This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself. I'm doing well. I mean, you know, I'm going on vacation next week, so yay for
vacation. But you know, and I think everybody can probably relate to this, the week before vacation and the week after vacation is like hell on earth in terms of your work life. You've got to get everything done before vacation. Then you come back and it's like your inbox has 1000 emails or whatever. But as you know, I live in Augusta, GA. It's Masters week. We're the center of the world's attention for one week out of the year, and that's next week.
So I'm looking forward to it. And damn the stress. Well, there's no such thing as vacation, I think, in the kind of job that you and I have. It's just periods of work you're hitting pause on. It doesn't mean the work disappeared while you're gone and you'll spend some time catching up. Yeah, but I'm going to spend the week doing all kinds of yard work and things that I don't have time to do the rest of the year.
The other weeks, I feel like weekends you have to have at least one day to do something fun where your life just goes by and you do nothing. Like, I just can't stand spending my whole weekend going to the store and doing laundry and X, Y and Z and spending your whole weekend and you've done nothing fun. So I feel like you have to do one thing fun, so I never get to things like, you know, updating the flower bed and stuff like that. I can imagine updating the flower bed.
That's not something that I'd normally picture you doing. It's not something I normally would do, but Denise and I are going to go to the nursery and buy stuff because I've only been in this house for like 2 years and basically the entire flower bed died, which I don't know how that happened. I think they bought all kind of like low end plants to get ready to sell and they probably didn't put a lot of effort into planting them and they probably just sat and you know, never
rooted, etcetera. So anyway, my flower bed is just like, you know, in the South you use pine straw rather than wood chips because we have termites. Termites are a major issue in the South. So you use this pine straw and basically my flower beds are pine straw with nothing coming out of it. That sounds real attractive. Well, good luck to you and your fun vacation, in quotes. We're gonna have a couple conferences. Gonna be at those.
Those aren't vacations, but those are fun, right? They're fun. They're like work vacations. Yeah, you want to tell us about Identiverse? Yeah, I mean, I'm always excited about Identiverse. We're going to have a lot going on there. We're going to have a couple of events which I'm not ready to announce, but there'll be opportunities to interact with us, maybe see us put on the podcast in kind of a live
setting. And for those people who haven't registered yet, we're going to have a link in the show notes. But essentially you can go to identiverse.com and use their discount code, which is IDV24-IDAC25, so you can go and there's still like a version of early bird. Price hasn't gone to the maximum amount, I think, until near the end of April. So don't take my word for the
exact date. I thought it was like April 26th, but if you missed the date for early bird pricing, don't say Jim McDonald, you know, gave us this misinformation. So I want the discount. That ain't happening. You need to go out there and check for yourself. The conference is, I can get this part right for sure, the conference is May 28th through the 31st. It's at the Aria in Las Vegas. I love Las Vegas, I mean, I don't gamble. I do drink a little bit, but I'm
not like, I don't go crazy. I know it's Sin City, but I don't go there and like sin extravagantly. But I do have a good time. I mean, the food is great. I know you're real into the people watching. I like doing that as well and I just have a good time overall. Yeah, the people and the food I like. I think that should be like your tagline. I don't sin extravagantly. That's the motto for the podcast. Yeah, I don't sin extravagantly, but that doesn't mean I don't sin at all.
Yeah. So we'll have that link in the show notes, IDV24-IDAC25 is 25% off. Then right after that, I know a lot of people are hopping on a plane. Basically they're going straight from there over to Europe and Berlin, specifically for the European Identity and Cloud conference. So our friends over at KuppingerCole have given us a discount as well. EIC24-IDAC25 gets you 25% off. Unfortunately, Jim and I won't be there this year, but we hope to make it next year.
I think that's kind of on our bucket list. We've been talking about that for a while, but it would be cool to go to that finally after, I feel like, two or three years now of us talking about it. You know, I think that one of the other cool things that we should point out is that for the years that we've been doing this
podcast, we've always been. I think that the listeners of podcasts have been weighted more towards the United States and now we are actually a majority of listeners outside of the United States, which I think is super cool. And I think we always try to remember that there's so many people listening who are not in the United States and I don't think we always nail it. Sometimes we forget and we have
our US centric statements. It's not anything intentional, of course, it's just we're just it's just a matter of convenience, if you will. But yeah, a lot of people, that conference was probably right in their backyard. Yeah, easy to get to, but yeah, that's something we want to get to next year. And then Speaking of worldwide, we've got Identity Week coming up later this year.
There's Europe, which is June 11th and 12th in Amsterdam, America, September 11th and 12th in Washington DC. That's where you and I will be at. And then Asia is October 22nd, 23rd in Singapore. If you use the code IDAC30, 30% off. And that code works for all of those conferences, which is super cool. So I know you and I are looking forward to the one in DC and we'll be doing podcasting things there. And I think I was supposed to host like a panel.
