This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Good. I'm excited. Today. We've got one of my favorite guests from one of my favorite technology companies, so can't wait to get into it. Yeah, today we've got a sponsor spotlight episode.
These are the ones that we create with our friends in the industry to help us get some more detail around kind of what they're working on. A little bit of a departure from our normal vendor neutral, which we do every week, but this is where we actually get to ask questions about product and and things like that. So I want to welcome back for the third time from Silver Fort Head Cavetts. He's the CEO and Co founder at Silver Fort. So welcome back to the show Head. Hey, Jeff. Hey, Jim.
Good to be here. Yeah. The last time we chatted was at Gartner. And if you recall, Jim was in his like Vegas or maybe like Western dealer outfit when we were chatting there up in your suite. So yeah, what have you been? Today, you know, I had. I was expecting something, you know. Sorry, this is all I could do for the name was a golf shirt, yeah. You look very normal. Normal in quotation marks. So what have you been up to for the last few months ahead since
we last chatted in December? Been very busy. I mean, first of all, the, the identity market in general is really moving super fast now and there's so much going on and, and in silver for typically those you know a lot of going very fast. You know, we, we now have more
than more than 1000 customers. Marston for us, we we've been to, I mean we acquired a company called resume just told you about it. You know, last time it was right after, but you know, since then we've we've kind of integrated the teams and the platforms together and already started the offering it to our customers. So that has been strategic for us. We released new products. We we grew the team. We hired the new resident and chief revenue to be the goal to mark not going on in in a few
months. I like it. I like the the speed. And had we just got back from the Denver's conference, a couple observations. 1 is that this community is stronger than ever. The second thing is like how much this identity security space is evolving. You've got such a focus on NHI. They had an NHI Pavilion, which Silver Port played a part of. You've got the shared signals framework really taking center stage. It's got AI agents as a major
talking point. What do you see with all this starting to come together and evolving? It's really changing from single sign on privileged access management and identity governance, right, Taking on a
much bigger picture. Yeah, I or in general the the identity market is evolving and I think that you know what we started to see last year, I think is, is only, is only progressing which is you know the kind of identity security category forming and becoming it's own thing as opposed to a lot of features and point solutions.
So I think what we're starting to see is all these things, you know, like known human identity, security and identity threat detection response and identity security posture management and all these all these, you know, these buzzwords. The different start-ups have been doing are starting to converge and starting to to become, you know, something border and and work together and and really kind of, you know, collaborate and indicate between them.
And I think that's what organizations need, you know, not a million different products, but something that really fits the the problem holistically definitely be happening. I mean, we we are obviously pushing in that direction and and really kind of going for a platform play, but we're not the only ones. You know, a lot of a lot of people are talking about that.
And, and I think that all these, all these smaller categories like non human identity security as an example, are actually contributing to that because those are the things that kind of create the momentum for a a bigger platform to be created. That's exactly what happened in the early days of cloud security or endpoint security, all these smaller things that eventually created enough critical mass for that.
I get the feeling that there is like this assumption that people at this point have solved for, you know, basic identity governance, basic privilege access management, single sign on MFA, right? They've kind of centralized and maybe gotten the basics in place, which I struggle with because I'm not always sure if that's the case. I see a lot of companies out there that still don't have an IGA. They still don't have really
privileged access management. I guess is, is, is that a fair, and I don't want to call it a criticism, but you think it's a fair observation of, OK, we're assuming you've got these basic things in place and now we're starting to get into sort of the next Gen. of identity security. And that might be things like, you know, AI and NHI and share signals framework and Cape and like a whole bunch of other acronyms, right, that assume maybe you've got some of that stuff in place.
Is that fair? I think that you are actually, you're actually very right about the fact that there are people don't have those base build out. And I think that what is happening now is not necessarily some kind of a next layer that assumes that you already have the layer before that. I think that in many ways what is happening now is companies are realizing that they they haven't meant made enough progress with the old approach. They haven't been able to solve
the problem. And part of this new approach that we're seeing is also trying to go back to these things and, and address them in a new, maybe simpler way. Because I think what has been true for identity for many years is identity is, is very complex. Anything that you do in identity, any identity project is used and, and tons of
resources. And some of the very large organizations have been able to do it with huge investments and, and, and headcounts, But many companies haven't they, they got stuck. And I think that what's happening now with all this innovation in the market is not only offering you the next things, but also revisiting some of these problems and saying, hey, maybe there's a better way to do it. Maybe there's a more automated, scalable, easy to implement way to, to address.
So I think you're, you're completely correct about a lot of companies don't even have those basics figured out. So we, we can't afford to just move on. We we have to take care of them. OK, well, I'm glad to hear that you say the I'm going to hear you said I was right. So that's all I took away from that answer. So you guys have recently expanded and you know, from, I guess like the on Prem identity to including now non human or NH is which as Jim mentioned was sort of the buzz around the
recent identifiers conference. Why do you think that is? I mean, it's not like NHS are new, at least from my perspective. We've had service accounts, another non human identities for a long time. And I'm just curious as he why do you think this is getting so hot right now? I think it has been a problem for a long time. I don't think it's a new problem. You're right. Service accounts specifically have been a problem for decade.
