Security Unfiltered

Zero Trust Architecture: The Future of Cybersecurity

Joe South Episode 197


Cybersecurity expert Bob Kochan from Beyond Identity discusses the evolution of security from network defense to identity-first approaches. He shares insights on how AI is transforming security operations while creating new threat vectors, emphasizing the need for phishing-resistant authentication solutions in today's threat landscape.

• Traditional security focused on network layers, but SaaS adoption exposed vulnerable identity systems
• Zero Trust architecture must start with device-level security and extend through the entire authentication chain
• AI will augment rather than replace security professionals, making systems-thinkers 10x more effective
• Government agencies are often driving cybersecurity innovation faster than private industry
• Security solutions must prioritize usability or users will inevitably find workarounds
• Legacy MFA solutions are insufficient against modern attack methods like phishing and deepfakes
• Security should be designed into systems from the start rather than bolted on as "security through configuration"
• Nation-state funded threat actors have created their own innovation ecosystem rivaling private sector development
• Beyond Identity offers phishing-resistant authentication that eliminates password vulnerabilities

Check us out at beyondidentity.com or visit us at our booth at Black Hat this year.

00:00 The Entrepreneurial Spirit

02:35 Passion and Problem-Solving in Startups

05:12 The Evolution of Cybersecurity

07:49 AI's Impact on Security

10:19 The Role of Engineers in Cybersecurity

12:51 AI and the Future of Cybersecurity

15:16 Research and AI Tools in Cybersecurity

22:05 The Impact of AI on Employment


Follow the Podcast on Social Media!


YouTube: https://www.youtube.com/@securityunfilteredpodcast

Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast

Speaker 1:

How's it going, Bob? It's great to get you on the podcast. Finally, I'm really interested in everything beyond identity. It's obviously not a sponsored podcast or anything like that. I've been following you guys for quite a while, so I'm really interested to have our conversation.

Speaker 2:

Thanks for having me, Joe. I've listened to a lot of your podcasts and they're really great and fun and interesting, so I look forward to the conversation.

Speaker 1:

Yeah, I appreciate that. You know it's interesting. You know, when I started this podcast, right four and a half years ago, at this point, the biggest critique that I got from people was well, how are you going to find people to come on who would want to go and talk to you? What are you even going to talk about? Right, like, is your skill set that deep that you think that you can actually talk to everyone and anyone? Right, and you know, for myself, right, I guess I'm a bit of an entrepreneur and for myself, when I heard that it was just like, well, none of those questions even matter. Right, like, I'm going to do it, and if it fails, it fails. And if it works, great, right, like, never intended on, like, making money from it or gaining popularity or anything like that. Really just intended on having good conversations with people.

Speaker 2:

Right, well, that's, that's you. You truly are an entrepreneur. That's the startup mentality you jump first and then you check to see if you have a parachute afterwards.

Speaker 1:

Yeah, yeah, yeah, one hundred percent. That's the thing. It's pretty scary and I've had on entrepreneurs that are doing that right now, where they're in their mid to late 30s. They have a young family, several kids under two or three years old and they're just starting this entrepreneur thing and I'm like man, I do not have the cojones that you have, that's for sure.

Speaker 2:

So it's interesting and my wife sometimes calls it a character flaw. But you really have to have a passion for this kind of thing. You really have to want to create new things. Starting early is great, but startups at any age. It really comes down to do you have a passion for a problem. The rest of it you'll figure out. But as long as you have a known problem in the market and there's a passion for it, you get it validated. Then the market's like calling you and you just need to commit to it and go In the end. That's kind of what brought me. I've done, I think, five or six different startups through the years. In my early years they all were a disaster, you know, in my early 20s. But I learned a lot, but there was always a passion for that. And then through the years I've gone to a lot of different startups and no regrets. It's a different path and I encourage everybody to really think about it. It's a great opportunity to kind of change things in the market.

Speaker 1:

Podcast as a business, you know, to some extent, and when I think of that, right like it's, it's a way to generate your own income, to be your own boss, to not really rely on someone else to, you know, pay your mortgage right, but in other countries that's really not possible, not to the extent that it is here, right, and I think that's a huge benefit. You know that we have that a lot of people don't even identify and don't even, you know, realize what it is. I was having a conversation with someone who, you know, he went to University of Chicago, right, got his bachelor's degree from University of Chicago, got a master's degree, super smart guy, but hasn't followed the trajectory that someone of that pedigree, you know, would have expected to have followed, right, and he was talking to me, you know, about, like, the marketplace, and, you know, he got into this debate right, where, you know, some people are paid more than teachers, for instance, and whatever it might be, right. My wife is a teacher, so I totally get it, you know, and it's like, yeah, they totally should actually be getting paid more, right. In other countries they do actually get paid a lot more than doctors. But at the end of the day, you know, it all comes down to the value that you bring to the marketplace, and a part of that value is actually identifying the gaps in the marketplace and filling those gaps, right.

