You're listening to the Identity at the Center podcast. This is the show that talks about identity and access management and making sure you know who has access to what. Let's get started. Welcome to the Identity at the Center podcast. I'm Jeff. And that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad, yourself? I'm good. I'm conserving my gas, the little that I have left, and driving my guest house or car when I'm not conserving gas.
But, you know, I'm living in the southeastern United States, where our gas supply has been affected by two things. One is a cybersecurity attack that happened on the pipeline that fuels a lot of the Southeast. And the second is by panic buying, everybody rushing out to fill up their tank, all in the same day, and it's the same thing that happened, you know, right after COVID, where everybody had to rush out and buy toilet paper, of all things.
Yeah, I think I saw a picture of you filling gas tanks and putting them into the trunk of a car or something like that. Maybe make a few extra bucks on the side here. The good ol' American way. Yay, capitalism, that sort of thing. Yeah, we all knew. Bunker, right? So it's interesting you bring up the pipeline thing. So the latest that we have as of Wednesday, May 12th, on recording this, and this will go out onto the internet and to all of our listeners on the following
Monday, the 17th, is that the pipeline hack may have come from the Exchange vulnerabilities that were widely touted a couple months ago. I think it was back in March or whatever, meaning yet again, you know, patching didn't get in place and wasn't remediated, and we are having another ransomware story, and now we're seeing gas prices go up because of that, but also because of, you know, the economy, I think, starting to open up a little bit here in the US.
So, I guess, keep those systems patched. Well, I think, you know, a lot of these ransomware attacks, you know, eventually boil down to basic blocking and tackling. We talked to Dr. Jason Cunningham on the show a few months back, and, you know, he mentioned that these types of attacks are moving downstream, not that utilities
and kind of core infrastructure are that far downstream, but they're going from government agencies and banks down to, you know, kind of companies that haven't seen themselves as prime targets in the past. But I think what you and I have seen with a lot of organizations we work with is that they're understaffed.
And you've got, you know, not enough people running around trying to keep up, and they're doing yeoman's work and there I am here as, but if they don't have the tools, like MFA everywhere, there's only so much that they can do, and so they run into these kinds of situations where nobody wants to end up on the front page of the newspaper, but that's certainly what's happening. Yeah. I mean, job security, I guess, right? Human error gets involved and people start to, you know, fall behind.
I think, you know, one thing that we see a lot, right, is underfunded, and they're understaffed, teams really doing heroic effort to keep organizations as best they can, but they can't do it all, right? And they can't do it forever. So something to certainly consider. Yeah, well, hey, you know, we've been talking a lot about that. By the end of this year, we're hoping to be able to do some
business travel again. There's nothing like a year of no business travel to make you miss business travel, but I think you'd agree that probably the favorite business travel is conferences, because we get to see and interact with people in
our industry. Hopefully, when this starts up again, we'll get to meet a lot of the folks who listen to the podcast. But I had an interesting story, in that our guest today is somebody that I met at a conference, actually at a couple of ForgeRock conferences that I can recall. One of the cool things about ForgeRock, especially in the early days, was, you know, the of
some of their conferences. And a lot of times, the two that I'm thinking of were in California, which is such a beautiful state, but the Asilomar Conference Center, it was like pine forest right on the woods, I'm sorry, right on the beach, and it was such a cool place to be. And the other was at the Ritz-Carlton at Half Moon Bay in the Bay Area, and wow, I mean, couldn't pick a better place to go for a work trip. Yeah. I always enjoy going west for
that, for conferences. I'm a California guy, so I like it. So speaking of our guests, why don't we go ahead and introduce Nathan Coffing? He is the head of strategy at Cloudentity. Welcome, Nathan, to the show. Thanks for joining us. Thanks for having me. Really, really glad to be here, and thanks for going to the Wayback Machine.
Those are wonderful conferences, both from a technical point of view as well as, you know, the atmosphere. Absolutely phenomenal for idea sharing and kind of growing in the IAM space. Yeah, it's a lot of fun to kind of interact with folks. I do miss the conference thing.
