So actually, obviously we're here to talk about authorization at the nexus of zero trust, as well as what's historically been called privileged access management. And we are going to talk about that. But before we talk about that, I'm gonna say, obviously we didn't coordinate any of this, but just that last question from David and the urging from Peter to move faster, I do want to, that was how I was gonna open this talk anyway, and I was gonna open it because, you know, I'm the co-founder.
And one aspect of starting a company is to indulge in impatience, right? And actually find that spirit of, well, why do we have to wait till next year or next decade? Why does it have to improve for only our grandchildren?
Why, why can't we have better things now? Okay, so I'm asking myself that all the time, and that guides a lot of my decision making.
And then I find when I ask that question, I find that actually the answers are coming up again and again.
Well, you know what? The barriers to having better authorization now, they're actually falling down day by day, really over the last few years. I think all of us can sense, we just heard the Passwordless talk earlier. All of us can sense how the authentication story is resolving.
And, and this is the moment. So anyway, I just really want to echo everyone that's participating in authorization. Everyone that's thinking about it now is the time.
So like, let's charge the hill. Related to that, there's also one other intuition that I use that I wanna share. I don't know.
Maybe. It's a fun story. I find it fun. So I'm gonna need someone's name. Can you pronounce it okay?
Yeah, yeah. We're, you're, we're supposed to meet today, so you pronounce it for me, Chen.
Okay, so Chen, yeah. Alright, so when I, I have my messages here and I've got a text from my wife, I've got a text from the airline, okay? And then I've got a reminder to come to this session. So when I turn my phone to him, which ones should he be able to see, right? Which pixels should be visible to him?
Well, he's registered for this session too. So ideally what I want is my phone. I want at a hardware level, I want at a silicon level, I want him to be able to see those pixels or those bytes of memory underneath. Okay? And I want the text from my family members to be blurred out. Okay?
Now, as a technologist, my intuition is, gosh, we're a long way off from that.
That's not how computers work is often how I would, how I would phrase that.
But, you know, the more you think about it, maybe it's not that far off and maybe we can expect more. Okay? So I expect more from our computers.
It's 2024 and beyond. And we're gonna look at how applying that expectation to very old topics like privileged access management, and even, you know, decade-old topics like zero trust, can give you something that feels correct, feels modern, feels current, and I think is right for this moment of authorization. So let's get into it, of course.
Just a quick note about StrongDM. So we do handle those traditional PAM use cases, but really a lot of customers come to us for those cloud-forward cases. If there was one signature of why folks adopt our product, it's really about adoption.
So penetration of those privileged access cases into all the workloads, all the use cases throughout the enterprise. If you've got PAM and you've got an adoption problem, you can see me after. Okay?
So when folks are using our product, a lot of them really do start their day with no authorization, okay? And so they wake up and they start their work, and their work really does begin like this in a resource-list, zero-standing-privilege fashion. And of course our next step is then we have to appeal for some authorization. You can imagine there are a lot of ways to do that. There's ServiceNow, you can imagine there's chat ops, all that stuff exists.
But since we're talking about authorization and since we're talking about upgrading our expectations for what authorization could be, let's just ask authorization a few hard questions. Like, for example, should an authorization at the start of a session apply for the duration of the session?
There's a lot of technology, that's how it works. That's just, that's what the underlying substrate produces and requires.
And I'll say, you know, if we're expecting more out of our systems, we kind of don't have to expect that it continues to apply. We don't need to expect that authorization to persist in the presence of changes, right? So if the context changes, we heard another talk earlier about signals that are coming from outside the system. So as those signals change, how do they propagate into the decision? Okay? What's the latency of that propagation? These are all questions that we could ask, 'cause computers are fast, right?
These are all things that we can hopefully start measuring, not in minutes, we're not. Hopefully we're gonna dispose of seconds, hopefully we're gonna start talking about milliseconds. Hopefully we're gonna start talking about microseconds, okay?
That's the rate at which we can think and we can hope for changes in context.
Okay? And what kinds of other changes? Obviously there's a lot of changes.
There's scary, look at that scary image, there's scary things that could be happening on my workstation. There's all sorts of interesting time properties. Ultimately we want to combine all of these into, of course, a real-time continuous assessment of all of these properties. So this is of course a metaphor and an idea that you're familiar with. It's something we aspire to. But what I'll say is, in my experience, this is something that is achievable today. We also just heard a bunch about brownfield.
It's true that brownfield makes this more challenging, but in our case, we found that especially by embracing brownfield, a lot of this is possible today. And I'll show a few examples momentarily about how that feels within a fully articulated product. Look at this.
Oh, denied. Oh, love that animation.
Okay. So also in the title of this talk is the micro prefix, okay?
And, you know, the grain size of authorization is, you know, art, maybe eventually it's science. What granularity are we going to authorize? You know, just in defense of roles for a moment, thinking in roles is an important device for helping us plan, helping us organize our thoughts, okay? And so that utility of thinking in roles, it does persist. But of course as we think about adding more richness to that authorization context, we very quickly get into cases where attributes are appealing as well, right?
And then, so we're thinking in roles, we're thinking in attributes, you know, the more we think about what's happening, you know, do I have lasers here? Yeah, I have lasers, you know, on the contrast here between I have access to the whole database versus I have access to finer-grain structures and actions within the database.
You know, you begin to get a little bit of intuition that there's a management and a manageability challenge. But of course that's another area where we can be hopeful.
We can be hopeful for AI, we can be hopeful for the power of all of our current systems that we rely on. Okay?
So I still love roles, I do love attributes, but really, and this is a quote from one of our customers, what we're focused on very often every day is how to achieve star-BAC, is what we call it internally, especially for those key privileged operations. So those operations that have the huge blast radius, the high consequence score, right? How are you going to really have great hygiene, great visibility about those operations among all the operations that are happening in your enterprise? Okay?
So let's see a few examples.
And if anyone wants to heckle or yell out that's not possible or that's not how computers work, I would invite that. Okay?
So, alright. So I am expressing this example, by the way, using the Cedar policy language. So at StrongDM we have, because we do so much brownfield work, we do a lot of our authorization through proxies. And so that proxy needs to have, at essentially microsecond latency, needs to be able to evaluate policy decisions. So we've embedded the Cedar policy engine.
In fact, for any of you that have substantial Go code bases in your environment, we created the Go implementation of the Cedar language. And so we've embedded it directly into our proxy, which means we are capable, as, for example, an action like a sudo operation inside of an SSH session.
You know, we can subject that to constraints, we can subject that to every kind of constraint that's possible with the Cedar language. And then we have additional functionality for, for example, triggering, you know, a step-up in this case here.
And so what you're seeing is, of course, as I'm performing the sudo operation, what's happening is, you know, the network sort of comes alive and it suspends that action in flight, okay? So that action does not proceed until such time as this MFA is fulfilled. And the user experience for that is you're still typing the command, you hit enter and nothing happens. Your phone buzzes, you tap approve, and then it proceeds. Okay? And that's just a really, really exciting, profound feeling to feel that happening. And I love it and I use it every day.
So here's another example that's pretty far afield from, you know, sudo make me a sandwich.
Let's, let's talk about, you know, a very different context. We've got the admin console inside of Microsoft 365. So there's a, there are screens within the 365 admin console that actually Microsoft won't allow you to control, right? So there just simply is no control for, for example, the set of fields related to user contact information. If you have update and create on user, you can also update and create on the contact information.
But because we are often sitting in line on this workload and because we're parsing the protocols, you can subject that finer grain action to additional policy constraints. So in this case, I have a geo constraint and the net of that is not only am I preventing changes to maybe the job title or the display name here, but I'm also providing a custom error message back to the user, okay? And that's something that again, like, feels like it almost shouldn't be possible, but I expect more from our computers.
And so it is possible.
Apparently people still use databases and we keep a lot of crown jewels there, okay? And a lot of us, you know, there's a lot of records stored in those databases and we've got exfiltration risk, we've got privacy concerns, we've got regulatory regimes. So this is another environment and a context where appreciating at a fine grain what's happening matters. And you know, maybe in the underlying system, of course you do have existing roles and permissions and authorizations, but this is just a case where belt and suspenders and redundant controls is actually appropriate, okay?
So, so you might for example, say it's permissible to interact with that table, but while you're doing it, I'm going to redact a set of columns. And you know what, I'm also just gonna limit volume. I'm gonna say you can only see four rows at a time.
Yeah, you can page through it, but that's gonna set off other alarms, okay? And lo and behold, regardless of what data tool I'm using, I might be using Tableau, a Jupyter notebook, that column doesn't exist and I'm only seeing four rows at a time. Okay? So this is an authorization environment that is speaking across an extremely broad diversity of system types, okay? And it's doing all of this in real time at wire speed.
Okay?
So we've heard a lot of identity fabric stories before, so I just wanna focus for a moment on some of the stuff that often an identity story can be lacking, and something that, you know, hopefully all of us can ask our vendors and our colleagues for more of in this dimension. So, you know what, I'm just gonna say all the stuff should be continuous. There's just no reason to wait. Okay? And so that does mean that you need to think about your event propagation pipeline. It does mean you need to get the change events all the way to the enforcement point quickly.
But again, computers are fast. Please just expect it.
You have to, not all actions are created equal, okay? And so we've talked about it as blast radius. We've talked about it as quantified consequences, but there is fundamentally a power level for each click, for each view that's happening within your system. And even in some of our threat models, that's actually a core notion, is power level. So when we see spikes of power, that might not be related to API call rates or anything like that. It could be a very low rate, but if it's a high-power action, it's something you're gonna need to zoom attention in on. Okay?
And then I'll just say, as much as we have greenfield and brownfield, there's really no reason to treat them differently, especially if you demand that they must be treated the same. Okay, a few more points here for this composable identity fabric that we're all hoping for: really, support for everything.
It's true, there's a lot of legacy technology. It's true that creating those adapters is challenging, but creating those adapters is possible. Okay?
So just a few more points of what we can hope for out of our privileged access systems, our zero trust systems.
Let's hope for just-in-time access. There are a lot of ways to make it happen, but once you live with it, it's hard to go back. Okay? Once you give your team members a little bit of a low-friction, great feel to that just-in-time appeal, rapid approval, automated approval in some cases, they're gonna understand and they're gonna appreciate why, especially for those high-consequence, high-power operations, they're gonna appreciate a little bit of friction.
Personally, I use session recording all the time when I'm performing high privilege, high power operations because I want to, I want to be able to have a paper trail that shows that I didn't, I didn't mess it up, right? And that's something that, that I think a lot of, a lot of team members will appreciate. And that's something that is certainly possible. Obviously the audit trail is, the detail of that audit trail is kind of related to the detail of the precision in your action control. So these things, as you do more of one, you get improvements on the other.
Of course, you can put all this together and then you can of course overlay all the threat detection, AI and ML that you want on top of that. That's the way we do it, happy to talk to you about that.
And I am close to the end here, so let's just say, I'll just leave you with this: please make it continuous. Please stop unsanctioned action. Please aspire to just frustration-free. Friction is actually a good thing. Slowing down a powerful action is a good thing, but frustration is not a good thing.
So you're fine, by the way, you're fine to frustrate attackers, so that's fine. Just don't frustrate your colleagues. Okay?
And then, and then, yeah, and expect more out of all of your systems. Okay, so those are my thoughts and I think we've got a few minutes for questions.
A quick check. There were no questions online, but the question is, are there questions in the room? Yep. Sorry.
Oh, microphone, I'll take this one. I'll take it back.
So, so in the SQL case, just curious, is it like a TDS reverse proxy type of thing?
Okay, so the question is related to that SQL example, right?
Yeah, yeah. So that, that's exactly what's happening. So there's, there's just extremely performant, extremely comprehensive protocol parsers and query parsers for,
Do you have any issues with, like, modern auth and MFA, Azure, with that in the middle?
Yeah, and there's a, for anything that's an event-driven additional factor that you're asking for, there's gonna be essentially like a dependency resolution that's gonna invoke that system. So especially for ones that are push, right?
It's going to essentially, as that policy statement is being evaluated, it's realizing, oh, I can materialize this additional step-up. And so it's gonna trigger that as a result.
Okay, thank you very much. Yeah,
Thank you very much. And this is it for this session. Thank you very much for the insights, and I hope that friction is good. I'm afraid sometimes not, especially for those who are used to having this root window always open and the cursors are blinking, but all the others will hopefully really appreciate that. Thank you very much. Thank you.
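The two proxy-enforced policies the talk walks through (step-up MFA on sudo inside an SSH session, and a geo constraint on Microsoft 365 contact-field edits) written out in Cedar, as an added illustration that is not StrongDM's own policy or the speaker's slide. The entity types, action names, context attributes and the `@advice` annotation key are all assumptions; a proxy that parses the protocol would populate the context per request.

```cedar
// Added example, not StrongDM's policy. Assumed entity types (Role,
// ServerGroup, Tenant), action names and context attributes
// (mfa_verified, request_country) are hypothetical.

// 1. sudo inside an SSH session. The first evaluation happens before
//    the push factor is fulfilled, so mfa_verified is absent or false,
//    the decision is Deny, and the proxy holds the command in flight.
//    Re-evaluating the same request after approval yields Allow.
@id("ssh-sudo-step-up")
permit (
  principal in Role::"linux-admin",
  action == Action::"ssh:sudo",
  resource in ServerGroup::"production"
) when {
  context has mfa_verified && context.mfa_verified == true
};

// 2. Microsoft 365 admin console. The underlying product bundles
//    contact-field updates with user update, so the proxy names the
//    finer-grained action itself and forbids it outside an approved
//    geography. Cedar's forbid overrides any permit, so a broad
//    user-update permission cannot reopen these fields. The annotation
//    is assumed to carry the custom message returned to the user.
@id("m365-contact-geo")
@advice("Contact-field changes are only allowed from an approved country.")
forbid (
  principal,
  action == Action::"m365:updateUserContactInfo",
  resource in Tenant::"corp"
) unless {
  context has request_country &&
  ["US", "CA"].contains(context.request_country)
};
```

Because the decision is recomputed on every request rather than once per session, a change in context (MFA expiring, the user's location moving) flips the outcome on the next evaluation without tearing down the session.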