Some of the newer types of energies are, are newer, obviously, you know, maybe the the ones who are in the cloud and SAS applications and things like that. So they are obviously newer, but the, the fact that everybody's talking about it right now is, you know, a combination of the fact that it is a big problem and it is a big list that people need to address and the fact that there are vendors of, you know, investing money and raising money around it.
So that creates that feeds some of the hype. I think that's actually a good thing because I think that the, you know, the the startup ecosystem and, and, and you know, the innovation that it brings with it is actually a, a great way to to fuel this revolution that was seeing across the identity industry. It's not just non human identities. You know, last year it was all
about ITDL, right? And I'm assuming next to it will be all about the security for Jen, TKI and all of these things, you know, separately, they look like trends that come and go, but all together they create this, this wave of, you know, priority and investment in identity security in in a new generation of identity security products. And if you look at the early days of other security segment, I mentioned cloud security. That's what happened, right?
It started with people, you know, kind of building companies to do a container security or cloud security posture management or, or, or other specific things that eventually created enough pieces to, to combine into an overall cloud
security platform. And I think that's what we're saying in identities is all these waves and you know, all these trends, they seem to kind of come and go have this kind of hype cycle, but, but all together they're creating the, the bigger wave of, of just overall awareness to identity security and, and, and your approach of addressing it, I think specifically that NHI is a big problem. It's not just a trend, it is a big problem.
People spend so many years trying to protect the human users with multi factor authentication and, and beverage access management and, and, and they have neglected the the non human identities and those non human identities are now targeted in the majority of data breaches. So it is it is a very true, you know, risk and something that
needs to be addressed. I think it will also go now with, with AI. So, you know, AI agents are also increasing that problem because they're taking a bigger and bigger hole in organizations and they probably probably will continue to to grow. So overall, this is a very growing problem that has no good solution. So I I get why this is a priority. So let's talk a little bit about that recent expansion you guys
did into that whole NHI space. I'm going to put my very well worn on jaded, you know, see so hat there's so many products in this space. So what makes Silver Fort difference when it comes to how you guys are approaching, you know that that that type of identity security is in a specifically for these NHIS or maybe cloud identities?
So first of all, we announced an expansion in that area, but, but we've been doing anonymous identity security for, for several years now from before it was cool and we just started from what was the priority. I think it still is the priority in many cases, but it was definitely the older problem, which is service accounts. So Active Directory service accounts, that's when we started, you know, maybe five
years. And with AD service accounts, I think we've built by far the best solution in the market. I, I stayed very comfortably because I think that, you know, we've really done some massive innovation though that no one
else has been able to do so far. So not only we are able to discover all these service accounts, even the ones that are not documented, the ones you don't even know about, because we, we look at the behavior, you know, we can, we can see that it's behaving like a machine, not like a human. So we find even even unofficial ones, you know, ones that, you know, maybe, maybe some person is using the personal accounts to run some application or script.
We'll, we'll even find that. So not only the documented 1 then we also show you what they're doing. So we show you that this service account is being used from these sources to these destinations with these protocols. We give you the full mapping of the, you know, the dependencies where is it actually being used. That has been a huge problem for years. People couldn't protect these accounts because they were worried if they make any small change to them, something will break.
You know who knows which other applications have been using this account. And if I, if I even change the password once, something will break. We, we map all these dependencies. You, you have full visibility to them. And then the most powerful piece is we have a way to actually enforce a policy. We can protect them in line. And that is probably the biggest differentiator of silver fault
in general. And specifically for for non even identities, not only we show you what they're doing and offer some offline kind of, you know, risk mitigations you can do, but also we can control what they do in line. So if we see a service account being used outside of where it's normally usable, it needs to be used. We can, you know, kind of block anything else, you know, or, or, or tell you if anything else is happening.
So if we see that this account is used to connect from A to B every day, any attempt to use it anywhere else or to anywhere else, we can alert on or we can even block in real time. So make it impossible to abuse this account. This really reduces the risk of those accounts because it means that even if you steal the password, you can only go from A to B. You can't cause damage. And then that is what we've done for a few years very
successfully. Hundreds of enterprises are using it, some of the biggest companies in the world. I think we we'll probably have, I think we have the most advanced ported for that. What is the the newer edition is that we expanded that to all the cloud environments and that is thanks to acquisition of resume. So resume it had those connectors and and and analytics around all the different cloud environment and we've now fully added that into our platform.
We really merged the product because a few months I think we did it relatively fast. So we, we completely really combined the pot. Now we can protect non human identities anywhere, not only in AD but also in all the major cloud identity providers like Okta and Intra and all the the cloud infrastructure, the providers like, you know, AW and Azure and GCP and also all the major SAS applications.
So even if you have SAS applications that you use, you know, with local identities, we'll even we'll even see and protect that. So now it's a really end to end offering. And I think it it's probably the boldest offering in this market. And and also, as opposed to some of the younger start-ups, we have a much bigger customer base. We have, you know, many large
organizations using it at scale. So I think, you know, overall with the the taction and maturity that we have and with the fact that we have this, this in line active enforcement, modulating that we have a lot of advantages in this space. And and then I think the the next thing that you know, was going to to be important and we are all over it is, is how do you protect the identities of AI agents, which are non human identities? But I think it's a new type.
It's a completely new type of energize, not like the the regular energize. Yeah, I know we're going to talk about AI because we just, we can't go for an episode of the Identity Center podcast without getting into AI at this point. I want to ask you real quick though, about the the ITDR space itself. When we first met, that was kind of like, oh, OK, this is the area you're playing in.