You know, I never thought I would say this: I miss being in the line to get on to a United flight, scrambling with the, you know, 200 other people trying to fight for overhead space or, you know, under-seat space, you know, whatever it may be. So maybe at some point here in the future that will resume. I know we're going to talk a little bit today about open banking and how that has started to, I guess, well, open up, right, for organizations to
start taking advantage of. But before we get to that, I think it would be helpful for the folks who are listening to kind of understand, you know, your journey. You've known Jim for a long time, in prior roles, and sort of, you know, the maturation of your own career. But how did you get into the IAM space?
Is it something that you chose, or did you choose it, or... Well, we gotta go in the way, way back machine, back to the Netscape, iPlanet days, where I was actually at Boeing working just in cyber side, building, you know, some of the initial firewalls, and then Sun chose me somehow. I'm not sure how they got my number. But apparently there was data sharing back then that required some type of consent, right? And I got recruited into the iPlanet Sun alliance, or the AOL Sun alliance.
And then from there just kind of continued both in the identity space as well as the cyber space. So it's been about 15 years doing just identity, and then hopped back over to the cyber side. Because maybe one of the, or joining, as one of the first couple dozen employees at Imperva back in 17, 2008, 2009, and then really saw kind of this inculcation, this need to bring cyber together with identity. I think that's one of the core tenets of the podcast, right? It's Identity at the Center.
Whether that's the center of your application security or the center of your user security, it becomes a fundamental part to building out your next generation of applications. Sorry to give you a plug, guys, but it's too easy, right? Definitely love that. I always love hearing about somebody's journey in this industry, because usually they started off somewhere.
Like, I don't want to say the bottom, right, but they started out somewhere in kind of the guts of the machine. You started off with the Netscape directory, which of course is kind of like core functionality, but is, you know, more or less in the back office, and now you said you're chief strategy officer at Cloud Identity, I'm sorry, Cloudentity, and I'm wondering if you could tell us a little bit about that role. Yeah, so I think I alluded to it, right, in that previous
monologue. But, you know, what we've done is we've looked to bring dynamic authorization, and what I mean when I say that is bring in a lot more context, right? Now, it can be cyber context, it could be consent context, and push it all the way out to the edge of the service. And so we started, like, thinking, how can we start building
product around this? Looking at microservices, you know, API light infrastructure back in 2015, 2016, and then sort of rolling, you know, intelligence on top of it, and machine learning is a much better descriptor than AI, but I know AI is now more in vogue, to use those words these days. So we started building all these, pulling these different pieces together, right?
Making sure that we could have adequate data sets, adequate rules and adequate policy decision points at the edge of the service, and, you know, as we've built that, you know, started getting believers both in the marketplace, right, meaning some early adopters of our technology, as well as believers in the VC marketplace, and can Under 12 first round of funding last year, as part of that.
You know, I kind of shifted out of the sheer tech point of view and really moved into, you know, how can we lead the team, how can we start building a bigger, broader team, and we've been able to bring in some incredible talent, both from people running in the OAuth circles as well as other IAM platforms. So Nathaniel, I was kind of wondering, you go to a prospect, is this something they've sought
you out because they understand your technology, or are you usually going through an education process? So I'd say that's actually really transitioning over the last three to six months, right? So part of it's due to COVID, you know, part of it's due to the adoption of distributed services, but what we're seeing is that, you know, as people move into the next generation of services, and whether that's Kubernetes, or a service mesh, or functions, they have no idea how
to bring identity constructs into that, much less cyber constructs, and one of the big goals as you're building, you know, these next-generation services is to make them immutable, right? So how can I externalize identity, authorization and privacy? Make that incredibly easy for my developers. So anytime I bring in a new service, it's protected by a default set of rules. So if we think about, like, identity for the last 2,000 years, right?
What's been the hard part? It's always been onboarding applications, bar none, and now you're starting to have the capabilities to get on board, right? Make it very, very seamless, like I can onboard 10,000 services in a matter of minutes, so long as they're next-generation services that are API driven. So you're able to really start driving innovation forward, and instead of becoming this kind of
tax that happens after the fact, you're able to lead the digital transformation by saying, I'm going to make these parts easy for you, and we can talk about that from a
customer perspective. Now, the reason that we have open banking, like, at the center of the discussion is because that's really one of the first mandated and regulated areas where APIs have to be, you know, the center, meaning the first, you know, real API-centric transaction requirements coming from, you know, federal bodies or government regulatory bodies, depending upon the nationality. So we talk about open banking here a little bit. I guess, why don't we start with
what is open banking? Because I think people may be using it and they maybe don't even know it, right? If I think of services, maybe something like Plaid, where you're connecting different financial services together, or I think you do. Into Personal Capital, you know, there's a bunch of these out there that let you interface and pool financial data, right, into third-party apps that aren't necessarily owned by the financial institution themselves. Is that a good explanation of it?
