It's your time.
Awesome. Thank you. And thanks. As many of the speakers have noted, it's really nice to be back in front of a live audience finally, and actually see your smiling masks. I know you're smiling under them, so I can see the squint lines, I thought. I'd give you just a quick bit of background on myself, because I may be a little controversial on a couple of topics, and I just wanted to give you an idea of where that may come from and how those perspectives are informed.
So I'm almost 30 years in cybersecurity, almost three decades now, which is beyond my belief. I've spent time on both the identity side and the cyber side, but I really think of myself first as a cybersecurity expert, having done that as a practitioner and a CSO and a CIO.
So I've been on the user side of it, and then lots of years on the vendor side. On the vendor side, like I said, most of the positions I've been in are with companies that do cyber; I've had two stints in identity management.
This is my second. The first one was with a PIPA vendor that did kind of hybrid cloud PIPA stuff; CA bought the technology some time ago. So I was with exceed.
But when I come at this, I think of identity from a cybersecurity lens, and the good news is CISOs care about it. It wasn't on the CISO top 10 list until more recently; in the last year or four years it's been the top one or two things, but for a long time many security officers just didn't really think about identity that way.
It wasn't one of their top problems, but now they all understand. So let's explore why that is and what we can do with authentication.
So we won't do a big history lesson, but the presentation is "Passwords and Beyond". Getting rid of passwords, as we look at it, is really just a first step on a longer journey to building out strong authentication. But they're sticky. They're very sticky.
They were first used in computers in the sixties, and obviously invented a long time before that, medieval times even, but they really didn't proliferate. They weren't really much of a problem until the commercial internet came along with Netscape.
You remember that: the Netscape server and the browser, and SSL, which is now TLS; they invented that technology. So now we could do business on the internet instead of just sharing it between universities and government agencies.
As that happened, you ended up having commercial accounts, and that's when passwords for all happened.
Studies differ, but they say all of us, particularly in the tech industry, have somewhere from dozens to hundreds of passwords these days that we have to manage. And so they became one of the number one attack vectors for the bad guys, and we'll talk about that in a second.
If you believe the data from the Verizon Data Breach Report, somewhere north of 60%, in the 70% range, of all breaches, the initial way the attacker gets a foothold in the network is through stolen credentials. So it's obviously a big problem, and this is why passwordless and identity and things like that are on the mind of the CSO these days.
But we started with these recommendations about making a password longer and stronger, and that's interesting, but it really belies, it doesn't inform, the way hackers get them.
If I make a four-character password or a 400-character password, it really doesn't matter if I type it into a phishing email or a phishing site, or if credential-theft malware running on my machine steals it. It doesn't weigh the password first and say, oh, this one's too heavy, I'm not gonna steal it.
It's gonna take it. So the problem is, as end users, we can't do a lot about that.
But as companies thinking through authentication, we can. And it's interesting: we had a lot of things come on beyond that. Password managers came up, and then MFA and 2FA.
So I'm gonna make a little bit of a controversial statement.
As I told Martin earlier, we're fans of multiple factors, but we're not fans of multiple weak factors. And really that's a lot of what legacy MFA is: I've got a password plus maybe a one-time password sent through an SMS or an email. If the machine's already compromised, it's easy to get those things. So there's lots of different ways that the legacy MFA solutions have been hacked, and it's partially because they rely on multiple weak factors.
If somebody was trying to protect their house, they wouldn't put a screen door and then another screen door, or a screen door and maybe a hollow wooden door. You're gonna put maybe a screen door and then a steel door, something strong, as the second factor, so to speak.
So it's not that you don't need multiple factors, but you want multiple strong ones. We'll talk about that a little bit.
Anybody playing bingo? I'm not gonna spend a whole lot of time on this slide. The one common thread to all these fairly recent attacks, and we could fill up pages, we get to read about 'em all the time, was that the initial attack vector was through a password. The most famous is probably SolarWinds, which they blamed on the intern, which was not a very good PR way to deal with it, but it was "solarwinds123" that allowed the Russians to get inside the network and put code in their code base. And then it got delivered. I think we all know the story about all the different companies and government agencies that got hit.
What people don't realize is they also bypassed SolarWinds' MFA as they got back in, if you read the whole threat report and the whole detailing of it. Now, that was a fairly sophisticated version. It was not necessarily just weak MFA.
They actually got into the back end of the system and created a set of cookies that they could use to get in. So when they got the second challenge, they could just bypass it. So they had in-and-out access to SolarWinds for quite some time. So one of the concepts, when we talk about strong authentication, is we start to think about this concept of identity being really the new perimeter.
Back in my early days, when I was writing COBOL code at an insurance company, all of our stuff was inside the castle walls.
Now everything is moving outside of the castle walls. In the old days, we could protect it with the network perimeter. Obviously that's pushed all the way out, so with the pictures we've got the idea of the castle; you can't survive anymore. Now we've got the idea that it's a village: you've got some stuff inside the castle and some stuff outside the castle.
So the network protections that you have really aren't available to you in many cases, and it got worse with COVID. Now anybody can work from anywhere and access anything from anywhere. So we're in a whole new situation. There are two things that come up when we think about strong authentication. One of them is that it's not just keeping the bad guys out; it's letting the good guy in, and letting him in for a long period of time.
So it's not this idea of a toll bridge that you go across. It really needs to be a toll at every doorway.
If you get into a secure building, they'll check you in at the front and you use your badge to get in. Then you have to use your badge to go into a lot of the other rooms. And we need to think about security that way, continuously authenticating, rather than just: once they get over the toll bridge, they're in and they can do things. And we also need to think a lot about the device itself. It's not just the person, it's actually the device. You have to pay attention to what device we're bringing.
Because we're not bringing it onto our network.
I can't enforce the control there. We're bringing it to SaaS applications.
So those are gonna be two really key concepts to building out modern authentication. And really that's the premise of zero trust.
A lot of that is not just this concept of identity as the new perimeter and how we have to engineer things. It's not zero trust in itself, but it is a fundamental building block to building out a zero trust environment. We say, not so jokingly, that you can't really have any zero trust kind of mechanism if you're using passwords, since they're so fatally flawed. But there are other things: you want to validate the identity of the person. I really wanna answer three questions. Is it Martin?
Is it Martin's device, the one I've issued to him? And is Martin's device secure enough?
So we're gonna come back to that concept. You want to do all of those things on a continuous basis. But if I did that and I asked Martin to do unnatural acts every time, if I made it really difficult and the speed bumps high, and he had to pull out a phone and type in a code and all these things every time, you couldn't continuously authenticate. You'd have so much friction that your users just wouldn't put up with it.
Whether it's your workforce or your end customers. So you can do these things now, which is nice, but you have to do it with a user experience scenario in mind. And what does an ideal solution look like? It looks something like the airport; we're all very familiar with that physical model.
We go in, we show 'em our passport. There's been good identity proofing on the passport, so they know it was issued to me; they're hard to copy, they've got controls. But they don't stop there.
They don't look at my passport and my ticket and let me go to the plane. We go through the scanner; they don't trust that it's just me and it's okay. And then they put our bag through the scanner too. And any of you who have ever left your glasses out in the bar area before going through the checkpoint know that if you go back out to get your glasses, they're not gonna wave at you and let you go right through again. You're going all the way back through that same process: a continuous authentication model.
So these concepts aren't really anything new in the physical world, but that's what it would look like.
You'd be able to confidently authenticate users. You'd be able to very positively identify the device you're using, check the person, check the bag scan, and then scan them completely, making sure that you're not bringing a knife or a sword or anything onto the plane that you shouldn't be, or a gun in some cases. And like I said, you have to do that at the airport.
They don't think as much about this, but they're trying to improve the process and make it go faster. It's certainly not frictionless, but in the digital world, we have to make it frictionless. So that's kind of what we've done.
When we designed the solution that we put together, all those concepts were in mind: multifactor authentication that only used strong factors.
In our case, we're using the first factor from the device, either the biometric or the PIN code attached to the device. And for the second factor, we're using the same thing that SSL and TLS, the lock in your browser, use: it's an X.509 certificate that we share.
And the unique way that we've done this is we store the private key of that on the device, in something called the TPM or the enclave, which not only secures it but makes it immovable. So I can't, as an end user, move it from one device to the other; the company or the organization can control that.
So I get a strong cryptographic relationship between the user and their device. I know it's Martin, I know it's his device. And the third thing our software does is a security posture check, and it hands that over to our back-end cloud service, which checks a bunch of different security settings.
And then with a policy on the back end, it can control whether Martin's device is strong enough to get access to whatever he is trying to access. So in this cloud world, this idea of the device piece ends up being really interesting and really important.
With traditional MFA, I can't control Martin going to the hotel computer in the lobby and logging into one of his SaaS-based applications that maybe have some critical information in them. We all know that those hotel lobby computers are not really anything you wanna do anything critical on, or go to your bank account on, because they're likely compromised or exposed, but you can't control that. But tying the identity to a specific device, you can, with policy.
So not only are we checking that it's his device, we're also able to control what that device has access to.
So a strong authentication of the future really brings all of those things together and allows you to do that check at every doorway. Don't check it once and then turn on, for example, in an MFA world, since traditional MFA is pretty hard on the end user, what do we do?
We turn on session timers, and we let those session timers go for sometimes weeks, sometimes months. We had one client that kept them on for 30 days. Well, that's not continuous authentication, even to get in.
So if you work back from what zero trust means, it really does mean check every time, which means you have to make a user experience that is just seamless, not just secure but really frictionless. So if we've got any questions... I think, oh, I'll take one more slide and just look a little bit forward.
So we've really gotten to a place where we can start to implement passwordless now. Bill Gates, back in 2002 I think, at RSA famously stood up and pronounced the death of passwords. And many years later, we're still here, and we've really just gotten to the point where you can do it in earnest and pull 'em out, particularly of the workforce or your consumer-facing, customer-facing applications.
So FIDO really led the charge there; companies like us and others have taken that mantle and continue to run with it. And where does this go in terms of building strong authentication? It's adding that device piece in, and then in the future, if you're getting all those transactions and you're doing those device checks and the people checks very continuously, you have a treasure trove of data to mine with AI and ML, machine learning kinds of things, in the future.
So we think, if we look a little bit down the road, we'll fix the hole in the beginning and produce enough data that we'll be able to leverage that as part of the policy decision as well. So I think that's where it's going. And with that, we'll open it up for any questions.
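The flow the speaker describes in the talk (a first factor unlocked on the device, a device-bound X.509 certificate whose private key cannot leave the device, a posture check evaluated by a back-end policy, and a fresh check at every doorway rather than a long session timer), written out in Go as an added illustration that is not part of the talk or of the speaker's product. Assumptions: the in-memory ECDSA key stands in for a TPM- or enclave-held key, the self-signed certificate stands in for the certificate issued at enrollment, the `Posture` fields and the `wiki`/`payroll` policy are constructed for the example, and the biometric or PIN first factor is assumed to have already unlocked the key on the device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// Posture is a constructed, deliberately small set of settings the endpoint agent reports.
type Posture struct{ DiskEncrypted, FirewallOn, OSPatched bool }

// Device models an enrolled endpoint. The in-memory key is a stand-in for a TPM/enclave-held key.
type Device struct {
	Name    string
	priv    *ecdsa.PrivateKey
	Cert    *x509.Certificate
	Posture Posture
}

// NewDevice generates the device key pair and a self-signed certificate (stand-in for the enrollment-issued cert).
func NewDevice(name string, p Posture) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Device{Name: name, priv: priv, Cert: cert, Posture: p}, nil
}

// SignChallenge is the device side: prove possession of the device-bound key by signing the server's nonce.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Server stands in for the back-end cloud service: enrolled certs, single-use challenges, posture policy.
type Server struct {
	enrolled map[string]*x509.Certificate
	nonces   map[string]bool
	required map[string]Posture
}

func NewServer() *Server {
	policy := map[string]Posture{"wiki": {}, "payroll": {DiskEncrypted: true, FirewallOn: true, OSPatched: true}} // constructed
	return &Server{enrolled: map[string]*x509.Certificate{}, nonces: map[string]bool{}, required: policy}
}

// Enroll records the certificate the server will later verify against.
func (s *Server) Enroll(d *Device) { s.enrolled[d.Name] = d.Cert }

// Challenge issues a random nonce; every doorway gets its own.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce
}

// Authorize consumes the nonce, verifies the signature against the enrolled cert, then applies posture policy.
func (s *Server) Authorize(name string, nonce, sig []byte, p Posture, resource string) (bool, string) {
	key := hex.EncodeToString(nonce)
	if !s.nonces[key] { return false, "unknown or already used challenge" }
	delete(s.nonces, key) // single use: a replayed response is refused
	cert, ok := s.enrolled[name]
	if !ok { return false, "device not enrolled" }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) { return false, "signature does not match enrolled device key" }
	req, ok := s.required[resource]
	if !ok { return false, "unknown resource" } // fail closed
	if (req.DiskEncrypted && !p.DiskEncrypted) || (req.FirewallOn && !p.FirewallOn) || (req.OSPatched && !p.OSPatched) {
		return false, "device posture below policy for " + resource
	}
	return true, "ok"
}

// Access runs one complete challenge/response for a device and resource.
func Access(s *Server, d *Device, resource string) (bool, string) {
	nonce := s.Challenge()
	sig, err := d.SignChallenge(nonce)
	if err != nil { return false, err.Error() }
	return s.Authorize(d.Name, nonce, sig, d.Posture, resource)
}
```

`Access` runs one complete exchange, and each call to `Challenge` issues a single-use nonce, so a captured response cannot be replayed for a second doorway. A key from an unenrolled machine (the hotel lobby PC in the talk) fails verification even if it presents an enrolled device's name, and a device that verifies but falls below the posture policy is still refused for the sensitive resource while being allowed into the low-sensitivity one.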