A
You're listening to the Cyberwire Network powered by N2K.
B
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure, wired, wireless and cellular, in one integrated solution built for performance, resilience and scale. Go to meter.com CISOP today to learn more and book your demo. That's M-E-T-E-R.com CISOP. Four individuals: a British fashion designer, an American rap artist, a Filipino influencer and an old security guy. While there are many, many differences between these folks, there is one important similarity that is relevant to this discussion, and that is this: each of these individuals is named Kim Jones. With in-person interactions, the differences between these four Kim Jones would be obvious. It would be as difficult for Kim Jones the Filipino influencer to masquerade as Kim Jones the old security guy as it would be for me to impersonate the rapper Lil Kim online. Though any of these individuals could at least begin the process of accessing data that is restricted to my personal use by honestly and truthfully providing their names. This example illustrates one of the fundamental challenges with combating online fraud: establishing identity in a non-repudiable yet convenient manner. While we understand that merely a name is nowadays woefully insufficient in establishing online identity, adding both layers of complexity such as geolocation and authorizing financial transaction and additional factors for authentication have yet to stop the seemingly exponential advancement of fraudsters.
As we provide more data to organizations, it's theoretically possible to create a unique identity using seemingly innocuous non-regulated information. But this ignores another fundamental problem with establishing identity: capturing the identity information in a pseudo-physical or atomic fashion. Once identifying information is given and stored in some fashion, that identity becomes a de facto token, and tokens can be tampered with or stolen. If we wish to get a handle on fraud, then it's time for us to start re-examining how identity works and functions online. Rather than assuming that traditional models of identity are the only solution, we need to start exploring concepts such as making identity bidirectional, reinforcing or strengthening a session or transactional identity, and exploring the concept of secretless identity. I've written and spoken about these concepts before, all with the caveat that these concepts are by no means the only potential solutions to the problem. That said, it is clear that we need to move beyond rehashing or even complexifying old models of identity which fail to address the real needs of our data-driven world. My two cents. Welcome back to CISO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. Throughout this season we will be exploring some of the most pressing problems facing our industry today and discussing with experts how we can better address them. Today we're looking at fraud from a different angle than we did last episode. This time we're going to look at fraud from an identity perspective. Let's get into it. Richard Byrd is an internationally recognized expert on the topic of identity. Richard's goal, his push for our community rather, is to look beyond the traditional bounds and mechanisms of how we approach identity and explore innovative solutions to this topic.
I sat down with Richard to explore the concept of identity and how getting identity right might solve a plethora of challenges to include fraud within cybersecurity. A quick note that the opinions expressed by Richard in this segment are personal and should not be interpreted as representing the opinions of any organization that Richard has worked for, past or present. Richard, it is really great to see you man. We don't get to see one another that often.
A
Yeah, it is great to be having the opportunity to catch up with you.
B
I would suspect that most of my audience, if not knows you, knows of you. But I don't want to be presumptive so take a couple minutes and tell my audience about Richard Byrd.
A
Yeah, it's always so weird. People are always like, well, you've got imposter syndrome. That's why you struggle to talk about yourself. And I'm like, no. What's weird is where my career has gone over the last three decades. Most folks have heard this story. Twenty-plus years in the corporate side. Had this great opportunity to work first in IT operations when I came into technology. Also a big advocate for non-traditional technologists. I was a liberal arts major that got out of the army and been doing construction project management. One day some guy said, if you can manage a construction project, you can manage a mainframe migration. Let's hope those opportunities continue to persist as the world changes. There was tequila involved, but only a little. Only a little, only a little. But I made an unexpected transition into security halfway through that career and ended up accidentally, truthfully, being the global head of identity for JPMorgan Chase's consumer businesses. And that led to a CISO role. So I've done both CIO and CISO, and I realized that I wanted to do something different and left and moved into the startup world. And that's really where people know me from, is that I was given the opportunity to begin public speaking, which I'd never done before. And all of a sudden people were coming up to me saying, you don't speak like any technologist that we know. And I said, well, that's because I'm not a really good technologist, but I grew up in a family fishing business and learned how to tell stories. And all of that has created a lot of energy that has created a really unexpected personal brand in the marketplace. But I love having my hands in the startup world, working on new technologies, advising, participating in any number of different conversations about where standards are going and how do we change the hockey stick curve of cyber losses.