Speaker 1:

So you know, I always tell everyone, right, when I was getting into IT slash security, I was looking for my niche and so at the time, like, the cloud was brand new, basically it was just a few years into the cloud, and I figured, okay, cloud security is going to be a thing. More companies are going to be moving into the cloud, more companies are probably going to be solely in the cloud, right? So that means that they're going to need cloud security. And I think the CCSP cert was like brand new at the time, you know, right. And so I started going down the path of cloud security long before people thought of it as like it being its own domain, right, and it's still kind of, people still kind of don't understand that it is its own beast in and of itself. But, you know, I'm not forming a business around that. I literally just identified an area in the marketplace that was lacking and started executing on getting more knowledge on it, more training on it, getting the certifications and making the jump into the field.

Speaker 2:

Yeah, I hope just two funny stories on something you said and then I'll jump right into why. That's a great message for individuals who want to get into cybersecurity: don't ever think it's just get started. But when you're talking about the US and startups, the very first startup I did, '95, I was working for a French company at the time in their R&D, and then when I told them I was going to do a startup, they just looked at me like, what do you mean? What is that? How can you leave a company and go do something else? How is that even possible? So that was really interesting and they thought that that was strange. And then on to what you were saying just a minute ago. I think that's right with cybersecurity individuals, at least my experience.

Speaker 2:

My experience is very eclectic. I started out in aerospace engineering, computation and fluid dynamics, was dead set on going into industry application engineering, CFD expert, and had a lot of opportunities there. But I got sucked into grid computing, because that's when computers were starting to get into this grid computing. They were cheap and scalable and I found out that I had a passion for software. And then that led into, go into the history, if you want to. But eventually one thing led to another. I ended up doing deep packet inspection, worked on some of the first security gateways back in the early aughts in session border controllers for VoIP networks, which radically changed everything. Then, after that, when I had done that, I said what am I going to do next? I ended up doing banking security, which is, this is back in 2007. We built multi-factor phishing-resistant authenticators before there were even iPhones and people were telling us you're crazy, no one's ever going to tap a personal device to authenticate, and you know, it was early on, and then worked on some of the first large-scale, verifiable credential deployments for digital offers and distributed supply chains, and that ended up at Beyond Identity and all of that. So you never know where you're going to end up and you never know where you're going to start.

Speaker 2:

If the people listening here, if they have a passion for system engineering, solving problems, and they like a lot of different aspects of that technology, then cybersecurity is a great, great place for them, because even today, like you talked about the cloud, I mean everything's accelerating One of the themes I learned, or the things that I started to grok over time through my career is that security has to be moved into the product early, and I kept seeing that over and over again. And I think again for your listeners here if they're getting into cybersecurity, it's no longer a bolt-on thing anymore. You're going to be key to the product development. Certainly, if you're at a startup, you will be part of that. Secure by design, compliant by design, privacy by design these are all real things now.

Speaker 2:

And we have security, cybersecurity, people, data privacy, people at the table at inception of the product.

Speaker 1:

Yeah, yeah, that's a huge thing, right. You know there's a lot to unpack there that you brought up and I think I kind of discovered my passion for security in that early, you know, help desk role that I had where, like you know, looking back on it, it wasn't quite help desk, it was like part help desk and part, you know, engineer to some degree and you had to really understand the underlying processes and services. You know how they operated, what they did in their startup process or their shutdown process, right, because you know, in that role I was working with E911 systems, right. So there's a database of information.

Speaker 1:

Sometimes when you do an upgrade, things fail, right, and you have to really kind of work through it. And of course, it was always my luck that I would get the most random, most difficult issues that would happen. I was basically a part of the QA team without being a part of the QA team, because when they would say that it's ready for production, I would have a line of customers ready to go and we would be running into just the most random things where, like, I have to go get the dev that wrote the code that is dealing with this thing because we don't know what's going on right now. But having that reverse engineering mentality benefits you so significantly in security. You know that, like, it pays so many dividends down the road.

Speaker 2:

It's some of the best. It's funny you say that because I'm in the Dallas office. We have a New York office and the support team sits right over here on the QA team and that story that you just described plays out every single day here and some of the best systems engineers I know are on the security side support and security side. They're either deployment engineers, support engineers, cybersecurity, and if you're a support engineer, you really have to be a Swiss army knife right, Because you're getting pulled into every direction.

Speaker 1:

Yeah, yeah, you know, that's so true, you know. Looking back on it, right, I didn't think of it at the time. But, you know, you're learning Postgres, you're learning, you know, Apache web servers. You're learning Linux. You know, you're learning Python, while you're doing it all in Bash script, you're learning. I mean, there was even a point in time where I was learning, you know, PKI certificates. You know, distributing the keys and how to initialize it on the system and attach it to the web app and all this other stuff, right. And then, you know, SELinux, right.

