It's like you're sitting in a lake and what we're doing is we're we're, we're, we're trying to force the attackers to create ripples in the water so we can see potentially where the threat is. It's forcing them to use techniques which are noisy, that they make it more difficult for them. And ultimately they deter them to going looking for another victim who doesn't have these types of technology controls in place. This is identity at the center if it has anything to do with
IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Stedman. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself. Good. So I, I had an interesting thing happen earlier today where I had a, a video call with somebody who I've been interacting with at work for quite a while. And he said, Jim, you win the award, you look nothing like
your headshot. And so I, I didn't take it as a compliment or an insult, but it just made me think I need to update my headshot. So next conference that we go to, I'm carving out the time to get a new headshot. Well, you just missed Identiverse had them. I mean that's the issue where I get mine done. You're that or Gartner. Get Gartner later this year
maybe. I felt like I was busy the entire time at Identiverse so I didn't get it done, but maybe you can, like in post production, put a little picture of my headshot so folks can see how different it is and see if they agree. Why a lot of pictures of you and only some of them look like you? Your LinkedIn picture is like a a a super AI enhanced version. Is that your ideal state? Is that what you're trying to manifest? Yeah, like my jaw is like 20% bigger.
I've got way more hair. I mean, like, yeah, better skin. So why not? Why not use technology for good? Until until you get sold the product that is not on the tin. Yeah, exactly. Well, you know, the other thing I love about conferences is the swag. And I'm holding a piece of swag today, which is football or soccer themed, and it's a stress ball. And when I got it, they're like, oh, you want two of them? I said, oh, you can take three if you want.
I was like, well, I only have two hands on it. So I didn't want to stretch it in their bag and take it home. Yeah, that's pretty much what it came down to. And I was like, I don't have three stress balls worth of stress. I'm I'm trying to keep it much more chill than that. Well, somebody out there is probably like, give me that damn stress ball. I like I I, I don't have enough stress balls. Yeah, exactly. Exactly.
Well, let's see what else. Speaking of conferences, before we get to our main topic and guess, we've got Identity Week coming up. That is September 11th and 12th. We've got the America's Conference in Washington DC. You and I are going to both be at that doing podcasting things and I think I'm hosting a panel or something. We'll figure it out. Yeah, IDAC 30 gets you 30% off of your registration for that. And that code is also good for the Asia conference in Singapore.
So if you're going to that on October 22nd or 23rd, you can use the same code for both. Maybe you can be like Thanos and have like your identity conference, you know, Gauntlet and go to like all of them. If you went to Europe earlier this year, same code work for that. So they've been great partners for us. Also, if somebody works in government, they should just reach out to us because we might be able to help them get in for
free. If they're allowed, yes, sometimes there's rules and stuff like that. But yes, if you are needy of a pass and you qualify as a, you know, governments basically it's like what I like a customer, a real person, not a vendor in this space. Reach out, let me know and we'll see what we can do for you. But for all the other peons out there like you and me, Conference code Ida C30 for identity week. Let's see what else we got authenticate after that.
That is October 14th, the 16th in Carlsbad, CA, just north of San Diego, which is a suite location. What a terrible place to go. Yeah, I know. I love Southern California weather. I think it's like the best on earth, but that's just me. We've got a conference code for that one as well. IDAC 15, you get IDID AC15, you get 15% off of your registration for that one. So we're. Excited. We've been guaranteed you will not find a better code than that Guaranteed.
If you get out there while it's still early bird pricing, get the 15% off and the better pricing, because when the pricing goes up, the 15% off, well, I guess it goes up in terms of dollars, but not in terms of percent. So here's the problem with discount codes, right? Is to get the maximum value, you have to wait till the very end when it's most expensive, which is really dumb, right, if you think about it. But yes, it stacks with
whatever. So if you want to save even more money, right, register early, register often, that sort of thing. Jimmy and I will be there doing podcast again, podcasty things and I'm not sure for, I'm not sure where we'll fit into the schedule, but I know we've been having some discussions with the team about that. And so as we get more information, we will keep you updated. We've got some good ideas.
I think it's going to be. I have an idea that I've been I have a couple ideas that I've been trying to pull off for literally years now and we just haven't figured out a way to do it. One of them we've done once in a very long time ago when we first started the podcasts. The other one, I've been thinking about a way to try and do it in a way that doesn't injure people. Let's just put it that way. But I think we'd make for a fun episode if we can figure out how to do it.
So both of those. People would not be a good idea, right? And I don't want to get injured doing this. This is supposed to be a safe place for identity, and I don't want to feel bad for that. OK, so those are our conferences. Anything else you want to mention before we get going? No, let's get into it. We have a great guest today. Yeah, we've got Joseph Carson. He's a chief security scientist and advisory. See so at Delinia. Welcome to the show, Joseph. Many thanks Jeff and Jim.
It's a pleasure to be here and really excited to to have a a intriguing and insightful discussion with you today. Well, I'm glad you were able to set aside the time. I'm, I already know that you're a pros pro 'cause you have your own podcast doing, you know, talking about cybersecurity. And we're gonna get into that a little bit. But let's just set the table here. How did you get into the world of identity and access management? Let's find out what your origin
story looks like. Is it something that you chose or did it choose you? Absolutely. It's a really great question. And for me, you know, my journey in this entire industry, my, my career has been close to 30 years now and that's how long I've been in the industry. And you know, I started off my career in the early 90s working in system administration. So keeping systems up and running mainframes, you know, doing OS migrations. I was a COBOL programmer if anyone can remember COBOL so.
That's bringing a lot more money doing that now. True, true. So that's really kind of where my career started. Late 90s, early 2000s, I switched into focusing around cybersecurity.
I originally, kind of, I'm originally from Belfast, Northern Ireland. That's where I originally, I've travelled around the world, I've lived in Australia, America, Canada, and it was about 20 years, just over 20 years ago where I made a move to Estonia. And it was my kind of expertise in cybersecurity in in coming to Estonia, where that was my convergence of both the security and identity.
When I moved to Estonia in the early 2000s, they just started their journey in digital identity and it was something that became very foundation to their entire society. They started the journey in the 90s focusing on paperless society, but it was the early 2000s when they really seen that in order to be successful, digital identity was key to making that something to grow the society, to have interrupt ability to be able to accelerate and do things much more online.