Don't know what we're going to talk about or with who yet, but we'll make it work. I'd be more excited actually to go to the one in Europe and in Singapore. I've never been to Singapore, but I really want to fly first class if we go, or at least business class. We have to get a few more sponsors, I think, for that. So if you want to sponsor an episode of the podcast, hit our website. All right, let's talk Turkey or Cloud.
In this case, I wanna welcome to the show, her first time on it, Kat Traxler. She's a security researcher at TrustOnCloud. Welcome to the show, Kat. Hey, guys and hey, everybody. Thanks for having me. Yeah, thanks for making an appearance with us. You're currently holding either Lump or Yawn, I'm not sure which, on your lap, one of your two dachshunds. Yeah, I have Mr. Lump.
Here he is. He was whining to get out of my lap, so if we don't want to hear him whining through the entire episode, I think it's best I just hold him. Well, I'm a dog fan and I think dogs are the best people, so I'm totally OK with that. We're not doing video for this episode, so people just have to take my word for it that that is one adorable puppy on your lap.
Let's talk about, though, your identity background, because one of the things we do when we have someone on for the first time is really to kind of understand how did they get into the identity space. So tell us a little bit about sort of how you got into this, you know, area. Is it something that you chose or did it choose you? Very much the latter. You know, I have a background in application development and then web app pen
testing. That was my initial pivot into security a number of years ago, and in that realm of internal white box testing, one of the large testing projects I was able to do was a white box test of a new IdP. My employer was looking to switch IdPs and needed to have an independent look at the on-prem systems, the connections, the configurations and assertions that were going to be created. And I mean, my memory has it that I probably spent six months tearing this thing apart.
And you know, it was that experience that really showed me the impact that identity had across a major enterprise and kind of got me into becoming this, yeah, I mean, I guess you could say identity junkie, right. But it was really more of like an impact junkie. Like I wanted to work on systems that had the most impact to my customers and to my employers. And that was just like identity, clearly. And having been, you know, so deep inside of an IdP and seeing the guts and glory of it.
And from there I knew that if I wanted to be having impactful work, it was going to be centered in identity. And you've got a lot of, you know, pans in the fires, we like to say, a lot of stuff that you work on. You've got your own consulting firm, Nanuke Security. You're working with TrustOnCloud now as a security researcher. You also do work with SANS Institute, IANS, DEF CON. I mean, tell me about some of
the other. I don't want to call them extracurricular activities, but tell me the other things that you kind of work on and help me kind of understand as second part of that question, what does a security researcher do? It's like a really, really good question. It's so broad, you know, what does the security researcher do? And that's that explanation is going to be different from 10 different researchers you talked to.
But I like to think of it like I take complex amorphous systems and try to break them down to their essential parts and through that process try to identify the security weaknesses, typically at the joints where two trust boundaries meet, where two systems interact. And so it's that process of distilling and really like fully understanding that within the complex system there is no magic. And if you can say there's no magic in here, it all is understandable.
If you want to distill it to its essential parts, that's ultimately what research is, is trying to distill it to its essential parts and then understand where you have, you know, security relevant issues. I might stumble across a lot of bugs here and there, but determining whether or not it's security relevant is kind of like the unique skill to have. You know, what ticketing system
do you submit this to? Do you submit this to a general public issue tracker where everybody can see, because it's not security relevant and hey, I fixed this, or do you submit to this private bug bounty where it should be kept
confidential? So yeah, that's what I do in my day job with TrustOnCloud. The work product is threat models, GCP services specifically, where ultimately there is a diagram of all of the flows and interactions of the service, and then a list of all of the threats I've enumerated and then all of the controls. I do similar work. I had done similar work with past employers. With SANS, I wrote a course, the SEC549 Enterprise Cloud Security
Architecture course. Less threat focused, more just like what are the overarching controls. Lot of identity, surprise, surprise, big identity course. What was the other thing? Oh, DEF CON, right? For years I've helped run the local DEF CON chapter here. So everybody knows there's the big DEF CON Vegas thing. I personally hate Vegas. It's torture for me being there.
But there's also these, like, local chapters in every community that meet, and I've helped run that for many years. I think that covers some of the extracurricular stuff, yeah. Now I feel like you need to defend Vegas, but I'm not going to you. You form your opinion, I'll form
my opinion. We can still be friends. But I did have a follow up on the security researcher thing, which is like, what drives people to become security researchers or do the kind of research and find these, you know, zero days and things like that. My understanding is, OK, there can be bounties that are paid and then the other is like street cred. Like I found this zero day and I can become famous as a security researcher. But since you brought it up, I mean, what
is the motivation? I mean, those are two of them. Also, you know, there's also the do-good part, you know, that we just want systems more secure. That's definitely a factor. I'm working on a project now that, because of the kind of research it is, I won't get any bounty, might not actually get any street cred out of it, but if it works out, it's actually going to be really impactful for people and secure a lot of
systems in the future. So you're always balancing those three and you do it because you're just insatiably curious, and you try to just balance that between, you know, having a life and enjoying non-tech things and not have it take over your life. But I know when people first start out, it can really be consuming, just this insatiable curiosity of systems and trying to break them and understand them and dissect them.