Speaker 1:

Man, you know it's funny because our devs, you know we worked with a lot of federal agencies and everything, so they always required SELinux to be, you know, turned on and enabled and whatnot. And the dev that was supposed to design that module of our application, he never actually like, ran it in production. He created it, got it working for, you know, this one top secret environment, right, and never looked at it again and several years had gone by and now I have a whole bunch of customers that want SELinux running, but every time it starts up the application completely crashes. You know, it doesn't start anything right.

Speaker 1:

So now I'm reading the NSA's documents on SELinux, you know, trying to figure out how to make these exceptions and, you know, going through and learning. Like each and every single command, process, service that is tied to this application needs to be whitelisted. It's not a normal whitelisting process. You have to run this string of commands to run through it, right, like. But that sort of thing develops you into that Swiss army knife, you know, and no one was doing that beforehand, like I couldn't. It wasn't like a Googleable problem, it really wasn't. It was like, hey, here's this document that the NSA wrote, go figure out how to use that information and correct it over here, because, like, we can't lose the contract, the contract is worth several million dollars. We're a small startup, like this is something that needs to be done.

Speaker 2:

The first, again to reiterate that, or just to double down on that, and I've led product teams, engineering teams, CTO, COO, CSO. I've kind of done the whole. I've worked at a company that, a VC firm, that bootstrapped energy, like small energy startups, and I would bootstrap the engineering and the technology, get them going and they'd go to the next one. At the end of the day, the person you go to first to understand how the system works is the deployment engineer and the support engineer, because they're the ones who are going to tell you how the customer is using the product and how it's deployed. And your solution architects. Don't get me wrong, the engineers.

Speaker 2:

They're the engine right in engineering, but sometimes you know they'll be very super technical and very focused. So I totally, totally get that and that is kind of you know when you talk about those. Historically those roles have been quite separate. But I think we're seeing now, certainly with your security engineers, your privacy engineers and your product engineers, even support and deployment they're all starting to collaborate very tightly, kind of like you know, in the past it was DevSecOps. You know you had your walls right and younger engineers probably can't even imagine a world before DevSecOps. It's the same with security and product.

Speaker 1:

It's heading in that direction right, yeah, yeah, it really is.

Speaker 1:

And there's new.

Speaker 1:

You know, with AI becoming more prevalent and LLMs, you know, there's whole new domains of security that are being created right in front of us, right, and I always keep my eye on the job market just to see how it's performing, what it's.

Speaker 1:

You know what the trends are and everything, and I'm slowly starting to see AI security roles open up, right, and like normal companies that aren't NVIDIA, right, and, you know, I'm sitting here and I'm watching this industry start to pivot, because now everyone is saying, you know, we're going to incorporate AI into our platform, into our solution, into our offering and whatnot, we're going to offset this headcount. But companies are slowly starting to wake up to the fact of, oh, that's a totally different kind of security that we have to provide. I mean, there isn't even true, you know, AI security products on the market right now. I mean there's a couple offerings out there, but I haven't seen anything that, like, you know, is like truly built for it. You know, it was kind of like a bolt-on sort of thing.

Speaker 2:

Yeah, no, that's a great observation. And, you know, again, when you look at kind of how the threat landscape has evolved over the last four or five years and, you know, the cost benefit analysis, like people who have their current. And one of the points that Beyond Identity always makes is that legacy MFA is not good enough. Legacy solutions aren't good enough because the landscape has changed and if you haven't been popped it's not because you're good, it's probably because you haven't been targeted, and the whole cost benefit analysis for some of those APTs has radically changed. It's that, yeah, that landscape has completely changed. And then you layer on AI on top of that and it accelerates the scope, whether it's malware as a service, phishing as a service. You layer on AI and then all of a sudden your threat landscape, let's put aside the innovative attacks and the new enablement attacks like deepfakes, but just on top of the legacy stuff, the scope and scale just explodes and you can't defend. And then, you know, AI is going to augment products and everybody just puts an AI stamp on their product. Just like, you know, back in the day you had a Windows certified hard drive and you're like, what does that even mean? Well, it's Windows certified, so there are a lot of products out there. People have to be careful when they stamp with AI. So there's the augmentation part and there's a lot of value that can be added there. But then on the other side, you have a whole new category of security that needs to be figured out because all these companies, ourselves included, they're trying to figure out how to use AI internally and it's going to explode.

Speaker 2:

The use of information, information that otherwise wasn't accessible or used within the organization, is now being exposed to these LLMs. And we've spent all this time, kind of as a security engineer, trying to make sure that the data is anonymized and you can't de-anonymize it. And we patted ourselves on the back, right, done, figured it out, and now we put an LLM in front of it and the LLM itself is de-anonymizing the data, because when you ask it questions, you don't really know how it's going to answer and you're getting all kinds of data leaks and privacy violations. It's kind of crazy.

