tap into all your senses and
everything. And I was blown away. Probably one of the most enjoyable experiences, you know, I've had. Honestly, after we did that, I think we did it around midday, a full day at Disneyland, I was like, that's it. Everything right now, right? Yeah. I mean, everything else is great, don't get me wrong, but I was like, if we went home now, I wouldn't be disappointed. That'd be fine. How long was the experience? That's a good question.
It probably felt like it. I feel like if it's a good experience and you're into it, it goes fast, right, 'cause you're engaged throughout the whole time? Is it 5 minutes? Is it, like, half an hour? To me it felt so... I agree with you, like, it definitely had experiences where it felt, you know, like good ones. It felt like it went by fast. It didn't feel like it went by fast. It felt to me like it was 15 minutes long. It probably wasn't. It was probably like 5, but you're so into it and it's such a good experience, it felt like 15 minutes, and just everything that your senses pick up, what your body picks up. It just was that. And if you love those movies and just the Star Wars genre, not only is that experience and ride great, but the whole environment around it, because you walk into Star Wars: Galaxy's Edge and it's like it's a new world. Even the restaurants seemed like Endor.
We had Endorian chicken, which is another thing, right? It tastes like chicken, and they have blue milk there too, like blue milk and everything. It's really, really cool. But when you go on, it's like you're on the bridge of a, or you're in the hangar bay of a Star Destroyer. It's really cool how the backdrop behind the Stormtroopers looks like a shield with raw space behind them.
They did a good job. I really have to applaud the team at Disney for doing that, because, you know, it goes back to the, you know, the Imagineers, I guess, right. And I just think, you know, amazing job. We need some Imagineers to come in and help us in the IAM space, I think, you know. Can you imagine an Identity and Access Management theme park? Oh yeah, what would that even be like? Yeah. Well, we would have, you know, Disney has the MagicBands. We would have, like, our passkey bands, you know? What would be, like, the top drawing ride? That's a good question, Jim. What do you think? I think humbersome, this is so lame.
Although I will say my son looked at me, and again, he's a teenager, and he goes, hey Daddy, why don't they have, like, Austin Powers Land, you know, or, like, Towers Land, Beetlejuice Land, or, like, he just started dropping these other, like, cool kind of movies, like, you know, I said, what about Anchorman Land, or, you know. They spent a lot of money for the Star Wars. Be dead. It's unfortunate they shut down the hotel. I think, though, there was, like, a hotel experience, and I think I heard that they decided to shut it down. It wasn't, yeah, I think. I've heard really good things about it, and I guess it was too expensive or something. I don't know. Just can't. I missed out on that one. I can't always have nice things. I know, I missed out on that too. I remember talking about that. But then COVID happened. I don't know. I don't know if it had. Who knows? But either way, I would
highly recommend. I haven't been to Disney World. I haven't experienced their Star Wars thing. So it was just Disneyland. So that one's in... Kind of the difference is, Disneyland is in California and Disney World is Florida, correct. So the weather is going to be a lot better in California, yes. But it's not as big. I mean, Disney World is huge. I've been to both. It's not even close. No, it's not even close. I think I've spent more... multiple parks in Florida. Yeah, you've got, was it MGM, Epcot, Disney itself, plus you got all the resort things. I mean, it's a whole thing, but I think, what? Between the two, I actually prefer Disneyland, because I think the quality is higher, even though there's fewer things compared to Disney World in Florida, which, there's a ton of stuff to do, but the quality
is very inconsistent. Like for me, Space Mountain at Disney World, classic, but I don't care about anything else there. When my kids were very young was when Cars was the movie. Cars was hot, and there's Hollywood Studios, and they had Cars everywhere. It was like my kids were just drawn in, so they have that. So I actually, I should say this, but it was kind of cool, ran into a YouTuber in the park, and he was, like, SoCal Disney Dad. And we got so many great tips from watching his video in the lead-up to us doing this trip. So it was like my kids were kind of excited when they saw him. You know, it's like, because he's like an influencer, much like you guys as well, right? And so it's, no, it's true. It's right. You don't know. Go on. But it's really cool.
And so, but what he said was, he's like, you know, Disney World is very cool, but he's like, one major pro when you come to California, because it's California Adventure and right across, like, you could throw a football from one gate to the other, Disneyland's on the other side, and Downtown Disney's there. So you don't have to take all these shuttles everywhere. Like, you can get a really nice Disney experience, and I will further it with Disneyland is the original Disney park, and it's like one of the most original theme parks, I think, in the world. I mean, someone can correct me if I'm wrong, but YouTube videos that I've watched on it, it's pretty amazing.
And all the tricks that Disney had to do, like that used to be an orange grove that was flat with nothing there, and that was transformed, and I wish I remembered the name, but there's a really, if you're really interested in Disney, the story I find of what Walt Disney went through to get that park there was incredible. Like, he almost ran out of money. Everybody said this is an insane idea. Why would people come to a theme park? Like, what does that even mean? What is a theme park? Yeah, and he almost ran out of money. We do the same thing in Orlando, right? It was the original drain the swamp. It was like all swampland that you bought. That's right. Yeah, yeah. I don't think he even lived to see Disney World happen, right. But anyway, but yeah, no, thanks for asking. It was an unbelievable experience, and highly recommended if you love Star Wars. Well, I do and I don't. And you don't. But I probably would enjoy the
ride. I mean the experience, right? I mean, I think you can appreciate. I can appreciate experience. I'd like to go to a Star Trek one. Star Trek one? I'll go to both. I don't discriminate. I'd like to go into the holodeck. I mean, that's where we're going with things like VR and AR and things like that. Eventually, someday. That's it. You can have experiences with that without actually being there. Yeah, yeah, exactly. All right.
Let's go ahead and wrap it up. David, thank you so much for taking time with us. Nice to see you. Looking forward to your talk. You can find us on the web, idacpodcast.com, Twitter at IDAC Podcast. I have a link for David and his LinkedIn if you want to share Disney tips or machine identity tips or whatever, along with the link to Transmit Security so you'll learn more about stuff that he works on. What else?
We're on Mastodon at IDAC Podcast at infosec.exchange. Connect with Jim and I on LinkedIn, like, subscribe. That's all the stuff that people can do to help us out. Get us on the main stage again at the keynote for Authenticate, which is very cool. Definitely a podcast highlight. I think of kind of making it from 2 dudes in their basements to now, or you know, on a stage somewhere. I think it's all of our Mastodon followers. Yeah, I don't know about that one.
We have it out too. We have, no, we've got several. By far, LinkedIn is the best way, you know, that we get the most engagement. But I don't know. I think Mastodon came along at the right time, but the usability isn't quite there yet for the masses. Let's wrap it up. Thanks everybody for listening, and we'll talk to everyone in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