Or is there more to it? You're hitting on the core tenets, right? And it's really about the democratization of banking, right? So I can build, I won't be able to build a bank, I'll be able to build a service that can consume bank data, and then the second aspect of it is the utilization of privacy and consent, right? So I've seen GDPR, CCPA, things of that nature, kind of bubble down on a larger industry basis. But then open banking has been very, very explicit in the
flows. Here's where I need to consent to what. Here's how fine-grained that consent should be. And we're also seeing that start to now percolate into some of the different standards bodies, right? So, you know, what we've seen just in the last six to seven months is a Grant Management standard pop into the OAuth, into the or
standards bodies. And that's becoming increasingly important because everybody, you know, every user now wants to understand where their data goes. They're tired of seeing, you know, the Facebook, Cambridge Analytica, you know, examples, or the Experian data breach that just happened, you know, last week or the week before last. I'm sorry. You know, where, highly insecure API. No authentication, right, for a user or for another service. No authorization. And the only constructs
protecting it was public data. Meaning my birthday. I'm sorry, not even my birthday. My first name, last name, my address, and then an unvalidated birthday, right? So you can program. And when using it in the API perspective, right, you can programmatically go and just download all of it, right? You can literally iterate all the way through it. Taking public records to either pull from the dark web or, maybe you have, you know, from Peridot or something like that, right?
And just boom, boom, boom, boom, right, and now I've got everybody's credit score number, and that's sensitive data to me. I'm sure it is to everybody else listening as well. So I think one of the challenges that I've seen, having been a consumer of some of these services, is the inconsistency with how they may be implemented, and I think of things where, you know, you have to go into this interface, you type in your ID and password for the target
financial institution. And if they have MFA in place or some other type of, you know, second factor that you need to provide, it's a very sticky situation sometimes, where you're waiting, it's almost like they're doing screen scraping behind the scenes sometimes, and it's frustrating for me as a consumer, right? Trying to kind of keep
my accounts linked. How does, you know, from an enemy not knowing enough of how it works between the open banking standards that have been developed and companies who maybe aren't using it? Is that a symptom of, you know, a poor implementation of it? Is it just, you know, how it works right now? Or maybe they're not even using open banking, and that's why my experience is so poor.
So if they are screen scraping, they're not using open banking. You know, screen scraping is a security vulnerability, right? They're doing an impersonation against both, probably, your bank's standards of conduct as well as even their partner's standards of content that you're logging into, and that's been kind of the de facto, right, for the last half dozen years, right? If we've seen financial aggregators really come to fruition. Now, that's changing because,
you know, of open banking, right? Literally everybody realizes that's a big problem. So how do we start to normalize that? How do we build common patterns around consent and around data, right, flows? So if you're seeing screen scraping, you're seeing that delay, you're probably not in an open banking ecosystem, and you don't have the security that's wrapped around open banking.
Now, I'm actually gonna go back to your earlier point, Jeff, and it's a lot worse than we actually think, particularly over here in North America. And what I mean by that is, you know, we've got all of this identity and authorization sprawl. So depending on when your application was built, right, it was a 2008 mobile app or maybe it's a 2020 mobile app, you probably have a different IdP. You have hard-coded
authorization. You have hard-coded privacy built into it. And even those different services, different applications from a singular bank, don't talk to each other. Well, now the banks are actually trying to fix that and kind of give a little bit better user experience, but I can jump, you know, within some of the credit bureaus, I can jump from service to service to service, and I'll have
to re-authenticate. I'll have to reauthorize, I'll have to re-grant consent, because none of it's stored outside of the applications, it's all hard-coded in there, and nobody has any good way of reporting. Now, that's obviously a tremendous liability for the banks, the credit bureaus, et cetera, or for any of the financials. Because they're storing
different data. And any time a regulatory body comes and says, hey, show me, you know, prove to me that Nathan allowed you to use his account data, prove to me that Nathan, like mother's last name, and they have to go and say, okay, well, I don't know what my policies look like, right? I've got to find the developer that wrote that application. That developer has to go back to the code. More than likely that developer's in another company by now, right?