How is ITDR fitting into this? Because you know, Jim and I just got back to my identifiers conference and there really wasn't a lot of mention of ITDR specifically. And I'm curious to see if, if, if that term has evolved or are we moving now into it? Is it just identity security? Like where do you see ITDR fitting into this?
It's a great question. I think that what is happening to ITDR and what I think will also happen to these other subcategories of identity security, including an agile is they're emerging and they're getting some maturity and then they're being at some point kind of consolidated or, or merged into bigger identity security offerings.
So, you know, IPDR, there were a lot of startups doing it and, and you know, a lot of enterprises started, you know, even looking for that and then a lot of these stars got acquired, right. And the and and what kind of merged into bigger identity offerings or identity security offerings until the point where it's almost a feature now in, in border platforms. By the way, two types of platforms that where you see it kind of melt now. One is into border identity security platforms like ours.
And 2nd is into XDR solutions that, that are not really identity specific, but they do detection response in general, right. So a lot of the the companies that will just focus on detection response. Now ITDL is one pillar of that. So you know, if you really think about it as either a feature of a bigger identity security platform or as a feature of a bigger XDR platform, but it's no longer a stand alone thing. And that makes a lot of sense.
You know, who wants so many different products? I think the same will eventually happen to NHI Security. I don't think that in two years from now people will buy NHI Security from from companies that only do that. And so I think that the, it makes a lot of sense that these things are, are kind of created and, and developed and, and you know, kind of, you know, getting innovation from the startup
ecosystem. But then once they, once they really kind of figured it out, they, they become part of bigger platforms, very similar to what happened to UEBA in the past. If you remember, there used to be a lot of products doing user behavioral analytics, and today it's just a feature of every Security Council. Yeah, good point on UEBAI actually wanted to bring you back to that service account
discussion. This ITDR thing is so fascinating, but I think the service account is everyone can relate to it. You guys put out a new report, let me get the name right. Insecurity in the shadows, new data on hidden risks of non human identities. There are a couple statistics in there, but one that really jumped out at me was that 80% of organizations can't stop the misuse of service accounts in real time. I think 20% are out to lunch, don't even maybe don't even know
that there are service accounts. This is a really hard thing to do. I mean, you mentioned it where you have these service accounts and for some organizations, they're the kind of the outlier accounts that were created in 2006 and nobody who was around there and works here anymore kind of thing where you have these really oddball service
accounts. But even when you have good control of your service accounts, to know that they're being misused 1 requires that you would need to understand what the proper use is. Then you need a mechanism to stop that account from taking action if it's being misused. So you kind of spoke to that, like what is the mechanism to make all that work from a Silver Point? Perspective, first of all, you're right, I think those those 80% is probably really 100%.
Maybe there are the others of our customers, but other than that, I really think it's a, it's a problem that I don't, I don't see people solving it on their own. And, and we have built, I think a very innovative technology for addressing this. And also not only we have technology, but we really talked about the full journey of doing it. So, so I'll start just from the technology that I'll explain what we had to figure out in the journey to help customers really leverage this effectively.
The technology piece is, you know, we figured out that it's not enough to just give you visibility to these accounts. I mean that that's a good starting point and that's what a lot of the vendors are doing now. But I don't think that solves the problem on it's reading information from the directories is this is just a starting point. We had to figure out how do you then enforce controls? How do you basically intervene in what these accounts can do? And that really requires an
inline technology. So at the heart of the Silverwood platform, those are technology that we call RAP, runtime access protection that plugs into the directory, OK, for example, Active Directory, but also others in a way that doesn't just give us visibility, it gives us the ability to intervene in line in the actual decisions of the directory.
So for example, if you're trying to access some system, could be a modern system, could be a legacy system, and we see that request coming in to the directory. We are able to then not only see it and and and log it and analyse it, but we are also able to potentially block it or to potentially hold it and do something about it, like verify it somehow and only then allow it.
So we can, we can really become a decision point in the middle and we found a very elegant way to do it without causing, you know, any issues to the network or to the performance that, that that appeals a lot of the sticker sauce of Silverfold and what gives us advantage in many areas, but also applies to to service accounts. Because with this, we can not just give you visibility, but we can actually prevent any abuse
of these accounts. So now moving to the, the journey of how COC was actually adopted, they talked about discovery, right? That that's something we do automatically. So we, we find those accounts based on group memberships and naming conventions and, and most interestingly, what they do, then we map where they're being used. That's another thing we do automatically. But then it gets to the enforcement base and to do the enforcement at scale.
I think about it, some of these companies have a million service accounts, OK, that, that, that actually exists, right? Like huge amount. Right. You're not exaggerating there. Some, some companies have a millions of how do you even start protecting them? So it has to be something automated. It has to be something that is really built into the to the processes of the organization of the IT that that don't require
manual work. So we figured that if we learn what each of these service accounts are doing at scale, like even even for a million service accounts, and we automatically figure out how predictable is it? Can we see after a month, after two months that it really has some baseline? You know it, it goes from these two system to these five systems every day. This is what it's doing. And most of these accounts, this is kind of how they behave. We can build a mapping for each
one of these millions accounts. We can automatically build this, this map, this, this baseline and also understand how, how sure are we, you know, is it very predictable and repetitive. And then we can automatically start moving them into enforcement, into protection where we only allow that. So if an account is very predictable, very kind of, you know, doing the same thing every day, we'll move it very quickly to enforcement. And we, we know that it's not
going to, to do anything wrong. If it's not, then it will take a little longer, but all of it can happen automatically. And we build integration to the existing IT systems that organizations are using like service now so that we can build it into the regular processes. So if they're working with something like service now, we can automatically plug into that and, and populate our policies based on, you know, the CMDB or based on, you know, tickets of people opening.