Yeah, yeah, definitely got the sense that that's a big motivator for you from the different things that I've seen you do on like YouTube and things like that. And you know, one of the things that attracted us to ask you to be on the show was that, you know, you're in this IAM space, but you're also focused on the cloud. You kind of spend a lot of time on GCP, Google's cloud, a lot of
time on AWS. And I'm just going to start with kind of like one of the questions I think every identity practitioner has either faced or is facing now as they're transitioning, having to manage, you know, on-premise environments and having to manage cloud environments from an IAM perspective. And I'm wondering, you know, the investments that we've made over time in IAM tools, can the same tools that we bought for on-prem be used for the cloud?
Is it black and white? You need different tools or is there some kind of grey area? I will have the most, you know, probably frustrating answer and say maybe, maybe you need new tools. I think that's like the Holy Grail, right? Like I have this permission catalog that's stood up in my enterprise and can't I just put all of my AWS roles in here and then have those roles be auto-assigned to the people and then deprovisioned after a time?
And that's all I think possible and some of the big vendors are incorporating it. But I think it's not a natural externalization of cloud concepts. I think what's natural to externalize from the cloud is authentication. So like you can naturally externalize to your IdP and you can naturally externalize, say, your group memberships and have those carried through over, you know,
SAML authentication. But when it comes to your roles and your authorization, that's a harder nut to crack and I think there's just less kind of all-in-one. When I say all-in-one, I mean like it'll handle all of your, you know, on-prem privileged assignments and your in-the-cloud, you know, developer roles. There's just less all-in-one
there for authorization concepts. See, I think this is why I wanted to get you onto the show, because I didn't even feel like I asked the question well, but your answer was perfect and exactly what I was looking for. You've really focused in on kind of the core technologies of identity, you know, from the on-
prem world. There are a couple of other technologies that you didn't touch on that I'd like to throw out there and just kind of get your take on and whether or not, like how much value you see in them. And the first one I'm going to touch on is, you know, kind of built for the cloud, the space called CIEM, cloud infrastructure entitlement management.
What's your take on that? I mean, those folks are trying to solve the huge problem of both least privilege and trying to time-box privilege assignments around, you know, doing that just in time. I mean, my take is that it's a massively hard problem to solve. At some point when you're large enough and you have a large enough enterprise, bringing some of that tooling in makes sense.
And it's probably not going to be the same tooling though as your on-prem permission catalogue. That's why they have that whole CIEM space, and yeah, it's like I said, built for the cloud. And I think a lot of people are determining whether or not they need to be spending money on that. The next one is kind of a more traditional on-prem tool, Privileged Access Management or PAM.
And it's always been to me like a bunch of capabilities kind of put together in terms of what they call PAM. But I'm just wondering, like, you talk about traditional PAM technologies, say, like a CyberArk or BeyondTrust or the Delinea suite, is that the place to start? Is that the place to build your privileged access management for the cloud?
Likely not. No. I mean, the CyberArk people will probably, you know, shake their fists at me, but I haven't seen that it's moving at the speed that folks need. And I'm thinking about the usages of CyberArk being this I'm going to everyday then do you this privileged user and it's going to be vended out to a small handful of your, you know, your sys admins, your DBAs.
But now in the cloud, who has, I'll use air quotes, privilege? Like all your developers, like so many people. So maybe the first thing to do is, instead of having 500 developers needing privilege, maybe the first thing to do is to try to figure out how to have zero-touch production where nobody actually is logging into that
system. And the ways that the cloud and privileged identity have evolved have been different than it evolved 20 years ago in the on-prem systems, to where I don't know that your traditional PAM vendors shoehorn in great. Yeah, I mean, I think my answer to this or my feeling on this has to do with how you went to the cloud.
If your approach was like let's lift and shift our internal environment and you're doing little virtualization or little infrastructure as code, then maybe it's just a bunch of servers that you are renting from someone else and that model would work. I don't think it's going to really help you too much for your console.
But in terms of like, hey, we're not doing any kind of automated management of these server instances and that's what our cloud happens to be, then I think yes, traditional PAM probably would work in that model. If you're doing a lot of automation, you're using a lot of, you know, service accounts and you're using Docker and things like that, I mean, it starts to chip away at what value kind of extending that privileged access management would bring to you securing your cloud.
I think about how much effort might go into deploying a PAM solution, say for your server instances, right? I worry that somebody might end up missing the forest for the trees, because even if you have, you know, say a lift and shift style fleet of IaaS and that's really all you're using, you're missing the entire control plane, which is truly your most juicy
target. You might spend a ton of effort securing these SSH credentials or just securing this one jump host ingress, but you've completely missed your entire control plane. That's right. That's what I was calling it, the console, but it's really more the control plane. Yeah, yeah. Which just comes along for the ride, really, no matter what. What do you think that those privileged access management tools are kind of missing the mark there?