And to be able to just every day have that be your job and you get to have these really interesting and meaningful conversations and then hopefully be able to change things. It's a freaking awesome career. And I'm super, super humbled by all the opportunities that I get to be able to participate in these conversations.
B
And we're glad you're here, man. As someone who's internationally recognized in this topic that not enough people care about, I'm here to actually talk to you today about this thing called identity. And I'm going to take it all the way back to basic concepts and get into challenges and concerns. So let's not make assumptions. Let's start with when I use the phrase identity from a cyber standpoint. How do you define that? As an, as an expert?
A
Yeah. My focus on identity when we talk about it in the current age is identity is the pathway that moves a human actor into the digital world.
B
Right.
A
And I always love what. Yeah, I always love how John Kindervag phrases it. A couple years ago, John's an old friend and he said, he said, I don't understand why people are using this non-human identity label. He goes, all identities in the digital are non-human. And I gotta pause for a second.
B
Right?
A
And what he said is really kind of impressionist, observant, right? He's saying everything that is an identity in the digital world is functionally a proxy for a human equivalent. Now, maybe not a full human, which gets into things like AI and that type of thing, but maybe a human function. And so, yeah, for me it is, how do I move from this keyboard, from this device to the digital world and then how do I navigate that digital world? And all of that is associated to.
B
Identity, which means that every interaction that we have is being done by this proxy called our identity within the environment. So the challenge that I see as an old guy and an old cyber guy is that if we get identity wrong, then I either A, do not have the ability to do the things I need to do, or B, give someone else the ability to do things that I don't want them doing. I like to use the example, I give a presentation on identity and I put five pictures up there and say, what's the common thing for all these pictures? And the answer is all of those folks are Kim Jones, to include the female influencer, to include Lil Kim, the rapper, to include the British fashion designer, et cetera. So, you know, there's lots of opportunity for identity to go wrong. So what has been our approach to identity up till now? And what are the challenges with that approach?
A
So that's why I was very specific in my choice of words in the current age, right, when we're talking about identity. Because the history of digital access is problematic. And it's problematic from the standpoint of how it started, which was it wasn't a representation of me in the system, it was an access control mechanism to get into a system. So I always like to use the example of, first of all, I'm more of a history geek than I am a tech geek. But then you combine the two and then I go and research stuff that nobody really has ever written about. So a great example is when were the first account and password constructs created? 1961. Why is 1961 an interesting date? It's because it's a time when IBM set up a brand new mainframe lab at MIT and it was only available to compute graduate students. And they got four hours of compute time a week, and it took exactly 11 hours for some dude to figure out how to spool off the access control dog and hack the system so that graduate students in the mainframe programming classes could sell each other their four hours of time. Right? And so, like, when you hear that story, you immediately go, oh, well, I can understand why access is screwed up today because not only did we start out with this construct that it was, and it's also really important to understand what that was replacing. The reason why this identity or this access control mechanism was created was you actually used to get into COMPUTE devices with real physical keys. Right? And so this was a digital means, the very first digital means. So we treated from 1961 until about 2012 or 13, we treated identity only as access administration and only as access control. And I always like to tell people like in 09ish or whatever, when I got my first Identity gig, my corporate CIO congratulated my promotion. He said, way to go, you've got the easiest job ever. And I said, I was like, what do you mean? And he goes, it's just giving people access to stuff. How hard can it be? 
And so the whole idea of de-accessing people or deprovisioning or roles, profiles, grants, entitlements, the complexities that really drive identity are completely obfuscated from most people in any organization. And because they always equate things with just giving access to something as being identity, we've had this very, very stunted thought process around identity. And why I think this is an important conversation is a number of years ago, Julie Smith, when she was at IDSA, and I started working on something where I was writing articles about why is identity the only control domain recognized in NIST, recognized in ISO very clearly. We are cybersecurity kids. It's a big dinner table. But why is identity the only security control domain that doesn't use security language? We talk about access, we talk about entitlements, we talk about grants. In the meantime, our brethren's in the other domain and sister and the other domains are talking about attack surfaces, exploit surfaces. You know, time to remediate, all of these different mechanisms. And we are still talking about, even within identity security, we're still talking about identity and access administration terms. And I think that's a big, big contributor to the problem.
