
A
Welcome to the To the Point Cybersecurity Podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life. Now, let's get to the point.

Agreed. I'm not gonna lie, Josh. For the longest time I was avoiding the whole two-factor authentication because it just drives me insane, because I never have, like, the right device, you know, that it bounces to, and it's always a thing. But I'm also kind of curious on hospitality in general. There's a fairly high turnover rate for these kinds of employees in this world, like restaurants, hotels, et cetera. So how do you manage training? So, kind of, security awareness and training when you have such high turnover? To your point, like, someone leaves within a week. If you have a lot of that happening, how can you manage security in that way and training in that way?
B
Well, I'm not gonna sugarcoat and tell you that it was just easy. We just flipped a switch and turned Beyond Identity on, and that was that. No, I mean, it is a little bit. It's a heavy lift right now for us to get people, like, when they start, get them enrolled and get that passkey on board. We've got some hotel leadership, general managers, AGMs, which are really great at it. And we have other ones who, like, seem to forget it exists as a thing to do. And so we're always looking at the reports in Beyond Identity, what pending enrollments are there, and, like, hey, why are these folks still pending? You know, they've been here for a while, we need to work with that. So that's actually one thing we're focusing on this year, is to make that process a little bit more streamlined. And I know Beyond Identity is making some, hopefully, platform enhancements and things that they've been working on in their pipeline to make that easier, so that users can maybe authenticate to one device and then they have a YubiKey available. We don't use YubiKeys just because it would be. It's hard enough for them to keep their name badge. Having them carry around a YubiKey, I think, would be an impossible ask. But I think the idea of, like, you know, if you've got your passkey bound to your mobile device and you can use a QR code and scan and authenticate, that would be, like, the wave of the future. But right now we're still working on that aspect of, like, hey, how does that flow work to get them in, because it is a little bit of a lift. But then once they're in, as far as the training we do for security, we use another company, it's called Venza, but they actually help us with all of that PCI training and cybersecurity awareness, vishing, phishing, spear phishing, all of those types of things, and they're constantly enhancing that.
But it is something that we, you're right, we have some people that start, like, they get onboarded, all this stuff, they can literally just click there and do the training. And again, some leaders are really great at making sure, like, hey, you don't do anything until you've gone through this training. And then we have other people, like, hey, I really, I'm swamped. I've got, you know, so many people coming on. I need to do. You're going to, you know, trenches in the ground here, let's get going. And then they, they're catching that up. So that's the other great. One of the other things that Beyond Identity has done for us with that single sign-on is it has taken the barrier away of getting to your training or getting to those jobs, because once your account's created and you've got that passkey, it's just one click in. There is no what's my username, what's my password, what's any of that, which, you know, that's bound together with single sign-on and SAML with an identity provider, but still, the password is the barrier.
C
So Josh, what's the actual user experience?
B
Right, like you started this with like the warning of that phishing attack was.
C
The user got queried for a password.
B
And they shouldn't need a password at all.
C
So how's the typical person in this scenario logging in in the passwordless case?
B
So we have it connected with our Windows domain or Active Directory domain. So when folks are originally signing in, they do have a password at the very first day. Like, hey, we have a generic format of how we make it based on different artifacts from their employee file. And that's their initial password. And then when they log in, they're going to create what one. And then as soon as they log in, they would go to Microsoft, the Beyond Identity portal, like Microsoft My Apps, and they, you know, they click that, click Beyond Identity, downloads their passkey, binds it to their device. And then once that's done, now that device is all set up for them. So now when they log in, instead of using that password, they're going to use a PIN, or maybe, if they've enrolled their fingerprint. If they have like a. They're a support office user and has a fingerprint reader on their device that they've enrolled, and they log in and then they open up their email, type in their email address, click Next, and instead of going to that Microsoft flow, it goes right to Beyond Identity, verifies that, and then they're in. That's literally why the GM, I think, calls it automagical, because there was no. All these forms to fill out. When you first start, it's literally, what's your username? And then it's checking that device right away. And so the flow, once they have it set up, it. It's so easy. I feel the other thing that happened, like, our CEO watched probably, like, oh, maybe it's when the new iPhone came out, they didn't transfer their passkey to their new phone. And so then he's trying to log in. He's like, I can't log into anything. Everything's giving me, like, what's going on? I'm like, hey, did you move your passkey over? Well, yeah, I backed up my, like, well, it's like a. You know, it's like your Apple Pay card. You got to move everything over. So then we put that passkey back on, and all of a sudden, no more problems, he said.