So early 2000s was, you know, what they referred to back then was Extro and that was a system that basically had several key ingredients, which was digital signature, digital signing and also a non repudiation, which was basically built around blockchain. And they implemented that across all of their information systems, all of their government
services. And that was where, you know, using my skills and working with the government back then, that allowed me to see, you know, the convergence of the importance of security and also how important it was to protect identities and what security controls and what risks they had. And it's been, you know, it's been up and down. You know, it hasn't been plain sailing. They've had great positives. You know, they've been able to
do voting online. So not just electronic voting, but Internet voting, online banking, online tax returns and that systems progressed, but we also had a massive cyber attack back in 2007 that showed weaknesses in the system and, and the importance of resiliency is as well to make sure that systems continue operating and there's continuum improvements
over that. And even to the point where, you know, they saw that, you know, they needed to be decentralized even further, not just having decentralized identity, but also decentralized in the government systems to the point where they actually created the idea of a data embassy was the ability to, you know, decentralize the government outside of the country in other locations. So that was really kind of, you know, working with the historian government and getting very
closely tied. That's where my cybersecurity skills became very kind of overlapping in the identity world. And then it was around 2015 where I decided that not just focusing on cybersecurity for things like endpoints and and applications and systems, I then moved my career to purely focusing on identity security. So the last 10 years I've been really heavily kind of focusing my cybersecurity kind of expertise on protecting
identities. There's a lot there that I want to unpack and I think I want to start with Delineia itself. So you work for Delineia and I guess for, for people who aren't familiar, Delineia is a, is not a new company, right? It's a combination of a couple, but we can, I'll let you explain that you're better than I can. So I want to ask you about what is Delineia, what you know, what would you say you do? And then tell me about your role as a chief security scientists.
What does that even mean in the real world? Tell me about your day-to-day. So, so that's a great question. So just to kind of for the audience with a bit of background, you know, Delineia is, is a new kind of name or brand in the industry, but it's not a new vendor.
It was the consolidation or convergence of both Psychotic, which provided, you know, vaulting capabilities and Centrify, which provided basically, you know, privileged elevation capabilities as those two companies joining together, which then, you know, coming up with the name was it was one of the most difficult things you have can do in this industry is what they call it a company. And delineate comes from the term delineate, which is the defining the boundaries of the
space. So so that's where the company came from. My role in the company is as a security scientist is primarily it's it's a security researcher. I use my skills to really kind of look at all of the threats that's out there in the world that really focus on compromising and, you know, stealing and breaching and getting access to digital identities and using my understanding kind of how attackers, what techniques they're using, how they're being successful.
So I do a lot of research. I spent a lot of time basically in my lab. I'm basically uncovering, recreating, looking at the events, looking at indicators of compromise, looking how attackers are abusing those controls that we've got in place to bypass them. And then I ultimately then create content from that, whether it being in the form of books. I've wrote six books to date already. I write, I write tons of white papers throughout the year, blogs, do webinars, speak at conferences.
So if you look at the role, it's, you know, part of the, the role is, is, is the research side. The second part is creating educational content to help people learn about these threats and what's the best practices to mitigate them. And then the third part of my role is really, you know, educating the industry and community. So I spend a large force of my time yearly is going to conferences, going to events, doing workshops, going to organizations.
They invite me in and, you know, asking me to provide my expertise into helping them redefine their identity strategy to make sure that they have security and resiliency in place. So that would be my kind of day-to-day. It's not always in that equal percentage of terms, but that's what a lot of my time is spent on as as well as doing the podcast as well.
Yeah, when I asked about that before I get to the podcast, I feel like that, no offense, but that's like the thing that I'm interested in as a podcaster as well. But tell me about Cupid Cybersecurity Conference. I know you have an affiliation with those guys as well, right? Absolutely. So so Cupid I get. Basically I was invited as a speaker like 10 plus years ago. Maybe it was actually 11 or 12 years ago. And one of the things I found about the conference is Cuba's a
very small conference. It's a very niche conference. It's based in Prague, but they also hold conferences elsewhere. They have sometimes events in New York. They've got events in Bratislava and others. But I was invited to be a speaker and I loved the conference. I loved the event. It was so niche, but the quality and the conversations that you have with the community was so intriguing.
I learned so much, I met so many amazing people, even my other older ego, which is sometimes, you know, myself and Dave Lewis look very much alike. So sometimes they confuse us. And I actually met Dave Lewis at the conference for the first time there as well. We were speaking together. So basically over the years, I, I enjoyed it so much that my participation now is part of the speaking Bureau, which I, I
really enjoy. So it's the ability to look for getting, you know, the next great speakers in the industry, those who's coming up with some new idea or new, you know, kind of research. And I get to review all of the, the, the call for papers for the events and then helping select the ones that ultimately get to speak at the conference.
So my kind of role there is really kind of helping make sure that, you know, my expertise as a speaker previously is helping me, you know, let's say mentor and bring in the next generation of speakers And they tend to start there and then move into other bigger conferences or what they will. And your experience as a entertainer, dare I say it, right, as a podcaster, right? It's kind of like what we're doing here. So 401 Access denied. Tell me about that podcast. Absolutely.
So, so many, many, many years ago, you know, and around the late, you know, 2019 or so I was being, I was being a guest on many podcasts and I really enjoy it. I enjoy coming on podcasts and I enjoy, you know, speaking with, you know, amazing people like yourselves 'cause I, I learn a lot as the conversation's always enlightening. I was, I like to, to be, you know, learn things.
That's my goal as as I'm a continuous student and one basically COVID had happened and you find, you know, you weren't travelling anywhere. I wasn't going to advance. And I thought at the time, you know, what better way to stay connected with my peers was to start a podcast. So started the podcast almost four years ago now.
I said we'd be maybe 3 1/2 four years and it was a way for me just to stay connected with my peers and having conversations and, and every you know, it was a it's a bi weekly podcast and it was thought leaders in the start of shady space. So it was the opportunity for me just to spend an hour every couple of weeks talking with friends and we turned into a podcast and said now a few years later, we're over 110 plus, you know, 115 podcast episodes, just under 400,000 listens across the
episodes. And we do both audio and video across all the most common platforms. But we have so many amazing guests. I've had the likes of Jeff White, who is an amazing journalist who basically was the author of Lazarus Heist and Rince. I've had the head of NATO cyber defence on talking about how NATO are protecting, you know, countries from security attacks. I've had the head of Europol on talking about how they're, you know, helping bring cyber criminals to justice who use digital means.