Is it just it's very hard for a third party product to, you know, manage that in a more secure way than kind of comes out-of-the-box or? I just think it comes down to like when you have a hammer, everything looks like a nail. You know, that's they've had a very successful business doing this thing. And how do they appear to have coverage for this new thing? They have a hammer. Let's try to make the hammer work in some way.
So the last group of technology that I really wanted to bounce off you was monitoring technology, SIEM and the new cousin, ITDR. Do you need to enhance the monitoring of the cloud with external products or use what is kind of built into the cloud? All right, you got to help me out here. ITDR, what was? Identity threat detection and response. Oh, OK. Interesting. So at my previous employer, I probably did that. We called it CDR, Cloud Detection and Response.
And maybe this is just an evolving girl, right. So yes. Do we need new things? Yeah. So you're going to have the same problems with monitoring that, you know, folks in the SOC have always had, which is this data normalization issue. But you're going to have it times 10, because you're going to have audit logs from likely three different clouds and you're going to have additional system logs from a number of different IaaS and SaaS services.
So with all of these logs comes a ton of data normalization. And then what do you do with them? Do you dump them in your Splunk and start adding extra zeros to your checks? That's an option that people do, and they start cross-correlating just in one big central location. Or do you do the thing that says
I want to gain insights, I will use air quotes around insights, at the edge, which means that you find the uniqueness and you find the vadnais, you monitor in those clouds using cloud-native monitoring technologies, likely from the CSPs, because they have the insights as to what uniquely you need to look for in that specific cloud. And then you pull not the logs, but you pull the insights to a central location where you can do correlation.
Personally, for larger organizations, it really more looks like the latter. And so in both cases you do end up using new technologies, but in the latter solution you end up using quite a bit more cloud-native detection technologies because you're doing that insights-at-the-edge thing and centralizing only the insights.
We kind of jumped right into a bunch of different technologies and I want to take a step back a moment, because I think one of the things that at least I've discovered myself personally is GCP, for example, maybe is not as well known as some of the other ones like AWS and Azure and sort of things like that. And I think this is the thing that a lot of people struggle with is every cloud provider kind of does identity or security a little bit
differently from each other. Totally, yeah. I mean, it's like a totally different language and we're seeing some of these tools pop up where they're trying to be the Rosetta Stone between all three. And so I can certainly see, you know, some of the cloud posture management, cloud detection and response, right, all those things, they're meant to help, but they don't replace true knowledge of how things work, right?
I mean, you need to know how this stuff works. What's the best way to pick up and start to learn things like GCP? 'Cause I think you wrote a blog about this, didn't you? Yeah, I mean, I put out, you know, a basic 101 series on my website several years ago and I just refreshed it recently. Have you ever had the thing where you go back to things you've written a few years later and you said, oh, this is garbage? Recorded. Yeah. Yeah. Yeah.
So that happened recently. I put out the 101 series, I think in 2020, and I went back to it. I was like, oh, this is garbage. And so I rewrote it. Well, it might not have been garbage at the time though, right? Isn't this the challenge with any technology, as things change over time and your understanding, and yeah, it's like, OK, well, this is the way it used to be. It's time to update it. I think that's just a natural refresh, right?
That's, yeah, thank you for bolstering my confidence. I remember just, you know, kind of rage updating it. But yeah, I know that's correct. It needed to be refreshed because so much terminology had changed. And then I think the longer you work in a system, the more crispy your understanding becomes. And that's what I really wanted the 101 series to be, was crisp.
There's documentation from the cloud providers, you can go to their websites, you can read all about their IAM models. But I didn't see anywhere where it was just like the TL;DR, you know, prioritizing brevity, prioritizing, you know, the crispest way you could get your point across and then breaking them down into these minimum bite-size pieces. And part of it for me was just this exercise of how few words could I use to give somebody 99% of the picture.
You know, how little could I write as opposed to how much could I write and how much could I tell somebody. I wanted to see how little could I write and still give them a huge piece of the pie. There's still a 201 series that I owe people, but 101 in GCP gets you really far. So we'll have a link in our show notes to that, kattraxler.cloud. I think as of right now it's like the top thing on the list that I remember seeing. But it is good.
And I think there's a real skill and an art form into. You took the word that I was immediately thinking it was brevity is how do you get to the point quickly, right. Everybody's watched a cooking video where they spend the first half hour talking about the history behind the parchment that they use to write this recipe. And it's like not just get to the facts like I don't care. Right. So I appreciate short bits of content that are direct to the point.
Tell me what I need to know. Guess what. I'm gonna come back. I'm gonna keep reading and I feel like if I want to learn more, sure, right? There's other things like that, but sometimes I just love those little bite-sized things. So I'm excited to scan it over and start to get into it, because I think GCP is one of the areas I personally just don't have really any experience with. It's been all AWS and Azure to date. Do you see GCP growing?