But the idea that, hey, these people haven't typed a password in four years, to actually bring back passwords on our side, I think people might actually cry or at least be, like, really shaken to the core of, like, this is not easy. We had a hotel that had left us, and then they came back. Like, we manage for other owners as well. So we were managing this hotel when we originally had the Beyond Identity rollout. They. They left. They went to another management company, and then this year they came back to us. And one of the first things the GM said was like, oh, I can't wait to get all that integration so we don't have to type in all this stuff, you know? And so I think that's a little bit of a win, too. People prefer it once they experience it, I think, but I think they have a little bit of a hesitation for new folks that come in and they find out we use a passkey, because that word has become a little bit dirty because of this really poor deployment by the masses. But I don't know how we get around that. Facebook wants you to use a passkey, Google wants you to use a passkey, whatever those might be. And they don't understand how it works, or they don't use a password manager, and they don't quite get the fact of, well, what's the point of this passkey if I can just use my password? That's a good point. What is the point of the passkey if you can just use your password? But at the same time, people, I don't think, have a full understanding of. I think passkey is a really generic, broad term rather than a very specific thing. And so the way that I get into the technical weeds and don't really know what I'm talking about, and I'll defer to Jasson here, but I understand it's like a key pair certificate rather than this magical passkey you got in the Nintendo game that you just tap on whatever device you want to get into.
A
What does the evolution of, let's say, identity-based security look like? Jasson, I'm quite curious. I love the show Altered Carbon, and they use actual DNA, kind of thing. But I'm curious, what does this look like? Where are we going to? Because ostensibly everything can be spoofed, be it your voice, be it your fingerprint or other things. But what does the future hold here?
C
Interesting. Let's try and find an analogy that's in this. In the, in the style of Altered Carbon in a sleeve, or maybe even Permutation City and Greg Egan. And I mean, let's see, identity is basically what you are, right? And I don't know, it sounds a little philosophical, but. But it's also meaningful. So a program, before you load, that program has a very specific sequence of bytes. No other program has that sequence of bytes except for a copy of that program. That program's identity is literally its sequence of bytes. When we think about essentially how we're talking about what modern identity is, that is the concept. It's like your identity is this unique pointer that's cryptographically sealed. When we say cryptographically sealed, what we really mean is it's. It's signed in a way where the only person who could produce a signature over that unique sequence of bytes is someone who possesses that private key. All right, well, why can't I steal the private key? Well, in the modern world, so, like, go try and buy a processor. It doesn't matter if you're buying, like, an Intel CPU or if you're buying, like, a tiny little, like, a tiny little ARM processor, right? They all have these things on them now called secure enclaves, which is essentially a place that will create those key pairs, keep them separated from the main processor and main memory. The key's never in memory, can't be stolen. There's no instruction that you could ever issue that says read key, right? Basically, you could think of it like, imagine there's a jail and the jail doesn't have a door, but you can reach between the bars, and there's a monkey with a pen on the inside. And essentially what you're doing is you're handing a document through those bars and asking the monkey with the pen to sign it. That's kind of what an enclave is. And so the future of identity, and this is ultimately what is kind of at the core of passkeys and device.