So it's, it's for me, it's, it's, it's just an opportunity to, to have fun conversations and, and learn. So yeah, so the podcast for me is, is it's, it's become, you know, it's, it's become a passion of mine and to, to really continue. So it's absolutely we we've got a lot of similarities in, in, in areas that we can share notes
later. But yeah, the podcast is, it's a fun, it's a fun podcast similar to this for a open discussion, talking about industry topics, trends, what's happening, what techniques are used, and sometimes even just a fun discussion to, to give the audience something, you know, of a, of a learning and lightning. And so they can be, you know, a family on the wall kind of observing and, and listening.
And, and at the end, they, they have something that they can take back to their, their personal career or the company as well. Yeah, that's also a great name for the podcast. You know, Jeff and I, we love podcasting so much and we have, you know, behind the scenes. He and I will talk about a lot of things and we're like, yeah, if we had a talked about that on the podcast, we probably would
get cancelled. So we had thought about, OK, well, maybe we'd have a podcast where we'd have avatars and our faces would be potatoes. We call it call it Potato Head chat, but I think maybe what we could call it would be four O 4 not found. You know, that could be our podcast, but you said a lot, Joseph, that interested me and one of them was just the very fact that First off, I think you're our first guest from Estonia. So bravo for that. It's an honor. Thank you. It's an honor for.
Us no pressure. You're only representing the everybody. You're only representing the entire country. Yeah, but it's, I kind of feel like a scenario has been put up on a pedestal in terms of we all see what's happening from what, you know, the art of the possible, if you will. You're actually doing some of those things around decentralized identity and things like that. But I if there's some things that really people aren't aware of, I'd love for you to point
those out. But also, I think, you know, we've heard about different people's opinions on the challenges of why what Estonia is doing hasn't really been replicated in other places. And I'd love to hear your thoughts on that. Absolutely. So, so one of the things is, you know, Estonia started this journey back in the early 90s when the first became, you know, it was the re independence from the Soviet Union.
And just, I was, I think it's important to start with the background is why they went on this journey because that's so fun. It's so critical is back in the early 90s, one of the major challenges when they became re independence from, from the Soviet Union was land ownership. And that was basically, you know, when you have a occupying country, who decides what your education is and decides what
history is? They can change history to be whatever they want it to be. They can teach in schools their version of history or their, you know, alternate facts and, and their perspective of things. And, and it really means that, you know, history can be forgotten and lost over time if that is something that continues. So in the early 90s when, you know, they, they had this kind of reforming of government and they went into the Land Registry. And of course, the Land Registry
was all kind of modified. So one of the biggest problems they had was finding out who owned really what land. And, you know, people coming, who'd left the country from Canada. They were coming back from UK from US all back to Estonia to look at, you know, the families, birthplaces and you know, where graves and and visit. And they find all of a sudden this land and manners and houses built on it and they started reclaiming that.
So made a massive issue. And as I still me was kind of it was also, you know, the early 90s was the birth of CERN. It was the, you know, digital computing, decentralized computing, where desktops were going into everyone's homes. And so at that time, they said, let's find a way to make sure that our history can never be erased again. That was the fundamental that I mean, that was the basis. Let's make sure that no matter what occupying country that they
cannot erase history. And through the 90s they did all this research. It was late kind of 9697 when the few and, and, and Estonia was, was prime at that time because it was the kind of in the Soviet Union, it was where all the cryptographers were. It's where all the mathematicians were, you know, computer scientists. So that was the right mix of knowledge and education and bringing those people together. And they said find a solution.
And in the 9697 they came up with basically time stamping was one of the fundamental capabilities. And that that research is what turned into the birth of their digital identity because they said is in a physical world. We want to make sure that in an online digital world also that we cannot change history as well. And that whole research spent that, you know, digital identity became one of the finding pieces.
It was actually digital identity was originally tried in Finland and field, but it was actually in Estonia where they were able to make it successful because what they showed was what was the critical thing that Estonia was successful was showing the value. That's what all the countries, other countries who have tried this have put it as an enforcement as you know, it's, it's you had to do it because it you know what'll make us better. But what what they weren't doing
was showing the value. That was the that was and that was also education. That was years of education before had to show the citizens what's coming. And the value was that you can go fill in your tax form and spend half a day standing in queue, parking your car, filling in forms. Or you can go and use this new online system with a digital identity that you can do it in
15 to 20 minutes. And people are like, you know, there's there's no like if I even want to save half of my day wasted time, I can do it online and get it done with. And not only can I do it online with the tax office, but I can now do my banking online, I can do my population register online, I can do my vehicle license online, everything.
It just started that snowball fact is that when people started seeing the value and how much time it was saving them, they basically quickly migrated to using the digital online services that came with that digital identity. And of course, with that comes all the security, you know, capabilities. And one of the things that some of the government was like, well, you know, we want to make sure that people have trust in the system because trust is one
of the fundamentals. And one of the ways that the government tried to get around is that so that they're not seen as the ability to change history was that they use blockchain. So 2002, 2003 was implemented blockchain, the bases. And of course, we know blockchain and cryptocurrencies and audit, you know, one repeat all of those things. But the fundamental piece there was to make sure that they go through the concatenation, they get the root hash.
And then what they actually do is they take that root hash and they print it in the Financial Times newspaper. So that means that even the government themselves cannot change history after that event has occurred. And that's what builds trust. It's builds trust in the society. Societies start trusting because they can self audit the government and they can also check the audit logs and everything else to see, you
know, has anything been changed. So that's where, you know, Estonia's been really kind of cycle. The problem is that when other countries have looked at this and tried to replicate it, they started thinking, well, Estonia's a small country, it's got 1.31 point, 4 million people. That's why they were successful. Oh, they started with a clean slate. They don't have the legacy systems.