Shrinking? Is it better suited for maybe certain businesses and certain applications than others? Because I've kind of heard like GCP is great for some things and not as great for other things, but like, if I'm out there as an IAM person, where should I expect to see, oh yeah, we're probably going to be using GCP in that type of context? Yeah, I mean, whenever I hear of somebody using GCP I think, are you using it for data science? That's really popular in that respect.
It's really popular for its offerings around Kubernetes and serverless containerization. And it's not as popular for, say, just workhorse workloads like, you know, you need some VMs, start up a load balancer and get a database up. Like that's really just your bread and butter AWS stuff. I can't tell you if, you know, GCP would be competitive, would not be competitive. It's just I typically don't see them playing in that space as much.
It's more of the big data, data science area that, you know, if you have GCP it's in that scenario, which again is very cool, because for me that's impact, you know, that's high-impact data that needs to be protected. So let's give people a kick start here. I guess, what is the most important thing that people should know when they start to look at GCP from an identity perspective? The one thing that GCP has that is not prevalent in AWS is this resource hierarchy.
This concept of a hierarchical model starts at the organization flows down to folders and projects and then underneath resources where each of those points on the hierarchy. Those positions are attachment points for policy, and then policy can then be inherited down the hierarchy. That whole hierarchy inheritance model, you know, characteristic is the most powerful thing in Google Cloud, and it's the thing that people just completely forget.
It's the thing that's just not in the forefront of people's minds, especially coming from an AWS background. Is that something that from, you know, your day job as security researcher, you're starting to look at maybe those policies, attachments and say, hey, something misconfigured, is that a valid way or a viable way or a most common way, Like what are you looking for in those kinds of areas?
Yeah, yeah. I mean, this is the best way to provide scope, right? To attach grants, to attach permissions at a resource level provides the scope, tells you how far those permissions can roam. And because it's not in the forefront of people's minds, I think a lot of times things are attached, say, at the project level, which is the equivalent
of an AWS account. And that's conflated with the idea of an identity-based policy in AWS, where you're assigning a person a policy and that user lives in an account. So these two contradictory models that actually aren't the same are conflated with each other.
And what that results in in GCP is over-permission, where somebody is provided the ability to, say, administer all compute instances because they have their permission attached at the project level when it really should be attached at, say, a compute instance. That's actually not a valid example, because I don't think you can attach that at the compute instance, but at the lowest resource level possible.
I'll say, you know, somebody has the ability to administer all buckets because that permission is assigned at the project level as opposed to really at the very specific bucket that it matters at. Is there something similar for AWS? Is that on the road map? Would you think they would ever tackle it like that, or something already exists that you feel like? No. It's this lack of a hierarchy and this lack of policy inheritance was sort of like
part of the AWS original sin. It was, you know, the founding and creation of their resource model just never included that. And so what they've had to do over the years is create these mechanisms to kind of create scope. So there's things like permission boundaries, conditionals, and then a handful of resources have the ability to attach policies at the resource level as opposed to the identity. But now you have a problem.
The problem you have is now you have two different competing models. You have the identity-based model and then you have the resource-based model competing against each other in AWS for supremacy, and so now you have to have all these complex rules about which one takes precedence in which situation depending on which resource, and things become complicated. Is that the main difference between GCP and anybody else, or are there
other things? You know, there are a million scenarios in which they are different. However, it all rolls up to the same issue. It all rolls up to the same issue of AWS not having the resource hierarchy and AWS not having the policy inheritance model and, subsequently, all of the changes that they've had to make to their original resource model just sort of craft this idea of
scope. You know, I know we've been talking about IAM so much and I think that securing the cloud goes well beyond IAM, certainly other areas, certainly other layers, but I even think it kind of starts with having a good asset inventory, knowing what you're protecting.
Do you find that kind of that traditional approach to an asset inventory or CMDB that kind of like been popular in the IT space for as long as we've been in the IT space makes sense given the cloud or is it there's some kind of shift where IT actually has to be looked at differently?
I was thinking about this about like a cloud asset inventory because that that actually is a very specific service from Google, the Cloud Asset Inventory, knowing you know, the ability to query what's in your account, I apologize. Now I think my dogs are it's. The best part of the show so far? No offense to angry. It's all good. I think the Mailman's more around and so they're they're wrong with everybody, no like so
like fundamentally. And I just love getting to like the philosophical level, like philosophically like what's the difference between these two things because it's really easy to have an inventory of your assets in the cloud, the cloud at home programmatic. You can make you know a series of API calls and you can get a deadly accurate list of everything that's in your cloud. Now, what makes that different than your traditional autocom enterprise asset inventory?
Like, I'm thinking like ServiceNow or something, right? Like there's a ServiceNow that tells you what are all the servers, what are their names, what are their first names, who owns it. The big difference is, is that we're assuming that that list, that classic asset inventory on prem. We have every, every reason to assume that that's correct. And then that's what the world should look like. The world should look like these five servers with these five host names and Bob and Jane from
them. When we pull from the cloud, and we pull directly from the APIs, we have no context on whether or not this is correct, this is malicious, this is misconfigured in some way. There's no context around whether or not this is good, bad, or indifferent.
