Security Unfiltered
The FUTURE of Device Authentication is Here NOW
We explore why most breaches are identity failures and how to flip the model with hardware-backed, device-bound credentials that never move. Jason shares global threat trends, startup lessons, and a blueprint for preventing credential theft across people, agents, and machines.
• life on the road, burnout signals and recovery
• global threats to critical infrastructure and state actor pressure
• startup culture, expectations and keeping teams healthy
• Jason’s path through engineering to entrepreneurship
• identity’s failure modes and why credentials are stolen
• asymmetric, hardware-bound authentication and device posture
• extending identity to agents, drones and satellites
• cyber-physical risk and why finance invests heavily
• identity as the universal control plane in cloud
• practical steps to prevent session hijack and MFA fatigue
Connect with Jason: “Hit me up on LinkedIn… our website, beyondidentity.com… even X”
Interviews with Tech Leaders and insights on the latest emerging technology trends.
SPEAKER_00:How's it going, Jason? It's great to get you on the podcast finally. I think we've been talking about doing this thing for a couple months at this point. And you know, it I I felt so bad. I think I had to reschedule like three times on you. But I'm really glad to finally get you on. No worries.
SPEAKER_01:Glad to be here. And it has been a bit of a crazy summer, so it's no big deal.
SPEAKER_00:Yeah, it's it's been such a crazy year, just just overall. You know, like I feel like because so I have a two and a half year old and I have a six month old. And I I feel like once you get into a rhythm with one, right? The second one comes, it's like this changes like my entire schedule and everything is just jacked up, you know, and you know, there's so many nights that you can go with no sleep. It's just, you know, that's what you're doing. It's crazy.
SPEAKER_01:Yeah. Yeah. No, this year definitely feels like if you blink, you'll miss it. Yeah, it feels like it just flew by. Yeah. 25, if it's uh like it's a don't get me wrong, it's been a good year, but I like this is the year where I think I re-qualified for 1K by March. And the lat like this week is an amazing week for me because it's like one week where I get to be home. The previous six weeks, it was like two weeks across Europe, a week in Japan, two weeks across the US, a week in Mexico. And I've only ever gotten like a week or two off between these six week tours. So, like, yeah, this this this year is this year is like the scale testing year.
SPEAKER_00:Wow, that that is that's fascinating. So, like, what are you doing, you know, on these tours? Are you are you giving talks or what does that look like?
SPEAKER_01:It's a little bit of everything, but we started so our business started to evolve over the last 12, 12 to 18 months where we started getting a lot more inbound from large organizations, specifically critical infrastructure, ministries of defense, departments of defense, governments. And the gist of it was it it really boy, it's actually pretty simple, right? It boils down to at the end of the day, most security incidents are identity problems. And, you know, for all sorts of reasons we get into later, like identity truly is the future of security, like solving things properly, not just like putting the fires out quickly, but like preventing forced fires. And uh, and so yeah, the business has has changed a bit, and it's a combination of talks and like prospect and customer visits. But, you know, in Europe, it's a combination of kind of cybercrime as well as kind of active, uh more active, uh, call it gray warfare, right? So, like with the war, with the Russian war in Ukraine, there is a lot going on in Europe around kind of sabotage operations, cyber operations that kind of blend into the physical. And so we're seeing a lot of critical infrastructure get serious about kind of plugging their holes. And it's very kind of state actor driven. Similar thing in Asia. We're seeing a lot more uh adventurous exercises being carried out by uh various Chinese threat actors. And it's usually again, it's against the usual suspects, right? Like uh US and American allies. And uh and so as a byproduct, we're seeing again critical infrastructure, everything from like energy production to transportation to finance really getting serious about kind of plugging some of these holes. But the other inter the you know, the other thing that just to remind everyone, you know, you said this would be like a conversation at a bar. The first thing that usually someone says after you mention all the travel is like, man, that sounds glamorous. That sounds awesome. 
You get to see all these places. And, you know, it on one hand, it it is a privilege to be able to visit these places, but what you get to see is usually from the Uber ride. And uh, you know, if you're lucky, and I have gotten a little bit better at this, you know, you can you can maybe budget an hour a day just to keep exercising and like not go insane, but it's exhausting. And uh yeah, six weeks of that and my my fit my fitness app was basically I was using it to actually track the residual heart rate, like my resting heart rate, you can literally see it change dramatically in the first four days after that six-week trip when I was home. And you can also see it in like my sleep time. So like the first four nights I sleep for 10 to 12 hours and my heart rate, my resting heart rate's actually pretty high. And then by day five, it's like back to six to seven hours. The resting heart rate is like down to where it should be in like the 50s and sixties. And yeah, it's exhausting.