We can, we can, you know, avoid you having to build any policy manually. Well, that took a long time. You know, the, the just building of the capability that that was one piece, but getting it really to the point where it fits the way enterprises walk at scale. That that took a long time and
lot of work. And I think that that gives us a big advantage because we can really do that at this huge scale because we understand what people need in order to to be able to, to do that at this large scale. Absolutely. Your point is really well taken when it comes to the scale I I talked to a lot of clients who are getting into their IM roombab and they need to take some time in the beginning to clean up their Active Directory.
Active Directory is usually the core platform from a security standpoint that runs most organizations. Their emails tied to it, the ability to log on to the network and communicate with your coworkers. Just so many functions require are reliant on Active Directory. So they have to do this cleanup project, which usually includes, you know, group cleanup, group identification. What are those groups doing and service account cleanup.
First off, I asked you to build a tool for the group cleanup. Second off, when it comes to the Active Directory cleanup, you are, I'm sorry, the service account cleanup, you mentioned this mapping that needs to take place. I mean, that's a big part of that exercise that when you're doing it with spreadsheets and emails to, you know, try to track down the person who knows what that account does. It's First off is it's just not the right approach.
Second off, it takes forever, especially when you have hundreds of thousands or a million service accounts. So how long does that kind of that mapping exercise take with Silver for Soul? Finding most of the service accounts and what they're doing, within two weeks, you get almost
the full picture. And so within two weeks, it's enough for us to figure out, you know, it's enough time to understand if if an account is behaving like a human or not, usually unless the person is on vacation, right? But for most cases, it's also enough time to understand, you know, for these accounts that are more active, what are they doing now? That's maybe 95% of your account. Then there's a long tail of accounts that only run a scheduled test once every month.
And, and you know, it will take that long to to notice them and find what they're doing. But that's like, you know, that last 5%, you know that that can take a little while and that's OK. You know, as long as you can start somewhere and you can mitigate the majority of your ways, that's OK. That that will take a little extra time. That is a faster than more
complete approach. Then you know what you're describing, which is how organizations try to do it until now, trying to manually figure out what these accounts are doing. That's not a scalable approach. Any company was tried to do that. Maybe they were able to do that for 100 service accounts. I'd like like ridiculous numbers.
I'd like companies tell us. So we we managed to do this for like 50 service because you know, we know exactly what they're doing and but they have like 20,000 right. So it's it's almost as symbolic and also with the manual report, you'll never know if you really have the full picture. So you know, you went through this, you talk to the application owner, they think that it's being used by these 5 servers. They don't really know. I mean, they, they think that this is better being used.
I mean, who knows if, if, if this was also, this account is also reused for another system. Nobody knows for sure. So at the end of the day, what happens is people end up with these Excelsius a year to build and they're still not fully sure that this is the the the full story. So they don't want to act on it. They don't want to actually make changes to the system because they're not fully certain that it's all going to break something.
And if they try and it did break something, then the project is completely derailed because now nobody's going to allow them to do anything. And this happens all the time. So with simple, not only we shorten it and simplifies it, but also we give you the, the, the comfort that this is everything this account is doing. This is the full picture. It's impossible that this account is doing anything that we don't see because we see all the authentications that kind of the heart of our college.
So you know that if you're going to now make a change to this system, these are the only three places where you need to do it and you know exactly what will be affected.
And you don't even necessarily have to do that because we can also reduce the list for you, you know, using our virtual fencing, you know, by by just, you know, preventing this account from being used anywhere else, that that alone is a huge reduction of risk because it means that nobody can use this account for lateral movement now or to spread them somewhere. It can only log in from A to B. So it's just a very easy, very streamlined way to reduce that that that list.
And again, this is Active Directory where I think the pain is, by the way, the the, the biggest. But now we can protect also all the cloud environment. It's really, it's really that end to end approach where you you don't need to solve these problems individually, but you get one platform where you can do that. And the other advantages non human identities is only one element of your identity risk. You know, attackers don't only target human identities, they they also target human
identities. And they might start from an any giant then expand to an human account. So any approach that only looks at one piece of this puzzle is missing some context. If you only look at non human identities, or if you only look at privileged users, or if you only look at the cloud or only look at AD, any one of these these siloed poachers is missed in context and is not going to really be able to give you the full story because attackers
don't look at it like this. Attackers look at all of this is 1 big attack surface. Yeah, Attackers don't care whether you're here or not. Human, they're going to exploit whatever they can. That fear of breaking things is so important to understand because that is like the number one reason I've found that people don't do anything to, to solve some of their, you know, servers count issues or, you know, CICD pipeline or or whatever it may be.
How do you establish that trust to say, OK, we think we think we've got a pretty good handle on what the mapping looks like between if I shut down this account, whether it's AD or cloud account or whatever it may be that I feel confident to understand what the, you know, the, the, the ripple effect might look like for some of the other downstream things. How do you how do you establish that trust?