And anytime you hear someone say device bound, it's basically picture the monkey in the jail without a door, right? Anytime you hear someone say device bound, that means your computer, regardless of what it is, has that little isolated jail, and it's able to sign things. And because it's built in that way, you know, anytime you see that signature, it's that thing and nothing else. You can build on that, right? And so when you, you probably have an Apple phone or an Android phone, and I'm sure you've used it to pay for something, right? Like a mobile payment. The experience you see is you tap and you smile, or your mask breaks the smile detector, right? And so you put a little PIN code in. You don't really think of it beyond just, I bought some coffee. But what happened under the hood is you just did single-device multi-factor authentication that leveraged a device-bound credential, right? The merchant sent your phone a bill over the wireless network, and your phone said, hey, monkey, sign this. Turns out, for the key that you just asked the monkey to use, it pulled up its book, and it says, hey, the manual says to use this key you need to do three jumping jacks, right? Now, otherwise I won't sign this for you. But instead of three jumping jacks, it's like, hey, I need you to smile. You send a biometric, or an image of your biometric, into the enclave. And if the monkey likes it, it signs it. And if it doesn't, it says, try again. Or give me an alternative, right? You give it a PIN. And so that's called enclave policy. When you satisfy the enclave policy, it will then sign the document and give the document back to you. Key never moves, key is never in memory, key can't be stolen. And you now get a receipt of two interesting things. Either an inherence factor, right, the biometric, or a knowledge factor, that local PIN. And because that key can't move, you have a possession factor of the device itself.
So that's what makes it multi-factor, that's what makes it device bound, that's what makes it incredibly secure. And oh, by the way, any event that you produce off of that authentication now is really special and unique in your SIEM or in your XDR. It's an event that you know with certainty came from a specific device. It's an event that's not spoofable. It actually can't be faked, under the assumption that the foundry that produced that chip has not been essentially compromised by the Russians or the Chinese. So it is possible to actually prevent impersonation. Maybe somebody in the long tail who's listening to this show is going to say, oh, what about quantum? Well, the answer is pretty simple to that too. There's post-quantum signature algorithms, and these systems use those as well. So, haha, you're right, flip the switch. Post-quantum signature, defeated. That's what the future looks like. That's, like, the building blocks at the lowest layer. I think what the future looks like for users, though, is that Apple Pay experience, but for work.
A
Interesting, interesting. So for those out there, and I think about business leaders and others, so how do they get started on this path? A really kind of next-generation identity-based or device-based security, if they're not there yet? I mean, where do you even get started, in a 30, 60, 90 day plan? Because this is very compelling, and I suspect a lot of people want to figure out a path forward to help themselves be more secure.
C
The easy answer is just call us. But let me talk a little bit about the architecture. So a good identity security platform, it doesn't displace your identity stack, it plugs into your identity, and so we follow that tenet. It actually doesn't take but a day to plug us into an Entra or an Okta or a Ping or OneLogin or a Shibboleth or pick your IdP. The harder part, as we kind of talked through earlier, is the enrollment. Like, how do you actually want to enroll? And best practices that we see is you pick your rings. Your rings are kind of based on the writ, like, who are the riskiest users. And that's very dependent on your business, right? So if you're hospitality, you may define risk in a very different way than if you're software tech, than if you are education. Right? But we do see that pattern show up. They all agent, they call them rings. Right. So ring one, ring two, ring three. We have a couple different deployment models, but I would imagine that, like, over time any solution is going to evolve with these similar deployment models. But you can deploy with an MDM to manage devices. You can enable self-service for BYOD or third party. The hardest part in all of this is really just getting your users ready and aware for the new experience. Otherwise you're going to get help desk calls of, like, hey, I don't see my password box anywhere. And so now I don't know how to log in. And you're like, well, no, just click the button. And they're like, but no, I don't see a password box. Right. So, like, there's a little bit of a marketing exercise, even though it's to your internal workforce. But, you know, we've had companies deploy 60,000 people in 60 days. So it's, it's, it's possible to go quick. Usually the really quick organizations are, they're motivated, right? Like, they had a breach or they had an incident. And this is a very easy, quick response to ensure that the incident doesn't persist or continue.
But it's also, we also find deployment time frame is largely a cultural decision of the organization that's running the deployment. Right. Some organizations, like, IT deployments. It doesn't matter what it is. It's going to take a period of time because that's how the organization has decided it's going to take.
A
Right.
B
Right.
A
Cognizant of time. But I do want to ask kind of one final personal question, Jasson. We've had a lot of entrepreneurs and founders come on the podcast over the years, and it's. I, I came across an interview you did, and, you know, you talked about 19 years old was your first startup writing software. And then you, then you found a book. There was this book that you were reading from Michael Lewis. I think it was The New New Thing, about Jim Clark and having that unequivocal obsession of solving problems. And I just would love if you could share a little advice for our listeners who are, you know, kind of thinking about pursuing this path, and how do you get started and just take that first step?