Yeah, I kind of feel like there's also, I mean this debate isn't new for the cloud, but I think is it, is it exacerbated by the cloud or that might be not be the right word, but the idea around there's logical groupings of things called applications, but then behind the scenes it's all these either hardware or services and then there's different owners and
different groupings within. So I think that that's always been the challenge though I think when everything's a service and everything's logical, it just may be either exacerbates or maybe to some extent simplifies it. I'm not sure. But I think that's something that that debate won't be solved on this call. But I saw you speak simplifies it and complicates it. I saw you speaking on another podcast.
And this has been kind of a hot topic within this identity community around least privilege versus zero standing privilege versus good old role management, over provisioned roles, if you will. And to me, there's a time and place for all of those. Do you agree with that? Or do you agree with like throwing certain things of that stack out the door? No I wouldn't throw any of it out the door. It reminds me of Google's cloud
maturity road map. I think maybe we can include that in the show notes. Then what they have in that is this, you know this kind of crawl, walk, run model. And then they describe, I'm, I'm, it's not actually called mark one. But say say somebody in the cloud is crawling and they describe here's all the behaviors that you might be doing if you are say crawling.
And in that maybe they are, you know, simply provisioning some very coarse grained rules and they're walking, maybe they're doing some efforts around these privileged around those rules. And then when they're running maybe they're going and they're doing that 0 standing privilege to do it just in time stuff. But it's like all of that's valid, but it's it's about where you are in your cloud maturity life cycle.
And there's a lot of people, process, technology to get to that model of we're only going to provision you just the amount of access you need for the exact time you need it and then pull it back. There's a lot you need to do to get to that point. So having this privilege around you, you know always on roles is still a very valid place to be as your Blues. Seems almost a little unrealistic. Yeah, And well, it's it's unrealistic if that's the only thing that you think is good.
I know that like I mean that can be a, you know, like you said like a crawl, crawl, walk, run, it can be a goal at some point. But you have to balance that out against everything you're doing to secure your data and whether or not investments to move from all these privileged model to a JIT model, whether those investments are valid as opposed to say, getting a handle on, say, detection or any other control. Yeah, I said. My perspective was all of them
have their place. I don't think everybody has the zero standing privilege infrastructure at hand, but let's assume that someone does. I would say you still don't want to try to use it like a grenade, right? You want to use it like more like a scalpel. You know, very specific use cases where zero standing privileges make sense, least privileged. I think it's just another step down from that where it's like, hey, you're really trying to do your best.
I think it's a journey. I don't think it's black and white. It's like, you know, if you're trying to get to least privilege, the closer you can get to that the better. But then there's certain levels of privilege which the resources are so low risk, it's like a a role probably is good enough. Now The funny thing is when you see most IT security policies, it's like we're least privileged. All we allow is least
privileged. And it's like, yeah, it's nice to say that, but it's it's not realistic. So I I kind of feel like that's like the the hierarchy of needs if you will is like 0 standing where it's absolutely critical based on risk, least privilege is kind of your in between where it's still high risk or medium risk, but it's not maybe the highest and it's also not the lowest.
When I think you're when you're talking low risk, things like throw it in a role, maybe not give it to everybody, but you know, like don't lose sleep over it. I just want to go back to a zero standing privilege grenade. I think we've stumbled upon a new product here that we can use to really clean up environments. Just chuck that into the cloud. I just really appreciated your like breakdown.
All the three approaches to IAM and I'm thinking about like you know the like the owner role in Google and Google Cloud say this is the owner role. Literally every permission, 5000 of them last I checked, probably maybe even 6000, assigned at the project level. Your initial blush would be oh no, no one could possibly ever assign this ever. There are no scenarios. But then you know you have sandbox projects where you you say that it's you know it's going to be turned off once it hits $50.
And this is a sandbox account for a developer to do certain things. And you've limited the blast radius of this so that yeah, giving them the owner role on this sandbox account to have $50.00 worth of fun is perfectly acceptable. 'Cause they can always go back and ask for for more money to to stop that account. Yeah. So other than reading your blog and the GCP 101, what are some other ways that people can really get up to speed on cloud security?
I know you and I were talking about some conferences that are coming up. You wanna talk about that? Yeah, yeah. I'm a huge fan of the fwd:cloudsec conference. It's been going on since 2020, which unfortunately was its inaugural year, and so it'll be its fifth year coming up here in June in DC. So this conference, I think there'll be 40 some tracks.
Everything from, you know, classic Builder talks of like how do you secure this piece of infrastructure to open source projects to we found this crazy hack and it's going to make the news and it's going to make the news here.