That's why they were successful. It's a very well connected on, you know, society technically wise from mobile data and online. That's why they're successful. Yes, those are all reasons why they're successful. But what they've been able to do is being able to look and understand education in the society, doing the services, showing the value, showing the trust, building auditability from the citizens to the government, showing it's a front
door, that this is a way. And one of the things that's over time built is that the citizens, you know, the last time a citizen visit has visited a government office, it's probably in in years, you know, even for voting and for renewing licenses and registration and changing your address. It's been years since they've had the visit office.
And that's one of the things is that, you know, the government has got the point where that that with the value of the citizens is two things is that they don't have to talk to a government official. And, and at the same time, they're reducing waste of time. And the calculation of that, if you get into, you know, even the value of, of saving of time is that they calculate it in basically GDP, they say per year and there are about five to six days GDP, say per year.
And that calculates into about 2 1/2 billion EUR. So you show, you know, the value of the value of the value and that's what's critical. So over time, Estonia society is really kind of that's become, it's actually ingrained in the culture now. And it means that also when things like COVID happen, people could still work safely. They could work from home very easily. It was actually interesting because typically Estonians, if you see a bus stop that will stand as far apart as possible
from each other. And they said when when they removed that restrictions of two meters, they were unhappy because now they could, they could go back to further distance away. So it really gets into, you know, that now it's become so ingrained that even, you know, voting majority this year and last year when the voting in the elections is more people voted online than in person.
And that shows that, you know, it become it's now that generation changed as well, where the the next generation are starting to become those digital nomads, natives. And, and they're continuing that evolution as well as in in recent years, they've also added artificial intelligence into
that mix as well. And with artificial intelligence, you know, to the point where things have done really well as things like the medical records and E prescriptions and E voting and all of those things have done fantastic. But for me, this what was artificial intelligence agent, which is known as CRAT. Now, interestingly, I had a big conversation with the CIO at the time seems secret. So and he's the CIO and he was talking about this crat, crat, Crat.
And and if you understand kind of Estonian, you know, methodological history, Crat is a little creature. So it's it's a story, story fairy tale. And it's this creature that at night time, it comes into your room when you're sleeping and it steals your, your kind of your thoughts and your memories for its master. And I'm going, how is the government going to sell this to
the citizens? How, how are they going to take crap that's going to be a government technology that's going to come and steal your memories when you're sleeping? How, how are citizens going to accept this? And it wasn't until later when I started seeing the implementation of it was that it's really about interoperability. So Sony has done a really great job in dropping, but across multiple systems, I can
authenticate in one area. I can laterally move across depending on what let's say trust or or risk level that you come in under at the beginning. That will determine how you can laterally move across systems without having to re authenticate again. And you know, the idea is that when you fill in like let's say you do a process one time, such as, you know, let's say a postal package comes, you have to do a declaration about what that package is. You might have to pay import tax.
Then you have to go and pay to the bank and do the exchange. And then you have to tell the post office where to send that package. And you do that one time, the crap bot remembers the what you did. And the next time that same activity comes again, you can say repeat the same process that I did last time. So it's really the automation. It becomes the citizen's assistant to remembering all the things I've done in the past.
So when I realized, you know, the crap bot, it's, it's not stealing the memories, what it's saying, it's remembering my preferences and choices so that the next time things come, so I'm not wasting my time, I can just simply ask my the crap or the AI assistant to do it for me. I still have to authenticate myself, yes. And I still have to authorize the action of the bot to do the action or the task that I want to do still is those actions.
But there's no typing. There's no, you know, decision making. I just say do what I did before. So that's really about making the user experience more simple. I can tell for one thing from, you know, that answer to that one question, the reason why Martin Cooper recommended you for the podcast, he's like, you've got to get this guy on the podcast. Very insightful, knows everything about every or a lot about everything. You surround myself with smart people.
Surround yourself with smart people. That's that's a smart thing to do. But as you're going, I'm, I'm sitting here like I've got to pick your brain on a topic that's specific to the identity space and one that I'm hot on, but I want to see where you fall. So this idea of ITDR, really, it's like identity intelligent monitoring in my book. And then there's the response part. Let's set that aside because I think that's just an automation
piece and etcetera. And maybe there's way more to it than that, but it's really about identity intelligent monitoring, at least for me. I want to know what you think of ITDR and where do you see it five years down the road? I think that's the real question. That's a, that's a fantastic question and it really gets into a lot of the things I've been doing research wise into looking at. A lot of the activities I do is I get sometimes called into these, you know, massive data
breaches or incidents. So I'm used as a subject matter expert. So I'm sometimes allowed to go in and help organizations to become victims to recover. It could be, you know, data extortion attack. It could be from a identity theft, an insider, or it could be from a data breach right through to ransomware victims.
So one of my expertise is going in and you know, let's take, you know, one of the skills that I have is going through all of the event logs, all of the scene logs, all of the activities to identify, you know, the attack path that the attackers came in and how they moved around, how they gained access, how they
elevated privileges. So that's a lot of the research that I do. And the great thing is that when we look at new kind of areas, technologies and and advancement such as text response, IDTR is that they're taking the skill set that I have and automating my knowledge to be able to do it
repeatable faster. And be able to make sure that either in a pre beat breach that you'll be able to identify potential attackers much earlier or that in a post breach, to be able to accelerate and find out potentially how they moved around, how they gain access and therefore being able to mitigate and lock them out. And because typically, you know, in those scenarios, the attackers typically are still high persistence, they're still on your network and you want to
find it as quickly as possible. So it's a really great way to be able to look at all of the different methods or techniques that attackers currently use and look across your identity fabric or identity framework or identity event logs and information to be able to quickly determine is there any indicators of an attack happening on your network immediately. And then you get into that response pieces that let's take remediation.