C
Yeah, the. Let's see. It's a hard thing to give advice to, because it's kind of saying fall in love with X. Right. And ultimately that's an intrinsic motivation. It's not really an extrinsic motivation. But the people that I see do this and follow similar paths. You're highly curious. You really understand a thing. You're not necessarily superficial on the topic. You obsess over the problem. The monetary reward isn't necessarily really what's on your mind. The fact that the problem must be solved and other people are going to solve it incorrectly is what's on your mind. It's almost like an on-the-spectrum obsession. That's the, that, that's kind of what you need to, to be the North Star, to keep everybody motivated to, to get through the hard times. But also, like, if it were easy, the existing players would be doing it. Right. If it were easy, the opportunity wouldn't be yours. If it were accomplishable in 9 to 5, it wouldn't be your opportunity to try.
B
Right?
C
Right. So, like, it is hard work. It does require a lot of persistence. The people that I see that do the best, they're naturally curious. They're systems thinkers, they go deep. They don't accept superficial responses to answers. They keep asking why, they really want to understand how stuff works. They're system thinkers. You know, for me, you know, it was a combination of, like, I, I like puzzles, I like building things. I like the idea of turning an idea into something that somebody else used. Right. Like, how else. It's like one of the most, one of the most obvious ways to impact others is to build a thing they use. Right. That changes their life. And, you know, you don't have to change. We're not talking about, like, a movie, you have to change their life to where somebody writes about it. But, like, changes the way they behave for the better. Like, that's, that's meaningful. Right. It means you kind of impacted society, and, you know, the way you do it is technical, but, but at the end of the day you're still doing a thing to try and impact the behavior. Right. Like Beyond Identity, like, where we're, our mission is really an obsession. Around 70 to 80% of all security incidents are preventable. Like, for the sake of, for the love of God, can we move on to the next problem that is actually hard? These 70 to 80% problems, we can prevent them. We don't have to reduce them, we can actually prevent them. I don't know, I could go on a long time for that. But, like, if somebody were getting started, like, don't say you want to do a startup, but you don't know what you want to do a startup on. That sounds like you should join a startup, right? Like, if you're going to start a thing, you already know what that thing is, right. There's a bit of a self-selection bias in that. I can totally see you want to do a startup, you don't know what to do. And you're inexperienced, so you just don't really recognize the situation. And the answer is join a startup that you can get excited by.
You're going to grow really fast. You're going to be given responsibility that you don't deserve. You're going to be given an opportunity and a noose to kind of grow or hang yourself with that. You will not experience it anywhere else. Yeah, and that's where learning comes from. That's where you get to meet great people like Josh. That's where you get to discover, like, you know, you only ever have a vague idea about, like, the specific problems, and maybe you understand the macro problems well. But, like, once you engage with the customer, then they really tell you, well, yeah, you're on target enough for me to work with you. But really I need this, I need this change, I need this shift, I.
A
Need real-world problems. And similar kind of question, Josh. We're always interested in how people found their way into security. It's not always a linear path. Some people were PhD in linguistics or something like that, and now I see so, but yeah, always curious, kind of, how did you find your way to this world?
B
Well, so I actually started school, when I went to university, it was for commercial aviation. I'm a pilot, went to UND Aerospace, and my part-time job was working at a Holiday Inn, and I wanted to be a porter, like the shuttle driver, because I needed the tips in order to pay for rent and everything else. And I stayed with the hotels all the way through college. I did an internship with American Airlines down at DFW, and the hotel kept me on as an employee during that semester. And when I came back, finished up school. Unfortunately, September 11th happened my freshman year, and so that kind of impacted things. By the time I was ready to go and had things lined up, a lot of that was backfilled with a lot of furloughed pilots. And so I thought I'd go into aviation investigation. I really liked human factors and cause and effect, how things happened. But those jobs weren't available anymore. So I thought, well, the company I worked for, I said, hey, how would you like to go be a general manager of a hotel in Fort Worth, Texas? And I said probably not. But a week later I had my car packed and was driving down to Texas, and I ended up being, I'm like, I'll do this for a few months and get back into aviation. But, you know, I kind of fell in love with hospitality. I was in the operations side for a long time, until about 20, and they kind of moved into the property support, and I really saw the evolution of technology and how we use it in our operation. When I first started, really it was the CRS, the central reservation system, and the property management system, and people had a Windows login to use Word. But that was about all the technology we had. And now we run on so many systems and so many things. So it's been fun to be a part of that evolution and see how that happens. And then I just kind of got a knack for the IT side and kind of shifted into that full time here about eight years ago. And so that's kind of how I ended up where I am now.