Because let's be honest, system admins and you know, other folks are like, don't touch it. It's, it's working. And how do you get past that fear? That's a great question. We, we, we didn't fully understand how big that fear is initially. And it took us time to learn how to, to offer things that will
make people comfortable. And one of those things that was very effective is to move these accounts before we move them into full enforcement and prevention mode, we move them into some kind of alerting or simulation mode. So at that point, we basically say, hey, we are confident that this account is only doing what we learned.
But because you know, we want to give you comfort, we're first going to move it to a phase where it's not actually going to block anything, but it's going to alert you, you know, if, if, if there's any deviation that supplies that, you know, if let's say that we think that this account is only used to connect from these five systems to these 10 systems. And we learned this over two months. And we're very confident because it's very, very repetitive.
And we're going to give it another month where it's we're not preventing anything yet, But but we're going to alert you if there was any other use of this account that was outside of this. And this gives you comfort because at that period of time, you're going to see that there's no false positive, there's no alerts, there's nothing that actually happened that would have been prevented. And at that point, organizations feel more comfortable.
And also, I think they realize that if, if there will be anything that goes outside of this, it's suspicious enough at this point to at least pause and ask, what is this? Why is it happening? So by the way, one of the things we do is for every one of these accounts, we, we are able to recommend or, or kind of map, you know, two different integrations who's the owner of that account.
That's really useful because we can say, OK, we think that this account is only doing this, but if it's going to do anything else, we're going to reach out to the owner of this account and ask, is this expected? Like we'll sing this, this account being used in this new place. Is this something that you know about? And, and that allows for some feedback.
So now this also builds fast because they know that those application owners are going to, to be able to provide feedback and say, Oh yeah, my, my account actually does need to run in this additional place because they just, you know, did this change? And once these and, and by the way, at this point, we didn't prevent anything yet. We were still in, it was still in alerting mode at that point.
When they see that this whole flow walks, they'll feel comfortable enough moving into prevention. But that really took a lot of investment in understanding, you know, how organizations want to operationalize this, what other IT system they're using that we need to integrate with to make it, you know, more, more visible to them.
It's, it's really, I think anyone outside of the identity market cannot fully appreciate like how complex the changes are that I think, I think, you know, you guys, you guys know, well, I've talked to one company, well, you know, before implementing Silverfold, they were trying to do some of these manually and, and finding these accounts and trying to rotate the passwords. And they told me it would, it would take sometimes six months to get approval to make a change
to a service account. And by the time they got the approval, the service account maybe was already decommissioned or was outside of the scope of the audit or the audit already happened. Like all kinds of things that make it make it so slow that it's almost irrelevant. It's really a feeling of you're, you're walking and walking and making no progress. And I think that's not only a problem in, in non human identities, it's probably an
identity in general. But in in non human identities, it's even more of a problem because there's no person to ask sometimes, like, what are you doing? Like, why are you doing this? You need to, you need to, you know, guess if you don't have this system.
So Speaking of non persons, I think that's probably a great segue to get into talking about some of the new things you've announced around AI agent security because you talked about that mapping of like, OK, who does this account belong to? It's approaching probably sooner than we think where we have a is talking to AIS, talking to AIS, talking to AIS.
We have like this Inception or Mostrica doll where you've got so many different layers of, you know, bots talking to bots and maybe there's a human in the mix somewhere. But I want to talk about this, this new feature or this new capability that you guys have have brought out around age AI agent security. Tell me a little bit about that. Yeah, it's, it's this is a very exciting space that is obviously moving faster than anything else that we've been talking about.
I mean, other areas of identity security are moving fast, but but nothing is even close to this. This problem is changing and evolving, you know, every day. And I think it's going to become a huge problem for organizations that soon, if not already. So just an explanation for we know anyone you know, listening to this who doesn't fully understand what are those AI agents and, and why is it such a
new and different problem? What why is it so different than detecting regular identities or, or NH is? So, you know, AI agents are basically as opposed to chat bot. AI agents are actually doing things though, you know, logging into your systems and they can take actions, they can write an e-mail, they can, you know, change something in in your in your CLM. It can, you know, build an application, it can actually do
things. And this has massive potential for helping businesses because you can actually automate a lot of work that was done by people, manual work. You can use these these agents almost as virtual workforce or virtual assistants that do things that that were just a lot, a lot of manual effort for people. But it also creates a huge security risk because the risk of using our our regular good old ChatGPT are are, you know, at the worst case you get, you get the wrong answer, right?
So it's, it's, it's there is a risk though, right, with his utilization and things like that to, to do anything bad agents can actually do stuff. So it can delete your data accidentally, or it can send an e-mail that makes you look really bad or cause an issue for your company, or it can it can do all kinds of things that that can cause real damage.
And unlike regular non human identities, and this is where we're starting to get into the differences, they're much less predictable with a regular non human identity. I mean, we just talked about, I can learn that it's connecting from A to B every morning at 9:00 AM. And I kind of learned that very, very simple repetitive button, because it's just a script, an AI agent, because it's based on, on AI, on LLMS, it's, it's not deterministic. It can do a different thing every day.