They have to go back into the code, try and extract it, and then showcase exactly what transpired, right? You and I both know that's almost an impossibility, right? The reality is, going across all those different systems and platforms, trying to showcase exactly what happened within a transaction is a lot harder than it even is to explain, right? But so being able to externalize that, normalize it, right, and then use a common authorization, privacy, identity
standard across all of them. Well, that's exactly what OAuth was designed to be. And what I mean by that is we so often do ATC kind of pop out in 2012, right? 2011, 2012, depending upon which one we're going to count by. And the design there was, let's separate context, right, and separate the authorization construct away from the identity, the session building, right? But what we saw the industry do is we took, you know, kind of these big monoliths that we've been using for WAM,
you know, for the 2000s on. Let's layer on top of federation. You look, we're using SAML. Let's layer on top of OAuth. Rider looks layer on top. All you think we took a model? If we threw another model with that. It right? We built kind of these giant rocks that are difficult to use, difficult to upgrade, and aren't meeting the needs of modern application developers. You know, and what we did is we said, well, what happens if we go back to the original intent, right?
What happens if we think about authentication as a session generation, and then there's all kinds of great context that comes from your authentication provider, and then authorization and application identity, that's a whole separate construct. And then when I want to move into finer-grained authorization, or I want to move into fine-grained consent management, I want to layer on top, you know, open banking based regulatory demands, now I can
do that very, very simply, right? I can spin up open banking APIs in minutes, instead of saying, we've got to build this giant sandbox, I've got to upgrade my OAuth server to FAPI 1.0 compliance, I've got to do all these different things, which could be man-months or even man-years. You know, I'm curious, because I highlighted my poor experience with not having open banking in my life, right? So in your mind, and, you know, I'm curious, what does good look like from an open banking
Patient can, is there a gold standard or an example that you can kind of provide to say, if you're doing it right, here's what it should look like? What's the process as a, just a normal customer, trying
to collect my finances? So I'm going to do one better than that, and I'm going to talk about the gold standard that we've seen already in the UK. And so there's a company called Starling Bank. Obviously, we're not sure the motor from the North America so much, but what the, you know, millennials and Gen Z have said is, I want all of my financial services, and this is not just banking and moving money around, but also home insurance, car insurance,
life insurance, right? All these different financial services available in a singular portal, and by using open banking now, Starling Bank has created that portal for Gen Z, and they've seen tremendous account adoption because of it. What they've seen is a tremendous boon, right, to their account adoption, by third parties and by additional new customers. Because now they have kind of this comprehensive ecosystem. They never have to leave that Starling Bank portal. Able to see,
okay, I'm going to sign up for these different insurance, different retirement funds, you know, different investment means, as well as do their regular banking, all from a singular interface, and it's completely changed the way that people interact with them. And that's what, you know, the account aggregators, you know, the Mints, et cetera, have to have strokes driven do to do in North America.
But without having kind of this common symbiotic methodology of exchanging data, of protecting privacy, of all of these different fundamental features of open banking, they're just not able to get there in a secure manner. It sounds to me like the millennials and Gen Z are driving the demand for open banking.
Would you say that's accurate? And, you know, I'm kind of wondering about the value proposition for the banks. Is this something that they want, to be able to enable these financial aggregators in a secure way? Or is it, you know, a compliance driver? So it started as a compliance driver. Well, that was a two-part question. Let me start from the beginning, right? So first of all, you know, Gen Z and millennials are the first digital natives, right? Gen Z even more
so than millennials, meaning they grew up always on. Internet's everywhere, services should be everywhere. So they're looking for distributed services and the best user experience possible. That means pushing the service all the way down to the edge of the millennial or the edge of the Gen Z, right? So my phone's got to be able to do everything in that circumstance. So if we look at, you know, banks, as you know, we've seen banks, banks are responsible for where we are today.