Speaker 2:

And then just the fundamental architecture, with RAGs and daisy-chained LLMs. It needs a whole new authentication Beyond Identity, feels it has a position there for sure. But there's things called pre-inference ABAC, which is you come in and before you actually execute the prompt you have to map it to the policy domain, map that to annotated data to make sure you restrict the data. You pull that you put it into the LLM. So there's all kinds of stuff that's radically changed and it's kind of exciting and I think there's going to be a ton of opportunities again for security, cyber security, people in cyber security are going to be front and center.

Speaker 1:

Yeah, yeah. People ask me if I'm worried about AI taking my job and I'm sitting here like no, no, AI doesn't augment but it 10Xs me, right, like you really have to use it, you know. So I'm getting my PhD right now and I mean, don't congratulate me yet until I actually get it.

Speaker 2:

Kudos to you.

Speaker 1:

It's very difficult, it's extremely difficult, it's probably 10 times more difficult than I expected going into it, but I think the reward at the end will be worth it for sure. But, you know, I'm getting my PhD. I'm studying deploying zero trust frameworks on communication satellites with the sole purpose of preparing them for post quantum encryption. Because, really, like, that's where everything is going, that's where, like, the next, you know, major war will start. Right, it's going to start in space long before it starts on the ground, you know, because how else are adversarial militaries going to intercept communications? And, you know, hack a country, right, like, you would start with the satellite, really. But, you know, in that, right, I'm using Grok heavily, heavily.

Speaker 1:

And the whole purpose is because when I started my research, I was using Google to try and find scholarly articles that support my research in different ways and it was very difficult to find just reliable sources, material that I would actually be able to use, anything like that. I mean, it was just, it was just very impossible, basically. So I went over to chat, started using that a bit. It definitely provided me more value, but it wasn't able to go deeper than what the text was giving me. And this is, you know, a year ago. And then I, so then I started comparing it with Grok and Grok was able to give me, like precise information. Hey, this document matters because of this table. They did this work.

Speaker 2:

Here's the actual quote to try Grok out, yeah, everything.

Speaker 1:

You know, I've never, I've never. So I've made requests of Grok before and it didn't give me, you know, a result or whatever it might be. I think it's because I'm literally, like, hitting limits in the chat window of how much text is actually in that chat, but it gives me exactly what I'm looking for, like, every single time, you know, and I've had it, you know, even, like, write me some code, and I'm not a developer by any means, but it gets me 85% of the way there and I'm smart enough to know what to adjust and how to plug in different things, right? So, like, it's literally being used to augment me in a way that would take me years to get through, you know.

Speaker 2:

Yeah, so a couple things. One of the things, the biggest issue I have is doing research, and again, everything I do now is AI assisted, certainly all the research and the synthesis of information, but it's attribution. That's a real problem because the LLM will, again, they call it hallucinations, but it's confident about everything, right, and so I won't really reference anything or use it unless I have strong attribution. No, that's pretty important.

Speaker 2:

And then the other thing is, and I don't know really how this is going to shake out with AI, honestly, but I have a sense that people like yourself and systems engineers are going to be 10x'd, right, and I agree with that, that people can think from a system perspective. And then the individuals who can't bridge that gap and get to the system level and become, you know, engineers are going to really struggle. Because I've been using AI, Claude, Cursor, all kinds of AI tools, and it's actually writing kernel code that just works. Wow. I've done all the way from UI development, back-end development process, productivity work, and the AI stuff just really works. Now, two or three years ago it was still, you know, what it was, but it actually, you can write serious code with it, and I think the, you know, and then you'll see.

Speaker 2:

I think the cybersecurity industry is really going to be impacted in a lot of different ways. With the proper agents and the proper security architecture internally, a lot of the stuff that I can do can be rapidly accelerated, right, so that I can focus on more important problems. Whether it's compliance, it's automated compliance, regulation, reviews, all that stuff. All that stuff's going to be addressed very quickly. And then, you know, threat surface analysis, attack surface analysis, incident response, those are all areas where AI, I think, is really going to augment the security operations.

Speaker 1:

Yeah, yeah, that is true. I feel like there's areas that it would be able to, you know, replace a headcount, potentially right. But, like with everything typically, you're going to find that the industry will cut, you know, so severely because they think that they're going to save all this money with having this LLM or this AI thing and getting rid of all these people, and then they're slowly going to be adding them back in. Like if you, if you look and if you actually follow it, you know Microsoft laid off like what, 200,000 people in the past 18 months or something like that. I mean, like it's a significant amount of people that they laid off. Google did the same thing. Probably a different amount of people obviously met up everyone and now they're hiring in other areas. They're hiring in other key areas because they're finding oh okay, we didn't need as many marketing people to do this work, we can augment it with this other tool over here and then we can divert those funds somewhere else.

Speaker 2:

That's right.

Speaker 1:

And so we're moving into an interesting place. But I kind of want to shift gears a bit and talk about Beyond Identity, absolutely. So talk to me about you know what Beyond Identity is, what the problem is in the marketplace that you're solving for and how you're doing it.