It can suddenly decide to to do something new today that is a little different than yesterday. So it's harder to tell is it doing something that that it should. At the same time it it's not a human. So you can't use the regular stuff that the security controls that work for human like multi factor authentication, right? The stuff that we got used to do for humans. So it's not a human, not classic NHI. It's something in between. And it takes a newer post to.
How do we secure this? I think that this is a very important problem because the adoption of AI and especially AI agents is going to have so much benefits for the business that companies are going to adopt it whether we the security people are ready or not. I think that, you know, in over the next month, you know, boards and CEOs will be coming to those security leaders and saying, you know, we're going to adopt AI because otherwise our competitors take us out of
business. Like we're not going to be competitive. So we're going to implement it. You know, you should do your best to secure it, but we're not waiting. And I think that this is this makes it an urgent problem, although it looks like it's so new and and so emerging and it feels like you can wait and see where it goes. I think that it is going to become very urgent based and. So. Now let me tell you our, our approach to it.
So we figured in order to make this safe, in order to make AI agents operate in my network and know that that I, I limit them from from causing any damage, I need to have visibility to what they do and I need to be able to stop them from from doing things they shouldn't do. The first part is easier. So giving you visibility to what they do.
You know, I think that every vendor that is in the non human identity space is going to be able to do that because at the end of the day, these are non human identities And you know, we can see what they're doing. The other vendors that can also see what they're doing by looking at the logs and looking at, you know, the configurations and things like that and show you, you know, you have this AI agent and it's using this identity and it's accessing this system.
I mean, it's not super easy, but but you know, vendors are figuring it out and companies are figuring it out. The second part is more complex. How do you actually prevent it from doing bad things? This requires an in line approach. What I mean by that is we need to actually get the AI agents when they access things.
So when they connect to your e-mail server, all to all to your customer database, we need to be in line as a gateway on this communication in order to really be able to stop bad things. Now, luckily, there are ways to do that technically, For example, I don't know if you heard about, obviously, like a lot of people are talking now about how AI agents are accessing other systems and, and the Basel right now is MCP, right?
MCP is kind of the, the language, the protocol in which AI agents are connecting to other systems. It's very cool. It, it allows you to save the need to integrate individually with every system. And the, the, you know, the advantage of that is that you can actually create an MCP gateway, which means that when an AI agent is trying to connect to different systems and applications, it will do it to your solution to silver fault.
In this case, this means that we are actually in line on what it's trying to do. And it means that if we're seeing you're doing something bad, we can block it or we can involve a human, you know, this is, by the way, in a new kind of concept. But think about the AI agent is doing something bad. I go to the owner of this agent and I ask it, hey, is it OK that your AI agent is trying to do this? And the human says, yes, that's actually, that actually makes sense to me.
And then we can allow it. So there's a lot of things you can do there. By the way, it's not just a new problem. There's also new opportunities here. You can actually use AI to be able to do that. You, you, you, you know what you said before, you know, you left, but that actually is true.
Like it's all kind of connected. So in order to to look at what AI is doing and, and, and figure out if it makes sense, you can actually leverage AI And also those new opportunities with interacting with AI agent, for example, with regular non even identity that is trying to do something. I can't ask it why are you doing it? But with an AI agent, maybe I can, maybe I can ask the AI agent, hey, why are you accessing the customer database?
And the AI agent will actually tell me why is he trying to do that? So there's, there's a lot of new opportunities. There's a lot of, you know, new challenges, new opportunities, everything is moving super fast. But you know, the port we just released is exactly that. It's a, a gateway that sees all these agents trying to do things. It can show you what they're
doing. It can control what they're allowed to do. So like granular authorization, we can say, you know, yes, it connects to Slack, but it shouldn't be able to write anything. We shouldn't be able to read any, any of these groups. And also you can really control the granular access permissions you give it. It can block certain things.
It can, it can, you know, involve more security because if we think it's doing something bad, it's really a very cool answer to this concern that this is super new. But I think without solving it, organizations will not be able to really enjoy this revolution. So I think it's going to be. So I, I, I think that's really clever the way you're approaching with that gateway type of approach and, and things like MCP or model context protocol or A to a which is
agent to agent. There's a lot of work being done to facilitate data transferring right between models and between agents itself. I'm curious if you have an opinion on from an identity standpoint, how should we be thinking about security for this? Is it very specific fine tune agents that only have access to the things they need to, which means more agents or something that's a little bit broader from an agent perspective that maybe does have more access to different things and have fewer
agents. So is it a quantity versus quality thing? Like what are you thinking like from an identity security standpoint? I think that at first at least, we, we probably are going to see many agents doing small things right and, and kind of orchestrating each other and telling each other what to do. But it's really, it's really an army of agents that is trying to to do a combination of many small things in order to
accomplish one big thing. That also simplifies things a little from a security perspective, because I can figure out what each of these agents is exactly trying to do. And I can understand, you know, who owns each of these pieces. If you imagine one agent that is Superintendent can do all of it, then it's also really hard to secure it because I don't know what it's time. It might do this today and this tomorrow. And you know, does it even have
an owner? Because if it's doing everything, then who, who is the person really owns it? So it makes things a little harder. I think in the long term, this is where it actually might go because, you know, AI will become smarter and, you know, we won't need to bake it all these tiny pieces. It will just have, you know, much better capabilities and it
will be able to take action. And we'll actually, we'll actually want to give it more flexibility, but that will have some paid off with, with security, you know, with our ability to control it. I think at least for now, while we, we still don't know how this is going to work. We, we, we understand some of the risk, but definitely not all the risk. I think it's important that we
that we stay pretty structured. I and I think that's what organizations mostly are doing because that's also, you know, the, the limitations of, of the current AI models. They're breaking it down to small things. And we can tell that, you know, this piece is in charge only on, you know, writing stuff into your CRM and it's owned by this person from sales operations and it's only connecting from here
to there and doing this. And this actually makes things, you know, much, much more controlled from a security perspective. So I think at least for the short term, that that's what we mainly are going to see. And, and by the way, I think the that that connection of every agent to a human owner is actually very important because it means that you have someone accountable for what it's doing.