And what I mean by that is not just technological innovation, but innovation across, you know, infrastructure. Accelerate banks have really stepped up to the plate in the last, you know, five thousand years, I think, is a fair way to say it, right, due to the exchange of money and helping us build the world as we know it today. And so when they first started adopting open banking, you're right. It was absolutely, you know,
a cross to bear. It was literally, you know, it's another regulatory burden that we have to kind of pass through, but we've started to see that transition where it's no longer seen as that, because not only are they getting better engagement from the customer communities, but now they're actually getting much better visibility into how their services are being used. You know, what APIs are being called, who are their biggest users?
How are they transferring money? You know, what other partnerships and what other services should they package and integrate that are allowing them to better monetize their customers? So all of that data, that very rich, rich data that now they are allowed to have because they have the appropriate consent, is also the data that's feeding back into a circular loop of better services, which they're able to, again, offer out and to monetize and to build better customer adherence.
Have you seen any differences in how, you know, the pandemic has affected uptake of some of these services, you know, around getting open banking off the ground and becoming more digital first, you know, less touch? And, you know, I look around in my hometown, where I'm at, and I see bank branches shutting down, right, there just, they had the physical presence anymore. I can't
remember the last time I went into a bank. I've been digital banking for at least, it feels like, 10 years. And, you know, that's probably the trend for the future, and I see a lot of those spaces being
repurposed for other things. You know, one's been turned into an electric car charging spot because they have the parking and, you know, no one else is using it. But I'm curious, from your perspective, having worked on this much more closely, if the pandemic has driven this any more than it probably would have gone already just through the natural flow and evolution of services, or if, yeah, there was something here where, you know, COVID's here and we've got to kind of speed this
up, and maybe faster than we were planning on doing it. You're bang on, right? I feel like that was a softball, to be honest. Because, you know, what has COVID done, you know, to push work from home? It's pushed distributed services out everywhere, and whether that's, you know, upgrading your VPN to a ZTNA for the podcast last week, or whether that's offering your services in a very distributed fashion and a very integrated fashion out to your consumers or to your partners to resell, right?
Both of those are driving at lightning speed. You know, you're right. We don't go into any branches anymore. I mean, even Starbucks, you know, I have to order online, right? Then I can go pick it up from a branch, but, you know, the reduction in touch interaction, I think, is a fair way of saying it, you know, due to COVID, has really pushed net new digital services and net new ways to engage with your customer base out into the marketplace.
I'm thinking about these open banking APIs, and I'm wondering, are banks deploying the APIs to bolt onto their applications and their systems, or are they deploying the APIs and then building their services on top of it? And I guess I'm getting at that from the standpoint of the security being layered at the API level, right? It seems to me that if you're building apps on top of it, you still want to put that security at the API level.
So, broad question, I guess, is are the banks themselves using those APIs they're deploying? And then why is securing at the API level necessary? Okay, lots of questions, so let's just parse them out, one by one by one, right? So when we look at open banking, you know, I break it into kind of three major fundamental steps. So the first is building an API-driven infrastructure.
This is where you'll create a net new API, you know, through Apigee or Axway or one of the API gateway vendors, to your back-end services, right? And that's step one, and that is just to participate in an API-driven ecosystem, which obviously open banking is one of them. Step two is bringing in that security layer, right? So open banking has designated FAPI, which is financial API. It's a standard put out by the OIDF, the OpenID Foundation, that, you know, mandates
a number of things, big things like pairwise identifiers, right? So shared secrets, essentially, is the easy way to think about that. Mutual TLS between client and server. Secure software assertions, right? So you have a signed certificate that says, I can be a client of this service, are kind of the fundamental pieces, right? So they have mandated a gold standard for API security is
the easiest way to think about that. And I think that should be carrying across all industries, because we wouldn't have the Experian problem, right, just to relate it back to today, if that was in place yesterday, right? Now, the third step is that consent factor. And I think this is where things start to get really, really interesting, because consent has kind of changed rather dramatically in the last five years, right? So start off with GDPR, we got
all of these kind of blanket consents. You've got the pop-up ad, you know, or the top banner saying, hey, I'm consenting to my cookie, you know, take all of my data, or store your cookie here and capture my pee, and everything else, which we all hate. But it seems to be a necessary part of using the internet at this juncture, right? So that's been around for a little while, and that was kind of the start of, how do I mitigate, you know, some of the GDPR needs. That's a very blanket-based
consent. Then it is the OAuth-based consents, right, that I think most of us are familiar with. This is, we're going to Facebook. Facebook says, hey, I want to see your first name, last name, phone number, and I'm gonna do whatever I want with it, right? You know, I'm going to store it and, you know, it's gone from you now. And that's the second one, and it's definitely not fine-grained enough, right? Because there's no real consent. There's just, hey, take my data and do whatever with it.