B
So when we think about identity as a proxy for us in the digital world, what should not what does, but what should that change about our thought processes regarding identity as a cyber professional?
A
Well, boy, that's a, that's a tricky question.
B
We got time because.
A
Well, I know, but it opens up that whole can of worms of which end of the, which end of the whale do you start with?
B
I want you to go there. So let's take a woods, take both sides of that.
A
Well, you mentioned something that I think is a real key part of the mess that we're in, which is, I'll use Chase as an example. I've been a Chase customer for 32 some odd years, back to Bank One, right? But I've been a Chase employee, I'm also a Chase former executive director, which when you leave Chase provides you with some interesting benefits. And, and, but each one of those is a different me. Right? So there's no singular representation of me like there is in the analog in digital systems. And because of a propagation of 16 different versions of me, we run into massive conflicts. And the use case is always so easy to prove where, as identity specialists, experts, we should be focusing solving problems, is a very simple one. I am an employee of a company for 27 years. I leave that company and retire. Now I'm a retiree, former employee, but I come back six months later as a contractor. That simple use case usually blows most people's identity frameworks and identity stack apart because that contractor comes back and there's some, you know, connection point that happens in all of their old accesses that were never hygiene and taken away because it was, you know, we disconnected at AD or Azure AD, but we never disabled at core application or core function. When you just look at the simple use cases like that, the problems that we have still not resolved in identity just bloom right in front of your eyes. And you know, I think that, you know, a lot of our questioning about identity needs to come back to, did we ever actually build a functional taxonomy for the function? I raised this point actually at the last Identiverse. I said I have a question about this whole, is an AI an identity? Which is a really interesting big philosophical divide going right now. And of course all the identity people are like, of course it's an identity. And I said, great.
I said, who's ready to go talk to an enterprise buyer and tell them that their Okta bill is going to go up by 50% in any given year because they're going to get thousands and tens of thousands of AI agents that all need an identity now and it's all value metric and subscription based licensing. And they were like, oh. And I said, maybe the real problem here is what we are terribly bad at identity is the way that we have been abstracting identities. So we tend to specify identities and go dive fast into authorization, authentz, entitlements, grants, privileges. And I'm like, maybe our entity classification at that top layer has never happened, where an AI is an identity, but it's a different type of entity. And a great example of this is one we've already mentioned, which is I love all of the excitement about this thing called NHI, right? But I always ask, and I know all the NHI players and I always ask them the same question. I'm like, so we didn't have anything other than workforce identities until two years ago when NHI companies just blew up, right? And everyone kind of pauses and I'm like, this is a 50-year-old problem. Like we have contractors that are not humans because they're actually financial contracts. We have service accounts that aren't human. And I used to certify 2.7 million service accounts a quarter under SOX obligations back when I ran identity at Chase. I'm like, this has been a problem that's existed forever. How all of a sudden is this now a new thing? And it's a new thing functionally because we never did the top layer entity assignment, right? We've missed an entire layer in the taxonomy because if I had an entity that was called a contractor or a temporal worker, then the way that I would have managed that identity would have been different than trying to take that contractor and then stuffing it into my workforce solution.
And then in the state of California be sued because I have contractors in a human resources related system and now those, by default, they are considered to be full-time employees. Right? This entity classification thing has been really scratching at me for the last several months in the AI space because now we're seeing it very aggressively happening in conversations around AI. And I'm like, and AI is not an actual full human. So if you stuff it into a workforce system, probably is not going to work, right?
B
And it's going to get even more interesting as you begin to get more agentic AI operating out there. So now I've got additional functionality for this entity that more closely replicates what the human proxy can do within the environment. That's going to get even more interesting. Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching. Streamline the number of vendors you use, reduce those ever-expanding costs and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full-stack zero trust networks from the ground up. With security at the core, at the edge and everywhere in between, Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and VPN, every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's M-E-T-E-R.com CISOP. Question for you. You mentioned that a lot of the, a lot of the focus in terms of fixing the problem of looking at identity as more than just access happened around 2012. What happened around 2012?