Yeah, it seems like the agent acts in the context of the person who is making the requests or what if I'm not sure if the request is the right word, but depending on what the agent does, right? So the question is, does the agent run under a service account or does it leverage the context and authentication of the person, Not only the authentication, but also the authorization, the entitlements
that that person has. And via the MCP server, maybe MCP server says, oh, here's Jim McDonald asking to access, you know, the Custer database user example. Yeah, that to me seems like that's the right level of security. I think that is probably the easiest approach because, you know, if it's on behalf of Jim, then it's going to have Jim's permissions. I don't think that's the safest approach because it might not need all of Jim's permissions, you know, because it's doing
something specific. Why give it all the permissions that the gym has? I think that that's where a lot of people started because it was easy. I think that what vendors like us are doing now is offering, you know, more ground law controls. So we the least privilege approach where we say, yes, it's acting on behalf of gym, but it only really needs to do this one
thing. So, you know, let's only give it this this permission that will give it all the permissions Jim has, which is harder to do, but that's what vendors like us are here for in order to automate this and figure it out more automatically. I don't think that's something that an organization can figure out on their own at scale.
But just like we've done that for service accounts and for non humanities in the cloud, now we're doing this for NHIS because we have already some expertise in this. We can see all these agents, we can understand what they're doing. We can understand who is the owner, we can understand it. Or do they really need those
full permissions? Or based on what they're doing, maybe they only need a much smaller set of permissions and then we can automatically start recommending to you, you know, where you can actually minimize that. So all of that I think is is very important, very urgent, because before we know it, our companies are going to be full of agents. I mean, we're already seeing it at Silverthorpe, even internally. I'm sure many organizations are starting to save.
And if not, they should actually be even more concerned. I think that, you know, they need to, and I think that this level of control is the only thing that will allow organizations to, to have the trust and the confidence to do it. So in a way, it it's an enabler for AI adoption. You know, if we don't figure out the security aspects, then organizations are not going to be able to adopt this fully or under competitive pressure. They're going to adopt it without security and it's going
to be a mess. So so we do need to figure it out. And I think that that's, you know, starting from the the entire the permissions of the person who's who's who's running the agent is a good start, but it but it has to be more narrow than that. You know that I think this kind of highlights the the urgency and sort of the the issue with all these different agents. I can certainly see an angle where, you know, in this, in this example that Jim point out there I was acting in the
context of something. And you're totally right. We, we don't want to give the thing too much information or too much permission. So I can see one agent, you know, saying, OK, here's what I need to do, another agent saying, OK, well, what does that actually mean?
And then another agent that says, let me interrogate Jim's entitlements and then some other agent that says, OK, based on these entitlements and based on what you're trying to do, let me down select the specific authorizations and then passing that back through the check all the way back to the first agent to actually do the work. Yeah, no, it's crazy. And then it can even become more sophisticated. I'll give you an example of something we're we're building
now. You know, we've had for years sexually coding, right, as part of, of, of privilege access management, right? People have been doing session recording. They recorded what the admin is doing inside the session and then it was sent to be buried somewhere that nobody ever watched it, right. But but, but we did that because we needed to have some evidence
of what the the person did. AI actually presents an amazing opportunity to use this kind of data because you can actually have AI watch it and figure out, you know, what is it doing? Is it actually aligned with what it will this person was supposed to do. Now think about this is in the context of of AI protecting AI. You could have an AI agent saying, I need to log into the CRM because I need to do
something. I need to update this this, you know, record and then you can actually watch what it's doing. I mean, another AI agent can watch what it's doing and compare that to what the agent said is going to do. So the agent was going though to update this record. Did it actually upgrade the record, update the record or did it do something else? You can apply, but of course you
can apply that to humans too. But there's so much new opportunity to ultimate things that were impossible to do because the manual work needed was unreasonable. And now that those AI, we can actually do that. We can actually watch all these hours of, you know, session recording and compel them to what people were supposed to do and what they said they're going to do in the ticket. And we can automatically figure out who's doing something bad
and block it in real time. So, you know, I think security is actually going to get way more sophisticated because we can finally automate all these things that we're always, you know, not feasible. And that is actually going to help us protect the AI too. And by the way, I think that that is critical because with AI protection has to be automated, has to be fast because AI itself is is operating very fast.
So think about the way we secured human was always assuming that they move at human speed. So I could detect the bad behavioural send an alert and somebody at the stock would look at the alert and investigate it and then go back and, and do something about it. And all of it was assuming that it's a human attacker moving at human speed with AI based attacks is going to happen in seconds because all the decisions are automated and AI
is making them. So taking over the corporate network, you know, breaching the corporate network could take a few seconds if all of this is automated. This means that if we don't make those security decisions in line in real time, and we don't block these things while they're happening, we're too late before just sending some alerts to the stock waiting for anyone to to look at them. The attack already happened, so I think AI speed is actually the only way we can protect against AI threats.