Let's maybe, you know, stop that person from having an access, let's change the password, potentially enforce a re authentication. Let's level up their security controls and require multi factor authentication. Let's monitor that session. Let's turn it into a, let's say a, a, a non recorded session to recorded session. And then start looking at the, the activities and context of
what that person's been doing. Let's prevent them having access to more sensitive data, maybe customer data or financial information. So it's really taking the action and limiting the attack surface that that, you know, identity has on the, on the infrastructure, whether on premise where it would be in the edge or in the cloud or, you know, in your data. So for me that, you know, that ITDR is a massive array of, of, of really value to organizations
because it can help you. One is to cover discover attacks and threats much earlier and prevent them leading into something of very big catastrophe or in a post breach. It can help you identify quickly the attack path and then make sure you're able to shut the door and put better security controls that would, you know, allow that attacker to move
around. Now it's kind of where it's going is we're having this big kind of, let's say, acceleration into, you know, we've had the identity access management space for a long time. You know, we've had basically SSOMSAID, PS:, all of that IDAS side of things. And what we're seeing is that converging, it's really turning into an authentication experience end to end. So the authentication is really about, you know, me kind of proving I'm really me. That's all to me, what we're
saying. And and I've talked to, you know, my kind of vision in this space is that it's an evolution of basically where we've had bring your own device, you know, I'd say 15 years ago to where, you know, the last five years has been bring your own office, working remotely, people bringing their own printers and their own devices. And it's moving into where you start seeing this conversions of the consumer identity, where it's bring your own identity.
And I really do see that in that authentication space, there will be an IDP that's, you know, you're bringing on Zente, but organizations may want to add more security controls and, and, and you know, verification to that to trusted ID. PS So there'll be different levels of, you know, authentication. So that's where you're starting
to see that whole IM direction. And then the other side of it is basically where you've had things like Palm and IDDR and you've had chem and auth, your authentication, even multi factor authentication falls into that area. And they're all convergence as well. They're all moving into an authorization experience. It's all about now, OK, Joe's come in and I've proven who I am from authentication role. Now what am I allowed to do after I've proven who I am? What things can I do?
You know, can I access the server? Can I log into this application? Can I view this data? Can I make these changes? And that's really the authorization experience. And then sitting across that's a whole governance layer about, you know, what has Joe been doing across the network? And that's where you can take all of those pieces and put it into IDDR and determine about, you know, should I be, you know, logging in at that time? Should I be accessing that system and have I ever done it
before? And then determining, you know, OK, if that's a baseline, let's make sure that we put a risk score against that so that the IDDR can say this is something of an anomaly that we should actually either send to a seam out of additional security controls or just going to be a bit more cautious with this particular session activity. So this really getting into and, and it's moving, you know,
there's two major areas. I've been talking to a lot of analysts over the last year, and this is turning into an identity security posture management, which is then combining with data security posture management. We're starting to see more identity controls moving away from the the me and those identity controls moving to the data. And the data will then in, in, in a dynamic way, determine whether I'm allowed the access real time. So it's going to be an
interesting space. But the one thing that's going to change to, to, to Jim, your question is that a lot of these ALAI algorithms will be self learning. And, and my role in the future might be just training the algorithm. It'll be taking the new threats and indicators of compromise and showing the algorithm how to detect and then applying that across, you know, entire platforms and entire data sets to be able to quickly identify potentially areas of, of threats.
Ultimately what we're doing here is, you know, we're really accelerating the ability to, to, you know, I, I will say it's like, it's like you're sitting in a lake and what we're doing is we're, we're, we're, we're trying to force the attackers to create ripples in the water so we can see potentially where the threat is. It's forcing them to use techniques which are noisy, that they make it more difficult for them and ultimately they deter them to going looking for
another victim. He doesn't have these types of technology controls in place. I love that analogy of the lake, you know, you, you, you, we, we, we get into the space of identity and access management and digital identity. And we've done a show on this that's been one of our more popular ones. We went out and we asked a whole bunch of people what is the difference between digital identity and identity and access management? And we've gotten a different answer every time.
So I'm going to ask you, Joseph, what is the difference between digital identity and identity and access management? It is a great question. And sometimes they've been used inter exchangeable, but a digital identity is what associates me to basically authentication or an online system. It's it's, it's the person. It's tying it back to me as the human. A digital identity, when you look at IMIM, sits across multiple types of identities, not just human, but machines,
but keys, code, systems. So identity access management is, you know, more about the authentication and the access control side. A digital entity identity is just a static object that, you know, associates to me. So you think about, you know, I always go back to it. It's how this industry's progressed over time. We have to look back at where we started off and sometimes it was basically, you know, in this space, we used to call it
account management. You know, it used to be account management because we only had one or maybe 2 and it kind of goes back to the object and it was so, so tied back to me and it was the association. So when I look at, you know, even how you know, it's tied back in Estonia today is the digital gently is association as me and it's the attributes to me as the human. And it's my digital DNA for
online activity. And I might have multiple identities, digital identities that associates back to me. So it's, it's, you know, I'm the connection between them. When you look at IMIM is the policies that'll determines what I can do with each of those individual identities to target systems, to applications, to code, to resources. So it's the IM pieces, the tie to my, of my digital identity to
a target system. So it's, it's, it's, it's almost like a, an object of, of an extension, but a digital identity is ultimately, you know, association with me as the human. May I go back and forth on do things have identities? And I generally come down on no, they don't. And I think folks in our industry, the majority say yes to you. Devices have identities and things have identities.
So, you know, I've got a thermometer or thermostat on my wall and it can connect and it's got an IP address. I don't think it has an identity. I think it's a device that belongs to me. I'm the identity. I mean, let's say you so. It's a great question and great point. I, I do can, I mean calling it a digital identity because I'm all association digital identities back to the human side. It can have, you know, the machine identity side of things.
You know, it really evolved from how to manage asset management. That's ultimately kind of where it started from when we think about even it has its foundations going back to license management. License management is really where all of this started was, you know, we look back to even Microsoft licenses. It was, you know, five pieces of hardware that was used to basically create a a GUID that would then tie back that this machine's using that.
So it was a really to kind of do asset management and tagging in some regards. But what we started seeing is, you know, and not necessarily, you know, I. We might not have devices that have owners as well associated back to humans. Those devices might be doing workloads, they might be just doing processing. It might be a workload needing having access to a specific piece of data or computational power. But you know, calling it an identity.