Now, the third one, which open banking's introduced, is really consent that actually happens before the OAuth consent. That is, I'm going to consent, and you're very fine-grained around this account with this transaction ID. I'm going to consent to sending it to this third party, right? And this is where those third-party providers and the
aggregators really come to bear. And so what we're seeing is very disconnected approaches to consent, you know, kind of again based upon that sprawl we were talking about earlier. You might have the blanket consent. You might have some OAuth consent, but unless you're in an obeah ecosystem, the open banking ecosystem, you're not bringing to fruition the open banking consent. So what we've done is we brought all of those together, right?
So you have a common model for consent that spans the three different types. Actually, a fourth type as well, but we'll dive down the rabbit hole if we go that way. So I have a common model for understanding what I've consented to do to an organization as well as what I've consented to an organization to share about me, and I can go and revoke, manage it. I can give you, you know, you can use it one time. You can use it seven times. You can use it for 30 days, you can
use it for 24 hours, right? So I've got very fine-grained controls around how I'm willing to share my data out to an organization and how that organization has to treat the data going out to third parties. Sorry, the rest of your question was where should API security lie, right? And so the very interesting thing about APIs is something like 80% of the internet traffic is now API driven, right? And you have to think about APIs
as machine-to-machine, right, or service-to-service, because that is the fundamental underlying flow, right? And whether it's me going through my iPad, right, through an app on my iPad, it's making an API call back up to, you know, Wells Fargo or to my bank. And that is a machine-to-machine communication. We have to start rethinking identity. So we've always thought about identity as a user identity, right? Super easy. I know how to authenticate users, right?
We can do that very well, although we don't do that for a while, but that's a different point of discussion. Now, when we start thinking about identity of machines, right, I've got two different aspects of that. I've got workload identity. And this is like the carbon, right? This is my function that's spun up, or my Kubernetes node, or my Kubernetes pod, sorry, that I just spun up, that Kubernetes.
Each pod registers. And if it's in something like Istio or a service mesh, it'll go and get its own what's called a SPIFFE, service product service. Provider identity for everything, which is an X.509 cert, essentially, that's giving a very short-term, oftentimes it's 90 minutes to two hours, identity down to the workload. Now, what we've done is we've also brokered that, so we can take a SPIFFE identifier and now we'll assign a service identifier, OAuth client ID, down to the
that workload identity. Brought those together. And now we have a much better way of governing a user accessing a service identity, which is tied to a machine identity. So I have independent client identities that are now tied to different workload identities. So every instance of my service that spins up has its own unique identity, instead of the old way, which is an API key, right, that was shared across a hundred different services or 1000 different services.
Even now, I have individual X.509 certs. So if I have a breach, I can know exactly which individual instance it was. As opposed to "my service got breached," I can say this service instance got breached, I'm going to go and rectify and look at the low audit logs for that as well. That sounds pretty spiffy to me. You know, one thing I thought as you were describing that framework, which included open banking, you peel out kind of the open banking thing, I'm just kind of freestyling here.
It sounds very much like a framework that can be used across industries, which I think is what you said. But I was also having the thought, I think, you know, to put it in OAuth parlance, you're talking a lot about allowing certain scopes, kind of put me into the mindset. I'm thinking of when it comes to that, I mean that's almost functionality, Shores security. So, you know, especially from an authorization context. But that's really like at the core functionality of what is happening here.
Jim, you're right. So, you know, kind of putting it into that OAuth scope parlance, right? So what we're talking about thus far was all like OAuth client credential flows, right? How am I going to get a service identity to a machine identity? Now, when I start talking about how am I going to authorize data, and whether that's privacy-related data, you know, be a grants or even other data that might be t.i. at it, might not be PII.