So it's like it's really great breadth of the top research and this will be the first year that there'll be an EU version too. So folks that didn't want to make the trip over to the States can find it in Brussels in September. I'll be at both and come by and say hi and if you're looking for like just some great practical hands on cloud security, a friend of mine Rich put together the the SLAW labs, like coleslaw, SLAW, and those are like bite
sized pieces of content around AWS and then practical hands on labs that you could do. Sounds pretty cool. We focus a lot on identity conferences and I think this is probably just the natural extension where you start talking about cloud. Cloud's not a fad, right? It's gonna stick around for a while. I'm looking to get a ticket for the one in North America and it
says it's sold out. It's yeah, you know, it's sold out in in seconds, but I think there is a waiting list and in the, you know, in the couple days before the conference,
people do return tickets. So get on the waiting list and if you're have the ability to travel relatively last minute, you'll be able to get in. So this isn't something with cloud security, but I'm on the Eventbrite website and it's, you know, it says sold out other events you might like Shrimp Blast 2024. So obviously it knows me and it's like, hey, this guy likes food. Yeah, they know you. You must have some cookies on your on your computer. Other than shrimp, I guess.
Yeah. I just kind of imagine, Kat, like, you know, you're at the conference and there's like it's like a sporting event, right? Hey, looking for two, looking for two. Cloud security looking for two, right? Yeah. And I think people have also done some, some watch parties too. So people who couldn't get tickets, they've done some like off site watch parties where they will stream the talks. And so you could have a sort of a a mini conference feel or just come to Brussels, Brussels would
be great. Yeah, that's easy. I love the idea of having like watch parties because one of the things that I run into and cat, I don't know if you're the same, but it's like there's too much content sometimes in a conference. And it's like you have to choose, Am I gonna go see this thing, watch this thing, or am I gonna get stuck in a hallway, you know, talking with somebody or. Because I want to right.
Or or something like that. So I love the idea of being able to watch it in kind of after the fact. So that's always my recommendation for anybody to put in a conference is have some way for people to, like, catch up for things. I don't know if you struggle with that same. Ah, yeah. I'm all about the HallwayCon. I mean, I'm lucky if I watch two or three talks in the whole conference because I'm just catching up with people I haven't seen since the previous
previous year. You know, I think we all end up becoming fast friends. And yeah, and so this is our chance to kind of see each other. And then we'd watch everything on YouTube. All right, well, let's start to wrap up this conversation. I'm gonna pose a scenario here for us. Jim walked in with an IDAC branded zero standing privilege grenade and chucked it into the cloud. And identity security is done. Or it's so screwed up now that you're like, I'm outta here. Like I'm done.
What is it that you're gonna do with your life? What is your job? Whatever you wanna call it that you're quit and say I'm out of this. I'm not working on technology. Oh that's a good one. Yeah. The the, the, the JIT grenade came came in. Yeah.
I think my, my long standing you know, I've quit technology job has always been to start a CSA right to just you know have sort of a, you know the intent would be to create a small hobby farm and it would quickly get out of hand into chicken and goats and quickly get out of hand that I'd have to start a CSA because I'd be growing way too many vegetables. And yeah, I'm probably just, you know, one small, you know, cloud security issue away from becoming a farmer, so.
So CSA is Community Supported Agriculture or something else? Community Supported Agriculture, yes, and not not not join the CSA as in receive vegetables, but grow so many vegetables I have to then sell them to my neighbors. Yeah, you go to the farmers market. I mean, hey, come on down to Asheville. We got tons of that down here, I'm sure. What would be the, what would be your crop? What's your What are you growing? Oh, it's always too many tomatoes, yeah.
We call it Summer of Tomato whenever they start to bloom here and then 'cause my wife is. Into this as well. I got her a hydroponic garden, so that has really accelerated things. So I got her the fancy one that's like the tall one that has like the different things. And So what she does is she starts them there and then when they're too big for that, she moves them out into the soil and just is continually growing stuff. So things are starting to to appear.
Well, you're you. You're lucky with your growing season, where I still have a good six weeks until I can plant anything, but I make I make use of my time. Well, the problem is the bears then come out and eat it. So you have to be concerned about that, Yeah. Wow, I don't have that issue. I just have have have squirrels, no bears. But what about you? Yeah. Yeah, I want to find out what Jim wants to do if he's not doing technology.
Well, first of all, I want to make a farmers market comment. I'm more of a buyer than a seller. I like farmers markets. But when I go to one and I see them selling like bananas or you know, any kind of fruit that can be only grown in like South America, I'm like, no, that's not the point of the farmers market. That's what we have the grocery store for.
So I did want to make that comment because that happens a lot, at least here in, in Georgia, OK, my rage quit job or I shouldn't even call it a rage quit job because I'm taking the question a little bit differently. So I throw that grenade, and I'm going to assume the grenade was so successful. So you admit it that? It actually turned into. This is Exhibit A fortune, and this is Exhibit A in the defense. You're admitting it right here. Yeah, well, I'm only going to do
it if it's going to be a winner. So grenade is thrown. I make millions of dollars and now I can do what I want to do and I think what I would do. So I took a class in college called sculpting and it was basically how to create bronze statues. OK, so most of most of the projects were much smaller than statues, but I could literally envision how you could build statues or make art, but basically 3D art out of bronze. And I love that class.