I agree that, you know, maybe the term is not right, but it does have some type of asset tagging, which which, you know, it just means that you have to be able to somewhat understand that it's this piece of code that's doing the the, you know, the access or is this, you know, specific machine that the access is coming from. So you do have to have some sort of tagging and asset identification. And I think that's just, you know, some, some people has just
made it simpler. I used to call it non human identities, people called machine identities, asset identities, asset tags. There's lots of different names we can call it, but ultimate, it's ultimate to to to source of origin of what, you know, what the specific resource is doing and why does it need to have access. And I think one of the biggest things is as we moved to cloud, it was a it was a lot more as we moved to just just in time
access. We need to have some ways and that that gets into the challenge of doing digital forensics and cloud and and that's why we need to have some sort of at least asset association or tagging so. I think we could get to the point. I think it's easier to just call it an identity. I think we could get to the point of with robotics and artificial intelligence, where it's so indiscernible that the AI is doing so many human activities that it actually becomes an identity. I agree.
So I mean AI agents you know do have an identity associated to them. It's simply just an account that it gives it some type of access or, you know, authorization into performing a specific task. And that could be basically a persistent, you know, authorization or could be just in time authorization or just in time access.
But absolutely right is that, you know, I, I, I don't see them as, you know, becoming sentient, you know, that they become operating in their own, making their own decisions. There's two things that I refer to as when we look at AI agents or even I look at the AI bot that it's only created with the Kraft bot. It's an, it's an assistant to humans. It's not to replace humans, It's just to augment the decisions we make.
And it's either two things. It's either basically assisted technology, meaning that it's going to provide, let's say augmented intelligence to helping me make decisions, which is, you know, I'm going to decide the action that that AI agent will take. It will show me options and I will decide which one to take. Then once we'll get to a certain point is we'll make, let's say autonomous actions, meaning that I will allow that agent to operate on my behalf.
But I want to be able to audit, you know, you know, explain ability into how that will actually, you know, that that result will happen. And of course, they will be potentially less, you know, harmful or, or damaging types of actions, but things you might just say, you know, file my tax returns on my behalf. And, you know, I, I don't need to, you know, just show me the results. I don't want to have to deal with it. I've done it the same way for the last five years in a row.
Why would they do the same? Or even voting, you know, I voted the same way the last few years, unless I'm going to change my decision. Maybe, you know, you're going, you know, intervene with the algorithm and say I I'm having questions or, you know, you might put, you know, responses in. But a lot of times, you know, what we're going to be able to do is that they will be, you know, extensions. It's, it's not going to be identities by themselves. It'll be an extension tour
identity as identity assistants. I, I think that's what they originally were, were trying to do many years ago when we had these virtual assistants and we had Clippy and other types of, you know, assistants for us. But ultimately it's it's really there to to make our wall. I'm waiting for Clippy to come back with you. Know now one. 100% more AI and it's like writing your paper for you and it's like, no, you get
the paper clip. I have to ignore it, but that's, I mean, it becomes an assistant to us that that's what it's truly there. So, so I do like, you know, you know, the things that copilot's doing is is pretty impressive and other, you know, degenerative AI capabilities. It's really there to extend my kind of where I can then focus on the things that I really enjoy doing and and and automate the things that are just mundane and repetitive that's are not
interesting that you know. That's where it's at now, but it could be in the future where it's much more evolved. And you can say, all right, AII want you to build a whole business of AI robots, right? And you could do that for the purposes of, hey, I want to start, start a law firm. So start creating and training all of these lawyers in different areas. Not even lawyers. Lawyer bots. Lawyer bot things, right? I mean, this is the worst it will ever be.
Like it's right, No? It it can, it can get, it can get a lot worse than we can take. A lot worse for the same. Abilities like you. Set them off for evil? Yeah, no. Because because the. Capability right now, yeah. Because the worst it'll ever be, it will get more capable over time. Absolutely.
I mean, what, what basically attackers are simply just taking the same basically, you know, algorithms and they're taking the card grills off so you can get, you can get, you know, the safe one and you can get the unsafe 1. So, so we're, we're in this situation where that, you know, we're trying to do it for good, but attackers can simply take the same thing and take the protection off it. Guaranteed that that the adversary is going to take AI and try to teach you how to steal.
I mean it. It's only it's 100% certain, right? Go target this crypto exchange and steal all this big, you know, Bitcoin right and just give it, you know, the instructions about what you want to say. So absolutely, you know, there's going to be these separations of, you know, technology can always be used for good or bad, but we can't we're in a situation right now where we can't change that.
We're, we're, we're, we're committed, we're going forward, it's going to happen, but we just have to become very aware. I, I really think the explained ability is, is very important out there and and there's will be areas that will become heavily regulated as well. It's only a matter of time, you know, so, but I mean, the good thing is right now is attackers are not using it that much. They're using it to analyze data
dumps. So when they exfiltrate and they steal data from an organization, they might say, hey, hey, you know, AI go on determine how much I can, I can, I can try to get ransomware from this organization. How well is their finances? So, and it will tell you, you know, here's the ransomware, here's what their insurance is covering, here's what you can request. And therefore, you know, it's so the intelligence and data
analysis is happening. Definitely they've been using it for improved fish fishing capabilities. So one thing is in Estonia, the language has been protecting the country and society for many years because the language is very difficult. And what attackers have been able to do is that the real to do campaigns using generative AI to do automatic translations. And those translations are so good. They're, you know, to the point now the language is no longer protecting society.
And it just means that, you know, citizens now have to become better aware of phishing campaigns, social engineering that are trying to steal their their passwords and credentials and access to do damaging things. So it just means that generative AI is it's lowering the bar and it's making them better quality. So lowering the bar, meaning more people can, you know, be online criminals with just a computer and Internet connection and improving the quality.
Meaning that we're, you know, the, you know, the e-mail coming from Africa from your long lost cousin, you know, that has inherited billions to now where it's basically very sophisticated. Very, you know, hard to tell the difference between real communications, real messages, and those who are abusive. I mean, Can you imagine having an AI go off and say hey go take a look at Shodan, find everything that's usually a default password and then try to
breach it? That's exactly lowering the bar and giving you better, better quality capabilities. Those are the things that, you know, it's what I'm worried about more is it's the battle of algorithms right now that we're moving into. So I'm worried about that right now. The the, the reason why attackers are not using AI is because the basics work today, you know, going in and stealing a password, you know, buying the credentials online, you've got access brokerage who just
specialize in that. All day long that when everybody uses the same password anyway. Exactly so and and and ultimately, you know, you, you get cyber fatigue from things like, you know, MFA fatigue. Bombard them with Tom sons of MFA request and he's simply just like, OK, I'll just get away with it and I don't want to see them just accept it. So really the the techniques just work today. So that's why they haven't moved.