Those are the scopes that you're talking about. And so, you know, what we've done, and not to kind of toot our own horn too much, but is we built governance around the scope. So as a developer, I have governance that covers exactly what's going to transpire. So when I register a service, I can no longer ask for, hey, I want that full JWT. I want the full user record. I need all this data, unless I
actually need it, right? And that's a very different way of treating it. So I just used this metaphor on the Open Banking World Congress just last week, but, you know, what we're seeing is that PII, right, for the last decade has been called, it's the new oil, right?
You know, from whether it's Harvard Business Review or CIO Monthly, but it was really becoming the new CO2, right, because we're not able to control it, we're not able to constrain it, it's propagating wildly because we're sending these giant JWTs, or these giant access tokens, from service to service to service, no idea where the data goes.
Right? Might get dumped in a syslog, might get pumped out to another API that we are unaware of. It might go into any recording platform, or might go to a rogue service, no clue once it's out the door. So by actually doing governance around the access token that's being minted, right, what are we able to do? We're able to say service A can
see full user record. Service B can only see first name and transaction ID. I think of all the things that can go wrong for banished from a security perspective when it comes to APIs. And then you toss in like Facebook, wanting to be at having access to financials, right? You mentioned face. I'm like, there's no way I'm ever going to allow, like, Facebook to be financially connected to the rest of my stuff, right? But that's just an editorial comment. Anyway, from a security perspective.
What is the worst thing that could happen if the open banking APIs, or really just APIs in general, aren't properly secured? I mean, obviously there's theft, right, someone could intercept and steal money. I think of an attack, if you're a fan of Office Space, where you're maybe developing an API that, you know, just takes fractions of a penny, right, from a bunch of different accounts and, you know, you hope
you're never caught. What are some of the other things that maybe aren't as noticeable from a security perspective that people should be concerned about and drive towards making sure that APIs are properly governed, are properly secured, and being utilized the way that they've been designed to? Yeah, so that's a good question. And, you know, it's actually relatively scary like when we start back to talk about it, because if I look at, you know, what's driving my Tesla, it's API, right?
It's calls from, you know, a service on my steering wheel and my accelerator down to, you know, the central control panel and then talking out to the internet somewhere. So what can, what's the worst-case scenario, you know? Yeah. Well, somebody takes that over. And we've seen it. We've seen it hacked many a time already. I think, Dodge not successful in a fairly but Dodge and a few other ones have had their, you know, their auto-drive features and APIs hacked.
We saw that we're just person Mercedes. I think, believe that was the end of last year. It wasn't a hack of the driving system, but it was a hack of the data coming through the Bluetooth platform, right? So, so it's not just personal data but your actual livelihood, right, can be impacted, and whether it's a, you know, heart monitor, an IoT device, or whether it's the car that you're driving, right? And not doing API security, right?
Is going to fundamentally put you at risk and put your organization at risk for not just, you know, financial liabilities but potentially, you know, livelihood of people. Yeah. I think about that too. And it's a connected world, and if a human designed it, that means that there are flaws in it and there will be, you know, ways to break systems that have been designed. I know that you've been very generous with your time with us.
And one of the things that we've started to do is kind of close out with maybe something not so IAM, so that we're not leaving on a heavy note, right? Try to lighten the mood after the doom and gloom of not having APIs being secured and, I think, all your money stolen and Facebook watching you. Jim came up with a good one. I'll let him have the honors. Jim, why don't you go for it? Yeah, but before I do that, Jeff, I want to remind you, they are fractions of a penny.
Have you seen the penny dish at the convenience store? They're for everyone, right? Community pennies. That's a little Office Space chatter, if you will. So my non-IAM question, and this is really timely because of my gas guzzler that I mentioned earlier, my non-IAM question is: what is the coolest car you've ever owned? And I'm going to start with Nathaniel.