SPEAKER_00:Yeah, yeah. I'm I'm also a bit of a health data nerd with my own trackers and whatnot. And I notice that too, like when I travel, even if it's a place that I've been, you know, 10 times, like if I go to Vegas, you know, and I'm staying in the same hotel that I always stay in, right? Like, still, you know, those first like three, four nights, sometimes just the entire trip, is just complete garbage sleep, whether I drink or not, you know, like it's irrespective of that, whether I go to sleep at a normal time for me or not, like it's terrible. And I always come back and I'm just so exhausted, it takes me like two, three days to recover. Same thing when I go overseas or anything like that. I try to, I mean, this is just me, right? But when I when I go like somewhere new for work, I try to take you know a couple days, couple days extra, and just go and you know, see around and sightseeing and whatnot. I was going to go to Japan one time for work, and I told my boss like straight up, I was like, all right, well, I'm taking two weeks vacation after my week of work in Japan. Like, I'm telling you that right now. Can you just book my flight to come home on this date? You know, and like they were totally fine doing it, right? Because I one, I have the time, and two, it's like you go that far. It's like, man, I don't want to make another 20-hour flight to come out here and see everything again that I should have seen the first time.
SPEAKER_01:Yeah. On on one hand, what is it, boom aerospace, they can't get here fast enough, right? It does take forever to get places. Yeah, actually, you know what, that's kind of the lure that we use. So we have a we have an overseas engineering office as well. And it's distributed teams are always difficult, right? And to like, how do you promote the mixing of your engineers between offices or at least locations? And that was essentially the the the right that we would always offer is like, look, if you're willing to go for at least three weeks and work out of this office for three weeks, I'll pay for your spouse to go with you. Like that kind of stuff, right? Yeah. And that actually worked really well for us at my previous company. We haven't quite done it that way here just because when we were building out COVID was happening and it wasn't eat that wasn't even possible. But I mean, we'd support the same thing here too. It's just we're we're a little bit uh further built along.
SPEAKER_00:Yeah. Yeah, no, that's a that's a fantastic perk. It's always nice to see when leadership is is taking care of their employees, you know, and actually like caring about their own lives outside of work and whatnot. Like that it's always refreshing to see that because you don't always see that. You'll see it with like your direct manager, you know, sometimes, but to see it up the chain really speaks volumes to the company's cultural role.
SPEAKER_01:Yeah. Well, I mean, I I think I think a lot of companies actually do do care. It's just things do get lost in the moment, right? And uh like it's uh like startups are such a unique thing, right? Like at the end of the day, a startup is not a normal job. It's not for everybody. It's really, really hard. And uh, you know, it it is a marathon, it's not a race, and like but it but it's not a singular race either, right? Like the team has to finish. And so there is a lot of give and take, right? Like you're gonna spend more time with your colleagues in a startup than you are your spouse. So there does have to be, there does have to be like friendship, there does have to be relationships, there does have to be mutual respect and that sort of thing. You know, I'd say the the the tricky thing in startups is actually mismanaging that expectation, right? Like when you get people, good people, but like they're not down for that style of mission, it can it can kind of you know breed conflict and and whatnot that can kind of come off as as as various things there. Like we ran into that early on in our in our history. But but but yeah, for where we are right now, like you look at it, like we need the full team, right? We're only a hundred people. We're trying to compete with organizations that have 5,000 plus people. We need everything out of everybody. And you know, if you burn people out, then then like you're you're you're you're lopping off an arm or lopping off a leg. So you've got to find ways of making it work, you've got to find ways of making it fun. You've got to actually like the people you work with. Otherwise, why do it?
SPEAKER_00:Yeah, no, it it's fascinating. Well, you know, Jason, we kind of just dove right in, right, with giving your background or anything like that. So why don't we why don't we dial it back, you know, a couple couple years, right? And talk to us about you know how you got into into IT, how you got into security, what piqued your interest to get into the industry, and you know, maybe even like what made you want to go and like become an entrepreneur and do startups and get into companies at that at that level.
SPEAKER_01:So it's more than a couple years. Back to the whole time flies faster than you can imagine. But you know, I was I was I was fortunate enough to where I grew up in a house of engineers. We everybody always worked on stuff, right? Like my dad would would wouldn't would refuse to buy stuff around the house, he would build it, right? Like whether it was bookshelves or cabinets or whatnot, to working on the car, you know, he wouldn't uh bring it to the shop to get serviced, he would do a lot of it himself, at least early on. And uh, you know, I guess by osm osmosis or adjacency, like even though I ruined my toys, I tended to like, you know, a lot of kids did this, right? You took your toys apart, try and figure out how it worked. And you're like, you're you're you're pulling capacitors and resistors and inductors off a circuit board thinking, you know, you're a Doogie Howser doing surgery. And the reality is you're just breaking your toy. But I don't know, for as long as I can remember, I've always been interested in tinkering and engineering, right? And like taking apart electronics and building Legos was the thing. And when I got into you know junior high and high school, I was able and fortunate to actually get into these like robotics competitions where you got to build a thing that really did move and go and do stuff. And um I had learned how to write software mostly as a hack to go through my math homework faster. But then I started realizing that like, hey, this is more than just for hacking out your your math software or your math homework. You can actually get your software to run on this processor and control this robot and make it do X and Y instead of like, you know, the the baby circuits, right? Where you have like a photo resistor and as the the light shines stronger, it gets more current, which means it steers a little bit more to the right than to the left, that kind of stuff. 