Speaker 2:

Yeah. So I mean fundamentally we're a secure access platform built from the ground up to address the new identity threat landscape. So we target identity threats directly and we design them out. We try to move as much from detection to prevention and it kind of takes advantage. We do that by providing. I mean, if you look at Zero Trust, we provide phishing-resistant MFA. We'll get into why I think most of the legacy phishing MFA we know is not good enough, but at its underpinnings it has phishing-resistant MFA. It has strong device credentials and device posture so it can do continuous authentication. We have a secure access layer and SSO and now we're starting to expand into kind of collaboration tooling like RealityCheck which is basically targets deepfakes.

Speaker 2:

And so the problem fundamentally was, when you, and it was a re-imagining, it was from our founders and one of our founding CTOs, Jason Casey, who had very early on recognized, I think long before I certainly did, a lot of other people in the industry, that there was something radically changing. So where you had on the IT side, which was doing mostly productivity and that's where all the identity solutions were, it was really about workflow management, orchestration, and most of the security threats were at the network layers. All your engineers, you know, that war between the red teams and the blue teams was all at the network layer. As that started to, as we started to move out and started, everybody started using SaaS applications, bring your own device, you saw an explosion. You saw an explosion of all of that layer and it exposed an identity substrate where it was completely vulnerable. And then the IT guys, who were awesome people, but they were focused on workflow optimization and identity management, all of a sudden had an entirely new security problem, which was identity, and all of the security engineers were trained for the last war, which was network penetration, malware. Once you penetrate a device, you do lateral movement. Totally wasn't going to work anymore. So that's kind of where Beyond Identity came from.

Speaker 2:

And we started with phishing-resistant, passwordless back in 2019, long before anybody else had an enterprise-level solution, had a lot of success there.

Speaker 2:

And then we expanded into, like I said, the device posture. We have an offering called Device 360 that allows you to look at your device fleet, recognizing that the real problem. And when you get down to it, if you follow the user's lifecycle, and this is the next generation kind of secure access platform, they start on a device, they go to the access plane and then they get to an application. Makes sense, right? A new platform has to follow that entire journey from the device to the access layer and then finally to the application. Again, one of the things we're really excited about right now is our RealityCheck solution that targets AI deepfakes, and that is only made possible because we can tie the device to the session, to the user, and we can tell you who's actually on that call. So, on our platform, it eliminates that deepfake threat, but anyway. So that's kind of where Beyond Identity came from, and we're having a lot of success in large enterprises, Fortune 50, all the way down to SMBs.

Speaker 1:

Yeah, that is pretty fascinating, you know it was. I think it was right around 2019, probably when I started to actually follow, you know, beyond Identity, a little bit right, because you're starting to do things differently and the problem with identity security overall just IAM is it's typically an arduous experience for any sort of end user, really. I mean you got to think about it, right, so you're not going to remember 10 or 12 different passwords. I mean it's just not going to happen, you know. And if it happens, cool. But guess what? You're going to have to change them all eventually and you're going to be relearning them, right.

Speaker 1:

So now you move it into a password vault, which is great. I mean, I use a password manager myself. I use 1Password. It's great. Does its job, does exactly what I need, you know. And so now I have this solution over here that, you know, has complex passwords in it for all these different websites, but still for someone that's not technically savvy, right? My wife is a teacher and I tried to get her to start using, you know, 1Password and it's just not going to happen.

Speaker 1:

You know it's never going to happen, right?

Speaker 2:

You bring up a good point and you mentioned the usability. So fundamentally the enterprise and the consumer, at least on the surface, have very different requirements. But when it comes to passwordless, so let's even move away from passwords, just say it's secure authentication and secure access, they kind of look very similar because with an enterprise you have to meet the user where they are and they have these massive heterogeneous environments. Some are deeply technical in the way you can put a PAN or a platform authenticator and you can device posture. Others you have to use a FIDO key, or we have a solution which is called a hosted web authenticator, which allows us to engage the user just in the browser. That's security there. So even with the consumer, a password vault, that's a starting point, but it's not okay anymore, right, and we see that a lot of times at the enterprise level as well, where they have these.

Speaker 2:

They weren't clear about how they were going to deploy the next generation MFA or a phishing resistant MFA. So they deployed an MFA, which is really just another factor on top of passwords. And so now they have these large heterogeneous environments where in some places they have phishing resistant password solutions. In other places they have MFA solutions that are not phishing resistant, which they can be easily. And the other thing they run into is the user experience is horrible. Like, even in an enterprise, when you try to push an edict out, if the users don't, you're outnumbered. You worked on the IT side. You're outnumbered by your users, and if your users refuse to use something, it's really, really hard to get it deployed. And that's another thing that Beyond Identity, again, I know we're not supposed to be pitching our product here, but it's what I just, from my personal experience. If you don't focus on the usability, whether you're on the consumer side or the enterprise side, it's just not going to work.

Speaker 1:

Yeah, I've deployed privileged access management solutions before to pretty large companies and you know I've beaten every record that that vendor had of previous deployments, of size and speed and capability and everything else like that right.