A
Cloud. Right. The very beginnings of cloud and commercialized cloud, when it was very clear that none of the access control solutions that were currently present on the market were going to be able to manage what at that time was predominantly AWS. Right now has become the complexities of multi-cloud, multi-CSP. Right. But you have to hand it to companies like Okta. I had Okta come into my office in 2014 when I was a CISO and try and sell me, right? And I remember like the conversations of like, why would I put my identity stores in the cloud? That seemed like a very bad idea. And yet with a lot of tenacity. And again, this is why I give a lot of respect to McKinnon, because he had to hold on for a long time until the world caught up to real, full cloud enablement. But the cloud brought into focus the inability for us to manage identity at the technical stack layer across a broad, diverse infrastructure deployment. I think this is an interesting repeat, really. We saw major technical advancements, technological advancements, during kind of the boom cloud years with identity. And it wasn't just them, it was cloud identity. It was, you know, a whole laundry list of names you can think of. Beyond Identity, Delinea, Ping, you know, going Ping cloud, like everybody, you know, finally got there. I think AI is the next massive litmus test catalyst for advanced changes in identity security. Because.
B
Yeah, go ahead, let me push you a little bit. This is more devil's advocate than anything else. While I see the advances that we made in terms of understanding that we can't manage identity not just in house, but need to actually expand it and expand the capabilities. I'm not necessarily sure we saw the mindset shift regarding what identity is other than just another form of access, go along with that advancement in technology. Because I still see a lot of vendors using good companies who are still looking at this as just another method of managing access. Do you disagree? And if so, why? I'm good with that. And if you agree, what do we need to do to fix that still? Because it sounds like all we've done is migrate, taking the same problem that started 50 years ago that we're dealing with now and migrating it and making it more effective and efficient to be broken.
A
Yeah, yeah, I love that observation. Right. Because you're absolutely right. Except this, this is going to be interesting. But it's not a technological problem. Now I'm going to be very, very specific. It's not a technological problem on the workforce side. And the reason I say that is because the triad always holds true. People, process and technology. So it was probably about 6-ish years ago that I started saying something that sounded really contentious in the marketplace, which was, if you get popped on a workforce identity related hack, it's your own fault because the tech is here and there's no reason that you should get hit in the workforce space. We're fully mature in that space and I, I definitely still fully believe that today. But we can use an example of how the people and process part has failed to keep pace with the technological advancements, specifically in workforce identity. With another example with Okta, the MGM breach. The MGM breach was really interesting. Social engineering phishing happening to a help desk and that help desk then enabling the bad actors with access at the engineering level that had too many privileges. It was over-entitled, right? Now who made that choice? I hope I don't make anybody mad at MGM. I'm currently staying in an MGM resort.
B
That would be bad.
A
Yeah, but who made that choice to allow persistent excessive privilege and access for the engineer that engineer's account. MGM did, right? Somebody with an MGM made a decision that maybe one day this engineer needs this really heightened access capability in order to be able to continue to do their job. Therefore we're not going to extract that from them because they are too important of an employee a resource for us. This is the guy that if he steps off the curb and gets hit by hits by a bus or production system stop. So we cannot take and segment that information and or that access and put it into privileged access management. That has nothing to do with technology. That is a series of process and people related decisions that represent that antiquated mindset of access versus control. And that's why, and this is why I really love that you went there. That's why I think the AI era is the catalyst for the next gear change. And the reason is, is because I have never heard non identity people talk about the fine grained control layer as much as I hear about it today. Which is that fine grain control layer is what those bad guys were capitalizing on in the MGM hack. Knowing that the fine grain control layer was subject to the people and Process weaknesses. If you want to allow people and process weaknesses in an AI agent, I'm going to guarantee you right now you're going to have a very bad day multiple days in a row, right? And faster and faster. Because AI agents do not suffer from indecision bias, right? They will do what they have been tasked and coded to do and they will capitalize on all of those same weaknesses if it allows them to accomplish that mission that you have tasked them to do. The only way that we're going to get our arms around that is diving into fine grained, controlled deep waters that I'm going to be really frank, like Identity people, we're terrified of it, right? 