So, you know, I would say tinkering and building stuff was uh was a kind of an early childhood thing. Going from there to IT was pretty natural, right? Like you build you build and tinker with stuff, you play games, you wonder how it works. You know, this was we had the internet, but it was cooler to actually get your modem to call your friend's modem, establish a PPP link between your two computers, and then you could really dogfight with the with the combat simulator, right? So like that kind of stuff is pretty much what I was doing in my teenage years. And uh the entrepreneurial bit was more of necessity, right? Like you get to college, you you think you're rich because you've saved all the money you've earned in your high school job, you got like two whole thousand dollars, and you're like, this is gonna last, you know, I'm not gonna have to I'm just gonna be able to enjoy this, I'm gonna be able to go to a party from time to time. And long of it, you know, that doesn't get you very far at all. And I had to get a job, and I I found a job actually writing software. And obviously I was very, very young at the time, but because I had a lot of experience writing basically math in C or implementing certain types of math functions in C, I got hired as a research assistant. Uh it's for like a geoscience sort of company. And I don't know, I think that gave me the idea that like, you know, you don't procedure and protocol and decorum are what society suggests you ought to have, but if you just want to do something, you can. And from there, two years later, I joined an actual startup in Austin, Texas. And uh as an engineer, and again, I was super young for what they were asking me to do, but I happened to be in the right place at the right time and I had experience. And uh, you know, I loved it, right? At the startup, they gave you I like food, right? And I like a good buffet. And a startup felt like showing up at the best buffet ever, right? 
Like there's miles and miles of all of these cool, interesting problems. And, you know, there's only three people to help you eat your way through the buffet. So no one's gonna get angry, no one's gonna get possessive, no one's gonna get territorial. If you want to eat anything, they're gonna help and they're gonna say, knock yourself out. But if you start, you gotta finish. And I don't know, I love that about a startup. Like you could, there was no problem you couldn't work on as long as you're willing to own the outcomes. The the learning aspect of it too, right? Like in a in a startup, you can't afford to hire experts and all the verticals that touch whatever problem you're on. You have to figure it out. And for me, and you know, well, there's a lot of people that are this way, like the joy of figuring something out is kind of like a drug, right? Almost so to where you have to be a little bit careful, right? Because the startup is there to to build a business and to make money and return stuff to the shareholders, not just for learning stuff. But you know, I I I fell in I fell into startups and entrepreneurship out of necessity. I needed, I needed money and they needed someone with my background at the time, but but it quickly became what I've been doing for 20 some odd years because it's it's it's one of those places where ultimately you kind of have complete freedom.
SPEAKER_00:Yeah. Yeah, that is it's fascinating how you describe it like that because it's it's so true. And I started my career at startups, and it was an interesting experience, you know, because at the startup I was doing a little bit of everything, you know, like application engineering, doing, you know, customer related work, help desk, you know, just just about everything. And I wanted to get into cybersecurity, and so I kind of took over the you know vulnerability management program of this startup for our solution, you know, like and that was exactly what you said was exactly what my VP told me. He goes, once you start it, you gotta own it through and through. Like there's no going back, and you know, me not knowing what that is, young 20-something-year-old kid, right? I got into it and luckily I enjoyed it, you know. But that that was the mentality, and then from there I went to like really large companies, and it's a totally different mentality. I mean, there's people there for 30 years, and they're there for a reason for 30 years. You know, you can literally just fly under the radar, do the bare minimum, get your paycheck, you know, and not really learn anything new. Like it's possible in those environments. And for me, that's like the complete opposite of who I am. You know, like I didn't start this podcast out of comfortabil comfortability of talking to people, right? I kind of started it because it's kind of pushed me outside of my box every time I do it, you know, and makes me better, it makes me different, right? In startups, now I'm now I'm finally back at a startup. And I, you know, I basically own my entire vertical. And the CEO is just like, however, you want to run your side of the business is how you want to run it. If it succeeds, it's on you. If it fails, it's on you. Like it's up to you to make to make this thing work. 