Speaker 1:

And so a huge part of that deployment you know I'm deploying it to probably 12,000 individual people, about 100,000 individual accounts, including onboarding, you know servers and you know all these other workloads and whatnot, and maybe the biggest part of that was actually vocalizing it and kind of, you know, going around and making sure that all the people in the company were on board with this right and the biggest thing was explaining it to them in a way that you know related to like, not only just their job but what's at risk. You know, and it was very convenient for me because one of our competitors had a breach very recently in that timeframe, so I could literally say like, hey, they had a breach, this exact way that we're trying to protect against right. Like I know this makes your day a little bit longer. It's a little bit more difficult for you to log into this server that has all these social security numbers on it, right, I know that.

Speaker 2:

You know solution with no password be less usable than a solution with a password. It is kind of interesting, and oftentimes that's the case, right, because again, security wasn't the like I said. You have to push security into the product and that's happening, but you also have to push usability, and that's exactly the feedback that I've seen in the market is your solution has to be low friction, because we're trying to get users to authenticate and access safely. That must include it's got to be easy to use, because if it doesn't, they're not going to use it.

Speaker 1:

Yeah, yeah, I mean, I've seen it where users immediately start trying to just go around the product, no matter what. They try to have perpetual SSH sessions going and RDP sessions going and they're, you know, logging into. You know. I was at a company and we had this fantastic solution right where if you didn't log into a server for a certain amount of time, you would lose access and you'd have to re-request it. Right, and the request just goes to your manager. They approve it, you get the access. Yeah, it's a typical idea.

Speaker 1:

It's like an early form of just-in-time access, yeah, PAM, yeah. So I was talking to like one of our top engineers slash developers, right, and he went and, you know, just all willy-nilly, just logged into a bunch of different servers, you know, right off the bat, and he wasn't doing anything in them. And I'm on security. But he likes me, you know, I have a way about getting people to talk to me, probably more than they should. And so I was asking him, I was like, why do you log in, you know, once a week or whatever it is, to get into these servers if you're not doing anything? And I'm like, what's the purpose? You know, you could really be opening up the environment to a foothold if your device ever got compromised, you know.

Speaker 2:

Right, that's right.

Speaker 1:

And he's like well, I have to log in, you know, maybe once a month, once a quarter, to actually do work, but at that interval I have to go and like request permission. You know, every time I log in and my manager my manager isn't always available. He had a whole list of excuses and I'm like man, we have this multimillion-dollar solution that we just deployed and bought. We were talking about it with everyone vocalizing how great it is and everything. This guy is just having no part of it. He's getting right around it and there's literally nothing you can do about it, because he literally said yeah, if it changes, I'm just going to start writing a script that has a perpetual inactivity monitor on it. That will just forever keep me active.

Speaker 2:

So you hit a key point for me. You're making a key point where it's a pet peeve for me: the legacy solutions that have tried to adapt from the identity side and the IT side have created all these add-ons and bolt-ons and it starts to look like security through configuration, right, which is a really, really bad model, right? You want security by default, and one of the pet peeves I have is, and again it's all about PAM, privileged access management. There's a lot of great stuff going on there and extending it, but fundamentally, the question you have to ask is, why do privileged accounts have a different access management solution than everyone else? So I think, again, it's rethinking the security solution. At the end of the day, when we talked about the access layer, you start from the device, cryptographically bind, all that great stuff, device credentials, continuous auth, but even in the access layer, if that's built properly for the future, you have all of that privileged access management built into that access layer.

Speaker 2:

That's available for all accounts all the time and you shouldn't be running into these kinds of problems and that individual. That just wouldn't even be a problem because that's an artifact of having a really complex system. That is, it's no one's fault. It's just how we all got there organically. That is security through configuration.

Speaker 2:

Yeah, yeah, no, that's a really good point, which is a bad model, by the way.

Speaker 1:

Yeah, you really have to take kind of the guesswork out of it. You know there should be no questions about it and there are, you know more advanced ways of authenticating a user and a network and whatnot. Right, like you know, with zero trust. If you want access to an application, you have to meet a certain you know criteria with your device. You don't have to worry about, you know, getting onto a VPN, logging into that VPN, logging into a server to get you access and whatever it might be right.

Speaker 1:

I was working for a company that's been around for, you know, 100 years, whatever it might be. It was probably 100 years, and so they had this, you know, siloed, it's like a three-tiered AD architecture, right, where Microsoft built it for them and then Microsoft coined the term and wrote a whole document on it because, you know, this company paid them so much money. They were just like, here's a blank check, design this thing, you know, build it all out, right.