Oh, this is a, I got a two-part answer on this one too, so I still own it. So I have a 77 BJ40, which is the old Land Cruiser, but the BJ is a diesel designation. I imported it from Canada 25-some-odd years ago, so it's kind of like a diesel Jeep, essentially, that's incredibly low geared. Seemingly can drive up trees, although I would never hurt a tree. Second one would be an F100. So I've got a 52 F100, that's in
my garage. That's, I mean, it's pretty to look at and that's more my wife's car, but I bought it for us. There's a tough guy. For me to my first cars. Like I love this so much. It was a 69 Ford Falcon with dry-rotted winter tires. So in other words, these tires were like, if I stepped on the gas, they spun and left a black streak behind me and left a bunch of smoke, because they were just like just so old of tires and everything, but that was a fun car.
I had a 72 Nova SS in college. I drive a Mustang convertible now, but I think the funnest car I've ever owned was, I had an 88 VW Vanagon with one of those tops that popped up and became a tent. And it had a full-size bed under it. And a full-size, the back seat folded down to become a full-size bed. It had a kitchen and a refrigerator in it. I mean, it was like my Hippie Mobile.
So that thing was, you know, everybody loves it, it was a conversation piece. The only downside, there's two downsides: one was, I mean, the thing broke down a lot, so it was in the shop about as much as it was in my garage. The second thing is it was a gas guzzler. So when gas was cheap that was no problem. But when gas got expensive and, like I'm experiencing right now, where gas has not existed in my part of the country, that was
not the best. So, with that, I already know what Jeff's answer is going to be. So go ahead, I'll pass to you, Jeff. Well, okay, so I'm not a car person at all. I'm more of a, you know, the tech geek nerd. So, of course, my answer is probably not going to be surprised, but it is definitely my 2018 Tesla Model 3. Absolutely love that vehicle. Absolutely perfect. Never had a problem with it, at least no major problems.
Right? Stuff that, you know, little things here and there, but it is so much fun to drive an electric vehicle. You know, I'm a Tesla fan just, they were the ones that came out ahead of time and the one that was available. And I've been waiting on that one for a while. So I guess you can coin that my maybe midlife crisis car, but I
think it's fantastic. I have not been to the gas station in, I don't know, at least six months, maybe even longer, mostly just to fill up my wife's car, and I haven't, you know, I can't remember the last time I had to take care of an oil change or anything like that. I mean, the only maintenance I've had to do on it is putting in windshield washer fluid, that's it. So absolutely, the Tesla is just so much fun to drive and, you know, I think it's not, it's not specific to Tesla, right?
The quick acceleration and the torque that you get from an electric motor. Most electric cars are a lot of fun to drive and it comes down to, you know, probably the comforts that come around it. But, yeah, absolutely. It is, is my Tesla. That is my pride and joy, and I'm already looking forward to my next EV and whether I'll stay with the Tesla brand, or maybe look at something like, we were kind of talking about this last
night, my wife and I, around, you know, maybe the Ford Mustang Mach-E, which is, I know, polarizing, whether you should be using the Mustang name for an electric vehicle, but it looks pretty sharp and seems to have some pretty good metrics around it, so I'm going to go, but I'm going to go with my Tesla. That's, that's my jam and it's a lot of fun to drive.
So I think with that, that's probably a good spot where we can go ahead and leave it. We had a pretty good mix of vehicles there between trucks and hippie mobiles and Mustangs and Tesla. So I think we covered really the wide variety of vehicles that could potentially be out
there. Nathan, thank you so much for joining us, and hopefully people were able to get, you know, an idea of kind of, at least, if they, if they aren't familiar with open banking, you know, how they might already be using it and not even just be aware of it, but how, you know, technologies and standards are developing to make life easier to be able to manage finances. And, you know, underneath it all, there's identity, right? It's part of this process, etcetera.
I will have a link to Nathan in the show notes if you want to connect with him on LinkedIn. Obviously you can connect with Jim and I there as well. We're always happy to engage and talk with, you know, our listeners and get ideas for shows, and so forth. Also have a link to Cloudentity's website.
So you can learn more about what Nathan and his company has been doing in this space, you can get familiar with their offering, and for us, right, you can always find us on the web at identityatthecenter.com, you can find us on Twitter @idacpodcast, and with that we're going to go ahead and close it out for this week. Appreciate everyone, thanks for listening, and we'll talk with you all in the next one. Thanks for listening to the
Identity at the Center podcast. If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.