We believe in you, you know, and it it's all about leveraging, you know, other team members and their skills and getting their feedback and what worked, what didn't work, and you know, implementing it in the into my side of the house, right? It's it's a totally different feel. And I always go back, you know, you don't always have to be the number one guy, the CEO of a company, the founder of a company to be, you know, successful financially, right? Like you look at like Steve Ballmer or or this the CEO of Microsoft, right? I mean, they they were what the number five guy in the hierarchy for for years. I mean, Steve Steve was a janitor for a while in the beginning. Like he did everything, you know, he discusses it very openly. So it just shows you, you know, you can you can still come out all right and be, you know, the 10th or the 15th guy in line to the to the CEO when you believe in a mission and you know see it through.
SPEAKER_01:You know, one of those stories that I heard early in my career that that that kind of cemented itself similar to that was this was the late 90s, there was a company called Level 3 Communications. They're still around, you know them today as CenturyLink. But their innovation at the time was just realizing that, like, hey, the internet's gonna change everything, right? And everybody's gonna get connected to the internet, and so we're gonna need fast connections. And the fast basically means fiber, means means lasers, now these things called this technology that was basically uh wave division multiplexing and dense wave division multiplexing. Basically, in one fiber, you can actually have more than one signal, you just shift the different signals by essentially the wavelength. And what Level 3 realized was hey, this technology is gonna evolve pretty much every two years. But it would be a mechanical engineering nightmare to try and entrench new stuff every two years across the continental US. And so they came up with this system that is kind of like the revolver magazine, the magazine of a revolver. And so what they what they they laid this conduit across the US. And they they came up with a couple of interesting things, right? One was this train car that basically had this big arm that would lay the conduit on the side of the rails. So that's kind of how they did it in a mechanical fast way. But the second part that I found more ingenious was the conduit had this revolver magazine-like structure, right? Like imagine like five or six hollow tubes. And what they could do is they had these flanges that they would mount to fiber and they would all they would be able to just blow with air pressure the new, whatever the new fiber technology is down the latest chute. And so like two chutes were always active, two chutes were being being decommissioned, and two chutes were always being developed. 
And they didn't have to retrench, they didn't have to rerun rail. It was literally just like they figured out that 90% of their architecture could be fixed and 10% could be modular. So like that was one of the things that stuck with me. But the the the thing that was related to your story was the the receptionists made like almost $2 million at the IPO of that. And I and I thought if the receptionists can become successful, everyone at the company can be successful. And they were they were like, I don't know, five, eight hundred people at this point. It wasn't even like a 10-person job. So so yeah, if you know, not all startups get these sorts of outcomes, but if you do it right, it can it can work for everybody.
SPEAKER_00:Yeah. Yeah, it's a really good point. Well, you know, what what is what's the problem that beyond identity is solving? What what what what was the problem in the marketplace that you guys identified, you know, as an issue? Because I've worked with identity, I've worked in IAM, that's kind of where I cut my teeth for you know security. And it's very easy for it to become a mess. A lot of the times it's a mess, regardless, you know? Yeah.
SPEAKER_01:So we looked at it in a couple different ways. But so my previous company or my my previous role, I was a CTO of a company called SecurityScorecard. And we we had a ton of data and research uh through collaborations with our partners on breached companies. And we had all the data analysis of what correlates, so not cause, but what correlates generally, right? What data signals and behavioral signals correlate to breach? And what was striking was three or four signals were incredibly strong in their correlation. And then everything else was kind of close to zero, right? And those signals were all about the identity system. How are passwords managed? Is the endpoint how are passwords managed? Is 2FA present? And then the third one, which I'll argue is related, but may seem a little bit different, is do they have an endpoint patching program in place? Endpoint hardening and patching. And, you know, we looked at so so that's kind of an interesting thing, right? Like if I take a step back and then I just think about it, right? No matter the organization, no matter if you're an employee or contractor or custom or even a customer, and no matter if you're working on a managed device or an unmanaged device, you're gonna cross the identity bridge to get to any service or data. So number one, identity is like the structural high ground. It sees everything by definition, right? So that's kind of one observation. Number two, it's the strong mishandling of it is the strongest correlate of breach. And and and you know, since we got started, this has been proven out as well by like Mandiant and CrowdStrike and Verizon, uh, where they track security incidents. 80 plus percent of all security incidents are identity failures, right? So this is kind of like the topical observation. But like, what about 50,000 foot? Like what's gone on a little deeper? Well, a little bit deeper, it's not hard to reason about that. 