Speaker 1:

And it was like an early iteration of zero trust, where you put your crown jewels into one environment, you shut off all access to that one environment and God forbid you ever have to log into that environment because by the time you log in, your sessions are going to start timing out and you can't do anything. You can't manage that infrastructure. And when I was diving into this architecture with the engineer that was around when he set it up, he was actually retiring, so it was pretty important for me to get an understanding of that environment I started diving into okay, well, you say you know nothing can touch it. How do you patch it? Right. And he said oh, you know, we have to log in and patch it manually from you know this console or whatever. Like, okay, that's fine. Well, how do you get the patches there? Do you like download them on prem and then transfer them over through some secured you know SCP process, right? He goes oh no, there's a connection out to the internet and it pulls it down through you know the official repository and everything.

Speaker 1:

I'm like okay, well, that's a great idea, but you know how the federal government does it, right, where they interact with a vendor, they verify those patches. You know, in some secured environment they shoot it up to a satellite and that satellite is the only thing that's allowed to connect to that internal environment and it's on every repo. It has a special key and everything else like that. Like you're trying to replicate that without doing that, you start going down this rabbit hole of finding out oh, this thing hasn't been patched in four years. You know this system isn't even used anymore but it's active in this environment for this one authentication token. That breaks everything else if it ever gets turned off.

Speaker 2:

Yeah, I mean, I know people overuse the term zero trust, but zero trust is real and material as far back as 2007. Some of the earliest TCG Trusted Computing Group architecture around TPMs and secure elements, to the famous Black Core document issued by the government, which is the next generation security architecture, which was the beginning. They didn't call it that yet, but it was the very beginnings of zero trust. This is not a trend. Security experts have realized that to ensure trust it has to start at the device and then it has to go up and you have to cryptographically bind the entire lifecycle to the destination. You just have to do that, like with your satellite example. There is a huge push. So the DOD has made it an absolute imperative that all corporate, government corporate networks are zero trust by February 2007. That's a hard hit. All military networks by 2035. It's not. I think there is.

Speaker 2:

I was listening to the CISO of the DOD give a talk at RSA and I think there's 145 different networks that they have to kind of manage and understand. It's crazy, but zero trust principles are grounded in real deep engineering and fundamentally it has to start with, like I said, the root of trust. You and a company have to be able to build a root of trust and then extend from that, and Microsoft has made a lot of great progress there too. They use device credentials when they deploy. When you move to Entra and you move off hybrid or AD, a whole ton of, like, pass the hash, pass the token, a lot of threats on the device disappear. There's a lot of other issues with the paradigm, but fundamentally it's real, it's based in real engineering principles and you can't. You just have to get on board and understand that that's where the industry's going. Well, a huge part of the industry's already gotten there and the government's got to be there.

Speaker 2:

And just as a side note, Joe, what is interesting too is everybody looks at. So I've, Beyond Identity, went through, we got FedRAMP Moderate and we work with partners and we have a really strong interest in the DIB and the FedCiv area. But what I am learning too is, what I learned from that experience is that all of the compliance stuff that, you know, people look at the government and say they're slow and they're bulky. That's just not true anymore. In a lot of ways they're thinking faster and more strategically than the private industry and they're driving a lot of stuff, and you're going to see some pretty significant changes around automated compliance and zero trust architectures where the federal government's leading that. I mean, you see things like their SWIFT program and their FedRAMP 20X. There's some pretty innovative stuff going on there and they're really, in a lot of ways, driving. They're going to start driving the private sector, in my mind.

Speaker 1:

Yeah, no, I mean, it's so, that satellites. It's interesting because you're talking about, you know, let's think about it like with a 6U server. Each U has a different component that's doing a different thing, and all of that has to be zero-trusted, but you can't use, you know, an extreme amount of resources. You're in an environment that's extremely limited with resources, especially when the satellite is on the other side of the earth and not facing the sun. Now you're running on batteries and now you have limited resources for everything, right?

Speaker 2:

Well, think about it. I'm sorry, go ahead, Joe.

Speaker 1:

Yeah, so the zero trust in that situation then turns into a tiered architecture type of thing, where you have these root nodes, right right, that are at higher altitudes, that you're now authenticating to and you're verifying your identity with and you're verifying other connections with, because those are the ones that then have to be focused on that process, because that's all that they do, rather than, you know, the lower tier satellites that are authenticating within itself, right? Yep and you know with that.

Speaker 2:

If you think about that, extend that to, what's it called, MUM-T and UAS, manned-unmanned teaming, and the drones, that just explodes. That wasn't a satellite I get for you, still working off with you, but in the last three years, and particularly with what's going on in Ukraine.

Speaker 1:

Think about that times 10 for drones, you know, lagging behind this huge, you know, infrastructure that, you know, doesn't really adapt that easily or that quickly or anything. And then Stuxnet happens, right. And then I read the book on Stuxnet, Zero Day, right? Kind of changed my entire mentality, because they were doing IOC hacks long before anyone even thought of IOC as a thing, like as a thing even being a part of someone's infrastructure.