So, so had you've already given us like 12 minutes more than we asked for and I didn't want to we neither Jeff or I wanted to stop you along the way because we're learning so much. It's been an absolutely great session. So can you just give me two more minutes? There's one more question I wanted to ask you, which was around this ideal identity security playbook that you guys have crafted an ideals and acronymic stands for integrated integrate, discover and force analyze and lightweight.
So can you give us an idea of like how this gets used, why is it useful for the practitioner? And then Jeff will take us out. Yeah, I'll keep it very short. I think that it it kind of summarizes a lot of what we talked about. So I talked about syllables approach to identity security, right. We're doing it really is a very broad platform. We want to tackle all these things like humans and non humans and AI and on Prem and
cloud. And, and to summarize this approach, you know, with a playbook that I think organizations can use to, to understand what does it take to really deliver holistic identity security. You can really use this, this ideal concept. So it starts from integrate, which means in order to really bring identity security everywhere, I need integrate with all the pieces of my identity infrastructure all the way from the legacy to the modern cloud ID.
PS Right, Okta, Google, AWS or all of these different pieces including the the SAS applications or or legacy applications that have local identities. So integrate is the first piece because I need to see every. The second piece is discover. Once I'm connected to all of these pieces, I need to discover all the entities, all the identities, all the and non human identities, all the privileges, the group memberships, everything that they can get. The third step is in.
Force that is also. Probably the step that is the most unique the silver fold many vendors. Do the first. 2 steps and they just give you that visibility and then you know, you need to do something with that. We need to figure out how to to address these issues. We also believe that the critical element of this is in force. Once we see what's going on, when we see some bad things, we need to be able to intervene. We need to be able to prevent certain activity.
We need to be able to authenticate certain users as they're trying to do something. We need to be able to to to have, you know, real time controls.
And that requires an inline architecture means that you need to actually see the access, the quest going to, in a, in a way that you're able to, to stop them if you need to step #4 is, is analyzed because, you know, all of this, all of this data and activities and, and, and, you know, people authenticating and all these different data sources, you get, you need to,
to have intelligence around. And that's part of what we just talked about analyzing, you know, what did it actually do compared to what it was supposed to do? And, you know, does this look like normal behaviour or not? Does this look like lateral movement? Does this, you know, you need to, to bring intelligence into, into this. And then the last part is, is
lightweight. And the, the reason why we believe that's so crucial is because identity project historically have been way too complex for most organizations to, to survive. You know, a lot of people joke that, you know, there's no point starting an identity project because it's going to be the, the next person after me that is going to actually get to finish it and get a credit.
So I think we have to make identity security easier, otherwise we'll, we'll, we'll limiting it to a very small number of companies in the world that have the, the ability to, to execute. And, you know, and the rest of the companies are just, you know, listening to these type of, of podcasts and, and, you know, wishing they had these, these, these things, but, but they can't really implement them effectively. So it has to be lightweight, it has to be simple, it has to be quick.
I think that if you look at other categories of, of security, again, the vendors that really were able to bring innovation and conquer those markets, well, not just the ones who did it in the most secure way, but the ones who made it easy, made it super simple to implement and to use. And I think it's time for identity to, to set this as a, as a requirement of, you know, identity. People deserve to have porks. They're not a nightmare to
implement otherwise. You know, they're just wasting time and money and they're not going to get the result. So that's basically the approach and. It's kind of summarizes. You know, everything we said before and kind of how we believe identity security should be done and and yeah, whether people do it with. Us or not, I think I. Think that's that's what they need to aim for. I think that's. AI don't know how we top. That and so I think that's probably a good spot where we close it.
You guys are doing such, such cool work and, you know, Congrats on the success. We're going to have a bunch of links in our show notes, but definitely want to encourage people to go to silverfork.com and check things out. I was taking notes as we were kind of talking here. There'll be a link to the, the insecurity in the shadows report that we talked about to be a link to the identity security
playbook as well. And then we'll also have the link in our show notes forehead for people to connect on, on LinkedIn and as well as ourselves. So had it's always a great pleasure talking with you and I I I really appreciate you taking the time with us. Any if I took one thing away from this conversation, you kept mentioning that the word in line, it's like, OK, like that is what we need to get people understand.
It's like you need to be injected into the process, into the data stream, into whatever you want to call it and be, well, as you said in line. Yeah, I think that's very. Important otherwise. We'll just, otherwise we'll just pointing out the issues without being able to actually solve them or stop them. Yeah, well, there's.
Value in. In at least pointing the issue out but we've got to start solving these problems so I I I appreciate the you know the the discussion especially when we say we need to make identity security easier yeah absolutely right nobody wants hard tools we've got to have a way to approach this and I like what you guys are doing so thank you that yeah so that's is a good spot we're. Going to have to leave. It for this week. Thanks everyone for watching Andrew listening.
You can find us on the web at idacpodcast.com and we'll talk with everyone in the next one. You've been listening to Identity at. The Center. We hope you've enjoyed the show. Make sure to like, rate and review and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.