Identity historically is not a security function, it's a productivity function. It's IT. If I run identity, I'm judged by getting you to work fast, not necessarily judged for security outcomes. We hired some security folks for that, right? Like, blame them. And so the incentives aren't necessarily there, I would argue, for identity companies to be security companies, historically. But then when we get into the technicalities of it, right, that's where things become really, really interesting. The most common technique that an adversary will use to compromise an identity system is a variation of credential theft. I can steal the credential from you, I can steal the credential from somewhere that you've used it, I can steal the credential from a third-party ecosystem that you don't realize kind of handles your credential in one way, shape, or form, right? And there's there's probably 20 different enumerations of this. Fundamentally, I steal your credential, I bypass the MFA, or I push bomb MFA, or I man in the middle MFA, and then I hijack the session at the end of it, right? I copy the cookie out, I copy the access token out, I copy the bearer token out. So in all of those statements, there's a symmetric credential that can move. So that's kind of interesting. We think of now, now let's let's think about computer science. Like, like let's take ourselves back to like teenage years. What does that mean, a credential that can move? Well, it means it's in memory. It means I copy it from my memory to someone else's memory. And now let's think about a traditional connection between your browser and some service, maybe ChatGPT. Does TLS guarantee the protection of that credential that you're moving back and forth? We all kind of assume yes, but it actually doesn't. There is no end-to-end TLS anymore. And there maybe never was. If you're in a big enterprise, Palo or F5 or Zscaler is terminating that TLS before it even leaves your enterprise, right? 
Then it goes to Akamai or Cloudflare or Amazon CloudFront, right, for content distribution. Then it probably goes through an application load balancer layer in how the service is distributing itself across regions and zones. And then if your engineers are doing what's new and exciting, they've deployed a Kubernetes cluster, which means you go through a service mesh, which again re-terminates your TLS connection, right? So you're probably not managing any of these. They're probably all third-party managed. So now the footprint of where your credential lives is like three or four third parties that you have no ability to track that represents credential theft. They can basically represent insider threat as well as uh exploitation. So again, this is just one example of like why are credentials so easy to steal. But our insight was, well, what if a credential didn't have to move? What if we could move from symmetric credentials to asymmetric credentials, right? And asymmetric cryptography for signatures is clearly an old technology. It's been around, people know how to do that. But what if we could take it one step further? What if we could guarantee the signing key cannot move? And the observation one of our engineers made early on was like, hey, HSMs can do that, and HSMs exist in servers, but they're expensive. But wait a minute. I think because of mobile payments, things have changed. And it turns out, yes, because of how the mobile payments industry drove a change in the chip manufacturing industry, you almost cannot buy modern electronics today that does not have a version of an HSM in it. Your phone has an HSM, your laptop has an HSM, that drone that you bought that you're flying around your your yard, it has an HSM, right? So if these HSMs exist everywhere, then what if we move primary authentication to be asymmetric where the private key can't move? If it can't move, that surface area that I described a minute ago shrinks to a single point. 
Um credential theft doesn't work, stuffing doesn't work, guessing doesn't work. If I'm on the device you're working from, it's actually rather trivial to then start detecting things like man in the middle, man in the browser, attacker in the middle, that sort of thing. And then that third comment, remember endpoint patching, endpoint hardening, that sort of thing? Well, when you get on an airplane, it's not enough for you to be the right person on the ticket. You also need to make sure you have no guns, no knives, no bombs, right? You have to be safe enough for the environment you're asking for. Again, if we're managing the credential on the device you're actually working from, then it's rather trivial for us as part of authentication to also comment on the safety of this device relative to the service it's asking for. We can basically check the posture and say, hey, this device is hardened. This device does have the security controls you would expect relative to what it's asking for. That could be attested and kind of sealed over. And that is kind of the essence of what we do, the foundations. We plug into your existing identity stack, we don't displace it, and we transform how authentication works in your organization to where there is no movement of credentials. So there is nothing to steal. And you cannot man in the middle of the connection because we can detect it. And every authentication, whether it's the initial access attempt or re-authorization for continuous auth, always checks the full posture of the device. And, you know, we started off doing that for workers, employees, contractors. The typical movement early for us was a customer would have a contractor audience, contract software developers, contract marketing, contract PR, executives with exemptions for personal devices, but they had to maintain compliance. 
They had to be able to show that even though these folks were working on their data that it was still secure, the controls they expect were still present. And so we could do that simply. Where we've now moved into is because of how we built our authentication technology and how it's kind of universal. Our authenticator works on Linux. And because it works on Linux, it's actually rather trivial to make it work on this drone. And if I have a bunch of drones flying around and I want to know what drone is mine versus someone else's, I can just zap it with an 802.1X challenge and I can get back a full attestation from our authenticator. You can run it on a humanoid robot and get get identity. You can actually run it on a server-based agent and start solving some of the agent identity problems that are coming up. So it's it really foundationally it's about attacking the primary security vulnerability, which is identity, which is credentials that move and lack of understanding of the device, the credentials are bound to. But I I probably talked for too long.