Speaker 1:

It was a controller that you just had to run in the environment. No one was thinking of it, of, if I manipulate this controller here, I can make this power generator over in Idaho National Laboratories, you know, operate at such an RPM that it's not even built for and it's going to explode all on its own without me having to do anything. I don't drop a bomb on it, I don't send someone with a bomb, it is the bomb itself already and we're going to blow it up with code, right? That's right. And then you look at how they built out Stuxnet and everything. I mean, that is a work of art in terms of technological engineering, of what they did, right, like having the different modules, how it sat there and waited for an undetermined amount of time just waiting for the right system to log into it and how it was even querying that system to get the device properties and whatnot. It wasn't doing normal queries. They had to create this whole query language around it just to figure it out in a very stealth manner, right?

Speaker 2:

Yeah, no, it's absolutely crazy.

Speaker 2:

So I think the takeaway for me there is again I think the government, in a lot of ways, is driving a lot of this technology and I think the security the enterprises that need to deploy a solution just because that's not their business they need to secure their business really need to look for vendors that understand soup to nuts, the raw device attestation and secure like zero trust architecture plays into that, Because it's really pretty intense.

Speaker 2:

What you can do now and everything has to start now, it has to start at a root of trust. I mean, if you were to say to an enterprise today, or even a small business for that matter, hey, we just want to verify the hardware supply chain when the device is out, they're like, yeah, that just seems like such a secondary, tertiary problem. I've got other things to solve, but that's not the case anymore. That's a real problem that needs to be dealt with today and it needs to be part of a default solution. Because the attackers we think we're more sophisticated, because in a startup industry, private sector, we're doing all the kinds of innovation the threat actors aren't. They have their own startup ecosystem they really do, and it's funded by nation states. So we have VCs, they have nation states that fund that whole ecosystem and it's changing and growing quickly and the attacks are getting more and more sophisticated.

Speaker 1:

Yeah, it's very true. Stuxnet was only the beginning of what we're seeing. I mean, you look at the pager attack that Israel pulled off against Iran.

Speaker 1:

That is one of the most impressive compromises that we've ever seen, right, that we'll know about in the public eye and even, just, you know, with the recent bombings in Iran.

Speaker 1:

Right, I'm sure that we'll, you know, hear more details about it in like 15 years, right, when some people, you know, that were tied to it probably, like, pass away or whatnot. But just thinking about the logistics that go into it. I had on someone a few weeks ago from the CIA that specialized in WMDs and, you know, monitoring them and tracking them throughout the world and whatnot, and he was talking about the precision that these pilots had to have with dropping those bombs. And if you look at the satellite images, there's one hole. Right, that means that those pilots literally dropped multiple bombs into the same exact hole to make sure, because they knew that those bombs are only going to go down so far, right, so they hit that target. Well, maybe the facility is below that. Well, they just kept on dropping them, you know, and that alone, to know where to drop it, to know, you know, the infrastructure inside and everything like that, the logistics behind it is so impressive. It's not like anything that we've seen before or even dreamt of, you know, decades prior.

Speaker 2:

No, and I think with that high-tech stuff, I think zero trust architecture and solutions that kind of incorporate that in for the enterprises by default are going to be really, really stressful. You know, it's just again the level of sophistication. As we get more sophisticated, the attackers get sophisticated, and me personally, on my journey through cybersecurity, coming from product and engineering, I've always wanted, the first thing I do is I look at the architecture. How can I design problems out? Because I know we're going into. We have one of our marketing people that coined the MFA apocalypse. But as we get ready for this AI onslaught, you know, it's battening down the hatches.

Speaker 2:

Look at your legacy ecosystem and the gaps there. There are solutions out there that can close those gaps and move it from detection to prevention, because you do not want to be in a position where you can't focus your resources away from the legacies. I've just buttoned that up. Get a solution that works, it's secure by design, it is privacy by design, compliant by design. I mean, just out of the box, secure defaults, and focus on the new threats. I mean, the last thing you want to do is be looking over your shoulder saying, hey, did I really close the back door? Because there's stuff coming, right.

Speaker 1:

Yeah, that's a great point. Well, bob, you know, unfortunately we're at the top of our time here. It was a fantastic conversation, you know like we went down so many rabbit holes. It's always great having these sorts of conversations with you know, people of your caliber and experts in the field. Yeah, absolutely. Well, you know, before I let you go, how about you tell my audience you know where they can find you if they want to connect with you and reach out, or where they can find Beyond Identity?

Speaker 2:

Sure, first and foremost, beyondidentity.com. beyondidentity.com, you can go to our website. You can also go to our Beyond Identity slash podcast and you'll see a lot of the latest stuff and hopefully this will be up there pretty soon. And then we're all going to be at Black Hat, so we have a huge presence at Black Hat. So anybody who's going to be there, they should reach out to us and we look forward to seeing you. Awesome.

Speaker 1:

Well, thanks, Bob, and thanks everyone for watching. I really hope that you enjoyed this episode. I know I did.

Speaker 2:

It's a great service, Joe.

Speaker 1:

Yeah, yeah, absolutely Well, thanks everyone, I'll stay tuned with the next one.

Speaker 2:

Hey, one last thing, Joe.