But when we get those basics right, when organizations really start getting the foundations and they start getting MFA in place, not just at the front door, but at lateral moves, when they start looking at, you know, auditing, context based access controls, dynamic based access controls, they're looking at
policy based. So it becomes very not just static controls that's always been in the past to much more adaptive controls of the future, meaning that it's starting to look and analyze all the different things that I'm looking to do and therefore deciding what card rails that put in place and making it difficult for attackers to be successful. The more those get, the more we get better with the basics, the more we'll be pushing the attackers to move, moving to using AI much more.
And my worry is then what happens is you start having the algorithms, having a battle, whoever designs the algorithms the best is going to be the winner. So and that means attacker is going to be moving to things like real time campaigns, real time campaigns where it used to be, they'll just create one campaign which might last for six months to a year and it'll be successful because they're is using the same vulnerability over and again.
They're using the same credentials and passwords over again, the same techniques has just created a campaign playbook that reruns that over and over again. They put AI into the mix. That playbook will be self progressing, self learning and will augment itself. So at field on XYZ targets, what can you learn from that? Let's kind of re evaluate, let's redesign our tech playbook and attack pass and then, you know, look to bypass those much more
in the future. So we're in this battle of algorithms and it means that you know what we put in place from AI capabilities today. We need to keep progressing that that that needs to be a a continuous improvement over time in order to to make sure we we stay a little bit ahead of criminals. All right, so I'm sufficially terrified. Thank you very much for that, Joseph. There's no hope for us in the future, so. We're AI at the center.
Right, yeah, Gonna have to go and create a new podcast for that one. You know, we've, we've talked about so many different things here and I feel like we could talk for hours and hours and hours and hopefully you'll come back and have another conversation with this. But I do want to be respectful of time. You do a lot of public speaking, right? That's kind of one of the things you do. You got your podcast, etcetera. I am always curious about what
happens behind the scenes. Like, you know, what are the fun stories where it's like, oh, people only saw this part, right? This was the public facing presentation. But behind the scenes, oh boy, if only you could see, you know, like, do you have any good stories that are like behind the scenes of either speaking or broadcasting or whatever it might be? Yeah, so absolutely so so I mean just kind of give you an idea. You can see, I don't know, the audience can see all of the the
badges in the background. So that's my speaking badges over the years I've done. A lot of badges. I've done somewhere. It's probably close to about 1000, I think, speaking in my career of different conferences and events. And you know, for me it's, it's always a, it's an almost pleasure to be able to go and share my experience with the audience.
I always hope they just somebody you find some value of my experience and, and, and they take that away and there's been interesting things over the years. I just even I've had people, you know, speakers here basically kept their headset landed on and went to the bathroom. So you've got a room full of 500 plus people and all of a sudden you're, you know, you're. Flashing. A little tickling and the flushing going and everyone's
just going what is going on? And you know, this is the person had a, a hot mic, you know, forgot the Lander was on and went in the bathroom. I've had situations where, I mean, I, I've mentored speakers over the years and I had one time there was a girl kind of, I was mentoring speaking and you know, she got up on, on stage and she was fantastic. It was like really great speaking.
But she got into this thing where she was walking around and ultimately she stepped backwards and she stepped literally off the stage and the stage was like a good like meter high. She disappeared behind the curtains. I was just like, Oh my God, Oh my goodness. Like for any, you know, obviously any speaker to recover from, that is always hard when you, when you're in that situation, you're just like you can get frightened. All of a sudden she just jumped back onto the stage again and
literally just continued. And actually even once she was off the stage, she was still, she was still speaking, she was still continuing her talk. She jumped back on and she continued on. And I was, for me, that was spectacular. A couple of incidents happened with me Now I was, I, I mean, I do, it's usually about 30, can be upwards of 50 speaking sessions in a year. And I'm always, when you get to my experience, you can always double checking everything you have backups and backups and
backups. And I've got multiple laptops that I carry, which is always a pain. I've got all the kind of dongles and I've got my own clickers that I, I don't use anyone else's clicker because I use my own, because I know it's going to work. And last year was a, a session I was speaking, I'd just finished two talks and it was the 3rd and final one. And it about probably about close to 400 people in the room and there's about 2000 people online watching my talk.
And, and if you ever see me speaking, I'm one that's always, kind of, I always take the high risk. So I'll always do, if I, if possible, I'll do a live demo. I'll always, I'll get up there and I'll keep my virtual machines running and I'll take you through because you know I can, I can change my demo as I need to and go into different. Things for trouble, Joseph. It's just asking for trouble.
So, so I'm up there on a stage, I've got my virtual machines running, I've got my hard drive plugged in, I've plugged in and bringing it to the podium and I'm about maybe 25 minutes into the session, you know, and there's one person kept putting their hand up. I'm going, as I said, I'll take questions. At the end, it's his hand up again. I'm going, OK, you have a question. It looks like it's really
important. He says, I hope you realize that your battery is only 5%. I looked down at the screen and I just the shock and the fright, I just saw my batteries like it was like a countdown 5% for because I'm running tons of virtual machines. That thing was just eating the power under plan. It was just ticking down. I just were like, Oh my goodness. And when I realized that even I plugged into the podium, but there's no power to the podium. So I just said I said the
podium. So I was like just one second, you gotta solve it. I ran, I jumped off the stage like almost 400 people in the room, ran over to my bike, pulled out APD power plug, ran back to the stage, took out the plug, plugged it into the the the podium pack and it just kept it going, kept it at that four or 5%.
So while that was happening, so I continued on, the technician got a massive cable onto the back of the room, started plugging Power Pack, Power Pack. And then eventually after like I felt this tap in my ankle saying there was a power supply to fruit. So I felt this this little tapping. She was like, OK, I looked down and I was like, OK, so change the plug from the pudding that and this kept going. So there's those moments.
It just was so close. But the big fail, I was presenting not long ago this year and there was a massive, there was a couple 100 people in the room and I was presenting and all of a sudden boom, electricity completely went out. Somebody outside was preparing for the lunch, the catering. They'd plugged in a massive like toaster and took the entire par out of the entire conference room, this thing.