SPEAKER_00:No, it's it's fascinating that like my PhD is actually like I'm researching essentially the exact same thing with encryption keys on satellites. Okay, cool, cool, cool. Yeah. There's a big issue, right, where there's just no real way to secure satellites for the future. Right. As soon as they leave the ground, you have you know a 10 to 15 minute window to connect with it, patch it, test it, make sure that it's still working, and then it you know rotates around. And yeah, you can you can switch uh ground stations and whatnot, but it becomes very tedious and it's difficult. It's really hard. And you know, a lot of the satellite people that I was talking to, they said, Oh, yeah, you know, what you're trying to do probably isn't gonna work, it's gonna be too delayed and whatnot. And uh, I mean, my my theory was, well, can't we just throw it in an HSM, put the keys there, authenticate the keys on an interval, you know, when we need to communicate throughout the network and then call that zero trust? Like, doesn't that meet the requirements for zero trust? And if it meets those requirements, can it use you know post-quantum encryption to communicate off of? And all like now, everyone that I'm talking to, the people that are like actually in the post-quantum encryption world and you know, the satellites and everything else, they're saying like, but yeah, that's totally doable. That's like totally possible. It's it's fascinating because like for two years, yeah, for two years, I was literally thinking, man, is this thing even gonna work? You know, and but it's fascinating to hear you explain it because that's literally what I'm gonna be doing with encryption keys, just utilizing the HSM module that's already on there. Yeah.
SPEAKER_01: So, funny thing there. If you've got a TPM, the TPM is basically the gold standard. The downside with the TPM, and I'm gonna forget the precise numbers, is that it's very limited in bitrate. So I think the max bitrate you're gonna push through a TPM is, I don't remember, like 8 meg or 40 meg or something like that, but it's pretty low. With that said, it's fast enough for you to use it to generate short ephemeral session keys and then every now and then do the stronger attestation. So there's a lot of things you can do with the TPM, but then TrustZone gives you a lot. You're probably working on ARM, right? In that environment, ARM-based Linux. I may know a little bit about this because of some of our newest customers.
SPEAKER_00: Yeah, no, that's fascinating. It's interesting. I want to get your opinion on it, right? Because I remember in the first startup that I was a part of, I ran the DOD, the federal contracts that we had. And I was talking to my sales guy at the time. I asked him, well, how did we even get into doing government contracts and whatnot? And he literally said it took four years to get the first one. And once you got the first one, we got like 12 others in the same year, right? Because it's all about the circle of trust. So if you get into the circle of trust, everyone goes to you for that same thing. But if you can't get into one place, basically no one trusts you.
SPEAKER_01: Very much an all or nothing. And it works like that with mission partners too, right? So when you go over and you want to talk to MOD over in the UK or whatnot, usually the first question they ask is, who in the US DOD are you already working with, right? But let's zoom out. At the end of the day, no one truly has enough time to do all the diligence that you would truly need to do to know everything on your own, right? So reputation via peers that you trust is how the world works, and it is a major influence point in decision making. I know I do that in some of the decisions that I make, right? If I don't really have time to think through everything, which is very often, it's like, well, who do I know that I actually trust for that area? So it makes sense.
SPEAKER_00: Yeah. Yeah, no, it's a great way to do it too. And that's why I always tell people to really build up their network. Don't take it for granted, actually engage with people and build it up, right? Because you never know when an interesting opportunity is gonna come along and you need to reach out to someone and say, hey, is this a real thing? Does it work like this? All that sort of stuff. Kind of have a candid conversation with someone. I've had that so many times, even with the podcast, right? I had one of my first sponsors, they reached out to me, they were asking for some forums, and I reached out to my business slash podcast mentor, and I was like, hey, what are they asking for? He goes, hey man, it means that you're doing good. You need to provide them this. I just couldn't figure it out. It's fascinating how that works.
SPEAKER_01: Yeah, no, a lot of opportunity is serendipitous. I ended up doing my PhD because of serendipity, right? Right place, right time, met the right person. I ended up working for General Keith Alexander through serendipity, right? Former director of the NSA. I actually ended up meeting Jim Clark through serendipity here at Beyond Identity. You need to be good at what you do, and hard work matters, but luck does play a role.
SPEAKER_00: Yeah. That's fascinating. There were a couple of times where... I mean, you might be the fifth person that I've talked to that knows Keith Alexander, and I'm looking for ways to bring him on. I'd love to have a conversation with him and just pick his brain for an hour. The things that he has seen and has knowledge of, it's just a different world. It's totally different, and it's so fascinating to me.
SPEAKER_01: Think about it, right? The dual-hatted director of NSA and Cyber Command from 2004 to 2014, when the world literally transitioned from pure cyber espionage to actual cyber-physical attack, and all of the world events that happened in that time frame as well. It's a pretty interesting period in history.