And the reason that we're terrified of it is because we don't control Authn and Authz. We distributed that to the developers years ago. And if we think about the construct and the framework of that entity into Identity and who should have been controlling those fine grained entitlements grants privileges. When we gave things like authorization control over to developers, they didn't even bother to associate those authorization costs to users. They associated them to the app. So if you get access to the app, you can control the app through the authorization layer whether or not it's assigned to you or not. We've seen AI agents doing this already actually in the last year. And so this is why I really like. It's so weird that for everyone else that's freaking out about AI, I am stoked. Not because of all the cool things that AI can do, but because AI is going to become the 10 ton weight the grand piano dropping on Wile E. Coyote that wakes up everybody in security beyond just Identity to go. Oh my gosh, our, our architecting of this Rube Goldberg device that we call Identity for the last 30 years, 35 years, is going to get absolutely destroyed by AI unless we start talking about these difficult problems. Get after it.
B
So that's a perfect segue. Let's double click on that. So I'm a CISO of a company smaller than Chase, significantly smaller than Chase. What do I do today? You know, there's an argument that says AI is already here, which means this problem's already here, which means I'm already at least one to four steps behind. Okay, right. But let, let, let, let us assume that by listening to this podcast, I realize, oh crap, I'm probably five to six steps behind. I need to catch up. What do I do today to try and get in front of this? And I want to get more operational, you know, versus strategic. What, what should the very first thing be doing?
A
Yeah, yeah. The very first thing that every CISO needs to ask is, what AI am I allowing into my organization? Because frankly, 90 plus percent, 99 plus percent of most companies' exposure to AI is external. Right. It is not in-house developed. And because of that, that means I'm allowing things into my network. And the network still exists, and the network still is a protection layer. So every CISO needs to demand a full inventory and visibility into everything AI that is coming into the organization. Question number one, right? Once there's knowledge around that, question number two is, which of these AI services, features, functions or agents has persistent access that is not challenged or verified on a transactional basis? The other question that I ask that I think is another first starting point for CISO is I ask, okay, what's your relationship with AI innovation within the organization? And they say, well, I've been told to just block the services that we don't have an enterprise contract for. And I look at a CISO, I'm like, okay, can we be intellectually honest for a moment? Are you blocking everything? Oh, hell no. Yeah. And you see, I don't even know.
B
Everything I should be blocking. Yeah.
A
And you see, you see, see every CISO and I do think that there's a certain hold your nose and throw up in your mouth a little bit right now that CISOs are having to deal with because of the grand hope and dream of all the things that AI can do on the business side. Now I will say that this is also the first time in my career where I'm seeing a lot of CIOs who are responsible for that innovation, who are like, something with no guardrails is probably bad now. Right? That's a good evolutionary movement, right? We want to, you know, we want to progress the conversation. The way that people become security aware is not because they do cybersecurity awareness training. You know, nobody learns how to run away from a bear by reading a book about running away from a bear.
B
Right.
A
A CIO who's now understanding that the reward component of AI comes with a very possible risk component or damage component. Like, to see that kind of recognition among other C level technologists is incredibly important.
B
Absolutely.
A
And that's why I think AI is driving these really interesting conversations. I am so glad, like, this is going to sound melodramatic, but I'm so glad that I'm not retired. I'm so glad that I'm not. I'm so glad that I didn't Hang my cleats up a couple of years ago and just say that I'm going to go do whatever. I think we're in a super exciting time for security and identity, specifically because of AI, because it's forcing us to think about all the things that we, A, did bad in the past, and that's a lot.
B
Right.
A
And B, what we're going to have to do not to repeat those things. Because, like you said, the consequence, the catastrophic consequences are faster, the blast radius is bigger, the damage is going to be insane. Right. And it's forcing conversations that I haven't heard in the practitioner community in years and years and years.
B
Let's end this the way I end all my podcasts and give you an opportunity to tell my audience one thing that you want them to know that we haven't brought up, we haven't discussed, et cetera.
A
Well, the thing that I talk about a lot now is while we're talking about all of these founders in the AI space that are just so eager to hype up what they're doing. Right. There's a reality here that I think is both exciting and fascinating, which is we're in an age of technology that is the first, what I call pop culture age of technology. So my mom, 79 years old, my mom has asked me if she needs to be concerned about AI. Wow. My mom has never asked me what my Qualys scan results were. Right. Like, my mom has never expressed any interest in what I do on the security side. And there's huge opportunity for conversations as families, as parents, as children amongst each other about technology and what it means in our lives because of what's happening currently with AI. I think there's a need for us to kind of collectively as human beings to embrace this pop culture moment of AI and go, okay, like, what could we do? What could change for the better? What could we leverage these capabilities to do besides lay off a thousand call center workers? Right.