And it was like it was a it was like a bang and everything, all audio screens, everything went down. I'm just down there going, what can you do? So, so I just present cause 'cause one of the things is when you're doing this so long, you know what you're presenting, you don't need to look at the slides. So I just kept presenting as let's. Go to the theatre of the mind, right? Imagine, if you will, right? I I think this is what was on the next slide, so I'm going to present that.
So, so I had to be very articulative. Is that what you're not seeing here? But what you would have been saying is this and to explain through what's. Worth it? Not, not so much. It wasn't definitely worth that toaster. The other thing was like for bagels or something, or like this bagel toasters thing. But yeah, I had the complete power go off, no mics, no and all things. So I just had to, I just had to amplify my voice so everyone in the room could hear.
And I had to just so they had. To do back in the day, right? I mean, back in the day, they didn't have AB equipment. The politicians like Abraham Lincoln would have to just speak very loudly. Loudspeaker. Yeah, they get one of those big megaphone type things that. Yeah, so so say next you know as as I need to add that to my backup now. So, so you see a guy in the airport carrying in like this giant paper. They can't have batteries, right? We don't want to run out of power.
Just giant paper, you know, megaphone. That's probably plan. C or Plan D. So, so over the years, interesting things have happened. Absolutely. I mean, I've from ad hoc. I mean, I've had, you know, organizations or conferences had speakers not turn up and he's like, Joe, what can you speak about? It's. Surprising how often that
happens, isn't it? Like I, I think that's one thing that I've noticed as I've done sort of more of these is how many times people get asked to pinch hit because someone couldn't make it. Or, you know, now it's like, OK, well, someone tested positive for COVID and they weren't able to travel right. Or, and they're doing the right thing or whatever it might be. So like things like that. I I'm I'm almost astonished at how many times it happens at
conferences. And I think sometimes that's why they've got to start, you know, accepting my talks because I usually submit several call for papers and they're like, you know, we'll just accept one. So we know these got like 5 more. That's a great pro tip actually,
right? If you can kind of make a name for yourself of being able to, you know, pinch hit as needed, that might be something that might be a tiebreaker, right, where somebody gets accept or not, or you know, maybe just kind of nominated as like, hey, you know, you're not officially on it, but if you can have something ready, that would be great. Yeah, I've, I've been, you know, I've been brought in, you know, for, you know, lots of conferences, even like first conference as well as as a
backup speaker. They just say we, we, we're not going to have you as the main speaker right now, but we know if you've cut tons of talks, we'll just have you as a backup. So one thing and and it has happened where I've had to, you know, step in as a backup and, and take a major speaking session, which sometimes was a keynote. Yeah, right. Flights get delayed. You know, people, something happens. You know, personal events happen.
And you know, if you're organizing conferences and events, you, you're bound to have, have these, you know, terror. I even, I used to host the cybersecurity conference in Tallinn many years ago. And I had to have, you know, even the point where you know you, you know you got when you're choosing speakers, you want speakers, you can deliver multiple sightings. Hey, we're going to throw an impromptu panel together.
Come on back, guy folks. I've done that as well for P Pals. So so it's absolutely you just become, you know, it's just like in the security industry, you just become resilient. You learn a lot from what happens, what kind of happened. And there's always the unknowns.
There's always things that, you know, there's new things like, you know, for me, the toaster blowing the electricity, you know, there's things that you just can't prepare for, but you, you know, if, if they do happen, you just be resilient. That's, that's what we're here to do. I realize that my, my, my job is historically cybersecurity, but I realize that that's actually not my job anymore.
My skill set is, that's my skills, but what my kind of job is, is how to, to help organizations become resilient and, and when bad things do happen, that they can quickly just move on. And that's what, that's the skill set you learn. And that's, you know, whether being with conferences and speaking or, you know, doing podcasts and things happen sometimes, you know? You just find ways that we, we become so experienced and so knowledgeable that we find ways around them.
We find ways to, to keep it going and you know, it's, it's ultimate. And that's with experience. And that's what we, what we try to then do is, is, is put that into automation so that next time you know it, it fixes itself. Yeah, I'm a fan of Littlefinger. From where? From Game of Thrones, right? Fight every battle, everywhere all the time, and you'll never be surprised unless you got Aria somewhere out there ready to
stick it with a knife. I think that's a great place to wrap up. I don't know how we can actually top that. It's been such a fascinating discussion, Joseph. I hope you'll come back and I feel like this again. We can just pick something and just go on for our. Absolutely. So hopefully you'll come back, we'll have a link in our show notes for people to reach out to you if they've got questions or anything like that. Have a link to Delinea so people can find out information about that.
If you're not already aware, definitely one of the major players in the identity management space, the Cubit conference, so people can find out more about that. The 401 Access Denied podcast, so you can find that. So I have a link to that as well. And then I actually found a link to the Estonia Kratt AI bot, so. Fantastic. You know, it's the, the, the link will be there for people to find it. I think it's such a cool idea and maybe we'll figure out how
to do one for our own website. Do the IDAC bot people wanna ask questions or stuff like that? See what else for a wrap up, our YouTube channel. We are starting to grow it. We've just started doing video just within the last like couple
months. So if you go to idacpodcast.tv, that'll take you right to our YouTube channel, or you can find us on the web, IDAC Podcast, Twitter X, whatever it's called when this hits your face or ears at IDAC Podcast and then Mastodon at IDAC Podcast at infosec dot exchange. Jim, did I miss anything LinkedIn? Yeah, that's how we get great guests like this. So if you got ideas, suggestions, introductions, we're always happy to have conversations just like we have
with this. Joseph, any final thoughts before we wrap it up? Absolutely, it's, it's always a pleasure. I mean, it's been a long time since we got the chat, so it's always a pleasure. And can I, you know, to, to get your insights and, and you know, the, the questions you're asking me really can I, it's for me, I, I enjoy sharing the knowledge as much as I can.
And absolutely, you know, next time you want me on, I'm, I'm here and available for you, for the audience and to to really kind of, you know, help educate and bring the community together. Perfect. Yeah. Thank you so much. So yeah, that's it for this week. We'll wrap it up here. Thanks everyone for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and
review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.