SPEAKER_00: I mean, yeah, as it is today, but that time frame really changed everything with cybersecurity forever. I read the book on Stuxnet. It's Zero Day, right? By Kim Zader. Kim Zetter. And they mentioned in the book that cybersecurity and malware and worms, that whole world of malware, never really crossed over into the physical realm until someone put together a piece of malware that made a generator operate at an RPM that it wasn't supposed to be operating at, and then it exploded over at Idaho National Laboratory, right? And there was some general there that was watching it. I don't know if it was Keith Alexander; it was someone important watching it, and it was like a light bulb that came on in their head. It was like, oh, this has real-world implications. That was the first time that they ever really tested it out. And then you fast forward probably 10 years, right? And we saw it again with Ukraine's power grid when Russia first invaded, right? The very first thing that they did was take over those computers, and they were operating the mouse and going through everything, shutting things down, and they had no clue what was happening. Luckily, because of how their power grid is, they're used to manually operating it, but God forbid that happens in America. There's no chance that we would be able to efficiently and effectively start manually operating the power grid because our digital systems were taken over.
SPEAKER_01: When you think about cyber-physical, it's pretty interesting, right? We've lived with denial of service for a long time, right? Denial of service attacks, bot attacks. But imagine a denial of service that's more of a physical, a cyber-physical denial of service, right? If I've got bots, but my bots were light bulbs or my bots were smart devices, right? Smart toilets. If I flushed all the smart toilets of New York in one moment in time, could I actually physically stress the sewer system? I actually don't know the answer to that question. However, if I could turn on a current draw on a bunch of smart devices at the same time, I do know that I could break fuses, right? And junction points. And then there's a question of how long does it take to replace those? What does the manufacturing pipeline even look like? So, I mean, the good news is we are taking these sorts of things seriously now, right? But the bad news, I guess, is just the asymmetry of cyber operations: in a highly connected modern economy, everything is up for remote control, right?
SPEAKER_00: Yeah. Yeah, everything is up for the taking. I feel like people don't really understand that, and even when you go to... I spent a long time in internal security teams for companies. And it seems like the only industry that fully understands it and doesn't care how much money they have to throw at the problem is the banking industry. Yeah, I was about to say finance. Yeah, not even the private investment firms; they're still trying to cut costs as much as they can and be as cost efficient as possible. I was talking to some people at Bank of America because they were looking to bring me on maybe a year ago. And I was asking what the budget was for cloud security. And they were like, you don't ever have to worry about what the budget is. And I said, well, why? And he said, the budget this year is $1.5 billion for cloud security. It's like there's literally no cost that we even blink at. And it makes sense, because they understand: if Bank of America, if JP Morgan Chase get breached, I mean, they have everything. They have your mortgage, they have your social security number, they have your address, your phone numbers, they have your entire identity history, right? Because how often do you change banks? I mean, I changed banks once 15 years ago, and I haven't even considered changing one time since then.
SPEAKER_01: Well, they're also, beyond just consumer banking, right? They underwrite the transactions that drive the entire economy.
SPEAKER_00: Right.
SPEAKER_01: So, with that, the thing that's really easy to forget is that the size of the economy is not based on raw dollar value. It's based on the velocity of money and transactions itself. So slowing things down is actually harmful. Right. Yeah.
SPEAKER_00: No, it makes a lot of sense. I mean, there's a reason why people don't go and buy things with gold, you know. You still have to convert that gold; it has value, but you still gotta go and convert it to dollars, and you're probably not gonna pay for it with cash. Those dollars go into a bank account. It makes things a whole lot more streamlined. I'm not gonna go to some online web store and try to give them a gold coin. That thing doesn't even exist in the real world, you know? It's a digital store. But that's a really good point, that it's more about the high-speed frequency of the money that's actually changing hands rather than the physical dollar itself. I never thought about it like that. I think I've heard it before for sure, I just didn't think about it like that.
SPEAKER_01: You've definitely heard it. If you've ever taken an economics class, they call it money velocity. But if you're not in that space, it's easy to forget, right?
SPEAKER_00: Yeah. Yeah. I mean, I actually took economics and I was one class away from getting my minor in it when I was doing my bachelor's. I'm still kind of frustrated that I didn't get that minor, because I was literally one class away. But it was really fascinating to me. I don't know, something with numbers, right? I feel like if I had to do my bachelor's over again, it would be in math, honestly. Because it wasn't necessarily the easiest for me, but there's something with math that's very elegant, where you can go forwards and backwards with it. You could start in the middle and go to the end, you could start in the middle and go to the beginning again, if you really understand how everything is working together. And when I grasped that in my mind, it just opened the door completely in a new way to me: this is really interesting, you know. And if I had to go back and do it again, I totally would get my degree in math and I'd probably be in cryptography now.
SPEAKER_01: Yeah, well, I mean, math underwrites everything we do. It's useful and valuable to know.
