Risky Business Podcast Summary
Episode Title: Risky Biz Soapbox: Enterprise Yubikeys can now be pre-registered
Host: Patrick Gray
Guest: Jared Chong, Chief Operating Officer and President of Yubico
Release Date: December 8, 2024
Introduction
In this special soapbox edition of the Risky Business podcast, host Patrick Gray welcomes Jared Chong, the Chief Operating Officer and President of Yubico—the makers of the widely acclaimed Yubikey hardware authentication devices. The episode delves into Yubico's latest advancements in enterprise security solutions and reflects on the current state of cybersecurity in critical infrastructure.
Yubico Enrollment Suite
Overview and Innovation
Patrick Gray opens the discussion by highlighting the challenges enterprises face when deploying Yubikeys at scale. Jared Chong introduces Yubico’s new Enrollment Suite, a comprehensive solution designed to streamline the onboarding process for hardware authenticators.
Jared Chong [02:18]: "What we wanted to do was let's rethink how we enable an out-of-the-box experience—when you get the authenticator, it just works. It's really provisioned for you, we call it pre-register for you."
Benefits of Pre-Registration
The Enrollment Suite addresses two significant pain points in large-scale deployments:
- Logistical Efficiency: Yubico handles the delivery of pre-registered Yubikeys directly to users' home addresses, eliminating the need for manual distribution.
- Seamless Onboarding: Pre-registration with identity providers (IdPs) like Okta and Microsoft ensures that employees can start using their Yubikeys from day one without additional setup.
Jared Chong [03:57]: "We want to completely eliminate the first part of this journey, which is you want a user to be onboarded with the best authenticator."
Process and Logistics
Jared explains the technical workflow:
- Integration with IdPs: Administrators configure Yubico’s Enrollment Suite to work with their chosen IdP.
- Automated Provisioning: When a new employee joins, Yubico’s system automatically pre-registers the Yubikey with the company’s IdP credentials.
- Efficient Delivery: Yubico manages the shipping of these pre-registered keys to users, often spanning multiple countries.
Jared Chong [07:08]: "We take care of... pre-registering Yubikeys and shipping them to remote locations or home addresses."
Handling Exceptions
While the system covers the majority of users, Jared acknowledges that exceptions will occur. Yubico has introduced a client-side component to allow local provisioning in cases where immediate access is necessary, ensuring minimal disruption.
Jared Chong [11:08]: "Some customers say, 'We have a local IT shop that we trust. Can we provision it at that location?' And we say, 'Absolutely.'"
Cybersecurity in Critical Infrastructure
Delegation to Singapore
Transitioning from product discussions, Patrick shifts the conversation to Jared’s recent experience in Singapore as part of a Swedish business delegation. The focus was on sustainable energy and infrastructure modernization, with a surprising scarcity of cybersecurity representation.
Jared Chong [16:25]: "I was pleasantly surprised to hear that cybersecurity is part of the mix as well... But I don't think that there is enough cybersecurity representation in some of these national infrastructure projects."
Observations and Concerns
Jared expresses concern over the underrepresentation of cybersecurity experts in large infrastructure projects. Only a small fraction of the delegation were cybersecurity professionals, leading to a patchwork approach to security.
Jared Chong [20:36]: "Cybersecurity is a patchwork when they start to roll it out... It's just the bad guys are going to attack us. We got to defend them."
Funding Challenges
A significant barrier identified is the difficulty in securing funding for projects with stringent cybersecurity requirements. Governments struggle to mandate high cybersecurity standards without jeopardizing funding from the private sector, banks, and venture capitalists.
Jared Chong [21:17]: "Governments are only going to fund so much and the banks are making it really hard to get loans... There's a culture of nobody wants to go all in."
Industry Perspectives
Jared emphasizes the need for early cybersecurity integration in infrastructure projects to prevent vulnerabilities, advocating for policies that balance security with funding feasibility.
Jared Chong [24:42]: "We don't see that at the beginning of the journey... Identity is part of the conversation in terms of making sure that infrastructure cannot be hijacked by anyone."
Passwordless Authentication
Current State of Adoption
The conversation shifts to the broader industry trend of moving towards passwordless authentication. Jared observes steady progress, particularly among organizations utilizing major IdPs like Microsoft.
Jared Chong [26:57]: "We're making progress as an industry. Some would say we're making pretty reasonable progress in general."
Challenges in Specific Sectors
However, adoption varies across sectors. High-assurance industries like finance show reluctance due to entrenched practices and user resistance.
Jared Chong [29:27]: "Change can only happen with a generational change. Change of how we log into services."
User Adoption Barriers
Jared discusses the human element in transitioning to passwordless systems, highlighting the resistance from users accustomed to traditional authentication methods.
Jared Chong [29:27]: "They say, 'Why can't I log in with a password? I've been doing this for so many years now.'"
Conclusion
Patrick wraps up the episode by encouraging listeners to explore Yubico’s Enrollment Suite for streamlined enterprise authentication solutions. He thanks Jared Chong for his insightful discussion on both Yubico's latest offerings and the critical state of cybersecurity in infrastructure projects.
Patrick Gray [29:40]: "A pleasure to chat to you and we'll do it again next year."
Key Takeaways
- Yubico's Enrollment Suite simplifies enterprise-wide deployment of Yubikeys by pre-registering and pre-enrolling them with major IdPs, enhancing user onboarding efficiency.
- Cybersecurity in Critical Infrastructure remains underrepresented in large-scale projects, often leading to vulnerable systems until a security incident forces attention.
- Passwordless Authentication is advancing but faces significant adoption barriers in certain sectors, primarily due to user resistance and established authentication practices.
- Funding and Policy Balance is crucial to ensure that cybersecurity measures do not hinder the financing and development of essential infrastructure projects.
For more information on Yubico's Enrollment Suite, visit Yubico Enrollment Suite.
Notable Quotes:
- Jared Chong [02:18]: "What we wanted to do was let's rethink how we enable an out-of-the-box experience—when you get the authenticator, it just works."
- Jared Chong [07:08]: "We take care of... pre-registering Yubikeys and shipping them to remote locations or home addresses."
- Jared Chong [16:25]: "I don't think that there is enough cybersecurity representation in some of these national infrastructure projects."
- Jared Chong [26:57]: "We're making progress as an industry. Some would say we're making pretty reasonable progress in general."
- Jared Chong [29:27]: "Change can only happen with a generational change. Change of how we log into services."
This episode of Risky Business offers valuable insights into the evolving landscape of information security, highlighting both innovative solutions like Yubico's Enrollment Suite and pressing challenges in integrating robust cybersecurity measures within critical infrastructure projects.