B
Like.
A
Let's be more thoughtful. Too many people feel like this AI thing is such a tidal wave that is just washing everything out into the ocean and they can't keep up with it. And I'm like, that's not really true. Just be observant. Dig into it. I think that's really what I'm encouraging people to do.
B
And that's a wrap for today's episode. Thanks so much for tuning in. And for our supporters and N2K Pro subscribers, your continued support enables us to keep making shows like this one, and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. And there's a link in the show notes. This episode was edited by Ethan Cook, with content strategy provided by Mayan Plot, produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing, sound design and original music by Ellie Peltzman. I'm Kim Jones. See you next episode. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full-stack, zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo at meter.com CISOP. That's M-E-T-E-R.com CISOP. And we thank Meter for their support in unlocking this N2K Pro episode for all Cyberwire listeners.
Date: November 18, 2025
Host: Kim Jones (N2K Networks)
Featured Guest: Richard Byrd (International Identity Expert)
This episode focuses on the evolving challenges of identity in cybersecurity, especially as it relates to combating online fraud. Host Kim Jones sits down with Richard Byrd to discuss why traditional models of identity are insufficient in today’s complex, digital world, how cloud and AI are transforming the landscape, and what CISOs can do to future-proof their organizations’ identity strategies.
"With in-person interactions, the differences between these four Kim Jones would be obvious. It would be as difficult for Kim Jones the Filipino influencer to masquerade as Kim Jones the old security guy as it would be for me to impersonate the rapper Lil Kim online." – Kim Jones [01:24]
"Identity is the pathway that moves a human actor into the digital world." – Richard Byrd [08:58]
"From 1961 until about 2012 or 13, we treated identity only as access administration and only as access control." – Richard Byrd [11:13]
"Why is Identity the only control domain that doesn’t use security language? We talk about access, entitlements, and grants, whereas others talk about attack surfaces and exploit surfaces." – Richard Byrd [13:30]
"Each one of those is a different me. Right? So there's no singular representation of Me like there is in the analog in digital systems." – Richard Byrd [15:47]
"The cloud brought into focus the inability for us to manage identity at the technical stack layer across a broad, diverse infrastructure deployment." – Richard Byrd [24:38]
"AI is the next massive litmus test catalyst for advanced changes in identity security." – Richard Byrd [26:05]
"If you get popped on a workforce identity related hack, it's your own fault because the tech is here and there's no reason that you should get hit in the workforce space." – Richard Byrd [27:13]
"The MGM breach was really interesting... that has nothing to do with technology. That is a series of process and people related decisions that represent that antiquated mindset of access versus control." – Richard Byrd [28:19]
Immediate Action Steps:
Mindset Shift: Security needs to become proactive about the new risks posed by AI’s speed and scale.
"You want to allow people and process weaknesses in an AI agent? I'm going to guarantee you right now you're going to have a very bad day." – Richard Byrd [31:09]
"My mom, 79 years old, my mom has asked me if she needs to be concerned about AI. Wow." – Richard Byrd [36:44]
On the Historical Flaws of Access Control:
"[Digital identity] wasn’t a representation of me in the system, it was an access control mechanism." – Richard Byrd [11:13]
On the Importance of a Taxonomy:
"Maybe our entity classification at that top layer has never happened where an AI is an identity, but it’s a different type of entity." – Richard Byrd [18:32]
On AI Forcing Change:
"AI is going to become the 10 ton weight—the grand piano dropping on Wile E. Coyote—that wakes up everybody in security beyond just Identity." – Richard Byrd [31:19]
On Realism and Responsibility for CISOs:
"There's a certain hold-your-nose-and-throw-up-in-your-mouth a little bit right now that CISOs are having to deal with because of the grand hope and dream of all the things AI can do on the business side." – Richard Byrd [34:22]
On Opportunity for Positive Change:
"Embrace this pop culture moment of AI and go, okay, what could we leverage these capabilities to do besides lay off a thousand call center workers?" – Richard Byrd [37:27]
This summary provides a comprehensive overview of the episode’s most important discussions and insights. It is designed to inform those who did not listen, encapsulating both the technical depth and the human context of today’s digital identity challenges in cybersecurity.