SPEAKER_00: Yeah, absolutely. So, where do you see the identity space going? I mean, it sounds like Beyond Identity is already operating in kind of that futuristic area of IAM overall. Where do you see it going from here?
SPEAKER_01: So I really do think the future of security is identity. And I think it's borne out at the 50,000-foot level, it's borne out in the gross statistics: most security incidents are identity failures. I think they're actually preventable, right? Most of the industry is focused on detection and response. But now that everybody's got an HSM in their pocket or on their device or on their drone, we can actually prevent some of these forest fires from ever happening in the first place, right? Which means it's cheaper, it's faster, it's better, we get better outcomes, we can shift and work on a new set of problems. This doesn't change just because the computing platform changes. So the way you solve it for a human is actually not unlike the way you solve it for a drone or for an agent. For instance, I want to know what agent is running on what machine with what posture, and I want to know what model it's running. And traditionally we might think of a user as what user on what machine with what posture. And for the user, we'd think about what factor do they possess? What are they, right? Like a biometric. Or what do they know, like a knowledge PIN. How do we do that with an agent? Well, agents are programs, and you can think of programs as being biometric. A program is a running process that's loaded from an actual file. That file is traditionally signed by the OEM that gave it to you. You can actually run those comparisons. You can decide if you trust the loader, you can trace the process through the loader back to the EXE. All of this can become part of a quasi-checksum for even unlocking the HSM key that proves the identity for that particular agent. There are ways of doing device-bound, hardware-backed, multi-factor agent authentication that are actually almost the same way that you buy a cup of coffee with Apple Pay or Google Pay.
So I think where we're going in security is that identity is going to play a deeper and bigger role. Identity is the only thing that sees everything. And I think the explosion you're seeing in agents right now is going to prove that out even more. The easiest way of understanding what your people are doing with identity, what services they're plugging into their agents, where they may even be exposing data leakage, is actually the identity system, right? Because the identity system can offer trusted MCP servers, trusted data servers, trusted vector DBs to the agents. They can offer trusted models or vetted models to the workforce, right? To make sure that you're helping the workforce as opposed to impeding the workforce. So yeah, I think the future of security really is identity. And I think these new platforms, whether it's drones, humanoid robots, or agents, are really just carrying the same old problems forward. And you've gotta reassess how you solve them. And changing the equation, moving from these symmetric credentials to immovable asymmetric credentials, is kind of the first step in that journey.
SPEAKER_00: Yeah, yeah. No, that's very true. I totally agree with everything you just said. The cloud kind of put it at the forefront, right? Where identity is now the perimeter of your security environment. It used to be that you could think of it as your firewall, but now everything's identity-based. If I want to get into your environment, it's literally a login screen. And hey, now I have access to your environment, right? I mean, was it the MGM hack or the Caesars hack? Wasn't it someone just calling up the help desk saying, hey, I'm locked out, can you reset my MFA and my password? Yeah. It was just a login. It wasn't, hey, I'm gonna go and probe their firewall to see what ports they have open, get in and redirect some stuff and whatnot. It was identity-based.
SPEAKER_01: You no longer have a network, right? You have the internet. So if you no longer have your network, if you only have the internet, then you've got to start thinking in control plane or overlay sorts of things, right? And the only natural overlay you have across your organization is identity. That's it. That really is it. Everything else is almost artificial, right? You could say, well, I'll construct a network overlay, I'll force everything to that network overlay so I have visibility. And you can do that. It won't work for everything. It'll be expensive and it'll give you network issues, but identity is already there. And if you're using an identity system that actually uses device-bound credentials from the device they're working from, right? Not pull out a second device, but from the device they're working from, you can also comment on the security of that device. You can comment on its control and data plane without actually having to carry the burden of its traffic.
SPEAKER_00: Yeah, this is a really fascinating area. And unfortunately, we're at the top of our time here, and I'm trying to be very conscious of the time that I set, right? I know everyone's so busy, and I'm probably, unfortunately, going to jump into more meetings after this. But Jason, I really do appreciate you taking the time to finally come on the podcast and talk about this. I would love to have you back on for sure, talking about new product evolutions and stuff that you see in the space. I think that would be great.
SPEAKER_01: Absolutely. Well, thanks for having me.
SPEAKER_00: Yeah, absolutely. Well, before I let you go, how about you tell my audience where they can connect with you if they wanted to, and where they could find your company if they wanted to learn more?
SPEAKER_01: Yeah. So I'm easy to reach. Hit me up on LinkedIn. Our website, beyondidentity.com, hosts and talks about almost everything that I've mentioned. Also, Claude and ChatGPT know a lot about us as well, so they can give you some context and point you at some of our materials. But yeah, hit me up on LinkedIn or even X.
SPEAKER_00: Awesome. Well, thanks everyone. I hope you enjoyed this episode.