But I still am very passionate about hospitality and taking care of guests, and I would love to see how we can continue to equip our teams in a secure way so that they're freed up just to deliver hospitality and not so scared about phishing emails and attacks and did I expose or have a big breach or anything like that.
A
Wonderful, pilot. That sounds scary. Well, thank you, Josh, Jasson, for this wonderful conversation today, and incredibly insightful, and I wish we could keep talking, but I know you have things to do today. So to all of our listeners out there, again, thank you so much for joining us. And I'm going to give John the.
B
Drum roll for Smash that subscribe button.
A
And you get a fresh episode every single Tuesday. So until next time, everybody, stay secure. Thanks for joining us on the To the Point Cybersecurity Podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast.
B
And.
A
Don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.
Episode: Beyond Passwords: Modern Identity Defense in Practice with Jasson Casey and Josh Johansen
Release Date: January 27, 2026
Host: Rachael Lyon
Co-Host: Jonathan Knepher
This episode examines the evolution of digital identity security, focusing on the shift from traditional password-based systems to modern, passwordless solutions such as passkeys and device-bound credentials. The discussion leverages practical experience from the hospitality industry and dives deep into the technology that makes advanced identity defense possible.
Hospitality Industry Context:
Quote:
“It is a little bit... a heavy lift right now for us to get people, like, when they start, get them enrolled and get that passkey on board... But then once they're in... with that single sign on it has taken the barrier away.”
— Josh Johansen [01:04]
Impact of SSO and Passwordless:
"One of the first things the GM said was like, oh, I can't wait to get all that integration so we don't have to type in all this stuff." — Josh Johansen [07:05]
Technical Breakdown by Jasson Casey:
“Imagine there's a jail and the jail doesn't have a door, but you can reach between the bars and there's a monkey with a pen on the inside... That's kind of what an enclave is.”
— Jasson Casey [08:56]
How Device Authentication Works:
“You can deploy with an MDM to manage devices. You can enable self service for BYOD or third party. The hardest part in all of this is really just getting your users ready and aware for the new experience.”
— Jasson Casey [13:41]
Jasson Casey’s Advice for Aspiring Founders:
Quote:
"If it were easy, the existing players would be doing it. Right? If it were accomplishable in 9 to 5, it wouldn’t be your opportunity to try.”
— Jasson Casey [17:43]
Josh Johansen’s Career Path:
On the effort required to move away from passwords:
“I'm not gonna sugarcoat and tell you that it was just easy... It is a little bit... a heavy lift right now for us to get people... enrolled and get that passkey on board.”
— Josh Johansen [01:04]
On the simplicity of passwordless logins post-setup:
“Once they have it set up, it’s so easy. Our CEO watched... I can't log into anything... Well, did you move your passkey over? ... [After fixing] no more problems.”
— Josh Johansen [05:52]
Jasson’s technical analogy for device-bound credentials:
“Imagine there's a jail and... a monkey with a pen on the inside. You hand a document through... and [it] signs it. That’s kind of what an enclave is.”
— Jasson Casey [08:56]
On learning and perseverance in cybersecurity entrepreneurship:
“It is hard work. It does require a lot of persistence. The people that I see that do the best... they're naturally curious. They're system thinkers. They don’t accept superficial responses to answers.”
— Jasson Casey [18:07]
This episode is an essential listen for any organization or leader considering the transition to passwordless authentication, or anyone interested in the broader evolution of digital identity defense. The hosts and guests candidly address both the organizational and technological challenges, the cultural shift required, and concrete first steps for initiating the journey. The discussion also offers inspiration for those considering a cybersecurity career or entrepreneurial path, emphasizing curiosity, depth, and problem-solving as keys to success.