I was not a Fine Arts major or anything, but I feel like I would want to go back and take that to the next level. And I would do it in college because they have all the equipment there. So it costs the same as any other course. But you have access to a bronzing lab. And I mean, you're not just going to buy that equipment for yourself.
And then the other thing I would do is I probably create a YouTube channel, 'cause I think people would be really interested in learning about this and seeing it happen and all that. So that's what I would do. I'd become a sculptor and I would, you know, create a YouTube channel. But that's technology, YouTube, which is fine because hey, whatever. So we got a bronze worker, we've got a farmer, I guess for
keeping it simple. So you guys are looking at skills that are like viable, needed by human beings and I have none of that. I don't think I could ever get out of technology. I I just, I've this has been who I am forever man. If I had to do something that was not technology, I honestly don't know what I would do because I, Jim knows I'm constantly tinkering.
I mean, we, I spent the weekend video editing and trying different tools and all kinds of different softwares and stuff like that, trying to, trying to, you know, work on different things. Like that's just who I am, is like a technology person. I mean, it would be probably something with the podcast, but podcast is technology. I don't want to be outside, 'cause I don't like hot weather, I don't like bugs, I like Wi-Fi, I like air conditioning.
So I need to find something that's like inside. And I'm not artistic, so I'm not gonna be, you know, the next great sculptor with Jim and his massive bronze structures as testaments to identity at the center in the sky. I'm not growing stuff, 'cause that's just not my thing. I don't know what I would do. Do you guys have suggestions? Like what? What should I do? Stunned silence. Without technology, without technology, I can't think of anything.
I I mean without. If it was outside of IAM, I could probably come up with like 100 different things you could do. I was actually thinking one thing that you used to really be into was collecting bags so that you could travel with one bag. So I kind of feel like that's one of your areas of expertise, hey. Now you're talking. But I think also you have to sell the bag somehow. And who buys bags in person anymore? You buy them on the Internet. Yeah, but you got a YouTube channel.
Let's go with this because I that's a good idea. I didn't think about that. I I have a affinity for bags, travel bags, other variety things. I'm constantly in a search for the one bag to rule them all. So yeah, I don't know if it's a tailor or something like that, but I I feel like I can design the world's greatest, you know, travel bag for me and my purposes. So maybe some sort of? To get everything down to one bag that you're but you're pretty much there.
I mean that, but that was your goal for so long and then you finally achieved it if. You're traveling and you're on flights and you can get away with just sticking something under the seat in front of you and you've got everything you need. I gotta tell you, it's so freeing. You don't have to worry about overhead space. You can board last.
Your stuff doesn't get lost. I mean, I never check a bag, but I do, you know, say 50/50 will have an overhead carry on or something like that just because of whatever. But yeah, if you can get away with just that one bag fits under the seat. Now we're talking, baby. Yeah. All right. Well, they can't lose that. No, I yeah, I the the quest continues. I do have a lot of bags. It's kind of hard to see. But I have.
This is just a small sampling I was looking at here we've got 1, 2, 3, 4, 5, probably another closet full of another 30 and I'm constantly rotating stuff out. The quest continues. Kat is like shocked. She's like, who is this nerd and what? Did I get? No, I I can't wait to ask you for for for recs.
I need some advice. I've got a very important gentleman's birthday coming up soon who also is obsessed with bags, but he's really into one very specific brand and I want to kind of like float that by you. OK. Yes, we will talk about that, I am. But no unpaid sponsorships I'm gonna keep. No, I hey, I would love to be sponsored by and these these bags are expensive. I mean, they're anywhere. Like a good bag is anywhere between 200 and $700.00. Now these are bags you buy
once and you should be good. And unless you're like me and you find like the smallest tiny detail that nobody in their right mind would care about. But I do and the and the quest continues. But anyway, let's talk about that offline. Let's go ahead and wrap it up for this week. Kat, thank you so much for being part of this. We talked. We're gonna try and get dinner next time in in in the Minneapolis area here in a couple weeks.
I'm looking forward to that. I will have links in our show notes to your blog around GCP 101 series. Also have a link to TrustOnCloud, trustoncloud.com. So be able to check out what you do over there as well as links to the fwd:cloudsec conference so that people can either get on the waiting list or, you know, maybe just hanging out on the street and you know, looking for two, looking for two. And with that we'll go ahead and leave it. So thanks everyone for
listening. You can find us on the web, idacpodcast.com, on Twitter, X, whatever you want to call it at IDAC Podcast and now Mastodon at IDAC Podcast at infosec.exchange, Send Gemini a note. And YouTube and YouTube. Yeah, we're still working on the YouTube channel, so more to come on that. And yeah, connect with us on LinkedIn, like subscribe, do all those fun, you know, social things to help us grow the show. And thanks for listening. We'll talk to everybody in the next one.
Listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com and find us on Twitter at IDAC podcast. See you next time on Identity at the Center.
